Deception for proactive defense
Proactive and balanced defense
For many years, enterprise cyber security was primarily reactive. That is, a network perimeter was established to prevent attacks, and if a breach occurred, then response activities were initiated. Typical cyber response activities would include perimeter adjustments, vulnerability remediation, and damage containment. The methodology of prevent, detect, and respond (in that order) has thus driven cyber security design for most teams.
This methodology is fine, so long as balance exists across the three tasks. It is obviously better to prevent something than to deal with its consequences, but prevention is not always possible, so each task plays a role in enterprise security. The problem is that in many recent cases the emphasis has tilted toward response, often called a “shift right” in the methodology. This reactive emphasis stems from the rapid advances in offensive tradecraft: preventive controls are bypassed often enough that many teams have come to plan around the breach rather than around stopping it.
One consequence of this shift is heavier reliance on methods that only come into play after a compromise has already occurred, such as post-breach containment and clean-up. For mission-critical operations, where damage to critical infrastructure cannot be allowed, this is unacceptable. The good news is that many security teams today are opting to shift back toward a more balanced view of the cyber defense lifecycle. Deception, as we will explain in this article, plays a central role in this more proactive and balanced approach.
Cyber deception, as most practitioners understand it, involves strategically placing decoys (“landmines” such as decoy hosts and services), lures (decoy credentials, files, and shares), and breadcrumbs that lead an attacker from a compromised production endpoint toward those decoys. Deception can be viewed as reactive, because it provokes attacker behavior that can then be monitored, but it can also be viewed as proactive, because it diverts breach activity away from production resources. In addition, because no legitimate user or process has any reason to touch a decoy, good deception lets security teams alert quickly and with high fidelity the moment such a policy violation is detected.
Deception provides balance because it is useful during all aspects of the prevent, detect, and respond lifecycle. Throughout these tasks, deception captures attacker TTP (Tactics, Techniques, and Procedures) information and valuable forensics. The resulting threat intelligence helps isolate infected systems, block attackers, identify early indicators, and support the security operations center (SOC) hunt team in their response work.
The result of deploying deception is that enterprise security teams can be both proactive and reactive in their defensive approach to modern cyber threats. Organizations can also keep pressure on the adversary during every phase of the attack lifecycle and leverage threat intelligence collected during the attacker's early reconnaissance, which is vital to derailing and remediating cyber attacks.
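The two paragraphs above describe the core detection loop: plant breadcrumbs that no legitimate user should ever use, treat any touch of them as a high-fidelity alert, and turn the sequence of touches into TTP-style intelligence. The following is an added example illustrating that loop, not code from the original article or from any deception product. The log format (space-separated key=value pairs), the decoy names (`svc_backup_old`, `fs-archive-02`, and so on), the tactic labels, and the sample log lines are all constructed for illustration.

```python
"""Honeytoken (breadcrumb) detection over constructed auth-log lines.

Added example, not from the original article. Assumes a simple
space-separated key=value log format and a small, hypothetical set of
planted decoys; all names and log lines below are constructed.
"""
import re
from dataclasses import dataclass

# Planted breadcrumbs: decoy credentials, hosts and shares that no
# legitimate user or process should ever use. Hypothetical names.
HONEYTOKENS = {
    "user": {"svc_backup_old", "admin_legacy"},
    "host": {"fs-archive-02", "db-reporting-07"},
    "share": {r"\\fs-archive-02\finance_2019"},
}

# What each kind of decoy, once touched, usually reveals about the
# attacker's behaviour (illustrative labels, loosely in ATT&CK tactic terms).
TACTIC_BY_KIND = {
    "user": "Credential Access / Lateral Movement (decoy credential used)",
    "host": "Discovery / Lateral Movement (decoy host contacted)",
    "share": "Collection (decoy share opened)",
}

# key=value pairs; a quoted value may contain spaces and backslashes.
LOG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    kind: str
    token: str
    tactic: str
    raw: str


def parse(line):
    """Parse one log line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in LOG_RE.findall(line)}


def check_line(line):
    """Return an Alert if the event touches any planted honeytoken, else None.

    Decoys have no legitimate use, so a single match is enough to alert;
    there is no threshold or correlation needed to reach high fidelity.
    """
    ev = parse(line)
    for kind, tokens in HONEYTOKENS.items():
        value = ev.get(kind)
        if value is not None and value in tokens:
            return Alert(ts=ev.get("ts", "?"), src=ev.get("src", "?"),
                         kind=kind, token=value,
                         tactic=TACTIC_BY_KIND[kind], raw=line)
    return None


def scan(lines):
    """Run every line through the honeytoken check and keep the alerts."""
    return [a for a in (check_line(l) for l in lines) if a is not None]


def timeline_by_source(alerts):
    """Group alerts by source address in timestamp order.

    The attacker's path through the decoys (which token, in what order)
    is the TTP intelligence the SOC hunt team can act on.
    """
    out = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        out.setdefault(a.src, []).append((a.ts, a.kind, a.token))
    return out


# Constructed sample log: one benign user (agarcia), one workstation
# (10.0.4.17) whose compromised session follows the breadcrumbs.
SAMPLE_LOG = [
    'ts=2024-05-01T08:12:03Z src=10.0.4.17 user=jsmith host=fs-prod-01 action=logon result=success',
    'ts=2024-05-01T08:13:40Z src=10.0.4.17 user=svc_backup_old host=fs-prod-01 action=logon result=failure',
    'ts=2024-05-01T08:14:02Z src=10.0.4.17 user=jsmith host=db-reporting-07 action=connect port=1433',
    r'ts=2024-05-01T08:15:11Z src=10.0.4.17 user=jsmith share="\\fs-archive-02\finance_2019" action=open',
    'ts=2024-05-01T09:00:00Z src=10.0.9.3 user=agarcia host=fs-prod-01 action=logon result=success',
]

if __name__ == "__main__":
    alerts = scan(SAMPLE_LOG)
    for a in alerts:
        print(f"{a.ts} {a.src} {a.kind}={a.token!r} -> {a.tactic}")
    for src, steps in timeline_by_source(alerts).items():
        print(f"\nattacker path from {src}:")
        for ts, kind, token in steps:
            print(f"  {ts}  {kind}: {token}")
```

Note that the failed logon with the decoy account still alerts: the point of a breadcrumb credential is that it should never be tried at all, so the attempt, not its outcome, is the signal. The benign line from 10.0.9.3 produces nothing, which is what makes deception alerts cheap for the SOC to triage compared with threshold-based rules over production activity.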
Strategies for deploying deception are driven by an organization’s architecture, environment, and risk appetite. Modern deception technology platforms provide excellent options for covering a diversity of enterprise needs. For example, deceptive traps can be easily embedded into environments such as user networks, data centers, public and private clouds, remote office locations, and in other specialized environments.
Design options also cover a range of targets, from legacy devices to the most modern cloud architectures built on serverless and container deployments. Additional deception services for applications, data, and databases can be deployed into the enterprise, increasing the return on the investment and providing the greatest detection benefit to organizations with the lowest tolerance for risk.
From a practical perspective, however, decisions about where to place deception should follow a risk management process. That is, an enterprise should use knowledge and insight about its actual cyber security risks to drive placement. Another consideration is the protection of legacy assets that, for technical or business reasons, cannot readily receive the latest security updates; deception can detect activity against such assets when patching is not an option.