Deception Spooktacular: Let’s Get in Character
Written by: Carolyn Crandall, Chief Deception Officer – I often speak to people with different levels of familiarity with deception technology. Given one’s background, experience, and interests, these conversations can be quite varied. With that in mind and in the spirit of Halloween, I thought it might be fun to describe deception technology through the eyes of other characters who use deception. So here we go with Deception Spooktacular: Let’s Get in Character.
Let’s start with what a typical description would be if we spoke“Geek.”
Deception technology creates various levels of traps and lures throughout a network that are designed to attract an attacker into engaging and revealing their presence. It does this with decoys that appear as a mirror match to production assets and bait that looks like credentials, SMB shares, and other applications or data of interest. It goes so far as to create decoys that appear as endpoints, servers, serverless cloud functions, containers, IoT devices, Industrial Control Systems, Point-of-Sale systems, routers, printers, and more. This maze of deception quickly derails threat activity, makes an attacker distrust their tools, and negatively impacts the economics of an attack.
Now let’s speak “Wolf.”
Deception starts by blending into an environment, the proverbial wolf in sheep’s clothing. As a wolf, you dress up to appear like the other sheep in the herd. You are meticulous in how you blend in. Your match the size, the color of your wool, and the breed of sheep. Next, you would behave in ways that would be attractive to your predator.Note: Since deception is non-disruptive to standard operations, no sheep are harmed in the use of the technology.
It’s Halloween and time for candy, so what if I were a Jelly Bean?
Jelly beans are a small bean-shaped candy sold in a variety of colors and flavors. The experience generally rewards people with a sweet-tasting treat. Cherry, Root beer, Lemon Lime, how can you go wrong? Deception is very similar to the BeanBozzled challenge, which is known as the Russian Roulette of candy games. Each box is filled with both delicious and strange flavors, with the catch that you cannot tell what you’re going to get until you eat it. Deception works the same way in that a threat actor cannot tell the difference between a decoy and a production device or a fake vs. real credential until it is too late. The simplest sampling of the deception candy will trigger an alert that lets one know that unauthorized behavior is occurring. The fun part is also that an attacker gets a sour treat of fake information and the unfortunate outcome of being redirected into the deception environment where their presence and secrets are revealed.
What if I were a Stormtrooper?
In one of the classic scenes from A New Hope, Luke Skywalker and Han Solo have disguised themselves a Stormtroopers to infiltrate the detention center where Princess Leia is held captive. Disguised as Stormtroopers, they seamlessly blend in, while using Chewbacca as their captive for additional authenticity. During the scene, the Princess poked fun at Luke and called him out for being a little short for a Stormtrooper. Goes to show that mirror-match authenticity is required to deceive the more astute adversaries.
What if I were a Gremlin?
Who doesn’t love Gremlinsas an all-American comedy horror film? A Mogwai, which appears as a cute little pet, then spawns other creatures who transform into small, destructive, evil monsters. It may be a bit like how an attacker sees deception. Deception essentially spawns other “devices” on the network, making it virtually impossible for an attacker to tell real from fake until it is too late. The spawning, much like the Gremlins, can appear endless as an adversary seeks to avoid falling prey. Pushing the parallel a few steps more, deception can appear as an “evil monster” through the use of decoys and fake credentials or through decoy documents, or as it intercepts attacks on Active Directory, hiding real data and feeding back fake information. All of this can make attackers distrust the information they are gathering and the tools they rely on. With deceptive redirection, the security team is also now able to study the “Gremlins” behavior and figure out what their intentions and weaknesses are.
Gremlins came with a playbook that pointed out three important rules that must never be broken—do not expose the mogwai to bright lights or sunlight, which will kill it, do not let it come in contact with water, and most importantly of all, never feed it after midnight. In the world of deception, not letting it come into contact with water (production assets) can be achieved with decoys, not feeding it after midnight (the fuel to escalate their attack) is equivalent to preventing access to real credentials or AD by hiding them among fakes, and the most critical element required for stopping them, not exposing them to sunlight (the detection), can be found within the deception sandbox where a light is shined on the attacker, revealing their tools, techniques, and intent to stop the attack and fortify defenses.
There are so many fun characterizations of deception. I welcome you to share more and wish everyone a very happy and safe Halloween.