Hey Cyberattackers… We know you’re in… We are watching you!
The Advantages of Studying an Adversary Inside your Network
By Geoff Hancock
It’s the best advantage ever. Its sounds crazy, setting up your network and letting the bad guys advance their attack? For what purpose? What if they overwhelm your systems and then disappear? Why would anyone in their right mind let an attacker continue their attack?
What if this wasn’t such a a gutsy move, and you could do this, so the stakes are not high, and when done well…the information collected becomes invaluable to securing your company.
When employing a deception program, it is informative to let the attack, (attempted attack because you are watching it happen), rather than shutting it down right away. You monitor and record the details of what takes place. Your team gains a greater understanding of how attackers operate, the way the attack highlights software vulnerabilities, and how your network can be compromised.
Deception is the future of cyber operations, managing the fight, leading the fight and exhausting your enemy…and winning.
Who is deceiving who?
From phishing attacks to CEO fraud, to Nigerian bank transfer scams, attackers have always practiced creative deception techniques, because they work. And that’s why defenders are always behind. Waiting to be attacked and “ready to respond”. This gets old and discouraging. Don’t you want to get out in front of and ahead of the bad guys, thinking 5 steps ahead? Cyber deception gives you that advantage…using deception against the adversary. Is cyber deception part of your tool kit? It should be.
Five understated values of cyber deception
1. Learn about your business
To put together a successful cyber deception program, you must learn how your business works. This includes understanding all elements of business operations, how data flows, how data is used, and what is created or curated. For a technology executive to be successful, you must understand and identify how your business works.
Once your adversary gets into your network, they don’t attack right away. They do reconnaissance, they analyze, they learn as much as they can about what is most important to them and your company. Once that is clear, they devise a way to steal, lockdown, or otherwise attack your company.
2. Threat model
What are the top five ways your company is at risk for a cyberattack? Threat modeling provides a clear view of how the enemy assesses your organization. When done correctly, it helps companies realize not only the tactical means by which they can be compromised, but also corporately and strategically, how the business is unknowingly creating opportunities of high risk and high value for their adversary. Understanding your most critical data and the enemy’s path to getting it, is priceless.
Many organizations underestimate their value as a target, not realizing that attackers could hit them for many reasons, not just the data they hold. Attackers may attack an organization as an intermediate step toward another target they have a business relationship with. No matter how large or small, an organization can become a target.
3. Owning your infrastructure
OK, so you bought it, created it, or are borrowing it. Your infrastructure. The network, desktops laptops, servers, switches, routers…all the technology that supports your business and customer success.
But do you really own it?
Once the adversary is inside the network, they find leverage; they find ways to increase access, they find ways to “own” your infrastructure or some part of it.
Using a defense-in-depth strategy is paramount when implementing a deception program. A deception program is much more than a simple honeypot or honeynet. It’s more complete, more believable (to the bad guy), and gives the defender better control of any potential attack.
4. Learn, lead, eliminate
When done well, a deception program helps you:
- Learn what is most important to your business. From how data flows around your network, to what data is most vital to your organization. And how your organization would be attacked (most likely to least likely).
- Lead—When an attack happens (it’s important to have the mindset that it will), you are the one in control. Instead of chasing down false positives, misdirection’s and various signals (think shiny new coin syndrome), you are the one guiding, directing, and leading the adversary down a path. This path forces him to waste time and resources. It reveals his methods and tactics that you can use, either immediately and/or for future reference to strengthen your cyber intelligence program.
- Eliminate—When you have gleaned all data about your attacker, you have exhausted some, if not all his resources, and you have created a solid behavioral profile…you crush him. Choke him out of your system. Once this is done, make sure the other ways he can get back into your network are just as protected and monitored with your new deception program.
The element of Learning, Leading and Eliminating in your deception program is of tremendous value. The data gleaned can be turned into intelligence that can help your team mature in their skills. Plus, sharing this data with your industry can be of exponential value.
5. Get out of the defensive mindset; become PROACTIVE
Firewalls, IDS/IPS, endpoint management, etc. are all great elements of defense-only cyber programs. Cyber deception is not a defense-only program. Cyber deception is a proactive program that companies enlist when they are tired of spending money on products and using the same process they have been using for years with very little proof of making a difference.
It helps defenders think about the organization the way bad actors do. What they leverage and how they can take advantage of your organization.
For your organization cyber deception reveals incredibly valuable information. It helps identify technical gaps, process and procedural gaps, and areas where IT investments could be reduced, eliminated, redirected or reinvested, where it could be of the most value to protecting the company, streamlining the business and managing corporate risk.
Looking at many recent breaches, if the team had done the due diligence and invested in a deception program, they might have been able to stop, eliminate and reduce the impact of the attack.
As the use of cyber deception grows, businesses will find that such programs are not simply a technical issue that may impart some limited value. Organizations will realize cyber deception directly impacts their security, whether they are public, private or nonprofit organization. Having a cyber deception program is a wise, proactive and cost reductive strategy, and vital for every organization in today’s world.
For more information on how to build and implement a Cyber Deception Program see my White paper.
In battles, deceiving the enemy has been a vital tool for thousands of years…are you deceiving your enemy?
Geoff Hancock has been in cybersecurity for 27 years. He has worked in military, intelligence community, civilian agencies and corporations, conducing cyber operations, Active Cyber Defense, Deception and Intelligence. He has been a CISO, CTO and VP and currently is the CEO of Advanced Cybersecurity Group, where he heads up a team of cyber deception and intelligence analyst providing instruction and program operations.