Carolyn Crandall, Chief Deception Officer at Attivo Networks, explores how deception techniques can provide not only early detection of malicious activity but also an invaluable insight into an attacker’s methods.
Throughout history, deception has been one of the classic strategies underpinning offensive and defensive tactics in military warfare. Camouflage, concealment, and fake information, such as false propaganda or physical decoys, have been used to mislead, confuse, and slow down enemy forces to gain a strategic advantage. It’s one of the classic philosophies from Sun Tzu’s The Art of War: “Rouse him, and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots.”
Strategies derived from kinetic warfare are now being successfully applied by cyber security teams to outwit and out-manoeuvre attackers. Applying deception techniques to misdirect and ultimately derail cyber attackers is now not only changing the rules of engagement between cyber attackers and cyber defenders, but also providing a rich source of intelligence on the intruder’s targets, methods, and motivation. This can, in turn, help organisations strengthen their defences and mitigate the risk of the attacker returning. Now that most organisations are continuously under attack from human and automated attackers, deception provides a way for organisations to mislead and confuse their adversary, and stay ahead of cyber incidents, instead of feeling like they’re always one step behind.
Changing the asymmetry of an attack
In the cat and mouse game between IT security teams and cyber attackers, it is the attackers who have typically had the upper hand. Once they have bypassed perimeter defences to breach a network, they can lie in wait undetected for weeks, months, or even years, conducting reconnaissance and gaining valuable insights into how to bypass defences and reach the targets they are seeking. Organisations can, and should, take all appropriate measures to prevent an attack, but given the attackers' scale, sophistication, and determination, it is virtually impossible to defeat all the attackers, all the time. The attackers have the advantage of deciding when, where, and whom to target, and have the luxury of making multiple mistakes while still achieving their goals.
Creating an active defence against the adversary is no longer reserved only for the organisations that have the in-depth resources or have mature and sophisticated information security programs.
Deception technology re-writes the playbook and turns the attackers' own favourite game, deception, against the deceivers themselves.
It gives defenders something they have never previously had: a real strategic advantage and the ability to shift the asymmetry of the engagement against their adversary. In this way, it is also changing how security teams engage with and respond to attackers, and how they force attackers to reveal their modus operandi.
Cyber deception works through decoys that appear to be real production assets and are attractive to an adversary. These are coupled with deception baits or lures that appear real and attractive to the cybercriminal – such as data, applications or credentials – and that redirect them into the deception environment. Believability and coverage are fundamental to deception, and the most authentic deception systems are designed to appear identical to the production environment, running the same operating systems and services. Deception ultimately ensures that the attacker cannot tell what is real and what is fake and, through either the element of surprise or enticement, tricks the threat actor into revealing their presence…
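The mechanism described above has a concrete detection side: because no legitimate process ever uses a planted decoy credential or connects to a decoy host, any authentication event involving one is a high-fidelity signal, and the sequence of such events from one source traces the intruder's path through the deception environment. The following is an added example written for this article, not Attivo's code or product logic; the log format, the decoy account and host names, and the sample log lines are all constructed for illustration.

```python
"""Detecting use of planted decoy credentials and decoy hosts in auth logs.

Added example, not the vendor's code. The syslog-like record format, the
decoy names and the sample lines are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Decoy accounts seeded into endpoints and credential stores (constructed).
# Nothing legitimate ever authenticates with them, so any attempt, whether it
# succeeds or fails, is worth an alert.
DECOY_ACCOUNTS = {"svc_backup_legacy", "db_admin_ro"}

# Hosts that exist only as decoys (constructed names).
DECOY_HOSTS = {"fileserver-07", "sql-archive-02"}

# Constructed record shape:
#   <timestamp> host=<host> user=<user> src=<ip> result=<success|failure>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    host: str
    user: str
    src: str
    result: str


@dataclass(frozen=True)
class Alert:
    event: AuthEvent
    reason: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one record; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return AuthEvent(**m.groupdict())


def classify(event: AuthEvent) -> Optional[str]:
    """Explain why an event touches the deception layer, or None if it does not."""
    reasons = []
    if event.user in DECOY_ACCOUNTS:
        reasons.append("decoy credential used")
    if event.host in DECOY_HOSTS:
        reasons.append("decoy host touched")
    return " and ".join(reasons) if reasons else None


def detect(lines: Iterable[str]) -> List[Alert]:
    """Run every log line through the decoy checks, in order."""
    alerts: List[Alert] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # malformed line: skipped rather than misread as benign
        reason = classify(event)
        if reason:
            alerts.append(Alert(event, reason))
    return alerts


def timeline_by_source(alerts: Iterable[Alert]) -> Dict[str, List[str]]:
    """Group decoy interactions by source address, preserving log order.

    The resulting sequence per source is the intruder's path through the
    deception environment: which lure was taken first, which decoy host was
    reached next, and whether each attempt succeeded.
    """
    timeline: Dict[str, List[str]] = {}
    for a in alerts:
        e = a.event
        timeline.setdefault(e.src, []).append(f"{e.ts} {e.user}@{e.host} ({e.result})")
    return timeline


# Constructed sample log: one source first reaches a decoy host with a real
# account, then tries a decoy credential, then reaches a second decoy host.
SAMPLE_LOG = [
    "2024-05-01T09:14:02Z host=hr-laptop-12 user=alice src=10.1.4.22 result=success",
    "2024-05-01T09:15:40Z host=fileserver-07 user=alice src=10.1.4.22 result=success",
    "2024-05-01T09:16:03Z host=fileserver-07 user=svc_backup_legacy src=10.1.4.22 result=failure",
    "this line is deliberately malformed and must be skipped",
    "2024-05-01T09:20:11Z host=erp-app-01 user=bob src=10.1.7.5 result=failure",
    "2024-05-01T09:21:00Z host=sql-archive-02 user=db_admin_ro src=10.1.4.22 result=success",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.event.ts} src={alert.event.src}: {alert.reason}")
    for src, path in timeline_by_source(detect(SAMPLE_LOG)).items():
        print(f"path taken by {src}: " + " -> ".join(path))
```

On the constructed sample this raises three alerts, all from one source address, while the ordinary failed login from the other address produces nothing; a failed attempt with a decoy credential is alerted on just as a successful one is, because the point of a lure is that nothing legitimate should ever try it.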