Written by: Carolyn Crandall, Chief Deception Officer

Over the past five years, the conversation around cyber deception has advanced from the question of what it is to what to use it for. Fundamentally, cyber deception has evolved into a highly regarded threat detection solution for companies of all sizes and security maturity levels. This blog outlines how the capabilities of deception technology have expanded and the various roles it can play within the security stack, and it walks through the steps a responder takes in preparing for and responding to an attack using cyber deception.
The core benefit of deception technology lies within its ability to confuse and redirect an adversary’s actions, causing them to make mistakes, reveal their presence, and change the economics of their attack. This is done by placing a variety of decoys, credential lures, and various forms of application, document, and other bait throughout the network. Advancements that have been made to simplify deployment and ongoing operations have resulted in additional functionalities for visibility and vulnerability assessment. Plus, the ability to gather live attack information facilitates the automated correlation of data and incident response actions.
The following describes five areas in which deception can play a role in reducing risk and improving an organization's cyber defense posture.
Deception technology uses machine learning to discover the network and build deceptions that mirror-match the environment. This process allows the platform to see when new devices come into the network, providing visibility into unauthorized system additions and changes. Deception technology also maps existing stored or orphaned credentials to gain awareness of their misuse. It also provides insight into lateral movement attack paths, so that the attack surface can be reduced by removing these exposures.
Additionally, recent innovations in Active Directory protection provide the ability to detect unauthorized queries on Active Directory (AD) and to return false data without touching the production environment. Attacks are then redirected into a decoy, making it difficult for the attacker to discern real from fake or to trust the output of tools such as Mimikatz, BloodHound, and PowerShell Empire. In this case, even the mere act of observation alerts a defender to undesirable behavior. Compromising Active Directory is common and often a critical part of a successful attack. Derailing these efforts with misleading data can significantly reduce the risk of the attacker successfully breaching AD and can deter adversaries because of the complexity it adds to an attack.
Stopping an attack during and after execution
Most detection tools activate when an attack is already well underway. Deception-based detection is different in that it is more proactive and designed to detect early, typically triggering when the attacker looks to move from the initially infected system. Deception is built for better detection against better attackers, with the intent to detect and disrupt attacks early, regardless of the attack vector. This includes the detection of credential access, exploration of lateral paths, Active Directory reconnaissance, discovery of network assets, active mapped shares and ports, and man-in-the-middle attacks. A full deception fabric will include detection for user networks, cloud (AWS, Azure, Google, Oracle), datacenters, remote offices, network infrastructure (routers, switches, VoIP, print services), and specialized environments (IoT, medical IoT, ICS-SCADA, and POS). Management can be centralized on-premises or in the cloud. Detecting early and reducing dwell times has tangible benefits in the speed of containment, the restoration of operations, and the prevention of more significant damage.
Removing and remediating an infection
With deception, defenders gain high-fidelity alerts that are substantiated by the environment’s attack analysis and forensics. The ability to gather real-time intelligence is a unique benefit of deception and is extremely valuable for gaining the upper hand against attackers. Native integrations and playbook automation go one step further to mitigate ongoing incidents and improve defenses for when attackers return. These capabilities facilitate information sharing with other security controls and automate incident response, including isolation, blocking, and threat hunting. Advanced deception platforms can also automatically remediate exposed credentials on the endpoint. In Red Teaming scenarios, we have seen the Blue Team detecting intrusions in under an hour with containment in under 30 minutes and full restoration of services in under 30 minutes. The in-depth attack data allowed the teams to detect and respond confidently without having to spend hours in triage.
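The three passages above describe the same pipeline from a defender's side: bait (honey credentials, decoy hosts) that no legitimate workflow touches, high-fidelity alerts when it is touched, and playbook actions (isolate, block) driven by the alert. The following is an added illustration of that pipeline, not code from the author or from any deception vendor. The event format (`key=value` logon records), the decoy inventory, the technique labels and the playbook action names are all assumptions constructed for this example; a real platform would read events from its own sensors or a SIEM and hand actions to an EDR or NAC integration.

```python
"""Honey-credential and decoy-asset detector with playbook actions.

Added example for illustration only. The event format, decoy inventory,
technique labels and action names are assumptions, not a vendor's API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed decoy inventory. These accounts and hosts exist only as bait,
# so any authentication that references them is suspicious by definition,
# which is what gives deception alerts their low false-positive rate.
HONEY_ACCOUNTS = {"svc_backup_old", "da_admin2"}
DECOY_HOSTS = {"FS-DECOY01", "SQL-DECOY02"}


@dataclass
class Alert:
    severity: str
    source_host: str      # where the activity came from: the likely foothold
    principal: str        # account used
    target: str           # system or service touched
    technique: str        # coarse label for the observed behaviour (assumed taxonomy)
    actions: List[str] = field(default_factory=list)   # playbook steps to hand off


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value key=value' logon record into a dict."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def evaluate(event: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if the event touches planted bait, else None."""
    user = event.get("user", "")
    target = event.get("target", "")
    src = event.get("src", "")

    if user in HONEY_ACCOUNTS:
        # A planted credential was presented. It was only ever seeded on
        # endpoints as bait, so the source host is where it was harvested.
        # Success or failure does not matter: the attempt alone is the signal.
        return Alert("critical", src, user, target, "credential-access",
                     actions=[f"isolate-host:{src}", f"disable-account:{user}"])

    if target in DECOY_HOSTS:
        # Something reached a decoy that no production workflow references,
        # which is the lateral-movement probe the text describes.
        return Alert("high", src, user, target, "lateral-movement",
                     actions=[f"isolate-host:{src}", f"capture-traffic:{target}"])

    return None


def run(lines: List[str]) -> List[Alert]:
    """Evaluate each event line and collect alerts in order of occurrence."""
    alerts = []
    for line in lines:
        alert = evaluate(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events: one benign logon, one use of a honey credential
# against the domain controller, one SMB connection to a decoy file server.
SAMPLE_EVENTS = [
    "type=logon user=jsmith src=WS-0007 target=FS-PROD01 result=success",
    "type=logon user=svc_backup_old src=WS-1042 target=DC01 result=failure",
    "type=smb user=jsmith src=WS-1042 target=FS-DECOY01 result=success",
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.technique}: {a.principal}@{a.source_host} -> {a.target}; "
              f"actions={a.actions}")
```

Note that the benign event produces nothing, the failed logon with the honey account still fires at critical severity (a failed attempt with bait is as telling as a successful one), and both alerts point at the same source host, WS-1042, which is exactly the kind of correlation that lets a responder isolate a foothold without hours of triage.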
Use of threat intelligence
Unlike other detection controls, deception goes beyond alerting and gathers adversary intelligence so that defenders can quickly understand an attack and prevent a similar recurrence. Planted decoy documents, fake credentials, and AD objects allow defenders to gather adversary intelligence related to attacker intent. This capability can be instrumental in understanding what type of information attackers are after and how they are gaining access. In addition to appending information from known threat intelligence databases, solutions with a built-in sandbox will also gather the full Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) of an attack.
After-the-fact investigation
Whether for a postmortem incident evaluation, a Red Team exercise, or insider threat substantiation, deception records all attack activity and provides irrefutable proof of unauthorized activity or policy violations. This in-depth information can be extremely useful in demonstrating security resiliency, ongoing security control functionality, and the effectiveness of security controls related to insiders and suppliers.
Cybersecurity has traditionally centered on preventative defenses. This is no longer reliable, as demonstrated by the number of breaches we continue to see each year and by the average time that attacks remain undetected. A new, more proactive approach is needed. With cyber deception, organizations can proactively detect and derail threats early so that attackers cannot establish a foothold or complete their mission. The impact is measurable, with dwell times being reduced to an average of 5.5 days, as compared to non-deception users who reported an average of 61 days. Additionally, 91% of users cited their confidence in the efficacy of deception solutions, 98% found value in the technology, and 71% stated it has exceeded their expectations.
Deception technology brings forward the ability to achieve no-nonsense detection, improved visibility, and faster incident response for organizations of all sizes. Additionally, it provides the unique ability to introduce uncertainty into the mind of the attacker: no longer able to trust that they can tell real from fake, attackers will make mistakes, be forced to spend more time, start over, or seek out an easier target. Collectively, the features of cyber deception reduce risk and improve the overall efficiency of security operations. Ready to take a look?