Written by: Mike Parkin – Technical Marketing Engineer – In a previous blog post, I covered what I call the ‘sweet spot’ for deception, which describes the characteristics and quality deceptive assets need to have to look like the real thing if they’re going to be effective against a skilled attacker. That brings us to the idea of “keeping it real,” which sounds like a contradiction when the subject is deception. It’s not though. The core of effective deception is creating assets that an attacker can’t tell from the real thing. They look real. They act real. To an attacker, they are real.
When deceptive assets are deployed, they should appear as real as possible, and Attivo’s ThreatDefend® platform achieves that using machine learning to analyze the environment it’s deployed in. Deception campaigns are generated to match that environment closely, and operators can tune the decoys further with customization features or build them from the organization’s own gold disk images. With perfectly matched deception, an attacker won’t know whether the system they’re on is live or a decoy, or whether the credentials they’ve stolen are authentic or fake, until it’s far too late.
In order to stay authentic, deceptive assets can’t remain static. Looking real at deployment isn’t enough: a decoy that drifts away from the environment around it becomes as obvious as one that never fit in the first place. If an attacker sees that a stolen credential hasn’t been used in five weeks, or that a system is running an OS build nothing else on the network runs, they’ll be suspicious. Once an experienced attacker believes there’s deception in the environment, they’ll steer clear of anything that looks out of place. That means keeping it real if you expect the deception to remain effective.
For the ThreatDefend platform, we keep things real by using machine learning to regularly update the deceptive assets. The platform continuously listens to the environment to see how it changes over time. As the environment changes, the decoys change to match, so they always look authentic. An attacker doing reconnaissance on the network won’t see anything unusual, because the decoys are changing at the same pace as the rest of the network rather than standing still.
Keeping it real on the endpoints means keeping the deception credentials and other assets up to date as well. Attivo handles endpoint deception using the ThreatStrike™ solution from the ThreatDefend platform, which places deceptive credentials and other lures and breadcrumbs on the endpoints. ThreatStrike runs as an agentless service that keeps the local deception up to date, without requiring software installed on the endpoint or any patching of that software. When an attacker looks at local assets or scrapes credentials from the endpoint, what they see is current. None of the breadcrumbs or deception credentials will be stale or look out of place, so they don’t raise any red flags for the attacker.
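The two tells described above (a credential nobody has used in five weeks, a host whose OS build is out of step with the rest of the network) can be turned into a periodic audit that compares every decoy against the real assets around it. The script below is an added example written for this page; it is not Attivo’s or ThreatDefend’s code and says nothing about how the platform works internally. The inventory, host names, OS build strings, the snapshot time and the 90th-percentile age threshold are all constructed assumptions.

```python
"""Stand-out decoy audit.

Added example, not part of the Attivo post or product. A decoy stays
believable only while its observable attributes (last-use age, OS build)
fall inside the range that real assets in the same environment show.
Everything in the inventory below is constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import ceil


@dataclass(frozen=True)
class Asset:
    name: str
    os_build: str        # build string as the host reports it (made up here)
    last_used: datetime  # last logon for a host, last use for a credential
    decoy: bool


def nearest_rank_percentile(values, p):
    """Nearest-rank percentile (0 < p <= 1) of a non-empty sequence."""
    ordered = sorted(values)
    return ordered[max(0, ceil(p * len(ordered)) - 1)]


def age_days(asset, now):
    """Days since the asset was last used, as a float."""
    return (now - asset.last_used).total_seconds() / 86400


def audit_decoys(assets, now, age_percentile=0.9):
    """Return {decoy_name: [reasons]} for decoys that look out of place.

    A decoy is flagged when its last-use age exceeds the chosen percentile
    of real-asset ages, or when it runs an OS build no real asset runs.
    The baseline is always the real estate, never a fixed number of days.
    """
    real = [a for a in assets if not a.decoy]
    if not real:
        raise ValueError("need at least one real asset to compare against")
    max_age = nearest_rank_percentile([age_days(a, now) for a in real],
                                      age_percentile)
    real_builds = {a.os_build for a in real}

    findings = {}
    for d in (a for a in assets if a.decoy):
        reasons = []
        age = age_days(d, now)
        if age > max_age:
            reasons.append(f"last used {age:.0f}d ago; real assets are "
                           f"at most {max_age:.0f}d")
        if d.os_build not in real_builds:
            reasons.append(f"OS build {d.os_build} not seen on any real asset")
        if reasons:
            findings[d.name] = reasons
    return findings


# Constructed snapshot of an environment, taken at NOW (assumed time).
NOW = datetime(2024, 1, 15, 9, 0)


def _asset(name, build, days_ago, decoy):
    return Asset(name, build, NOW - timedelta(days=days_ago), decoy)


SAMPLE_INVENTORY = [
    _asset("ws-101", "19045.3803", 0, False),
    _asset("ws-102", "19045.3803", 1, False),
    _asset("ws-103", "22631.2861", 2, False),
    _asset("ws-104", "22631.2861", 3, False),
    _asset("fs-01", "19045.3803", 5, False),
    _asset("db-01", "19045.3803", 7, False),
    _asset("ws-105", "22631.2861", 10, False),
    _asset("lab-01", "19045.3803", 14, False),
    _asset("dec-fs01", "19045.3803", 35, True),   # five weeks idle: stands out
    _asset("dec-db02", "17763.1", 2, True),       # a build nothing real runs
    _asset("dec-ws03", "22631.2861", 3, True),    # blends in
]


def sample_findings():
    """Run the audit over the constructed inventory."""
    return audit_decoys(SAMPLE_INVENTORY, NOW)


if __name__ == "__main__":
    for name, reasons in sample_findings().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run on the constructed inventory, the audit flags `dec-fs01` for age and `dec-db02` for its OS build, while `dec-ws03` passes. The point of deriving the threshold from the real assets, rather than hard-coding "older than N days", is that the same decoy can be fine in a lab subnet where hosts sit idle for weeks and conspicuous on a busy workstation VLAN; the baseline has to be the environment the decoy lives in. Anything flagged is a candidate for the refresh the post describes, and the same comparison can be extended to any attribute an attacker can observe during reconnaissance.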
Saying “keep it real” in the context of deception isn’t the oxymoron it first appears to be. In fact, the ability to keep deceptive assets fresh and authentic is one of the things that sets the Attivo Networks ThreatDefend platform apart and makes it so effective. Ultimately, to keep deception ef