Obviously, You Can’t Be Obvious
Written by: Mike Parkin, Product Marketing Engineer

As deception technology has matured into a modern and effective security solution, vendors have pursued different techniques for creating decoys, lures, and the rest of the details that go into a deception platform. One of the challenges the industry faces is creating deceptive assets that fall into the ‘sweet spot’ that will lure an attacker in without being an obvious trap.
To be fully effective, the deception needs to cover the whole environment. A skilled attacker will be trying to leverage everything they can find. That means they will be looking for credentials and resources on the endpoints, as well as vulnerable systems and services they can find on the network. Since your adversary is looking everywhere, there should be deception everywhere to blur the attack surface and make their job more difficult.
However, there is more to good deception than just having deceptive assets throughout the environment. Those assets need to be inviting enough that an attacker will notice and engage with them, but not so inviting that they are an obvious plant. It’s a matter of authenticity. The more a decoy or deceptive asset looks like the real thing, the more likely an attacker is to take the bait.
For decoys, systems, and services, this authenticity comes from using “real” operating systems and services. To perfectly match the environment’s systems, the best deception solutions can accommodate custom “gold disk” images. Another advantage to these “real” systems is they enable a high level of interaction with the attacker. That interaction can be invaluable for gathering adversary intelligence the organization can leverage to improve the rest of their stack. Ideally, this authenticity extends to the deceptive credentials and other endpoint assets, which get it from being based on the format, style, and naming conventions used in production.
Some competitors in the deception technology space rely on emulation or low-interaction decoys to deceive attackers. While those solutions can be small and light, they also don’t provide much authenticity and are relatively easy for an attacker to identify and avoid. After all, if they can see it’s not real, they know to keep their hands off it.
At the other end of the scale, one of the deception vendors includes “stand-out” decoys as a feature. The idea is that a highly visible system is going to attract more attention and is more likely to draw in an attacker. While this is good in theory and would be very inviting to an inexperienced opponent, the reality is that a system that is “obvious” is going to send up red flags for a skilled attacker. Again, if they suspect it’s a trap, they’re going to avoid it.
The bottom line is that the best deception is going to cover the entire environment with decoys and bait that look real. They can’t be so lightweight, or ‘stand out’ so much, that they’re an obvious trap. They need to fall in that sweet spot, where they’re ubiquitous and authentic, so an attacker can’t tell them from the real thing.