“Never attempt to win by force what can be won by deception,” said Machiavelli in The Prince.
Military leaders as far back as Sun Tzu recognized the value of deception, yet only recently have cyber security professionals experienced a similar awakening. Until very recently, IT and security teams focused primarily on perimeter defenses, building theoretically impenetrable walls, defensive signatures and other strategies intended to prevent attackers from stealing data. Today, however, teams must assume it is a matter of “when” and “how often” cyber attackers will breach their networks, not “if.” Verizon’s 2014 Data Breach Investigations Report finds that cyber-espionage increased more than 300 percent in the last year alone, with the U.S. by far the largest victim.
Innovative IT and security teams are increasingly taking cyber attackers’ most valuable tool, deception, and using it against them. They are deploying defense-in-depth strategies that render breaches more difficult, time-consuming and cost-prohibitive to execute.
However, for a deception and decoy solution to work, it must be based on authenticity. The two approaches most frequently adopted by organizations today are based on either emulation or real operating systems and services.
In an emulation strategy, one or more virtual machines (VMs) emulate an organization’s network, services and operating systems based on that network’s architecture. The VMs deceive the malware into attacking the emulated environment versus the actual one. The benefits are obvious, but there are downsides.
First, any emulated service or device is, by design, not active: it cannot engage with the attacker beyond initial detection. Without that additional engagement, response teams cannot gather the Tactics, Techniques and Procedures (TTPs) of the attack or the forensics needed to remediate the infected systems. Emulated systems also do not reproduce the depth of administrative tools that attackers rely on heavily for lateral movement. And because an emulated system cannot fully engage and complete the attack cycle, that shortcoming becomes a “fingerprint” that clues attackers in to the deception. Finally, emulated environments are limited in their configurations; even with a choice of popular services, an emulated environment will likely stand out from real servers when it does not match the “golden image” or environment it is trying to emulate.
Basing the deception strategy on real operating systems that also run the expected protocols or services, on the other hand, has all the advantages and none of the negatives of an emulation strategy. By running real operating systems and customizing services so that only the applications used in an organization’s environment are turned on, the deception server becomes an authentic decoy that can be virtually indistinguishable from an actual server. The ability for a company to load a “golden image” on the decoy or install custom applications creates an environment with the highest degree of deception.
A logical question to ask would be about the maintenance of these real operating systems and services. Attivo has resolved all these issues by building a self-sustaining deception solution that eliminates the need for any additional IT involvement.
Additional new features and support are provided as part of the software support maintenance contracts for the deception server. Updates to these devices should be non-disruptive and not require the attention of the organization unless it chooses to change service configurations based on new functionality or changing needs.
Authenticity is not only about the decoy, but also about the quality of the deception lures. A comprehensive deception platform will provide lures not only from the decoy but also from endpoint devices. The deception lures on the endpoint should be customizable to mimic the organization’s infrastructure and integrated with the decoy system. The lures should be different on each endpoint and should be refreshed frequently to ensure they look genuine. Integration with SIEM and other prevention solutions will also give organizations an effective way to detect stolen-credential attacks and the infected endpoints.
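The following is an added illustration of the endpoint-lure mechanics described above; it is not Attivo’s code or any product’s API. It assumes a simple model: each endpoint receives a decoy credential that is unique to it, lures are rotated on a schedule but every lure ever issued stays on a watchlist (a credential harvested before a rotation can still be played back later), and a SIEM-side matcher scans logon events for any use of a lure username and attributes the attempt back to the endpoint the lure was planted on. The domain name, hostnames, usernames, addresses and log line format are all constructed for the example.

```python
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Constructed username stems: account names an attacker would expect a careless
# admin to leave behind. A random suffix makes each planted lure unique, so a
# later sighting points at exactly one endpoint.
USERNAME_STEMS = ("svc_backup", "adm_sql", "svc_monitor")


@dataclass
class Lure:
    endpoint: str          # host the lure was planted on
    username: str          # decoy account, unique to that endpoint
    password: str          # random; only the decoy server ever accepts it
    planted_at: datetime
    retired: bool = False  # replaced by a newer lure, but still watched


class LureRegistry:
    """Plants one decoy credential per endpoint and keeps every lure ever
    issued on a watchlist, so a credential stolen before a rotation is still
    recognised when it is finally used."""

    def __init__(self, domain: str, max_age: timedelta = timedelta(days=7)):
        self.domain = domain
        self.max_age = max_age
        self._active: dict[str, Lure] = {}     # endpoint -> current lure
        self._watchlist: dict[str, Lure] = {}  # username -> lure (incl. retired)

    def plant(self, endpoint: str, now: datetime) -> Lure:
        stem = USERNAME_STEMS[len(self._watchlist) % len(USERNAME_STEMS)]
        username = f"{stem}_{secrets.token_hex(3)}"
        while username in self._watchlist:  # guarantee uniqueness across all lures
            username = f"{stem}_{secrets.token_hex(3)}"
        old = self._active.get(endpoint)
        if old is not None:
            old.retired = True               # stays on the watchlist
        lure = Lure(endpoint, username, secrets.token_urlsafe(12), now)
        self._active[endpoint] = lure
        self._watchlist[username] = lure
        return lure

    def refresh(self, now: datetime) -> list[str]:
        """Rotate every lure older than max_age; returns the endpoints touched."""
        stale = [ep for ep, l in self._active.items() if now - l.planted_at >= self.max_age]
        for ep in stale:
            self.plant(ep, now)
        return stale

    def lookup(self, username: str) -> Lure | None:
        return self._watchlist.get(username.lower())


# Constructed log line shape, loosely modelled on a logon event forwarded to a SIEM:
#   <ISO timestamp> <reporting host> LOGON_<FAILURE|SUCCESS> user=<DOMAIN>\<name> src=<ip>
LOGON_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) LOGON_(?P<result>FAILURE|SUCCESS) "
    r"user=(?P<domain>[^\\\s]+)\\(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class LureAlert:
    planted_on: str      # endpoint the credential was harvested from
    username: str
    attempted_from: str  # source address of the logon attempt
    target: str          # system that reported the attempt
    ts: str


def match_logon_events(registry: LureRegistry, lines: Iterable[str]) -> list[LureAlert]:
    """Any logon attempt with a lure username, successful or not, is an alert:
    lure accounts are never used legitimately, so there is no benign case."""
    alerts: list[LureAlert] = []
    for line in lines:
        m = LOGON_RE.match(line.strip())
        if m is None or m["domain"].lower() != registry.domain.lower():
            continue
        lure = registry.lookup(m["user"])
        if lure is not None:
            alerts.append(LureAlert(lure.endpoint, lure.username, m["src"], m["host"], m["ts"]))
    return alerts


def demo() -> tuple[list[str], list[LureAlert]]:
    """Plant lures on two endpoints, rotate after a week, then replay a few
    constructed logon events. Returns (rotated endpoints, alerts)."""
    reg = LureRegistry("CORP")
    day0 = datetime(2014, 10, 1)
    fin = reg.plant("ws-fin-07", day0)
    reg.plant("ws-hr-02", day0)
    rotated = reg.refresh(day0 + timedelta(days=8))  # both lures are now stale
    # Constructed events: the first replays the credential harvested from
    # ws-fin-07 before rotation; the others are a real account and another domain.
    events = [
        f"2014-10-09T02:11:03Z dc01 LOGON_FAILURE user=CORP\\{fin.username} src=10.0.5.23",
        "2014-10-09T02:11:09Z dc01 LOGON_SUCCESS user=CORP\\jsmith src=10.0.5.23",
        f"2014-10-09T02:12:40Z fs02 LOGON_FAILURE user=LAB\\{fin.username} src=10.0.5.23",
    ]
    return rotated, match_logon_events(reg, events)


if __name__ == "__main__":
    rotated, alerts = demo()
    print("rotated:", rotated)
    for a in alerts:
        print(f"lure {a.username} planted on {a.planted_on} used from {a.attempted_from} "
              f"against {a.target} at {a.ts}")
```

The design choice worth noting is that rotation never removes a lure from the watchlist: the value of a per-endpoint lure is the attribution it gives when it is eventually used, and that use may come long after the lure was refreshed. In a real deployment the matcher would subscribe to the SIEM’s logon events rather than a list of strings, and the alert would carry the planted-on endpoint as the first host to isolate.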
Ideally, the deception and decoy technology organizations deploy should achieve authenticity through a non-disruptive, scalable solution that is able to detect the presence of cyber attackers, identify their intent and rapidly provide the intelligence that enables IT and security teams to thwart the attack.