Uncertainty as a Goal of Deception in Cyber Security
Posted by Dr. Edward G. Amoroso, Former SVP and CSO of AT&T; Current CEO of TAG Cyber, LLC. (September 8, 2016 – Hoboken, NJ)
Imagine this: You are an evil cyber intruder, part of a criminal group targeting enterprise businesses for customer medical and financial records. Your goal is to quietly steal without getting caught. During surveillance, you notice that your victim’s system administrators have made bad decisions, leaving unnecessary ports open, and advertising to the Internet many unnecessary services – some apparently by default. You exploit these weaknesses to initiate a northbound break-in. This is followed by simple lateral traversal inside the firewall, also exploiting bad administrative decisions such as weak access settings on SharePoint sites. And finally, after you’ve found the sensitive files you wanted, you easily exfiltrate the data through wide-open outbound Internet access. The offense wins this battle.
Now imagine this: You are the same evil cyber intruder, and you’ve learned that the cyber security community has begun to use stealth deceptive practices in their systems and security administration. You do surveillance at a potential victim’s site, and you notice what appear to be many bad decisions in visible infrastructure, including ports left open and services made available. But you scratch your head and wonder: Is this real or is this a trap? Still uncertain, you begin to tiptoe around, checking for any security mechanism in place to identify you through capture and forensics. But you find nothing. You are ready to break in, but the uncertainty is now a real issue. That is, if you attach to some advertised service, will you be playing into the cyber defender’s trap? You do not want to get caught, so you do not proceed. Or you are confident and proceed. Unbeknown to you, you have just engaged with a deception decoy, and for the next two hours you invest time thinking that you are advancing your attack. The security administration is well aware of your presence and records your actions while hardening their prevention systems. The attack has not only failed; it has also drained the attacker’s time and resources. The defense wins this battle.
* * *
In my new report, the 2017 TAG Cyber Security Annual, released today for download across the Internet, the technique known as deception is highlighted as an important tool in the cyber defender’s kit. And while commercial deception products do require some expertise on the part of the system and security administrative team, companies such as Attivo Networks have made their products simple to install and operate via slick user interfaces, comprehensive reporting capabilities, and efficient automation. In the midst of such advances, one can only conclude that enterprise cyber security teams must begin accelerating the use of deception in their infrastructure.