Using Deception to Fix the Fight
Written by: Tony Cole, Attivo Networks CTO – I spoke with a CISO the other day that I’ve known for a long time about Deception Technology and asked him why he has yet to give it a try. His response? I don’t think deception is a good fit for an enterprise. My response was, “Huh? Why is that?” He said that he likes a well-structured environment and feels that today they have a good grip on what their assets are and what is of importance. He was concerned that adding something in like Deception would change all of that up with a more fluid environment and they would lose control. His response certainly surprised me. I asked him if he was under attack and he said, “Yes, every day.” I then asked if any of those attacks had been successful, and he said, “Yes, a number of them.” I followed up by inquiring if, during these attacks, the adversaries utilized deception as a tactic? He sat there for a second staring at his cup of coffee and within a few moments I saw a light switch on in his brain. He said, “Uh, yeah, every single time.” Suddenly he was a CISO interested in learning more about Deception and how the tables could be turned on attackers.
Today, most enterprises are in a defensive posture, trying to stop cyber-attackers twenty-four hours a day, seven days a week, three-hundred and sixty-five days a year. The attacker only needs one minute when no one is looking and where a single defensive gap exists to get their foot in the door. Let’s look at this through the lens of a sports analogy (this same CISO is a major boxing and UFC fan).
Imagine you are at your own home ring for a fight. The match starts, only it isn’t announced and your opponent slides quietly into your ring and hits you in the back of your head when you aren’t looking. Yes, he isn’t bound by any rules. You try to turn and attempt to block each punch. You don’t hit back because you’re not allowed to hit back. Oh, did I mention that you can’t move either since your feet are stuck to the floor? So, your job is to stay in one spot and try to block punches while your opponent moves around YOUR ring and hits you at their leisure. Think you can win that way? Punch/block. Punch/block. Punch/attempted block, you missed that one. Your head is now ringing and bingo we have a compromise.
A completely reactive and defensive posture with almost entirely preventative tools is doomed to fail and will suffer compromise sooner or later. In most cases, sooner, and frequently. We need to learn our lessons and implement the same tactics the adversaries use. Let’s look at our boxing match again.
You’re in your home ring practicing. An opponent seems to slip silently into the ring, or so he thinks. He hits you in the back of the head, repeatedly. What he doesn’t know is that it isn’t really you. It’s a decoy and in reality, you are standing behind him watching and studying all of his moves. You now have the ability to move around the ring, counter his punches and punch back. It is your ring after all, not his. All the while, capturing the data and utilizing it to update your repertoire to ensure his tactics will never work in your ring again.
Deception technology allows you to turn the tables on the cyber-attacker. Adversaries typically begin to use it against you as soon as they finish their reconnaissance and begin direct interaction with your company. Social Engineering is based on deception, spearphishing is based on deception, waterhole attacks are based on deception. Most attacks pretend to be something else and utilize deception to fool people into taking an action that compromises their system. Why isn’t everyone utilizing deception to counter these attacks? Let’s let the adversary guess what is real and what isn’t. Thankfully the trend has started to significantly change, as security professionals have begun to understand the benefits of a deceptive platform in countering the wily cyber-adversary. Deception technology provides the platform needed to easily execute an active defense strategy. By deploying deception-based technology as a detection mechanism throughout the network stack, companies achieve efficient detection for every threat vector and every phase of the attack. Utilizing high-interaction decoys and lures, deception deceives attackers into revealing themselves, their tactics, tools, and processes, and helps you close those now identified detection gaps on threats that have, in the past, evaded your security controls.
It’s time we take control of our own ring (enterprise) with an active defense strategy utilizing deception. Cyber-defenders are always under attack and end up taking a lot of beatings on a daily basis. It’s time we make a change. No more standing idly by while getting repeatedly punched in the face.