Written by: Tony Cole, Attivo Networks CTO
There are a lot of questions around why deception technology is applicable to cyber defense. There are many insightful answers to this question. The most pertinent one is that it allows you to shrink adversary dwell time inside your environment. Let’s talk about deception for a moment before digging into how it can reduce attackers’ dwell time.
It’s likely that everyone reading this blog knows what deception is; what you may not be aware of is its long history in conflict. Deception has been used for millennia to win major battles. There was the mythical Trojan gift horse packed full of soldiers, who took over the city in the middle of the night after everyone was asleep. Alexander the Great defeated Porus by tricking him into believing no river crossing was underway when in reality his army had already crossed. Genghis Khan tricked his enemies into thinking he was retreating – surprise, he wasn’t, it was a trap. There are many other historical cases where deception was used to secure a victory in battle. Deception is popular in most sports today as well: teams build an offensive strategy to fool the other team into setting up the wrong defense, then get around them and score.
Today large enterprises are connected to the Internet from locations around the globe. CISOs mostly agree that they are frequently under attack, and expect that sooner or later they will suffer from a successful breach. These battles, though, are taking place in your enterprise, which is your home turf. Deception allows you to utilize that home-field advantage to slow, disrupt, deter, and most importantly, quickly identify the attacker inside your enterprise.
Deception adds a comprehensive and dynamic detection control that scales easily across your entire enterprise. You can monitor the adversary as you move network pieces around, refresh deceptive content, and engage the attacker inside a decoy system. Deception can be implemented at the endpoint and at the network layer, whether inside your enterprise or within a cloud environment. A well-structured deceptive layer can be deployed across the enterprise using machine learning, and can incorporate your own gold images or default images depending on the level of authenticity and interaction you want to offer an adversary. Breadcrumbs can be laid across the enterprise along with deceptive credentials that lead back to the decoy systems. Deceptive documents can be placed on important assets to provide high-fidelity alerts if opened. Since the deceptive environment isn’t designed to interact with users conducting authorized routines, your security team knows that an alarm indicates a real threat, and that they need to react to counter the adversary now inside your enterprise.
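To show why a decoy alert is high-fidelity, here is an added example (not from the post or from Attivo’s product) that scans constructed authentication log lines for any use of a planted breadcrumb credential or any connection to a decoy host; the host names, user names and log format are assumptions. Because no authorized routine touches these artifacts, a single match is an alert, with no threshold or allow-list to tune, and a failed attempt counts as much as a successful one.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed inventory of deceptive artifacts (hypothetical names): decoy hosts that
# no production workflow reaches, and breadcrumb credentials that no real user was issued.
DECOY_HOSTS = {"fs-backup-02.corp.example", "10.20.30.40"}
DECOY_CREDS = {"svc_backup_admin", "jsmith-old"}

# Constructed log format: "<date> <time> <src> -> <dst> user=<name> result=<ok|fail>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+) user=(\S+) result=(\S+)$")

@dataclass
class Alert:
    when: datetime
    source: str   # host the attacker is operating from
    reason: str

def inspect(line):
    """Return an Alert if the event touches a deceptive artifact, else None.
    The result field is deliberately ignored: even a failed login with a planted
    credential proves someone harvested it from an endpoint."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, user, _result = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    if user in DECOY_CREDS:
        return Alert(when, src, f"breadcrumb credential '{user}' used against {dst}")
    if dst in DECOY_HOSTS:
        return Alert(when, src, f"decoy host {dst} contacted")
    return None

def scan(lines):
    """Run inspect() over a batch of log lines and keep only the alerts."""
    return [a for a in (inspect(line) for line in lines) if a]

def first_sighting(alerts):
    """Earliest alert: the moment dwell time stops being unobserved."""
    return min(alerts, key=lambda a: a.when) if alerts else None

# Constructed sample: two legitimate logins, then a planted credential is tried
# (and fails) against a production file server, then the decoy server is probed.
SAMPLE = [
    "2024-03-01 09:00:12 10.1.1.5 -> mail.corp.example user=alice result=ok",
    "2024-03-01 09:03:44 10.1.1.9 -> fs-prod-01.corp.example user=bob result=ok",
    "2024-03-01 09:15:02 10.1.1.9 -> fs-prod-01.corp.example user=svc_backup_admin result=fail",
    "2024-03-01 09:16:30 10.1.1.9 -> fs-backup-02.corp.example user=bob result=ok",
]
```

Running `scan(SAMPLE)` yields two alerts, both attributed to 10.1.1.9, and `first_sighting` pins the intrusion to 09:15:02, twelve minutes after that host’s last legitimate login.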
Dwell time is a major issue today; according to recent research it still stands at over one hundred days in the United States and can be considerably longer in other countries. Clearly, adversaries are afforded far too much time to move around inside your enterprise once they’ve breached it. One of the major advantages of deception is that it lets the defender use their home-field advantage to quickly identify infections or policy violations, and thus shrink dwell time.
Organizations should use their home-turf advantage and their knowledge of their own environment to apply offensive countermeasures and stay one step ahead of the attacker.
This ‘Why Deception’ blog is the first of five. Next we’ll dive deeper and discuss ‘Why comprehensive deception is critical, and how credential-only deception can be avoided by sophisticated attackers’.