After introducing why cyber detection is so important and how deception can deliver great value, today we look at implementing deception as a further link in your cyber security chain, and recap why you should not ignore the substantial added security it offers your organization.
Given the breadth of benefits that can be realized using cyber deception, implementing a deception strategy can seem challenging. Fortunately, it can be simplified by taking a structured approach.
The first step in the process is to identify and prioritize deception goals. Some organizations may have only one initial deception goal, such as faster detection and response. Other organizations may have multiple goals of differing priorities. An organization that has very effective detection capabilities may be primarily interested in the collection of threat intelligence with a secondary interest in supplementing their existing detective controls. As long as your deception goals, and the prioritization thereof, are in line with your organization’s security posture and business or mission objectives, it does not matter what goals are selected or their prioritization. What matters is that a goal or goals have been identified.
Once you have identified your goal, the next step is to identify what the attacker needs to do in order for you to achieve that goal. If my goal is to quickly and accurately detect attackers, I need attackers to interact, in any capacity, with my deceptive resources. If my goal is the collection of threat intelligence, I need the attacker to reveal their tools, tactics, techniques, practices, and/or goals. At its core, deception is not focused on getting the adversary to think something, but rather on getting the adversary to do something. The second step in the deception planning process therefore focuses on what we want the attacker to do.
Next, deception planners need to decide what information must be conveyed to the attacker to bring about the desired action. Attackers decide whether and how their attack will progress based on the information they gather while acting against and interacting with our computing environment. This information may come from reconnaissance, scanning, sniffing network packets, or interrogating already compromised systems. Deception planners must develop enough of an understanding of attacker techniques, tools, and goals to know how these decisions are made and what they are based on. That understanding tells planners what information must be presented to the attacker to influence them toward the desired actions. The key word is “influence”: deception is an “influence operation” rather than a “control operation”. Deception planners must always remember that, presented with the same information, two attackers can make drastically different decisions.
While this deception planning process may sound intimidating, in most cases it is relatively easy, particularly when purchasing a commercial deception technology. It is still important to fully understand your deception goals, because knowing your goals lets you identify the deception technology solution that aligns with them most closely. Beyond that, commercial deception technology vendors have thoroughly researched what information needs to be presented to the attacker and how it can be conveyed. Thus, after selecting the most appropriate vendor, the initial implementation of cyber deception becomes only a matter of learning to deploy and then use the technology.
Come back next time for our insight into the main reasons why cyber deception is one of the most powerful assets in IT security.