The focus of our last article, the introduction to deception, was on attack detection. There are two reasons for this. First, accurate and rapid attack detection is the deception benefit that most organizations need most urgently. Second, rapid, accurate attack detection provides the foundation for understanding and realizing the other deception benefits.
Distraction and Delay
In non-deceptive environments, when an attacker is discovered on a network, they are removed as quickly as possible. Failure to remove an attacker increases the risk that the attacker will gain access to sensitive production assets. When deception is used, this paradigm changes. If an attacker is discovered in a deceptive environment, and they are interacting with deceptive resources, removing the attacker from the environment is not necessary. If the attacker is interacting with production assets, they can be redirected to deceptive resources. Thus, deception can be used to distract attackers, focusing their attention away from production assets and towards deceptive resources. This distraction delays the attacker's advance towards sensitive production resources.
As discussed previously, even if the deception is discovered by the attacker, defenders gain an advantage. An attacker aware of the deception has three options: they can continue with their attack without modification, they can halt their attack in favor of an easier target, or they can slow their attack in an attempt to differentiate between deceptive and production resources. If they continue, they get caught. If they leave, the threat is gone. If they attempt to differentiate between deception and production, their attack will be significantly slowed.
Rapid, reliable, and accurate threat detection combined with the use of realistic deceptive resources provides an opportunity to collect threat intelligence. Collecting threat intelligence involves developing a better understanding of the tools, techniques, practices, tactics, and motivations of attackers. While there are many threat intelligence services to which organizations can subscribe, there will always be some “generalization” of the provided information. Threat intelligence received via a service may be specific to certain industries or geographic regions, but it will never be specific to a given organization.
Traditionally, organization-specific threat intelligence is collected as part of the incident response and forensic investigations that follow a compromise. This is clearly not optimal, as it requires an organization to first suffer a breach of production systems and the resulting harm. This is where cyber deception comes into play. An attacker interacting with deceptive systems is not accessing production data and therefore is not causing direct harm to their target. This allows security professionals to collect organization-specific threat intelligence without suffering measurable harm. If the attacker were to “break containment” and attempt to interact with production resources, they can be easily removed from the network.
Knowledge that an environment is using deception could be enough to cause an attacker to look for an easier target elsewhere, but there are other opportunities for deception to deter attacks. Deceptive systems can use system naming to create the impression of a stronger security posture than actually exists. Deceptive information pushed to publicly accessible sites (e.g., blog posts, newsgroups, etc.) can be discovered during attacker reconnaissance and can affect the attacker’s weaponization, resulting in a failed attack. Even obvious deception, such as making it appear that every IP address in a network is in use or that every port on a system is open, can be disruptive to an attacker.
Cyber deception can also be used to facilitate threat hunting. Put simply, threat hunting can be described as incident response without prior indication that an incident has occurred. It is proactively looking for an attacker on your network. By combining the use of deceptive resources with traditional threat hunting tactics, the chances of detecting an attacker are increased. Even attackers that have been on a network for some time are continually looking to expand their access. Carefully and deliberately placed deceptive resources can create the impression that new technology has been deployed, giving attackers a new target.
Looking at this a different way, threat hunting involves actively looking for indicators of compromise. It requires significant and intentional work effort. Deploying deception in conjunction with threat hunting is more like threat trapping. I can place my traps and exert minimal effort afterwards. I simply wait until the attacker interacts with any of my traps and then respond accordingly. Thus, deception allows for significantly greater detection capabilities with minimal additional effort.
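The threat-trapping idea above, together with the “break containment” case from the threat intelligence discussion, can be reduced to a small piece of detection logic. The following is an added example written for this article, not code from the original post or from any product: it keeps an inventory of decoy hosts and honey accounts (constructed values), walks a batch of constructed connection-log lines in a simplified format assumed for the example, raises an alert whenever anything touches a trap, and escalates when a source that has already tripped a trap goes on to reach a production host. The suggested responses mirror the article: interaction with a decoy only needs monitoring, while reaching production is the point at which removal becomes necessary.

```python
# Added example (not from the original article): treating decoy resources as
# traps, alerting on any touch, and escalating when a trapped source breaks
# containment by reaching a production asset. All hosts, accounts and log
# lines below are constructed for the example.
import re
from dataclasses import dataclass

# Constructed inventory of deceptive resources. Nothing legitimate should ever
# reach these, so any interaction is a high-fidelity indicator.
DECOY_HOSTS = {"10.0.9.10", "10.0.9.11"}
DECOY_ACCOUNTS = {"svc_backup_legacy"}
# Constructed inventory of sensitive production assets (the containment boundary).
PRODUCTION_HOSTS = {"10.0.1.5"}

# Constructed, simplified connection-log format assumed for this example:
# <timestamp> <src_ip> -> <dst_ip>:<port> user=<account or -> <action>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) "
    r"user=(?P<user>\S+) (?P<action>\S+)$"
)

# Constructed sample input: one benign user, and one source that touches a
# decoy host, logs in with a honey account, then moves to a production host.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z 10.0.4.20 -> 10.0.1.5:443 user=alice login",
    "2024-05-01T10:05:00Z 10.0.4.77 -> 10.0.9.10:445 user=- connect",
    "2024-05-01T10:06:00Z 10.0.4.77 -> 10.0.9.10:445 user=svc_backup_legacy login",
    "2024-05-01T10:09:00Z 10.0.4.77 -> 10.0.1.5:22 user=- connect",
    "2024-05-01T10:10:00Z 10.0.4.20 -> 10.0.1.5:443 user=alice logout",
]


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    reasons: frozenset  # which trap(s) fired, or "break_containment"
    response: str       # suggested defender action


def analyze(lines):
    """Return one Alert per log line that touches a trap or breaks containment.

    Sources that have touched a decoy are remembered. If such a source later
    reaches a production host, the event is escalated: the attacker has left
    the deceptive environment, which is the case where removal becomes necessary.
    """
    tripped_sources = set()
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        src, dst, user = m["src"], m["dst"], m["user"]
        reasons = set()
        if dst in DECOY_HOSTS:
            reasons.add("decoy_host")
        if user in DECOY_ACCOUNTS:
            reasons.add("decoy_account")
        if reasons:
            # Touching a decoy causes no harm: watch, collect intelligence, do not evict.
            tripped_sources.add(src)
            alerts.append(Alert(m["ts"], src, dst, frozenset(reasons), "monitor"))
        elif src in tripped_sources and dst in PRODUCTION_HOSTS:
            # The same source now reaches production: containment is broken.
            alerts.append(Alert(m["ts"], src, dst,
                                frozenset({"break_containment"}), "isolate_source"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(f"{a.ts} {a.src} -> {a.dst} {sorted(a.reasons)} => {a.response}")
```

Run on the constructed input, the benign user 10.0.4.20 never appears in an alert, while 10.0.4.77 produces two "monitor" alerts for the decoy interactions and one "isolate_source" alert when it reaches the production host. The ordering matters: because trap state is keyed by source, the escalation fires only for sources already known to be hostile, which is what keeps the alert volume low compared with general-purpose hunting.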
The pinnacle of cyber deception benefits is active attacker engagement. There are a variety of ways in which we can look at how this works and why it is beneficial. First, we must recognize that there is a fundamental problem with our current (traditional) approach to security. With virtually no exceptions, defensive cyber security places technology in between attackers and sensitive assets. Put another way, we pit technology against humans. Humans are intelligent, creative, and adaptable. Technology is static in that it does only what it has been programmed to do. To evade or circumvent defensive technology, attackers need only discover what the defensive technology does not look for or does not do. By working in these technology gaps, firewalls, IDS, DLP, IPS, antivirus, application whitelisting and many other security controls can be bypassed. Unfortunately, there are few alternatives: with traditional security controls, injecting a defensive human into the equation is difficult because we cannot quickly, reliably, and accurately detect threats. As discussed previously, cyber deception provides the necessary detection, allowing defenders to actively engage the attacker. This active engagement does not mean “hacking back” but rather, it means manipulating the deception story, changing production security controls, and responding to incidents in real time, all based on the attacker’s activity.
Another way of looking at active attacker engagement is by taking lessons from the attackers themselves. Not many years ago, attackers would find and exploit vulnerabilities in public facing services. Then organizations began to focus on patching and hardening those public facing systems and, combined with reasonable firewall rules, direct exploitation of public facing vulnerabilities became less common. To circumvent this problem, attackers began to look for vulnerabilities that were not public facing but that could still be exploited. The obvious target became “client side” software: the software users rely on to interact with computing resources, including document readers, web browsers, packet sniffers, image viewers, etc. By identifying a vulnerability in this software, creating a file, set of packets, image, etc., that exploits the vulnerability, and then tricking a user into taking the actions necessary to execute the exploit, attackers found an entirely new attack vector. Attackers target the human and induce the human, via offensive deception, into triggering the vulnerability. They use deception against us. We have, however, forgotten that attackers are humans too. They can be manipulated in many of the same ways they manipulate us. That is the essence of deception. By feeding the attacker specifically crafted false and, in many cases, selected true information, the attacker’s behavior can be influenced. By manipulating attacker behavior, defenders can achieve security goals that have never been possible before.
Lastly, active attacker engagement can allow attacks to be stopped before they truly begin. Most sophisticated attackers attempt to learn as much as they can about the target prior to any direct attack. This process of reconnaissance has previously been viewed as outside the purview of defenders, and it occurs outside of defender visibility. Deception changes that paradigm. By intentionally planting information on public forums (e.g., web sites, newsgroups, discussion boards, social networks, etc.) defenders can influence the attacker’s understanding of their target environment. Defenders can create the impression of a highly secure environment to deter an attack, they can create the impression of vulnerabilities that do not actually exist to disrupt the attacker’s weaponization, or they can set the attacker’s expectations so as to increase the believability of the deception.
Whether by allowing defenders to use real people to defend against other people, by defensively targeting the attacker as a human, or by conducting anti-reconnaissance, cyber deception used for active attacker engagement allows defenders to truly take back the advantage from attackers.