Using deception to improve cyber resilience by turning the tables on attackers

Published: Thursday, 02 July 2020 07:36

Throughout history, deception has been a critical component of military activities. Now that most organizations are continuously targets of cyber attacks deception provides  a way to stay ahead of cyber attacks instead of feeling like we’re always one step behind. Carolyn Crandall explains further...

For years, the adage that the attacker ‘only has to get it right once and that the defender has to be right all of the time’ has placed organisations at a distinct disadvantage in preventing security breaches. 

While fundamentally still correct, cyber criminals have now become more sophisticated and their tools more advanced. They are no longer looking for simple and quick pay-outs. Instead, these skilled and determined threat actors are working quietly and methodically to conduct their attacks and finding ways to breach the network regardless of the protections that are in place. The reality is that there is no such thing as 100 percent secure, and there is not a ‘silver bullet’ security control that can stop everything quickly and reliably. As such, security teams need to look closely at their strategies for a layered defence / defense and make sure that they have comprehensive coverage and actionable alerting.

Layering technologies that do more of the same in how they provide coverage and detection will result in diminishing returns and potential security gaps. Infosec teams need to be open to new approaches to threat detection that will reduce risk and place organizations in a stronger position of control.

Endpoint detection and response (EDR) solutions provide one form of coverage. The solutions offer the ability to examine process flows and chains to determine if something looks unusual and work in addition to endpoint protection (EPP) solutions which, together, provide the ability to prevent, detect, investigate, and respond to malicious activities or file-based malware.

The use of deception technologies takes a layered defence one step further and closes the remaining gaps associated with detecting other attack methods and lateral movement activities. Collectively, these solutions will not only thwart attacks to keep the business running but also strengthen their overall security against even the most advanced threat actors.

Defence through deception

Any security strategy worth its salt should have a proactive list of contingencies for dealing with intruders and avoiding disruptions to business operations. It has become particularly important in recent times as criminals have sought to exploit organizations’ security weaknesses during the COVID-19 crisis. Deception has been a universal weapon in every cyber criminal’s arsenal, and they use it in a steadfast way to take the initiative and gain the first-mover advantage.

A prime example is the use of deceptive email attacks, with phishing accounting for a large number of reported security incidents. Simple but effective deceptive techniques such as spoofing a legitimate domain and impersonating a trusted contact or authority enable attackers to trick their targets into bypassing many of their company’s defences.

However, while deception has served as a preferred tactic for threat actors, it can also be a powerful defensive option for security teams tasked with preventing attacks and protecting any attempts at extortion or interruptions to their business’ operations. A well-crafted deceptive environment populated by false assets, bait, and sleight of hand misdirections serves to stop the attackers in their tracks. This ‘hall of mirrors’ efficiently lures adversaries into engaging with convincing but utterly worthless assets. These serve multiple purposes of protecting valuable systems and data by forcing the attackers down a blind alley, wasting their time and resources, accurately tipping off the defenders to their presence, and revealing the techniques of their attack, which the deceptive servers record during the engagement.

Using deception to create a multi-layered defence

Honeypot tactics, the most basic form of deception, have been used for decades for research and can be quite successful in deceiving attackers as they sniff out potential targets. They are, however, the digital equivalent of a cardboard cut-out façade that only looks convincing from a distance and will not stand up to any level of scrutiny.

A more advanced and effective approach is to populate the deceptive environment with a mix of endpoint deceptions and a detection fabric that universally covers the on-premises, cloud, and remote location networks.

Casting a deception net over an endpoint will prevent an attacker from easily moving off the system. The deceptive assets will promptly detect and derail criminals attempting to conduct lateral movement activities such as stealing credentials, discovering network assets, probing for open ports, querying Active Directory for critical objects, and escalating privileges.

Additionally, as part of the deception fabric, decoys that mirror production assets will serve not only as bait for automated scans but will stand up to inspection and even interaction by the human threat actor.  Using a deceptive environment in this way delivers multiple layers of defence simultaneously.

First and foremost, it serves as an effective way of detecting unusual network activity. Decoys trigger an alarm as soon as the attacker interacts with them, alerting the security team to a potential intruder.

A second advantage here is the opportunity to study the intruder and gain clues about the objective of the attack, as well as their tactics, techniques, and procedures (TTPs). This capability provides invaluable threat intelligence on how attackers are precisely attacking the company and help the security team to harden defences against further attempts using similar tactics. 

Finally, and perhaps most importantly, the deceptive environment provides a layer of active protection, deflecting the attacker from the company’s actual data and systems. This feature can drastically increase the security team’s chances of shutting down the attack before it has an opportunity to impact business operations.

The need for flexibility in uncertain times

The versatility of a deceptive defence has become particularly beneficial as organizations continue to grapple with the impact of the COVID-19 crisis. Criminals have been quick to take advantage of the pandemic, incorporating COVID-19 into their deceptive phishing tactics and targeting companies that have been left more exposed due to extended remote working practices.

Deceptive defence techniques can tailor to fit any number of different environments and situations, including countering attackers capitalising on COVID-19. For example, decoy VPN credentials can act as bait for attackers seeking to hijack, access, and exploit remote connections.

Deception technology can also beat attackers at their own game. With businesses facing an uphill struggle to keep their networks secure in these uncertain times, the flexibility of deceptive defences will better enable organizations to deal with a wide range of threats while keeping their operations running without interruption.

The author

Carolyn Crandall is Chief Deception Officer at Attivo Networks.