The objectives of deception are to derail the attack, confuse attackers, and motivate them to disengage or reconsider whether to attack at all when confronted by an opponent who seems more formidable than they first appear.
Such a strategy applies equally to the cybersecurity world. While some adversaries are highly-funded nation-state attackers, many threat actors are simply opportunists. They prefer to prey on targets they think are weak or are easy paths to a pay-out. This wide variety of attackers is increasingly driving organizations to turn to deception techniques. The aim is to confuse threat actors so they can no longer trust what they see or the information their attack tools feed to them. The idea is to increase the complexity associated with the attack such that attackers cannot easily advance their attack and leave empty-handed.
Deception technology essentially booby traps the network so that attackers can no longer tell real from fake and, in turn, end up making mistakes that reveal their presence. Advanced deception technologies can go as far as detecting based on the mere act of an attacker’s observation and feeding them false data that manipulate their future actions in favour of the defender.
Deceiving the deceivers
Most attempts to infiltrate an organisation’s network follow a predictable attack lifecycle. The Cyberattack Lifecycle provides a process flow for this, and the MITRE ATT&CK Framework does an excellent job separating this into 12 major steps of an attack. The first phase is initial reconnaissance, where the attacker gathers publicly available information on the target and formulates an attack strategy. The next step is the initial infection, where attackers compromise a system inside the network. Once inside, they move on to the next phase, establishing a foothold. This phase is where they install back doors, remote access tools, and other mechanisms to return to the infected system whenever they want. They then move to the persistence cycle, composed of the following stages – escalate privileges, internal reconnaissance, move laterally, and maintain a presence. They continue this cycle until they find the data or target they are seeking and complete their mission.
In an environment with deception, attackers gain a misleading picture from the start. When cybercriminals first enter an IT system, they steal higher-access credentials (escalate privileges). A favourite way for a threat actor to do this is by taking locally stored credentials and targeting Active Directory (AD). The AD represents the keys to the kingdom, containing all the credentials attackers need to give them the freedom of the network. With modern AD deception, organisations can hide real information and prevent attack activity targeting AD account information by non-disruptively altering what an attacker sees and providing options to create a false AD server environment.
None-the-wiser, attackers then start snooping around to try to get the lay of the land (internal reconnaissance). Their goal is to create a virtual map that shows where the assets – devices, servers, applications, files, and folders – are, as well as how they might access them. With deception, instead of gaining the information they need to advance (move laterally) and exploit systems to burrow deeper into the network (maintain a presence), they now encounter decoys, deceptive mapped drives, and various lures on endpoint devices, so they are directed away from actual high-value target assets and into a deception environment. At the same time, behind the scenes, the deception network notifies the security team that there is an infiltrator on the network, records their activities, and activates incident response.
In the final phase, attackers attempt to complete their mission by exfiltrating data. With decoy documents, the attacker is enticed to steal data that looks appealing, but in fact, holds zero value. Its sole purpose is to give security professionals insight into what information the threat actor is searching for, as well as how the data gets taken and to where attackers send it.
Make them distrust what they see and their tools
With a cyber deception platform containing a built-in sandbox, it is not uncommon for the threat actor to only realise that they have been led down a rabbit hole after they have spent considerable time and resources carrying out their data gathering and attempts to move around the network. Once aware they’ve stumbled into a trap, attackers face the dilemma of either starting again or simply giving up and moving on. The decision to resume the attack is not taken with more consideration as they now realize that what they see and the tools they rely on no longer provide reliable data. This uncertainty, combined with the time already lost, changes the economics of the attack and can serve as a deterrent from continuing forward. Similarly to seeing a burglar alarm on a house, the attacker now knows that defenders are more prepared, and that although they didn’t see a sign also announcing that there is an attack dog roaming, they now know there is at least one if not many more acts of defence lying in wait to stop them and take a bite into their attack.
To sum up, for organisations that want not only to defend against cyber criminals but also deter them from coming back, deception techniques are a win-win. They efficiently confuse and slow down attackers while reducing dwell times and further protect a company’s most valuable assets. Disillusionment and disappointment are not high on an adversary’s list, and although there is no such thing as a silver-bullet in security, deception can definitely wreak havoc on criminal opponents.
958 words