You’ve Been Deceived about Deception Technology

By Carolyn Crandall, Chief Deception Officer, Attivo Networks

It is easy to be misled about things that are unfamiliar. We see this happen regularly with fake news and manipulative communications that steer a person towards certain beliefs.  Cybersecurity is not immune from this, especially when it comes to deception technology. So, what is there to be deceived about with deception?

Fundamentally, using deception in cybersecurity isn’t really new. The technology has been around for over 20 years and carried some limelight during the active Honeynet days when it proved valuable in helping defenders understand who was attacking the network. Placing a honeypot at the perimeter of the network yielded useful information for research as attackers tried to breach it. The deception was an innovative idea then, but interest faded due to its complexity and the time needed to operate it.

In 2014, advancements in deception technology started surfacing. The concept of trapping and misdirecting attacks was still a core premise, however, there were many critical changes.  First, the deceptions were now designed for operation inside the network, with the value shifting towards setting landmines to derail attacks that had bypassed perimeter defenses. Two fundamental approaches emerged with this innovation, one based on network decoys, and the other based on placing “breadcrumbs” at the endpoint. Both have merit when applied against the cyber kill chain.

Once an attacker compromises the initial system, they want to move laterally to the next system by stealing credentials, accessing mapped drives, or conducting reconnaissance to understand how to get closer to their target. Deceptions placed on the endpoint entice an attacker to unknowingly take deceptive credentials or follow mapped drive shares into a deceptive engagement server. Decoys designed to match production assets confuse and misdirect attackers as they attempt to scan the network or detonate malware. Deploying both forms of deception provides the most comprehensive fabric to detect all forms of attacks. Value is also achieved by preventing lateral movement, creation of back doors, the establishment of C2C connections, obtaining credentials, cracking stored hashes, finding critical systems or data, and identifying Active Directory domain admin accounts, to name a few.

The change in strategic approach addressed a primary misconception related to deception providing value.  Deception technology is no longer limited to research; its primary function is now centered on providing detection early and throughout the attack lifecycle.

The second common misconception is that this technology is difficult to manage. With honeypots and honeynets, it could take a week or more to set up the deception environment. It was anything but the simple and required skilled staff and lots of maintenance time. Modern deception technology innovation includes machine-learning that automatically prepares, deploys, and manages deceptions. It has made operating deception technology extremely simple. The out-of-the-box operation can be achieved within an hour based on using a wide variety of included campaign templates. This is perfect for organizations with limited skill sets and time, or who are not the target of highly sophisticated attackers.  A defender protecting against nation-state attacks or extremely sophisticated threat actors will want to use advanced deceptions. This is done by placing the exact same software used in production onto the decoy so that it mirror-matches the real assets. Integration with Active Directory and DNS also provides verifications for authenticity. Customization may sound complicated, but deceptions can be projected in a way that does not require each decoy’s software to be maintained separately, and deceptions at the endpoint are deployed without the use of an agent. The greatest time is invested on the company deciding what deception strategy they wish to use.  For example, is this just for high-fidelity detection? Do they wish to collect adversary intelligence and forensics? Do they want to engage with the attacker to gain knowledge for pre-emptive defenses?

This leads to addressing the third common misconception that the value of deception is too limited or only applicable to large organizations. The majority of our customers are purchasing deception for the specific use case of post-compromise threat detection. They are choosing deception as their primary detection mechanism because it allows them to detect attacks early and provides them with high-fidelity alerts. With deception, they have achieved accurate detection for known and new sophisticated threats. Organizations are also using deception across all environments they are seeking to protect, including data centers, user networks, infrastructure, and environments like cloud, IoT, Medical IoT, and OT interconnected devices that require new approaches to security. Customer use of deception-based detection spans across visibility to malicious threat actor activity as well as policy violations and misconfigurations from insiders and suppliers that create risk.

Another little-known benefit that is also attracting customers to deception technology is the ability to gather adversary intelligence and forensics and to gain visibility into exposed attack paths. Most detection tools only detect an attack. This leaves defenders at a disadvantage as the attacker gains intelligence with every attempt while the defender typically does not. A high-interaction deception environment gathers TTPs, IOCs, attacker movement, and forensic information. This automated collection and collation of information arms the defender with insight that is typically lost and with details needed to confidently take action. Unlike other tools that generate false positives, these alerts are substantiated and save security teams countless hours in responding to threats. Additionally, given the quality of the alerts, automation can be turned on. This can be manually triggered in the UI or fully-automated to block, isolate, or threat hunt based on native integrations with prevention and threat orchestration tools.

Organizations of all sizes and staffing levels can take advantage of deception for accurate detection and faster incident response. This will be appealing to most; however, those with mature infrastructure and teams can also do more with the platform. Advanced features can include high-interaction application and data deceptions, decoy documents to gather counterintelligence on what an attacker is after, and opening up C2C ports to gather intelligence on items like polymorphic activity.

To sum it all up, the primary use case for deception is detection. Value is derived from accurately detecting known and sophisticated attacks across all critical attack surfaces and in the fidelity of the alert.  Complexity, as well as the belief that this is only for mature organizations, are misapplied to deception platforms. Cybercriminals do not want anyone to believe this is a good technology to adopt because it truly makes their jobs more difficult as they must now decipher real from fake, their attacks are slowed, and as a result, the economics for the attack becomes unattractive.

Still not sure about deception? Ask a Red Team that has had to navigate deception during their testing. It’s hard to say if they will be forthright in admitting being caught, but I am confident they will say it adds complexity and slows them down.  Ask a Blue team, and you will find some of the deception’s best advocates.

About the Author

Carolyn Crandall is a technology executive with over 25 years of experience in building emerging technology markets in security, networking and storage industries. She has a demonstrated track record of successfully taking companies from pre-IPO through to multibillion-dollar sales and has held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed and Seagate. Carolyn is recognized as a global thought leader on technology trends and for building strategies that connect technology with customers to solve difficult information technology challenges. Her current focus is on breach risk mitigation by teaching organizations how to shift from a prevention-based security infrastructure to one of an adaptive security defense delivered through deception-based threat detection.

Carolyn is the chief deception officer at Attivo Networks, as well as an active speaker, writer, and blogger. She often speaks on security innovation at CISO forums, industry events and has been a guest on Fox News. Carolyn has been recognized for several thought leadership awards including Business Woman of Year: CEO Today, Hall of Femme Honoree: DMN, Reboot Leadership Honoree: CIO/C-Suite, Top 100 Power Women (CRN) and was profiled in 2019 in the San Jose Mercury News.

Carolyn can be reached online at [email protected] or @ctcrandall on twitter and at our company website http://www.mycompany.com/