The ins and outs of deception for cyber security

The ins and outs of deception for cyber security

Today’s deception technologies abandon reliance on known attack patterns and monitoring and use advanced luring techniques and engagement servers

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

It is no longer debated that a prevention only security strategy is enough. Security teams must go on the offense and create an environment that provides continuous real-time detection against an ever-changing landscape of cyber threats, and deception tools can play a critical role.

Deception as a strategy has been used for years in war and, notably, by cyber attackers. However, using deception to address threats that have bypassed traditional prevention security measures is an emerging and additional line of defense.  Today’s deception-based technology abandons the reliance on known attack patterns and monitoring, and instead uses advanced luring techniques and engagement servers to entice an attacker away from valuable company servers.

According to the Ponemon Institute it takes 46 days, on average, before an attack by hackers can be fully resolved. Deception, on the other hand, detects hackers throughout the phases of the kill chain cycle, preventing them from completing their mission.

To understand deception and decoy technologies, it’s important to understand the terms security teams, security solution providers, industry analysts, editors and others use, and sometimes misuse.  Key terms include:

Kill Chain Cycle – Is a definition of the steps taken within a cyber attack and includes: 1. Reconnaissance 2. Initial compromise 3. Establish foothold 4. Escalate privileges 5. Internal reconnaissance 6. Move laterally 7. Maintain Presence 8. Continue to escalate privileges until the attacker completes their mission.

Honeypot – A honeypot is a server, computer or network that appears to be an integral part of an organization’s network or network of networks, but is in reality bait for hackers.  The IT or security team installs honeypot software on these devices and connects them to the network.  Hackers will scan the network for weaknesses and attempt to break in. When they break in, they won’t find anything, and will then attempt to run their malware.  Because the malware has no impact, the hacker will attempt to install additional malware or simply move on.

Honeynet – A honeynet is simply two or more honeypots on a network.  IT and security teams deploy honeynets to protect larger networks or networks containing diverse types of information. Honeypots and honeynets were among the first deception-based technologies used by IT and security teams. These solutions are generally based on emulating an environment and without regular updates, may be recognized and detected by an attacker over time. Lack of a central management UI adds to the operational cost and complexity of managing these solutions.

Deception Engagement Servers – Deception techniques are similar to a honeynet in their use of engagement servers to lure an attacker into their trap. However with deception, advanced use of endpoint and distributed engagement servers are used to actively attract an attacker.  In addition to real-time detection, advanced solutions will provide the ability to communicate with a command and control center along with the forensics required to update prevention systems and shut down attacks. Advancements in technology have also made deception solutions non-disruptive to deploy and non-resource intensive to manage. A comprehensive deception platform will be scalable and take a deception everywhere approach, supporting user networks and data centers across private, public and hybrid cloud environments. Some may refer to a deception engagement server as a honeynet on steroids.

Deception credentials – These are the lures placed on endpoint devices that work dynamically with deception engagement servers to actively draw attackers away from the enterprise’s servers and get them instead to engage with the deception engagement server.  

Engagement or Deception Servers - Deception providers use high interaction engagement servers that will lure, trap, and analyze an attack.   Engagement or deception servers run real or emulated OS and services, support virtualization, and can be customization for layer 2-7 deceptions.  They can be located in a private datacenter as well as private, hybrid and public clouds.  In addition, they have a self-healing environment which, after containing and analyzing an infection, can safely destroy the infected VM and rebuild itself for the next attack.  Mature platforms will also have the ability to engage with C&C servers so that additional data about the attacker’s methods and intent can be understood.

Emulation – Emulation uses best efforts to copy an environment to deceive an attacker into engaging. Since emulation is a thin copy, it can’t match exact OS and services they are running.  Given their static nature they can be easier for an attacker to detect. 

Real Operating Systems – Real operating systems and services provide significantly better authenticity over emulation solutions because they use active licensed software that is loaded on the engagement server. These solutions can be customized by turning on or off operating systems and services to match a company’s environment. Solutions that allow the loading of a company “golden image” provide an environment that is virtually indistinguishable from company servers. Maintenance of these operating systems and services is provided by the deception manufacturer under a standard support agreement. There should not be additional costs or resources required to maintain this software. 

Friction-less (Non-disruptive deployment and management) – Deception solutions should integrate seamlessly with existing security infrastructure and should play an active role in an organization’s continuous defense strategy by enabling real-time threat detection. By design, they should not require any signature or database look up, require network topology or traffic changes or require heavy computation to detect an attack. 

Threat intelligence – When a BOT or APT is engaged, the solution should run full forensics to capture methods and intent of the hacker.  It should include a threat intelligence dashboard and a full range of indicators of compromise (IOC) reports to enable prevention systems to shut down current attacks and prevent future ones.

False positives – Many monitoring systems will trigger an alert based on what may be BOT or APT activity. These solutions tend to generate a high volume of alerts that often are not an attack and are false positives. Deception solutions will not deliver a false positive since they only deliver an alert based on actual engagement with their platform. Advanced systems will provide the option to set alerts at low, medium or high for additional customization.

The shift to continuous detection

New deception technologies bring a heightened level of aggressiveness in addressing cyber attacks.  Dynamic deception steps in when prevention systems fail and provides organizations with an efficient way to continuously detect intrusions with high interaction traps, engagement servers, and luring techniques to engage attackers--all without requiring additional IT staff to manage the solution

Statistics pointing to the increasing number of threats and the growing sophistication of these threats are in the news every day.  Symantec noted in an April 2015 Internet Security Report that attacks on large companies are up 40% over last year and Dave DeWalt, FireEye’s CEO, stated recently on 60 Minutes, “Literally, 97% of all companies have been breached.” 

According to a recent Ponemon Institute report, the average cost of a breach has risen to $15 million.  With that in mind, corporate management has a responsibility to customers, shareholders, employees and partners to do everything they can to protect critical data and IP assets. 

Dynamic deception solutions are a new, powerful weapon in the IT and security team’s arsenal for protecting an organization’s most critical assets.  Prevention systems have demonstrated that they have gaps and will continue to be unreliable given a perimeterless network, the sophistication of modern day cyber attacks, adoption of new technologies and human errors.

Deception can play a critical role as the next line of defense for detecting intrusions that have made their way inside the network before an attack can be completed and damages done. Breaches can be a costly and time-consuming challenge to deal with. It’s time to turn the tables and use deception to outsmart the hackers and to protect your company’s assets and brand.

Crandall has over 25 years of experience in high tech marketing and sales management. At Attivo Networks she is the Chief Marketing Officer responsible for marketing strategy, building company awareness, and creating customer demand through education programs and technology partnerships. 

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the CIO newsletter!

Error: Please check your email address.

More about AdvancedAPTEscalateFireEyeIOCSymantec

Show Comments

Market Place