The goal of cyber deception is to more effectively detect attacks that have infiltrated an organization’s network, to confuse and misdirect the attacker, and to understand what assets have been compromised. Remember, deception defenses can leverage the attackers’ knowledge gap while they try to move laterally within the network. This blog looks at the 5 key components of an active cyber deception defense:
When setting up a security plan, the first thing you need to do is understand exactly what you want to protect. In the discovery phase, the deception system needs to learn the layout of the network, discover network activities, and profile every asset and device. Assets should be mapped according to their location, use, type, protocol, and more. Having a traffic analysis engine to map the network and assets as part of the deception solution is important because the process of network discovery is ongoing – periodic scans are just that… periodic. With that continuous network visibility, the deception solution is always aware of changes in the network and can adapt the deception layer accordingly.
- Setting up Decoys and Breadcrumbs:
In order for deception to be effective, its components – decoys and breadcrumbs – need to resemble the real assets in the network. This is achieved by applying the information that was gathered in the “discovery” phase. Decoys, for all intents and purposes, should appear to be no different than any other asset. When built in the right way, the decoys will appear to have the same operating systems, the same applications running on the same ports, the same protocols, and even similar data in some cases – all depending on the level of interactivity the decoy is given. If the decoys are the false assets, then the breadcrumbs are the lures directing the attackers to access the decoys. Breadcrumbs are diverse as they can be files, documents, email messages, and system resources, or basically anything on a system or on the network that would attract an attacker.
Accurate placement of deception components is just as critical to the success of a deception defense as building decoys and breadcrumbs. Within each subnet, you want to deploy deception that fits the respective resources. The deception components have to be strategically placed in accordance with the information gathered in the discovery phase. This contributes to the believability of the deception layer and ensures that the decoys and breadcrumbs will be “consumed” by the attackers. Distribution should be fully automated to ensure both accuracy and scalability.
Intelligent deception puts power back in the hands of cyber defenders by accurately detecting human and automated attacks, as well as unauthorized access to network assets. Every access or attempted access to a decoy triggers an alert and points the security team to the infected asset. The deception product should supply defenders with a full forensics report about the machine(s) that attempted to access the decoy along with the full story of the attack – including the attacker’s internal “voyage”, as well as attempts to communicate with command-and-control servers to exfiltrate data, and more. This is possible when the deception capability is integrated with a network traffic analysis engine, and can be expanded upon when integrated with endpoint detection and response products as well.
- Actively Adapting:
Organizational networks are dynamic in nature. Therefore, the deception layer, which mirrors network assets, also must be dynamic. Once a change is detected, the deception layer must actively and automatically adapt - by adding, updating or reallocating decoys and breadcrumbs. This process repeats itself over and over throughout the entire solution lifecycle.
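The adaptation loop described above can be sketched as a reconcile step. This is an added example, not code from any deception product; the inventory schema, the 25% decoy ratio, the profile names and the subnets are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed (os, open ports) profiles and a constructed discovery inventory.
WIN10 = ("Windows 10", (135, 445))
SRV19 = ("Windows Server 2019", (445, 3389))
SRV12 = ("Windows Server 2012", (445, 3389))
UBUNTU = ("Ubuntu 22.04", (22, 443))
ASSETS = ([("10.0.1.0/24", *WIN10)] * 5 + [("10.0.1.0/24", *SRV19)] * 3
          + [("10.0.2.0/24", *UBUNTU)] * 4)
# Decoys currently deployed; 10.0.9.0/24 no longer appears in discovery.
DEPLOYED = {"10.0.1.0/24": Counter({WIN10: 1, SRV12: 1}),
            "10.0.9.0/24": Counter({UBUNTU: 1})}

def desired_decoys(assets, percent=25):
    """Per subnet, plan decoys that copy the most common real asset profiles."""
    by_subnet = defaultdict(Counter)
    for subnet, os_name, ports in assets:
        by_subnet[subnet][(os_name, tuple(sorted(ports)))] += 1
    plan = {}
    for subnet, profiles in by_subnet.items():
        # Assumed sizing rule: one decoy per four real assets, at least one.
        budget = max(1, sum(profiles.values()) * percent // 100)
        ranked = [p for p, _ in profiles.most_common()]
        plan[subnet] = Counter(ranked[i % len(ranked)] for i in range(budget))
    return plan

def reconcile(plan, deployed):
    """Diff the plan against deployed decoys into update/add/remove actions."""
    actions = []
    for subnet in sorted(set(plan) | set(deployed)):
        want = plan.get(subnet, Counter())
        have = deployed.get(subnet, Counter())
        missing = sorted((want - have).elements())
        surplus = sorted((have - want).elements())
        # A stale decoy in the same subnet is re-profiled rather than replaced.
        for old, new in zip(surplus, missing):
            actions.append(("update", subnet, old, new))
        for profile in missing[len(surplus):]:
            actions.append(("add", subnet, None, profile))
        for profile in surplus[len(missing):]:
            actions.append(("remove", subnet, profile, None))
    return actions

if __name__ == "__main__":
    for action in reconcile(desired_decoys(ASSETS), DEPLOYED):
        print(action)
```

Running the reconcile step on every discovery update, rather than on a schedule, keeps the decoy layer aligned with the continuous visibility the discovery phase provides.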
Forensic analyses of successful attacks show that the critical time between infection (the first moments of an attack) and detection is far too great, often measured in months. By the time an organization learns it is under attack, let alone analyzes the breach and assesses the risk, the attacker has likely already made off with valuable assets. Intelligent deception can significantly reduce dwell time by detecting attacker activity inside an organization’s network and producing high-fidelity alerts that defenders can act on with confidence. It should be part of a broader security platform that integrates network traffic analysis and endpoint detection and response capabilities to allow immediate mitigation on the endpoint as well as on the network and ultimately provide a complete picture of an attacker’s activity.