Deception has been used for centuries to divert attacker attention and protect vital assets. In the Art of War, Sun Tzu said: “All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”
Deception as a means of active, intelligent defense in modern cyber security is still an emerging topic, and like any emerging topic it carries misconceptions and myths until it is widely understood. It is striking that cybercrime continues to phish, bait, deceive, and lure users into attacks, while our cyber defenses remain built primarily on detecting bad activity within an ocean of good activity. Given that we know what attackers want, why are we not using an active defense to lure, detect, and defend?
By comparison, deception defenses are already in use to protect sea turtles, with GPS-enabled decoy eggs (as covered in this PBS special report). This fourth blog in the series addresses the current myths and aims to educate readers on deception defenses to advance their use.
(Photo: Paso Pacifico)
Honeypots are not that interesting – this perception dates from early honeypot deployments, which relied on being found by chance; the rate at which a static decoy is stumbled upon can be lower than desired. Modern deception defenses plant breadcrumbs as lures that lead to decoys, which makes the deception deterministic rather than accidental, as reviewed in the second blog of this series. Because attackers want access credentials and information to learn about and expand within an environment, these elements make perfect lures or bait leading to decoys or honeypots.
We want to avoid irritating attackers – this perception turns on the distinction between detection and containment in deception defenses, and also on humans versus malware, as reviewed in the third blog. Many attacks are machine-automated, with malware harvesting structured data from over 200 applications, plus web browsers and application uninstall files, where no human is present to irritate. Human attackers, by contrast, prefer unstructured data such as files and email when looking for credentials, and those credentials can easily lead them to decoys for detection. Modern deception defenses can lure and engage attackers without containing or provoking them.
Emulation versus real operating systems for deception – engaging human attackers with decoy services is critical to consuming their time and diverting attacks from real assets, resources, and data. Capture-the-flag exercises have shown that emulated decoy services are very effective, often engaging attackers for hours of high interaction. Honeypots running real operating systems are as realistic as a decoy can be. However, you must also monitor the attacker and keep them inside the real OS, which may require security resources and skills you do not have; a full OS that an attacker has compromised and that is not contained is itself a risk. Also, for automation and scale, emulation is much easier than standing up hundreds or thousands of real-OS honeypots. We learned from the first blog that early detection from a variety of deception defenses is critical when the attacker's knowledge gap is wide.
We lack resources and time for another defense – this statement is more reality than myth; the shortage of skilled security analysts is well known. However, modern deception defenses automate multiple phases so that monitoring and maintenance take less than one hour per day for a tier-1 security analyst at most companies. First, discovery is automated to learn the environment and continuously adapt to changes and additions, keeping the deception layer as realistic and dynamic as possible. From the discovered information, decoys and services are generated automatically to match the environment. Deployment of these decoys, services, and the breadcrumbs that point to them is then automated. Finally, detection and alerting can be configured automatically, with network and traffic analysis around the decoys to automate investigation and increase visibility.
Security defenses make too much noise – this is another reality we all experience, with alert fatigue and chasing false positives, but it is a myth for deception defenses. Because decoys and breadcrumbs are unknown to everyday users, nothing legitimate should ever touch them, so alerts have high fidelity with very low false positives. There are a few gray areas: stray insiders finding a decoy, IT tools with unknown scanners, or consultants wandering around a network. These known sources are best tracked and allowlisted rather than ignored, because the same behavior from an unknown source is exactly what the decoys exist to catch. Even so, deception defenses are quiet in comparison with well-known security defenses. When internal blue teams are tested by external red teams for security preparedness, deception defenses prove their value to blue teams quickly.
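The following Python script is an added example, not code from the original post or from any deception product, tying together three of the points above: breadcrumbs that lead to decoys, decoys generated to match the environment's naming pattern, and high-fidelity detection that still accounts for the gray areas (allowlisted scanners). The decoy user and host names, the scanner address, and the sshd-style log lines are all constructed for illustration.

```python
"""Breadcrumb decoys and high-fidelity detection over auth logs (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Decoy accounts planted as breadcrumbs in files, browser stores and configs.
# No real service uses them, so any authentication attempt with one of these
# names is unexpected by construction. (Hypothetical names.)
DECOY_USERS = {"svc_backup_ro", "sql_report"}

# Decoy hosts that the breadcrumbs point at; nothing legitimate talks to them.
DECOY_HOSTS = {"db-03", "web-04"}

# The gray areas from the post: sources that may touch decoys without malice
# (vulnerability scanners, IT tooling). Allowlisted by source address.
KNOWN_SCANNERS = {"10.0.1.10"}

# Minimal sshd-style auth line; the format is constructed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def propose_decoy_hosts(discovered):
    """Derive decoy hostnames matching the discovered naming pattern:
    same prefix, same zero padding, next unused number."""
    groups = defaultdict(list)
    for name in discovered:
        m = re.fullmatch(r"([a-z]+)-(\d+)", name)
        if m:
            groups[m.group(1)].append(m.group(2))
    decoys = set()
    for prefix, nums in groups.items():
        width = len(nums[0])
        nxt = max(int(n) for n in nums) + 1
        decoys.add(f"{prefix}-{nxt:0{width}d}")
    return decoys


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    user: str
    host: str
    severity: str
    reason: str


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines, decoy_users=DECOY_USERS, decoy_hosts=DECOY_HOSTS,
           allowlist=KNOWN_SCANNERS):
    """Return one Alert per log line that touches a decoy user or host.
    Ordinary traffic never produces an alert, which is where the fidelity
    comes from; allowlisted sources are recorded but not paged."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        used_decoy_cred = ev["user"] in decoy_users
        touched_decoy_host = ev["host"] in decoy_hosts
        if not (used_decoy_cred or touched_decoy_host):
            continue
        if ev["src"] in allowlist:
            severity, reason = "info", "decoy touched by allowlisted scanner"
        elif used_decoy_cred:
            # A planted credential was used: the source read a breadcrumb.
            severity, reason = "high", "decoy credential used"
        else:
            severity, reason = "medium", "decoy host probed"
        alerts.append(Alert(ev["ts"], ev["src"], ev["user"], ev["host"],
                            severity, reason))
    return alerts


def summarize(alerts):
    """Alerts per source and severity: the triage view for an analyst."""
    by_src = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        by_src[a.src][a.severity] += 1
    return {src: dict(sev) for src, sev in by_src.items()}


# Constructed sample log: two real logins, an attacker (10.0.9.77) following a
# breadcrumb to a decoy host and then reusing a decoy credential on a real
# host, an allowlisted scanner hitting a decoy, and an unparseable line.
SAMPLE_LOG = [
    "2024-05-01T09:00:01 web-01 sshd[1201]: Accepted password for alice from 10.0.2.15",
    "2024-05-01T09:00:07 web-02 sshd[1202]: Failed password for bob from 10.0.2.16",
    "2024-05-01T09:00:11 db-03 sshd[77]: Failed password for invalid user svc_backup_ro from 10.0.9.77",
    "2024-05-01T09:00:12 db-03 sshd[78]: Failed password for invalid user svc_backup_ro from 10.0.9.77",
    "2024-05-01T09:01:00 web-04 sshd[79]: Failed password for invalid user root from 10.0.1.10",
    "2024-05-01T09:02:30 web-02 sshd[1203]: Failed password for invalid user sql_report from 10.0.9.77",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print(propose_decoy_hosts(["db-01", "db-02", "web-01", "web-02", "web-03"]))
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print(summarize(detect(SAMPLE_LOG)))
```

Run as-is, the script proposes db-03 and web-04 as decoys from the discovered hosts (the same names used above), raises three high-severity alerts for 10.0.9.77 and one informational record for the allowlisted scanner, and nothing at all for the two ordinary logins. In a real deployment the allowlist would be fed from asset inventory rather than hard-coded, and the decoy credential hit would be the trigger for traffic capture around the decoy host.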