In my previous column, I wrote about how to “think like an attacker,” and one of the primary reasons for doing so is being able to leverage the attack surface to your advantage. With technology advancing at such a rapid pace, attackers have a larger playground, and cybersecurity is always in a catch-up/reactive mode. Moving applications and data to the cloud? Great, but have you put proper defenses in place as part of this? Enterprise IoT, BYOD, endpoints that aren’t on the corporate network… the attack surface is playing right into the hands of the attackers as they have more opportunities to exploit. Meanwhile, defenders have a wider terrain to protect. Oftentimes security teams don’t even have the visibility of everything in their environment – these blind spots are where attackers hide as they look to move laterally throughout the network and ultimately steal sensitive data or disrupt business operations.
The Moving Target Defense
While you can decrease your risk by patching vulnerabilities and decommissioning old assets, patching vulnerable assets can be challenging, especially if they are legacy or shadow IT (IT applications and infrastructure that are managed and used without the knowledge of the enterprise’s IT department). Alternatively, with a terrain-based approach, which relies on the concept of moving target defense, you can alter the attack surface to your advantage over the attacker. What do I mean by this? It’s much harder to hit the bullseye on a moving target versus one standing in place. If the target is static, attackers can bide their time while studying and learning about communication paths and optimal techniques for exploitation and compromise.
However, if you add unexploitable terrain disguised as exploitable terrain, you can massively impact the attacker’s perception and confidence. Expanding your overall amount of terrain with “vulnerable decoys” and deploying “breadcrumbs” to real assets will make the attacker think the target is much larger and more exploitable than it actually is. As a result, more of the attacker’s shots will miss. If you then constantly move the unexploitable terrain around, the attacker never knows if he is shooting at a fake target or the real one – essentially forcing the attacker to shoot at a moving target that is much harder to hit.
Changing the Terrain with Deception Technology
This terrain-based approach leverages deception technology, which essentially is a smart alarm system that adds an additional layer of visibility.
Sophisticated deception technology can automatically place decoys and breadcrumbs in your environment that send high fidelity signals when touched, indicating when an intruder is moving laterally within your environment. With deception, you can actually warp the perception of the attack surface, so the attacker potentially sees a target friendly environment. What exactly do I mean by this? To put it plainly, you can make 100 endpoints look like 1,000 or even 10,000 endpoints. So as the attacker is looking for assets like ERP, server, financial systems, databases, HR information, etc. they will run into decoys that mimic their target.
The deception environment is full of alarm triggers and convincing decoys (emulation or OS-based) deployed with breadcrumbs (e.g. credential & active directory, file & data, network, and application) in real time to misdirect an attacker. By adding multiple decoy assets into the environment and extending the overall terrain, the percentage of exploitable attack surface drops and with it, so does the risk. You’ve ultimately made it that much harder for the attacker to determine their next move without being caught, slowing them down, while also increasing their risk and overall cost of doing business.
How to Alter the Attack Surface to Your Advantage
First you have to compute your vulnerable attack surface, which means knowing what’s in your environment – e.g., what assets, what software, what communication paths and services. Most companies have normal networking environments with laptops, desktops, servers, data centers on-premises or cloud, and enterprise IoT devices (i.e. printers, smart lighting, cameras). Deception defenses should automatically map networks, classify assets, and learn activity to create a rich profile base of the environment. Decoys can then be automatically generated to be as realistic as possible to the real environment with very little manual effort.
Deception can leverage automation for scale to emulate systems, networks, services and common applications for medium interaction with attackers to divert them from real resources and provide time to defend. Deception can also include fake users in Active Directory showing activity with decoys and breadcrumbs to lure attackers. However, as you move closer to custom data and custom applications, then manual effort and perhaps professional services will be required. Also, fake custom data needs to be real enough for attackers, however, not a liability to your company if exposed. For unique environments with custom applications, a VM-based decoy maybe your only option and one you should watch closely.
For deception to be effective, it needs to mirror the current environment, and must change regularly to maintain freshness and avoid fingerprinting by attackers. Deception defenses can automatically adapt to changes in networking and resources given they keep a rich profile from automated discovery used during decoy creation. Manually created decoys, however, will likely require increased effort to keep pace with the changing environment and freshness cycles. Creating and deploying deception layers is only one-half of the effort – maintaining, adapting and changing decoys and breadcrumbs for freshness is the second half. Automated adaptation of deception defenses is not only preferable but required to keep deception layers as realistic as possible and minimize manual effort.
Attackers conduct recon on environments to understand breaks in the attack surface. Dynamically altering the percentage of exploitable terrain can increase their cost, risk, and the overall complexity of their operations. Deception technology offers an alternative strategy that can shift the advantage back to the enterprise. By using decoys to capture adversary tools, to understand their techniques, and to detect their actions during early attack phases (reconnaissance, initial infiltration, and lateral movement), security teams can detect the problem early and avoid long dwell times.