Volume of work is one of the biggest problems faced by security teams. Modern anomaly detection systems return hundreds or even thousands of alerts on potential threats every day — and each one needs examination and possible response. But often the majority of these are false positives. With the cost of skilled security staff increasing, and the available pool of skilled new staff decreasing, this is a major and unnecessary cost.
One approach is to reduce the sensitivity of the anomaly sensors, whether technical or human, so that fewer alerts require investigation — but this correspondingly increases the possibility of false negatives. The potential for false negatives is even more worrying than the cost of false positives. But there is a system that can detect threats with almost, and potentially, zero false positives: deception technology.
Deception is not a new technique in the battle against cybersecurity adversaries. A honeypot, the precursor of modern deception technology, is a deceptive system used to attract and gather threat intelligence to improve security products or network defense. Sink-holed C&C servers are designed to deceive malware into contacting law enforcement or white hat researchers rather than the criminal masters.
Where the new deception technology differs from these earlier forms is that it is on-premise, network-specific, designed to detect existing intrusions, and returns that breach intelligence directly to the network’s security team.
It is the civilian and cyber application of MILDEC, or military deception, which is defined as “actions executed to deliberately mislead adversary military, paramilitary, or violent extremist organization (VEO) decision makers, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly mission.”
The cyber application of this concept is surprisingly simple: a false, decoy network running on existing infrastructure, but unused by any genuine staff. Any and all anomalous activity on this network is evidence of an intruder or malicious insider – with zero false positives. It is, says Rick Moy, CMO at threat detection firm Acalvio, “another form of threat detection that uses fake assets as tripwires.”
The decoy network
The key to a good decoy network is its believability. It must not be so heavily guarded that it cannot be breached, nor so vulnerable that it cannot be believed. If attackers can recognize a decoy, they can avoid it; so it must look, feel and behave like the rest of the network.
“Think of deception as camouflage,” explains Chris Roberts, chief security strategist at deception firm Attivo Networks. “A well-designed deceptive strategy blends into an environment — no matter if it’s enterprise, IoT, ICS or anything else. It doesn’t care if you are on premise or in the cloud. It simply blends in and protects. Deception done right spreads its net across devices, users, accounts, files, folders, shares, printers and all other elements in a network, effectively blending in, communicating ‘as’ a network to a point where an attacker should not be able to tell the differences.”
This is the primary difference between deception technology and honeypots. The original honeypots were very static in nature. “They don’t modify behavior to mimic or entice human attackers in a compromised network, whereas deception technologies do, making them more effective,” explains Joe Neumann, principal consultant of penetration testing at Coalfire.
Honeypots still have their place but should be considered as a separate product to deception technology. “A honeypot still has uses – the newer, more augmented ones have a place,” says Roberts. “However, with the early detection, intelligence and integration capabilities of deception along with the incident response capabilities, the game has been upped and the honeypot of old has been armed, given better teeth, more firepower, a bigger brain, easy controls, and sent out into the field to actively defend an organization, while bringing some semblance of metrics and maturity along with it.”
A second difference is that deception technology is fully integrated with other aspects of the security suite: IDS, IPS and firewalls. The basic idea is that you detect all intruders that manage to breach traditional controls, with absolute, or almost absolute, certainty that it is not a false positive.
For an attacker, the decoy network should be indistinguishable from the real network. Set-up is best done automatically by a system that maps the real network and defines the content and positioning of decoys.
“By placing attractive files and computers and other bait throughout a network,” says Acalvio’s Moy, “defenders can proactively set traps for attackers who are able to penetrate standard defenses. A high confidence alert is created when an attacker touches a bait or decoy or uses a fake credential.”
The decoy must include bait in the form of breadcrumbs, lures and credentials laid down to guide attackers away from the real network and into the decoy network, where they can be contained, monitored and analyzed. “It works by deploying endpoints, devices, and crumbs of intelligence throughout the network,” continued Attivo’s Roberts. “It also works by communicating and therefore maintaining a level of activity on the very network to again blend in and appear exactly as any other device that’s there.”
As soon as an attacker touches any part of the decoy network, a high confidence alert is sent to the security team – nobody has a legitimate reason for being there.
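As an added example (not code from the article or from any vendor it quotes), the following shows the "tripwire" logic described above: a hypothetical inventory of decoy hosts, planted credentials and breadcrumb files is checked against constructed log lines, and any touch of a decoy asset becomes a high-confidence alert while ordinary activity produces none.

```python
# Added example; not code from the article or from any vendor it quotes.
# The decoy inventory and log lines below are constructed for illustration.
import re
from dataclasses import dataclass

# Hypothetical bait planted on the decoy network. No legitimate user or
# process ever touches these, so any hit is a high-confidence alert.
DECOY_HOSTS = {"10.0.9.21", "10.0.9.22"}              # decoy servers
DECOY_ACCOUNTS = {"svc_backup_old", "finance-share"}   # planted credentials
DECOY_FILES = {"/srv/finance/merger_2024.xlsx"}        # breadcrumb files

@dataclass
class Alert:
    kind: str    # which bait was touched
    source: str  # address the touch came from
    detail: str

# Constructed log formats for this example, not a real product's schema.
AUTH_RE = re.compile(r"auth user=(\S+) src=(\S+) dst=(\S+) result=(\S+)")
FILE_RE = re.compile(r"file_open user=(\S+) src=(\S+) path=(\S+)")

def check_line(line):
    """Return an Alert if the line records contact with any decoy asset, else None."""
    m = AUTH_RE.search(line)
    if m:
        user, src, dst, _result = m.groups()
        if dst in DECOY_HOSTS:
            return Alert("decoy-host", src, f"{user} authenticated to decoy {dst}")
        # A planted credential fires even on failure: nobody else knows it exists.
        if user in DECOY_ACCOUNTS:
            return Alert("decoy-credential", src, f"planted account {user} tried on {dst}")
        return None
    m = FILE_RE.search(line)
    if m:
        user, src, path = m.groups()
        if path in DECOY_FILES:
            return Alert("decoy-file", src, f"{user} opened breadcrumb {path}")
    return None

def scan(lines):
    """Run every line through check_line and keep only the alerts."""
    return [a for a in map(check_line, lines) if a is not None]

SAMPLE_LOG = [  # constructed: two legitimate events, then three decoy touches
    "auth user=alice src=10.0.1.5 dst=10.0.1.40 result=ok",
    "file_open user=alice src=10.0.1.5 path=/srv/finance/budget.xlsx",
    "auth user=alice src=10.0.1.77 dst=10.0.9.21 result=ok",
    "auth user=svc_backup_old src=10.0.1.77 dst=10.0.1.40 result=fail",
    "file_open user=alice src=10.0.1.77 path=/srv/finance/merger_2024.xlsx",
]
```

Calling `scan(SAMPLE_LOG)` returns three alerts, all from the same source address, and the two legitimate lines produce none; in practice the inventory would be generated by the deployment tooling rather than hand-written.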
Benefits of deception
The primary benefit of deception technology is rapid detection with minimal or zero false positives. Set up correctly, it lures attackers into the decoy network. This doesn’t guarantee that there are no other intruders, so deception technology is not a replacement for other security controls. Nevertheless, good deception will detect and control the intruder before any damage can be done.
Once detected, the intruder can be contained and monitored – and expelled at will. This process turns the tables on the intruder, who thought he was attacking a victim. “Optionally,” says Moy, “security teams can opt to deceive and delay adversaries inside a virtual hall of mirrors away from production assets.”
This allows the defenders to extract indicators of compromise for intelligence sharing, and perhaps more importantly, to use forensics to find and remediate the initial entry point. This is proactive defense – remediation can be applied pre- not post-exfiltration.
Since the technology depends on detection of presence rather than known signatures or known behaviors, it will detect all forms of intrusion and intruder, whether that’s a cybercriminal, a contractor doing more than the contract specifies, or even an employee seeking information on an upcoming merger or acquisition.
Weaknesses in the deception approach
The primary weakness with deception technology is cost. “Deception technology doesn’t immediately show a return on investment,” explains Coalfire’s Neumann, “so it is a hard sell to most business-decision-minded organizations. Most organizations focus budgets on prioritizing basic fundamentals, such as firewalls, email protection, endpoint security, and user education. Deception technology is near the bottom of a prioritized list of tactics.”
Developing deception in-house on the cheap is tempting and possible, but dangerous. Getting the right level of defense in the decoys is imperative. “The key to deception is to make sure the applications, systems, and network devices are only vulnerable enough to be believable,” explains Brad Bussie, MD of security strategy at Trace3. “The last thing a defender wants is to deploy deception technology that is too vulnerable to be believable.”
If an attacker can recognize deception, he will either simply leave (which in one sense is ‘job done’) or avoid the decoys (which makes the cost and expense of the technology worthless).
“Another problem that quickly prevents deception from working,” added Bussie, “is something as innocent as putting a company logo on the website of a well-known deception vendor. This happens more than you might think. Companies should practice more security by obscurity rather than saving money on a technology acquisition in exchange for an endorsement or logo.”
Quoting Sun Tzu is common in cybersecurity – but that’s because his commentaries from 2,500 years ago remain apt for the modern cyber battlefield. He got deception technology right: “I make the enemy see my strengths as weaknesses and my weaknesses as strengths while I cause his strengths to become weaknesses and discover where he is not strong… I conceal my tracks so that none can discern them; I keep silence so that none can hear me.”
This is the basis of deception technology. It reverses the common situation. The stealthy cyber-attacker becomes the stealthy cyber-attacked. As Chris Roberts puts it, “it works and it’s one of the last bastions of active asymmetrical defense that we have to help the blue teams finally start to gain ground on defending their organizations.”