There is no end of challenges for organisations as cyber attacks continue to escalate; no matter how many well-planned perimeter or endpoint defences are in place, attackers will find new ways to get past them.
What if we could understand what targets attackers are looking for, or what tactics they’re using, once they’ve penetrated the network?
Kevin Eley, VP EMEA of TrapX explains how a deception-based approach to security turns the tables on attackers and provides organisations with visibility of what systems or assets are being targeted - before they can compromise any real IT assets.
Typically, the cyber criminals always have the first-mover advantage when it comes to launching attacks. Do organisations need to be more proactive when it comes to rooting out and identifying attacks?
In today’s environment it is clear that attackers will get inside of our networks. This must now be viewed as an inevitability. The challenge therefore is no longer keeping them out, but detecting their presence within your network at the earliest opportunity. Once identified, they can be isolated, the attack or potential attack shut down and then normal operations can be resumed. The key to proactivity is visibility. New technologies such as deception can hide amongst your real IT resources and then bait and engage the attackers. This enables you to identify the attack early and decisively shut it down.
The art of deception has long been practised by cyber criminals: how can a strategy based on deception be used by organisations to turn the tables on attackers?
Deception has long been used in warfare for many centuries. The Art of War, an old and esteemed Chinese book on the topic, discusses the many tactics that can be used to leverage deception to prevail in military conflict. Today’s modern military has taken deception further and developed a full set of policies and supporting doctrine to leverage the benefits possible.
Deception within corporate and government networks can be just as impactful. Deception technology can be used to bait, engage, and ultimately trap attackers that have penetrated your network. Deception needs to present the cyber criminals with attack surfaces that best match attacker activity. This approach surrounds the attackers with tempting targets (decoys) within the network. Everywhere they turn, they’re faced with immediate identification.
Deception tactics on users’ endpoints are known as “bait” (or lures), which include items such as cached credentials, database connections, network shares, and more, designed to lure attackers into interacting with the network decoys. This allows modern-day networks and data centres to identify attackers quickly, determine their intentions, and gather detailed forensics and evidence. This deep visibility into malicious activity within your network can minimise or eliminate the risk to intellectual property, IT assets, critical infrastructure, and impact on business. Automation tied to your network access control (NAC) can automatically and rapidly shut the attack down.
Attacks are becoming more sophisticated; how can deception be used to identify the most stealthy techniques?
Sophisticated attackers are finding ways around even the most secure perimeter defences. They have the skills and tools to remain undetected longer, often with the highest levels of privilege, maintain relentless persistence, and have the ability to bypass existing security controls as if most of them didn’t even exist.
Deception technology enables detection of early-phase reconnaissance and lateral movement, regardless of attacker tools used. Any party that seeks to identify, enter, view or interact with deception traps is immediately identified by this behaviour. If you touch these traps this is clearly a violation - you should not be doing so. So even with the stealthiest approach, attackers cannot identify a trap until they have already set off the alert and been caught.
This can minimise time-to-breach detection and reduce or eliminate potential losses when the next attack on your network predictably occurs.
How do new, emerging approaches to deception differ from traditional ‘honeypots’?
Traditional honeypots require a significant amount of manual administration and do not support the scale of typical enterprise or government customers. Honeypots are deployed one at a time, with each honeypot requiring the setup of a full operating system and associated applications, with the ongoing maintenance and manual set-up labour.
Deception technology brings simplification, automation and large enterprise scale for the deployment of hundreds to thousands of traps. Also important is the out-of-the-box integration with ecosystem technologies such as network access control (NAC) that can take indicators of compromise (IOC) data to trigger immediate isolation of an attacker.
Deception also lowers cost and substantially improves the quality of the deception through the use of emulated traps. Emulated traps can imitate a multitude of IT assets and devices including medical devices, automated teller machines, retail point of sale terminals, SWIFT financial network servers, switches, routers, workstations - a whole host of devices. These emulated traps are low in footprint, very inexpensive to deploy and automation allows this to happen with minimal effort at scale. You can deploy hundreds to thousands of these traps in a matter of hours.
Yet these emulated traps are exactly the targets which the attackers seek. These cleverly bait the attackers, get them engaged, distract them from real assets, and then allow you to shut down the attack.
Where does this approach to security fit within an organisation’s overall cyber strategy?
Organisations have begun moving from a prevention-to-detection ratio of 9:1 to a 6:4 ratio advocated by many security thought leaders. A deception infrastructure is the best way to identify attackers’ positions and gain valuable information about their techniques, tactics, and procedures.
Both Government and industry must continue to expand and grow cyberspace security strategy. Deception technology provides expanded visibility to sophisticated cyber attackers once they are active inside of the targeted networks. This expanded visibility strengthens your consolidated threat management strategy and becomes an essential part of your overall cyber strategy.
What can deception techniques help us to understand more about the cybercriminals’ activities?
Deception can help you discover:
• Where attackers are hiding in your network;
• Which systems they’re interrogating;
• What tactics they’re using;
• Whether they’re attempting to steal data; and,
• Whether they’re attempting to deploy ransomware.
Deception can do all of this without exposing your actual systems and assets. By deploying fake devices, systems, and assets among your real assets to bait attackers, deception technology shows you which systems attackers and malware are attempting to infiltrate, what lateral spread techniques are being used, and even what an attacker may already know about your network. Deception gives you the ability to see how attackers are moving in your network, their primary targets and how they are progressing, exactly, through your infrastructure.
This new information provided by deception technology can help you establish or refine your security priorities, including endpoint security, user entity and behaviour analytics, and OT/IoT security. It’s also valuable in helping you justify your current security budget and spend allocations.
How can deception as a strategy help to protect against the new wave of threats targeting IoT / connected devices?
Internet of things (IoT) devices are particularly vulnerable to attacker tools propagating through the network. Many IoT devices may have older, embedded operating systems which are closed and not accessible to your IT team. These unpatched operating systems are highly vulnerable to an attacker’s malware tools, and can be used as a foothold for the establishment of an attacker’s “backdoor.”
Further, most endpoint security and other internal cyber defence tools do not install in, nor protect, IoT devices. The security operations centre team has no visibility to an attacker’s presence within these devices.
Deception greatly enhances visibility. Deception traps will find lateral attacker movement to or from IoT devices. Almost any way an attacker moves within the network, they will trigger a deception network trap. This makes deception a leading cyber defence technology to secure IoT and connected devices in markets such as healthcare (medical devices), banking (automated teller machines), retail (retail and POS terminals) and manufacturing (industrial control systems - SCADA components).
How do you see this area of technology advancing in future?
Deception can take many forms, and as attackers evolve their techniques to infiltrate an organisation, so must the deception capabilities. Consider that deception began as imitating IT assets such as servers and workstations since that’s what attackers were seeking to exploit. Then attackers began to find ways into specialised devices like Automatic Teller Machines (ATMs) and Point of Sale (POS) systems, and now IoT, so deception must follow.
To keep ahead of attackers, the industry is moving towards a full stack architecture. We call this a “deception in depth” architecture. That is to say, the future requires an integrated platform that includes all of the deception techniques available and supports the best practices in deployment to make these techniques successful.
A full deception in depth architecture would include:
● Tokens or lures deployed on endpoints that entice attackers to traps or fake IT resources. These lures would be interspersed within your real IT resources and then lead the attackers to the deception traps in your network. Nothing is more tempting to an attacker than fake credentials and passwords.
● A facade of fake network traffic between the traps to distract and confuse attackers in the earliest phase of their reconnaissance within your networks.
● Medium interaction or emulated traps that enable a broad diversity of fake assets to be deployed easily, and at the lowest cost. Emulations exist for medical devices, automated teller machines, industrial control system components, switches, workstations and much more.
● Full interaction traps. Full interaction traps or full operating systems traps (full OS) enable the deepest attacker engagement and diversion. They are relatively the most expensive to deploy so it is ideal if the emulated traps can extend, perhaps by proxy, to these full OS traps.
The longer term of deception is unlimited. As long as infrastructures evolve, and new technologies are introduced, deception has to follow. The key to this evolution is to keep it simple to deploy, frictionless for ongoing maintenance, and to ensure believability with attackers.
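The detection rule that runs through the answers above (any authentication with a lure credential or any connection to a trap is by definition unauthorised, and the source becomes an IOC a NAC integration can isolate) can be shown as a small log analyser. This is an added example, not TrapX code; the trap inventory, decoy account names, log format and log lines are all constructed for the illustration.

```python
"""Decoy-touch detector (illustrative, constructed data; not a vendor implementation)."""
from dataclasses import dataclass
import re

# Constructed inventory: trap addresses (emulated assets) and lure accounts that
# exist only on endpoints as bait and have no legitimate user.
TRAP_HOSTS = {
    "10.20.5.41": "emulated-infusion-pump",
    "10.20.5.77": "emulated-atm",
    "10.20.9.12": "emulated-smb-share",
}
DECOY_USERS = {"svc_backup_old", "fin-admin"}

@dataclass(frozen=True)
class Ioc:
    source_ip: str   # origin of the touch: the host a NAC policy would quarantine
    trigger: str     # "trap_connect" or "decoy_credential"
    detail: str

AUTH_RE = re.compile(r"auth src=(\S+) user=(\S+) result=(\w+)")
CONN_RE = re.compile(r"conn src=(\S+) dst=(\S+) dport=(\d+)")

def analyse(log_lines):
    """Return one Ioc per decoy interaction; legitimate traffic yields nothing."""
    iocs = []
    for line in log_lines:
        if m := AUTH_RE.search(line):
            src, user, _result = m.groups()
            # A lure credential is never used legitimately, so even a failed attempt is a hit.
            if user in DECOY_USERS:
                iocs.append(Ioc(src, "decoy_credential", f"used lure account {user}"))
        elif m := CONN_RE.search(line):
            src, dst, port = m.groups()
            # Trap-to-trap traffic is the facade of fake network traffic, not an attacker.
            if dst in TRAP_HOSTS and src not in TRAP_HOSTS:
                iocs.append(Ioc(src, "trap_connect", f"{TRAP_HOSTS[dst]}:{port}"))
    return iocs

def hosts_to_isolate(iocs):
    """Distinct source addresses to hand to the NAC for isolation."""
    return sorted({i.source_ip for i in iocs})

SAMPLE_LOG = [  # constructed sample events
    "2024-03-01T09:00:01 conn src=10.1.1.5 dst=10.1.1.20 dport=443",          # normal
    "2024-03-01T09:00:04 conn src=10.20.5.41 dst=10.20.5.77 dport=445",       # facade traffic
    "2024-03-01T09:02:10 conn src=10.1.1.5 dst=10.20.9.12 dport=445",         # touched trap share
    "2024-03-01T09:02:15 auth src=10.1.1.5 user=svc_backup_old result=fail",  # lure credential
    "2024-03-01T09:03:00 auth src=10.1.1.9 user=alice result=ok",             # normal
    "2024-03-01T09:05:30 conn src=10.1.1.9 dst=10.20.5.41 dport=80",          # scanned pump trap
]

if __name__ == "__main__":
    for ioc in analyse(SAMPLE_LOG):
        print(ioc)
    print("isolate:", hosts_to_isolate(analyse(SAMPLE_LOG)))
```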
Kevin Eley, VP EMEA, TrapX