Deception As a Strategy for Cyber Security
We have learned deception from nature, we see plants, insects and animals are using deception in two ways.
- Predators use mimicry and enticement to lure the victims
- Camouflage as a survival technique
Since ancient days human beings are using the deception to win over the opponents. The famous book Art of the War by Sun Tzu provides details of deception techniques to be used in the war.
In this internet era, interconnectedness and proliferation of IoT devices in personal and business use, a cyber-attack can have potential to create a war like situation. Identifying these attacks and mitigating at earliest is one of the biggest challenges CISOs are facing today. These attacks can cause reputational and financial damage.
The Ponemon Institute’s 2016 “Cost of Data Breach Study ” reports: Global Analysis estimated that the average total cost of a data breach in 2016 was $4 million and Juniper Research predicts that cybercrime will cost $2.1 trillion globally by 2019, averaging $150 million per breach by 2020.
The current perimeter security defense is ineffective. For example, multilayer firewalls and network intrusion prevention techniques are becoming porous as the organizational perimeters are dissolving due the disruptive technologies like cloud and mobility.
Security monitoring is another technique which is widely used to detect the anomalies in the organizational environment, this is also futile effort because of the enormous volume of data, cost and time associated with the analysis are high.
The ancient war strategies by Sun Tzu says:
“Know thy self, know thy enemy. A thousand battles, a thousand victories”
To know the vulnerabilities those can be exploited we can use the testing techniques which has capabilities to identify known vulnerabilities only.
To understand how those known and unknown weaknesses can be exploited by hackers, we need to have different techniques, the famed Hacker, Kevin Mitnick in Book “Art of Deception” states:
“If deception can be used to attack, can it also be used in cyber defense?”
It is time for enterprises and governments to get proactive and use deception technologies to enhance security architecture and redefine security strategy.
One of the most widely accepted definitions “Cyber deception is a deliberate and controlled act to conceal networks, create uncertainty and confusion against the adversary’s efforts to establish situational awareness, and to influence and misdirect adversary perceptions and decision processes.”
Honeypots are the backbone of the first iteration of deception techniques. Honeypots are separate from the organization enterprise network and it is set-up with enterprise applications with dummy data to attract the hackers/attackers.
There are two types of honeypots “Low Interaction” and “High Interaction“
Low interaction honeypot can just a single computer system, this system has limited capability of emulating enterprise application and be used only for detection from where the attackers are coming and what they want to exploit. These are easy for attackers to fingerprint and bypass.
High Interaction Honeypots are identical to the enterprise systems and can run real operating systems, applications, services with dummy data, they allow the attacker to log in and responds to the attackers request to understand their intentions, lures them for a long time to identify how command and control infrastructure is set-up.
The second generation deception systems are pervasive deception. These systems are more advanced has four parts, decoy, breadcrumbs, baits, and lures. These systems are implemented alongside with enterprise systems but still in the isolated environment. They are used to interrupt the attackers kill chain, prolong the attack either to exhaust the attacker’s resources or encourage the attackers by providing oblivious vulnerabilities to know the identity and details of their network and arsenals.
To deploy enterprise-scale deception strategy for cyber security requ. These deception systems need to changes as the enterprise architecture changes. This also needs the feeds from the threat intelligence so it can keep up-to-date to lure the attackers.
Following steps should be taken while planning the deception strategy :
- Adversary profiling — Analyze deception systems to identify host visited, vulnerabilities exploited, tools or malware used for attack
- Advisory tracking — Analyze the deception data to find out attackers entry point and vulnerabilities
- Attack Analysis and feeds back to patch vulnerabilities in enterprise network
- Threat Hunting — Relating the deception finding with security alerts and developing playbooks that can be used by security analyst to hunt down the threat in the enterprise network.
Deception Solution vendors
Deception technology market is evolving rapidly following are the five vendors got highlighted in RSA Security conference:
- Illusive Network — We gathered top cyber-attack specialists from Unit 8200 (Israel’s elite cyber security Intelligence Corps) together with pioneering experts and entrepreneurs with over 50 years of collective experience in cyber warfare and cyber security. illusive was built to challenge the most critical cyber threat facing organizations today — targeted attacks.
- Attivo Networks — Attivo Networks is an award-winning provider of deception for in-network threat detection, attack forensic analysis, and continuous threat response. Stop attackers in their tracks with the real-time detection of threats that have bypassed prevention security systems. The Attivo Networks Deception and Response Platform changes the balance of power with sophisticated deception technology that deceives an attacker into revealing themselves. Detailed attack analysis and forensics accelerate incident response and provide protection against future cyber attacks
- Aclvio — Traditional network and endpoint prevention technologies offer too little, too late. Big data security analytics solutions require too many resources and generate too many false positives. Deception 2.0 helps you quickly and accurately detect true positive security events inside your network. Engage and delay attackers from valuable production assets. Use path analysis to profile them and prioritize hunting and proactive remediation efforts.
- Trapx Security — TrapX has created a new generation of deception technology that provides real-time breach detection and prevention. Our field-proven solution deceives would-be attackers with turn-key decoys (traps) that “imitate” your true assets. Hundreds or thousands of traps can be deployed with little effort, creating a virtual minefield for cyber attacks, alerting you to any malicious activity with actionable intelligence immediately
- Cemmetria — Founded in 2014, Cymmetria is a cyber deception startup focused on changing the asymmetry of cyber security, tilting the traditional security odds so that hackers are the ones who are left vulnerable.