6/8/2017
11:00 AM
Raymond Pompon

Will Deception as a Defense Become Mainstream?

If your organization has the right resources, deception strategies offer a powerful way to slow down and entrap potential intruders.

The concept of using deception in warfare goes back to the dawn of time. Thousands of years ago, Sun Tzu wrote that "all warfare is based on deception." IT deception as a hacking defense has been around since the beginning of IT security, as well. The first reported use of it by a civilian was in 1986 by Clifford Stoll, who created fake files promising Strategic Defense Initiative secrets to lure a spy onto his network.

This trick successfully entrapped a mercenary hacker working for the KGB. If you’ve never read The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, I highly recommend it. It’s a seminal work in the field of cybersecurity.

What is "deception as a defense" specifically? The most common deceptive tool is the honeypot, a fake server or network service that is meant to attract attacker attention and secretly record information about their actions. As Lance Spitzner, the progenitor of honeypots for cyber defense, said: "…whatever we designate as a honeypot, it is our expectation and goal to have the system probed, attacked, and potentially exploited."

A good honeypot could be a database server appearing to store thousands of credit cards. A hot target full of data is a great lure, especially if it appears to have weak access controls and is missing patches. Deceptive tools can also be false networks and routes created to trick or entrap attackers inside your network and draw them away from key resources. They can also include fake data stores, such as fake payment card numbers or doctored intellectual property, planted the way Cliff Stoll did. A good trick is to plant honey tokens, which are tagged usernames and passwords left for attackers to find, and then watch where they are used elsewhere. The Honeynet Project has a comprehensive list of deceptive tools.
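A sketch of the honey-token idea above, as an added example that is not from the original article: each decoy username carries a keyed tag identifying where it was planted, and a scan of authentication logs reports where it was later tried. The key, the decoy naming scheme, the planted locations, and the sshd-style log lines are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Assumption: a secret held by defenders only, never stored beside the decoys.
TAG_KEY = b"constructed-demo-key"

# Constructed inventory of places where decoy credentials were planted.
PLANTED = [
    "fileserver01:/share/it/passwords.txt",
    "wiki:/ops/runbook",
    "laptop-42:browser-store",
]

def make_honey_token(planted_at: str) -> str:
    """Return a decoy username whose suffix is an HMAC tag of its location."""
    tag = hmac.new(TAG_KEY, planted_at.encode(), hashlib.sha256).hexdigest()[:8]
    return f"svc_backup_{tag}"

# Reverse lookup: decoy username -> the place it was planted.
TOKENS = {make_honey_token(loc): loc for loc in PLANTED}

# Matches the password-auth lines in the constructed sample below.
AUTH_RE = re.compile(
    r"(?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def find_token_use(log_lines):
    """Return one alert per login attempt that used a planted honey token."""
    alerts = []
    for line in log_lines:
        m = AUTH_RE.search(line)
        if m and m["user"] in TOKENS:
            alerts.append({
                "planted_at": TOKENS[m["user"]],  # which lure was harvested
                "used_on": m["host"],             # where it was tried
                "source": m["src"],
                "result": m["result"],
            })
    return alerts

def sample_log():
    """Constructed log lines: one legitimate login, two uses of a decoy."""
    decoy = make_honey_token(PLANTED[0])
    return [
        "Jun  8 11:00:01 db02 sshd[811]: Accepted password for alice from 10.0.4.17 port 50022 ssh2",
        f"Jun  8 11:02:13 db02 sshd[822]: Failed password for invalid user {decoy} from 10.0.9.66 port 41812 ssh2",
        f"Jun  8 11:02:40 web01 sshd[901]: Failed password for invalid user {decoy} from 10.0.9.66 port 41990 ssh2",
    ]
```

Because no legitimate user ever holds a decoy credential, any hit is high-signal, and the tag tells responders which planted location was read.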

One thing we know for sure: deception has value in cyber defense. Fred Cohen proved this in 2001 by performing red team testing against networks using deception versus a control group. An interesting thing he uncovered was that even on networks without deceptive devices deployed, red team attackers were slowed down. As any Dungeons & Dragons player will tell you, constantly checking for traps takes time and energy away from pillaging and plunder. To quote Dr. Cohen’s study, “Deception works. Furthermore, it works well.”

Most deception tools currently in use by civilians consist of honeypots used by threat researchers to spy on bad guys’ trends, explore botnet C&C networks, and collect malware and exploits for analysis. This is not deception to serve in the direct defense of an organization but rather to power threat intelligence and anti-virus signature feeds. Outside of civilian usage, experts have reported off the record to F5 Labs researchers that honeypots and deceptive defenses are used within law enforcement and military organizations. However, that work is secretive and difficult to describe for obvious reasons.

Despite all the tools and positive research, why hasn’t deception as a defense caught on in mainstream cyber defense? It could be as John Maxwell said, "Most people are more satisfied with old problems than committed to finding new solutions."

Without a major championing organization, a "deceptive" security control will never be featured on any mainstream best practice list. This means it won’t appear on any compliance checklist, either, so no auditor would ever accept it as a "real control." What CISO has time or budget for extra credit? Many CISOs' budgets are driven by compliance and best practice requirements. Without the outside blessing of deceptive tools, it’s hard to justify the money and personnel to support such a tool.

There are other downsides to deception. For one, having fake booby-trapped IT resources on your network can confuse your IT operations team when they trip over them. If you tell the IT staff about the deception, you run the risk of leakage or informing a malicious insider. Also, the legal department may feel that active measures such as deception could represent a potential liability. Lastly, deception works best when it is tailored to the environment and matches the current IT infrastructure. This means that deceptive work needs to be customized and unique with out-of-band alarm mechanisms. So, deploying, maintaining, and monitoring deceptive tools requires a significant workload. Very few organizations have that many cycles to spare.

So far, these downsides have been enough to keep cyber deceptive tools out of the mainstream toolkit. However, if your organization has resources and wherewithal, they are worth exploring as powerful tools to slow down and even trap potential intruders.


Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ...