Vulnerabilities / Threats

12/18/2017
08:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Advanced Deception: How It Works & Why Attackers Hate It

While cyberattacks continue to grow, deception-based technology is providing accurate and scalable detection and response to in-network threats.

The second of a two-part post on deception.                                       

Distributed deception platforms have grown well beyond basic honeypot trapping techniques and are designed for high-interaction deceptions, early detection, and analysis of attackers' lateral movement. Additionally, deception platforms change the asymmetry of an attack by giving security teams the upper hand when a threat enters their network and forcing the attackers to be right 100% of the time or have their presence revealed, and by providing decoys that obfuscate the attack surface and through valuable threat intelligence and counterintelligence that is required to outmaneuver the advanced human attacker.

Given the increasing number and sophistication of today's breaches, it's not surprising that deception is gaining widespread attention. Neil MacDonald from analyst group Gartner recently recommended it as a 2017 top 10 cybersecurity initiative. Research and Markets has noted the global deception market is expected to grow to $2.12 billion by 2021.

There are a variety of deception solutions available that range from very simple traps to fully automated deception platforms. While individual deceptions offer benefits within their approach, this post focuses on the features common to the distributed deception platforms available on the market that are most actively sought out based on their comprehensive detection and response to advanced threats.

How Deception Works
Fundamentally, deception is designed to detect attackers when they conduct reconnaissance by moving laterally from the initially compromised system, and when they seek to harvest credentials from other systems. The assumption with deception is that no one should be engaging with the deception servers, decoys, lures, or bait because they provide no production capabilities that employees would access. Deception assets aren't advertised to employees, so any reconnaissance activity is a red flag and any engagement should prompt immediate action to prevent attackers from escalating their invasion.

Changing the Asymmetry on Attackers
Deception technology plays an instrumental role in changing the asymmetry of attacks. However, for deception to work, you need authenticity and attractiveness to fool savvy human attackers. Active Directory credential verification authenticates deception credentials as attractive targets. Deception that runs real operating systems and provides customization to match the production environment will appear authentic and trick attackers into revealing their presence. Facades built on emulation can be identified quickly and avoided by attackers. Dynamic behavioral deception techniques improve deception with machine learning that adapts to the behavior of the network, applications, and device profiles and continually refresh to remain attractive.

Additionally, adaptive deception lets organizations reset the deception synthetic network on demand. If you're suspicious of attack activity, resetting the attack surface will avoid attacker fingerprinting that could be used to mark and avoid decoys, create uncertainty, and increase the likelihood of an attacker making a mistake. The increased complexity and cost of restarting will slow an attack and serve as a deterrent, driving the attacker to start over or seek out an easier target.

Early and Accurate Detection
Deception-based detection is designed to detect in-network attackers early, regardless of the attack vector. Unlike other forms of detection, the solution does not require time to learn the network and is effective upon deployment. The network, endpoint, data, application, and Active Directory deceptions work collectively to detect lateral movement, credential theft, man-in-the-middle efforts, and Active Directory attacks.

Comprehensive Deployment
Today's threat landscape and attack surfaces are ever-changing, and detection methods must adapt to provide early detection of threats at the endpoint, and as they move through the network. Comprehensive deception technology scales to the evolving attack surfaces and detects threats throughout user networks, remote office/branch offices, and data centers, and supports data migration to the cloud as well as specialized networks such point-of-sale systems. Out-of-band deployments provide the best operational efficiency and scalability, and agentless endpoint deception simplifies deployment and manageability. If your organization uses an endpoint detection and response solution, look for vendors with integrations that provide automated deployment and integrated management options.

Attack Analysis, Forensic Reporting, and Integrations
Deception platforms with attack threat analysis will save time in automating the analysis and correlation of indicators of compromised information, which can then be used to accelerate incident response. Threat intelligence and forensic evidence reporting let organizations capture and catalogue all attack activity to support understanding of the attacker's objectives, which can lead to better overall security. Deception solutions capture attacker behavior and through integrations share the full tactics, techniques, and procedures of the engagement with firewalls, security and event management systems, network access control products, and endpoint devices. These integrations also empower automated blocking and isolation of infected endpoints.

Through the use of files that contain fake sensitive data, and beaconing technology that calls back when accessed by attackers, counterintelligence can be gathered on which types of files were stolen and for insight into where the data ends up.

High-Interaction Deception
Deception slows the attack as threat actors get lost in the deception environment while thinking they are escalating their attack. The use of adaptive deception creates complexity for the attacker by dynamically changing the perceived attack surface on attackers, increasing their cost, and acting as a deterrent. Notably, this ability to obfuscate the attack surface has proven itself with pen testers, who have also fallen prey to the deception environment and been tracked for days, only to find themselves defeated.

In addition, high-interaction deception for ransomware can slow down an attack by 25x or more. Deception-mapped drives lure attackers and feed them reams of fake data to keep them busy while the infected system is isolated from the network.

Ease of Operations and Risk Insight
Deception makes it easy to deploy solutions for detecting and responding to threats —important in this age of staff shortages. Deception not only strengthens defenses with early and accurate engagement-based detection but also plays a critical role in deterring attacks with visibility tools to assess likely attack paths, time-lapsed maps of attacker movement, and integrations for accelerated incident response. 

While cyberattacks grow in number and sophistication, deception-based technology is providing accurate, scalable detection and response to in-network threats. Organizations increasingly are turning to deception to close the detection deficit and to gain an advantage over attackers with the ability to perform counterintelligence, increase their costs, and slow their attacks. 

Read part one: Deception: Why It's Not Just Another Honeypot.

Related Content:

Carolyn Crandall is a technology executive with over 25 years of experience in building emerging technology markets in security, networking, and storage industries. She has a demonstrated track record of successfully taking companies from pre-IPO through to ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/12/2018 | 8:36:52 AM
Re: First problem that comes to mind is
How much risk by not knowing?  Answer:  Equifax - near total destruction of trust.

How much will it cost:  Answer: Equifax shareholder value loss and potential loss of C-Suite job.

I think executives would understand the simple answer. 
ctcrandall
50%
50%
ctcrandall,
User Rank: Author
1/11/2018 | 2:41:30 PM
Re: First problem that comes to mind is
It is extremely difficult for CISOs to understand the value behind over 3000 security offerings. Deception technology gets no special exemption from this challenge. The question to ask the C-Suite is how confident are they in knowing if threats have bypassed security controls and are mounting an attack within their network. If they are not 100% confident (who really can be sure?), then deception is an accurate and efficient solution for early threat detection. Does it work? It's pretty easy to test in a POC or stand up during a Pen Test. So, it really boils down to how much risk are they willing to take by not knowing and what will it cost if they are wrong.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/5/2018 | 1:22:49 PM
First problem that comes to mind is
Getting approval from the dumb C-Suite to spend actual and for real MONEY on a server structure that does NOTHING perse but emulates something else.  They would not get the benefits and risk-rewards involved and view it as a line-item expense only. 
WSJ Report: Facebook Breach the Work of Spammers, Not Nation-State Actors
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/19/2018
The Browser Is the New Endpoint
Rajesh Ranganathan, Product Manager at ManageEngine,  10/23/2018
Good Times in Security Come When You Least Expect Them
Joshua Goldfarb, Co-founder & Chief Product Officer, IDRRA ,  10/23/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.