Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
6/8/2017
11:00 AM
Raymond Pompon
Raymond Pompon
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Will Deception as a Defense Become Mainstream?

If your organization has the right resources, deception strategies offer a powerful way to slow down and entrap potential intruders.

The concept of using deception in warfare goes back to the dawn of time. Thousands of years ago, Sun Tzu wrote that "all warfare is based on deception." IT deception as a hacking defense has been around since the beginning of IT security, as well. The first reported use of it by a civilian was in 1986 by Clifford Stoll, who created fake files promising Strategic Defense Initiative secrets to lure a spy onto his network.

This trick successfully entrapped a mercenary hacker working for the KGB. If you’ve never read The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, I highly recommend it. It’s a seminal work in the field of cybersecurity.

What is "deception as a defense" specifically? The most common deceptive tool is the honeypot, a fake server or network service that is meant to attract attacker attention and secretly record information about their actions. As Lance Spitzner, the progenitor of honeypots for cyber defense, said: "…whatever we designate as a honeypot, it is our expectation and goal to have the system probed, attacked, and potentially exploited."

A good honeypot could be a database server appearing to store thousands of credit cards. A hot target full of data is a great lure, especially if it appears to have weak access controls and is missing patches. Deceptive tools can also be false networks and routes created to trick or entrap attackers inside your network and draw them away from key resources. Deceptive tools can also include fake data stores such as fake payment card numbers or doctored intellectual property, planted the way Cliff Stoll did. A good trick is to plant honey tokens, which are tagged usernames and passwords for attackers, and then watch where they are used elsewhere. The Honeynet Project has a comprehensive list of deceptive tools.

One thing we know for sure, deception has value in a cyber defense. Fred Cohen proved this in 2001 by performing red team testing against networks using deception versus a control group. An interesting thing he uncovered was that even on networks without deceptive devices deployed, red team attackers were slowed down. As any Dungeons & Dragons player will tell you, constantly checking for traps takes time and energy away from pillaging and plunder. To quote Dr. Cohen’s study, “Deception works. Furthermore, it works well.”

Most deception tools currently in use by civilians consist of honeypots used by threat researchers to spy on bad guys’ trends, explore botnet C&C networks, and collect malware and exploits for analysis. This is not deception to serve in the direct defense of an organization but rather to power threat intelligence and anti-virus signature feeds. Outside of civilian usage, experts have reported off the record to F5 Labs researchers that honeypots and deceptive defenses are used within law enforcement and military organizations. However, that work is secretive and difficult to describe for obvious reasons.

Despite all the tools and positive research, why hasn’t deception as a defense caught on in mainstream cyber defense? It could be as John Maxwell said, "Most people are more satisfied with old problems than committed to finding new solutions."

Without a major championing organization, a "deceptive" security control will never be featured on any mainstream best practice list. This means it won’t appear on any compliance checklist, either, so no auditor would ever accept it as a "real control." What CISO has time or budget for extra credit? Many CISO's budgets are driven by compliance and best practice requirements. Without the outside blessing of deceptive tools, it’s hard to justify the money and personnel to support such a tool.

There are other downsides to deception. For one, having fake booby-trapped IT resources on your network can confuse your IT operations team when they trip over them. If you tell the IT staff about the deception, you run the risk of leakage or informing a malicious insider. Also, the legal department may feel that active measures such as deception could represent a potential liability. Lastly, deception works best when it is tailored to the environment and matches the current IT infrastructure. This means that deceptive work needs to be customized and unique with out-of-band alarm mechanisms. So, deploying, maintaining, and monitoring deceptive tools requires a significant workload. Very few organizations have that many cycles to spare.

So far, these downsides have been enough to keep cyber deceptive tools out of the mainstream toolkit. However, if your organization has resources and wherewithal, they are worth exploring as powerful tools to slow down and even trap potential intruders.

Get the latest application threat intelligence from F5 Labs.

 

Raymond Pompon is a Principal Threat Researcher Evangelist with F5 labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cloud Security's Shared Responsibility Is Foggy
Ben Johnson, Co-founder and CTO, Obsidian Security,  9/14/2017
To Be Ready for the Security Future, Pay Attention to the Security Past
Liz Maida, Co-founder, CEO & CTO, Uplevel Security,  9/18/2017
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
F5 makes apps go-faster, smarter, and safer. With solutions for the cloud and the data center, F5 technology provides unparalleled visibility and control, allowing customers to secure their users, applications, and data. For more information, visit www.f5.com.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.