Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
6/8/2017
11:00 AM
Raymond Pompon
Raymond Pompon
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Will Deception as a Defense Become Mainstream?

If your organization has the right resources, deception strategies offer a powerful way to slow down and entrap potential intruders.

The concept of using deception in warfare goes back to the dawn of time. Thousands of years ago, Sun Tzu wrote that "all warfare is based on deception." IT deception as a hacking defense has been around since the beginning of IT security, as well. The first reported use of it by a civilian was in 1986 by Clifford Stoll, who created fake files promising Strategic Defense Initiative secrets to lure a spy onto his network.

This trick successfully entrapped a mercenary hacker working for the KGB. If you’ve never read The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, I highly recommend it. It’s a seminal work in the field of cybersecurity.

What is "deception as a defense" specifically? The most common deceptive tool is the honeypot, a fake server or network service that is meant to attract attacker attention and secretly record information about their actions. As Lance Spitzner, the progenitor of honeypots for cyber defense, said: "…whatever we designate as a honeypot, it is our expectation and goal to have the system probed, attacked, and potentially exploited."

A good honeypot could be a database server appearing to store thousands of credit cards. A hot target full of data is a great lure, especially if it appears to have weak access controls and is missing patches. Deceptive tools can also be false networks and routes created to trick or entrap attackers inside your network and draw them away from key resources. Deceptive tools can also include fake data stores such as fake payment card numbers or doctored intellectual property, planted the way Cliff Stoll did. A good trick is to plant honey tokens, which are tagged usernames and passwords for attackers, and then watch where they are used elsewhere. The Honeynet Project has a comprehensive list of deceptive tools.

One thing we know for sure, deception has value in a cyber defense. Fred Cohen proved this in 2001 by performing red team testing against networks using deception versus a control group. An interesting thing he uncovered was that even on networks without deceptive devices deployed, red team attackers were slowed down. As any Dungeons & Dragons player will tell you, constantly checking for traps takes time and energy away from pillaging and plunder. To quote Dr. Cohen’s study, “Deception works. Furthermore, it works well.”

Most deception tools currently in use by civilians consist of honeypots used by threat researchers to spy on bad guys’ trends, explore botnet C&C networks, and collect malware and exploits for analysis. This is not deception to serve in the direct defense of an organization but rather to power threat intelligence and anti-virus signature feeds. Outside of civilian usage, experts have reported off the record to F5 Labs researchers that honeypots and deceptive defenses are used within law enforcement and military organizations. However, that work is secretive and difficult to describe for obvious reasons.

Despite all the tools and positive research, why hasn’t deception as a defense caught on in mainstream cyber defense? It could be as John Maxwell said, "Most people are more satisfied with old problems than committed to finding new solutions."

Without a major championing organization, a "deceptive" security control will never be featured on any mainstream best practice list. This means it won’t appear on any compliance checklist, either, so no auditor would ever accept it as a "real control." What CISO has time or budget for extra credit? Many CISO's budgets are driven by compliance and best practice requirements. Without the outside blessing of deceptive tools, it’s hard to justify the money and personnel to support such a tool.

There are other downsides to deception. For one, having fake booby-trapped IT resources on your network can confuse your IT operations team when they trip over them. If you tell the IT staff about the deception, you run the risk of leakage or informing a malicious insider. Also, the legal department may feel that active measures such as deception could represent a potential liability. Lastly, deception works best when it is tailored to the environment and matches the current IT infrastructure. This means that deceptive work needs to be customized and unique with out-of-band alarm mechanisms. So, deploying, maintaining, and monitoring deceptive tools requires a significant workload. Very few organizations have that many cycles to spare.

So far, these downsides have been enough to keep cyber deceptive tools out of the mainstream toolkit. However, if your organization has resources and wherewithal, they are worth exploring as powerful tools to slow down and even trap potential intruders.

Get the latest application threat intelligence from F5 Labs.

 

Raymond Pompon is a Principal Threat Researcher Evangelist with F5 labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-41393
PUBLISHED: 2021-09-18
Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows forgery of SSH host certificates in some situations.
CVE-2021-41394
PUBLISHED: 2021-09-18
Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows alteration of build artifacts in some situations.
CVE-2021-41395
PUBLISHED: 2021-09-18
Teleport before 6.2.12 and 7.x before 7.1.1 allows attackers to control a database connection string, in some situations, via a crafted database name or username.
CVE-2021-3806
PUBLISHED: 2021-09-18
A path traversal vulnerability on Pardus Software Center's "extractArchive" function could allow anyone on the same network to do a man-in-the-middle and write files on the system.
CVE-2021-41392
PUBLISHED: 2021-09-17
static/main-preload.js in Boost Note through 0.22.0 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal Electron API.