Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
6/8/2017
11:00 AM
Raymond Pompon
Raymond Pompon
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Will Deception as a Defense Become Mainstream?

If your organization has the right resources, deception strategies offer a powerful way to slow down and entrap potential intruders.

The concept of using deception in warfare goes back to the dawn of time. Thousands of years ago, Sun Tzu wrote that "all warfare is based on deception." IT deception as a hacking defense has been around since the beginning of IT security, as well. The first reported use of it by a civilian was in 1986 by Clifford Stoll, who created fake files promising Strategic Defense Initiative secrets to lure a spy onto his network.

This trick successfully entrapped a mercenary hacker working for the KGB. If you’ve never read The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, I highly recommend it. It’s a seminal work in the field of cybersecurity.

What is "deception as a defense" specifically? The most common deceptive tool is the honeypot, a fake server or network service that is meant to attract attacker attention and secretly record information about their actions. As Lance Spitzner, the progenitor of honeypots for cyber defense, said: "…whatever we designate as a honeypot, it is our expectation and goal to have the system probed, attacked, and potentially exploited."

A good honeypot could be a database server appearing to store thousands of credit cards. A hot target full of data is a great lure, especially if it appears to have weak access controls and is missing patches. Deceptive tools can also be false networks and routes created to trick or entrap attackers inside your network and draw them away from key resources. Deceptive tools can also include fake data stores such as fake payment card numbers or doctored intellectual property, planted the way Cliff Stoll did. A good trick is to plant honey tokens, which are tagged usernames and passwords for attackers, and then watch where they are used elsewhere. The Honeynet Project has a comprehensive list of deceptive tools.

One thing we know for sure, deception has value in a cyber defense. Fred Cohen proved this in 2001 by performing red team testing against networks using deception versus a control group. An interesting thing he uncovered was that even on networks without deceptive devices deployed, red team attackers were slowed down. As any Dungeons & Dragons player will tell you, constantly checking for traps takes time and energy away from pillaging and plunder. To quote Dr. Cohen’s study, “Deception works. Furthermore, it works well.”

Most deception tools currently in use by civilians consist of honeypots used by threat researchers to spy on bad guys’ trends, explore botnet C&C networks, and collect malware and exploits for analysis. This is not deception to serve in the direct defense of an organization but rather to power threat intelligence and anti-virus signature feeds. Outside of civilian usage, experts have reported off the record to F5 Labs researchers that honeypots and deceptive defenses are used within law enforcement and military organizations. However, that work is secretive and difficult to describe for obvious reasons.

Despite all the tools and positive research, why hasn’t deception as a defense caught on in mainstream cyber defense? It could be as John Maxwell said, "Most people are more satisfied with old problems than committed to finding new solutions."

Without a major championing organization, a "deceptive" security control will never be featured on any mainstream best practice list. This means it won’t appear on any compliance checklist, either, so no auditor would ever accept it as a "real control." What CISO has time or budget for extra credit? Many CISO's budgets are driven by compliance and best practice requirements. Without the outside blessing of deceptive tools, it’s hard to justify the money and personnel to support such a tool.

There are other downsides to deception. For one, having fake booby-trapped IT resources on your network can confuse your IT operations team when they trip over them. If you tell the IT staff about the deception, you run the risk of leakage or informing a malicious insider. Also, the legal department may feel that active measures such as deception could represent a potential liability. Lastly, deception works best when it is tailored to the environment and matches the current IT infrastructure. This means that deceptive work needs to be customized and unique with out-of-band alarm mechanisms. So, deploying, maintaining, and monitoring deceptive tools requires a significant workload. Very few organizations have that many cycles to spare.

So far, these downsides have been enough to keep cyber deceptive tools out of the mainstream toolkit. However, if your organization has resources and wherewithal, they are worth exploring as powerful tools to slow down and even trap potential intruders.

Get the latest application threat intelligence from F5 Labs.

 

Raymond Pompon is a Principal Threat Researcher Evangelist with F5 labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "Elon, I think our cover's been blown."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27400
PUBLISHED: 2021-04-22
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1
CVE-2021-29653
PUBLISHED: 2021-04-22
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.
CVE-2021-30476
PUBLISHED: 2021-04-22
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1.
CVE-2021-22540
PUBLISHED: 2021-04-22
Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags.
CVE-2021-27736
PUBLISHED: 2021-04-22
FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.