Dark Reading
Vulnerabilities / Threats

9/3/2020
02:00 PM
Fake Data and Fake Information: A Treasure Trove for Defenders

Cybersecurity professionals are using false data to deceive cybercriminals, enabling them to protect networks in new and innovative ways.

No one wants to believe that fake data can influence them, but evidence of its impact is all around us. Studies have shown that fake news can influence how we vote, what we buy, who we support, and what we do. This can happen through dedicated misinformation campaigns, deceptively edited videos, and the use of technologies like social media bots and deepfakes, which make it difficult to distinguish what is real from what is fake.

However, while the impact that fake information can have is often concerning, it can also be a tool used for good. Today's cybersecurity professionals are using false data to deceive cybercriminals, enabling them to protect networks in new and innovative ways.

Attackers Want Data, So Why Not Give It to Them?
Attackers don't inherently know the details of a network or have the privileges they need to steal or encrypt information. Conventional wisdom says to do everything possible to deny an attacker access to any data, but cyberattackers are persistent and will keep coming back until they gain the data they seek. Today's cybersecurity professionals are increasingly employing a new strategy: hiding real information and serving false information designed to get attackers to reveal their attack secrets, disclose their presence, and steer their paths away from critical assets and into the trap of a decoy.

By allowing attackers and their automated tools to believe they are getting what they are after, defenders can lead attackers into a deception server that appears to contain the database, web server, application, or other assets that the adversary was looking for. Because they have been fooled into believing that they have found the info they need, they will continue forward in their "attack," revealing valuable intelligence to the security team on their attack tactics and intent.

It is fun to muse on how this sort of trickery is turning the attacker's beloved tactics of deception against them. Attackers use false information all the time, like spoofing an email address or including a malicious link in a phishing email. Instead of tricking users into giving up their credentials, defenders can now trick attackers into believing they have acquired the real credentials, admin accounts, and other secrets that they need to advance their attacks. In cybersecurity, this turnabout is undoubtedly fair play.

Spies and double agents have kept their enemies off-guard for hundreds of years. At its core, deception shapes the actions of people in the direction you want them to go, whether that comes in the form of convincing the enemy to send their army to another region, as happened in WWII, or in current times, where information is manipulated to influence voters toward a particular candidate. In cybersecurity, as in war, the goal is to give attackers information that leads them to do what defenders want them to do instead of what they are attempting to do.

How Fake News (and Fake Data) Work
There are specific actions that defenders can take to improve their odds of successfully derailing an attack, and the first step is concealment. Hide the data, files, folders, Active Directory (AD), and other assets that attackers are after, making sure that real data is easily viewable and accessible to employees but not easily visible to an attacker. This is fairly straightforward, in that an employee will use a file manager, while an attacker will use the command line or tools like Netcat. Concealment, along with the ability to deny access, can be quite powerful: a cybercriminal cannot encrypt, erase, or steal what they cannot find.

The next step is to strategically place fake data that appears to be real within the network so that as attackers take different actions attempting to access that data, the simulated data can lead them into an environment where defenders can gather information on tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and other valuable intelligence. By using fake data to trick attackers into tipping their hands, defenders can gather real data that will enable them to craft even more effective deceptions. Because they know more about the people attacking them, defenders can better fortify their defenses in the future.

There are specific steps that defenders can take to protect certain high-value targets as well.

  • Attackers often prioritize AD in the hopes of acquiring admin-level credentials that can accelerate and escalate their movement through the system. Placing a phony AD server and planting fake credentials at the endpoint that answer the attackers' queries with false information and credentials can make the attackers believe they got what they were after — but the second they try to use those credentials, defenders are alerted to their presence.

  • Likewise, if attackers are looking for applications with known vulnerabilities to exploit, feeding them a fake application or web server when they scan the ports in question can derail those efforts. This will again make them think they can exploit those vulnerabilities when, in reality, they have played right into the defender's hands.
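A minimal version of the decoy-credential alerting described above, added here as an illustration (not code from the article or from Attivo Networks). Every account name, host, address and the log format are constructed, and the registry mapping each decoy to the endpoint it was planted on is an assumption; it shows why one unique decoy per endpoint is useful: an attempt to use it reveals not only the intruder's presence but also where the credential was lifted from.

```python
"""Honeytoken credential alerting: each decoy account is planted on exactly one
endpoint, so any authentication attempt with it reveals both the intruder's
presence and the endpoint the credential was lifted from."""
import re
from dataclasses import dataclass

# Constructed decoy registry (hypothetical names): decoy username -> endpoint it was planted on.
DECOY_ACCOUNTS = {
    "svc_backup_adm": "ws-finance-07",
    "sqladmin_legacy": "ws-hr-12",
}

# Constructed sample of Windows-style logon events, simplified to one line each.
SAMPLE_LOG = """\
2020-09-03T13:58:01Z host=dc01 event=4624 user=jsmith src=10.1.4.22 status=success
2020-09-03T14:02:17Z host=dc01 event=4625 user=svc_backup_adm src=10.1.4.22 status=failure
2020-09-03T14:02:19Z host=dc01 event=4625 user=svc_backup_adm src=10.1.4.22 status=failure
2020-09-03T14:05:40Z host=fs02 event=4624 user=mlee src=10.1.9.8 status=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) status=(?P<status>\S+)$"
)

@dataclass(frozen=True)
class DecoyAlert:
    ts: str
    user: str
    src: str
    planted_on: str
    status: str

def find_decoy_use(log_text: str, decoys=DECOY_ACCOUNTS) -> list:
    """Return one alert per authentication attempt that uses a decoy account.
    Success or failure does not matter: a decoy is never used legitimately,
    so any attempt at all is a high-confidence signal."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] not in decoys:
            continue
        alerts.append(DecoyAlert(m["ts"], m["user"], m["src"], decoys[m["user"]], m["status"]))
    return alerts

def compromised_endpoints(alerts) -> set:
    """Endpoints whose planted decoy has been used: where the attacker has already been."""
    return {a.planted_on for a in alerts}

if __name__ == "__main__":
    for a in find_decoy_use(SAMPLE_LOG):
        print(f"ALERT {a.ts}: decoy '{a.user}' used from {a.src}; lifted from {a.planted_on}")
```

In the constructed sample, the two failed logons with `svc_backup_adm` from 10.1.4.22 point back to ws-finance-07 as the endpoint the attacker has already touched, even though nothing else in the log looks unusual.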

Better Denial and Deception Means Better Protection
If you've ever played poker, you've likely engaged in the tactic of misinformation — that's what a bluff is. A good bluff can force someone into a wrong decision or action because misinformation provides a mistaken impression about what is really going on. If you can convince an opponent to fold their three-of-a-kind or go all-in on a pair of twos, you will likely profit from their bad decisions.

Attackers with the wrong information in the cyber realm make similarly bad decisions. Whether by misleading them into interacting with a fake web server or using a set of decoy credentials, feeding false information to cybercriminals can trick them into giving themselves away before they can do damage. By allowing infosec teams to leverage those mistakes to not only detect and derail attacks but also continue to gather adversary intelligence on the attacker, fake data can help turn the battlefield in the defender's favor.

Carolyn Crandall is the Chief Deception Officer and CMO at Attivo Networks, the leader in deception for cybersecurity threat detection. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure ...