Dark Reading is part of the Informa Tech Division of Informa PLC
Vulnerabilities / Threats

9/3/2020 02:00 PM
Fake Data and Fake Information: A Treasure Trove for Defenders

Cybersecurity professionals are using false data to deceive cybercriminals, enabling them to protect networks in new and innovative ways.

No one wants to believe that fake data can influence them, but evidence of its impact is all around us. Studies have shown that fake news can influence how we vote, what we buy, who we support, and what we do. This can transpire through dedicated misinformation campaigns, deceptively edited videos, and the use of technologies like social media bots and deepfakes, which make it difficult to decipher what is real from what is fake.

However, while the impact that fake information can have is often concerning, it can also be a tool used for good. Today's cybersecurity professionals are using false data to deceive cybercriminals, enabling them to protect networks in new and innovative ways. 

Attackers Want Data, So Why Not Give It to Them?
Attackers don't inherently know the details of a network or have the privileges they need to steal or encrypt information. Conventional wisdom says to do everything possible to deny an attacker access to any data, but cyberattackers are persistent and will keep coming back until they gain the data they seek. Today's cybersecurity professionals are increasingly employing a new strategy: conceal the real information and feed attackers false information designed to make them reveal their tradecraft, disclose their presence, and steer their paths away from critical assets and into the trap of a decoy.

By allowing attackers and their automated tools to believe they are getting what they are after, defenders can lead attackers into a deception server that appears to contain the database, web server, application, or other assets that the adversary was looking for. Because they have been fooled into believing that they have found the info they need, they will continue forward in their "attack," revealing valuable intelligence to the security team on their attack tactics and intent.

It is fun to muse on how this sort of trickery is turning the attacker's beloved tactics of deception against them. Attackers use false information all the time, like spoofing an email address or including a malicious link in a phishing email. Instead of tricking users into giving up their credentials, defenders can now trick attackers into believing they have acquired the real credentials, admin accounts, and other secrets that they need to advance their attacks. In cybersecurity, this turnabout is undoubtedly fair play.

Spies and double agents have kept their enemies off-guard for hundreds of years. At its core, deception shapes the actions of people in the direction you want them to go, whether that comes in the form of convincing the enemy to send their army to another region, as happened in WWII, or in current times, where information is manipulated to influence voters toward a particular candidate. In cybersecurity, as in war, the goal is to give attackers information that leads them to do what defenders want them to do instead of what they are attempting to do.

How Fake News (and Fake Data) Work
There are specific actions that defenders can take to improve their odds of successfully derailing an attack, and the first step is concealment. Hide the data, files, folders, Active Directory (AD), and other assets that attackers are after, making sure that real data stays easily viewable and accessible to employees but is not easily visible to an attacker. This is more straightforward than it sounds, because the two behave differently: an employee will use a file manager, while an attacker will use the command line or tools like Netcat. Concealment, combined with the ability to deny access, can be quite powerful: a cybercriminal cannot encrypt, erase, or steal what they cannot find.

The next step is to strategically place fake data that appears to be real within the network so that as attackers take different actions attempting to access that data, the simulated data can lead them into an environment where defenders can gather information on tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and other valuable intelligence. By using fake data to trick attackers into tipping their hands, defenders can gather real data that will enable them to craft even more effective deceptions. Because they know more about the people attacking them, defenders can better fortify their defenses in the future.

There are specific steps that defenders can take to protect certain high-value targets as well.

  • Attackers often prioritize AD in the hopes of acquiring admin-level credentials that can accelerate and escalate their movement through the system. Placing a phony AD server and planting fake credentials at the endpoint that answer the attackers' queries with false information and credentials can make the attackers believe they got what they were after — but the second they try to use those credentials, defenders are alerted to their presence.

  • Likewise, if attackers are looking for applications with known vulnerabilities to exploit, feeding them a fake application or web server when they scan the ports in question can derail those efforts. This will again make them think they can exploit those vulnerabilities when, in reality, they have played right into the defender's hands.
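As an added illustration of the alert-on-use step in the first bullet (example code written for this page, not part of the original article or any vendor's product): a small Python detector runs over constructed sshd-style auth lines, and any authentication attempt that names a planted decoy account, successful or not, becomes an alert tied back to where that credential was planted. The account names, placements, hostnames, addresses and log lines are all constructed.

```python
import re

# Decoy accounts planted at endpoints (constructed names for this example).
# No legitimate user has a reason to use them, so any attempt is a high-fidelity signal.
DECOY_ACCOUNTS = {
    "svc_backup_admin": "saved in the credential store of workstation WS-017 (constructed)",
    "da_legacy": "returned by the decoy AD server in response to account enumeration",
}

# sshd-style auth log, constructed for this example (not from any real system).
AUTH_LOG = """\
Jan 12 09:14:02 fs01 sshd[2101]: Accepted publickey for alice from 10.0.5.20 port 50212 ssh2
Jan 12 09:15:47 fs01 sshd[2144]: Failed password for svc_backup_admin from 10.0.9.77 port 51122 ssh2
Jan 12 09:15:49 fs01 sshd[2144]: Failed password for svc_backup_admin from 10.0.9.77 port 51122 ssh2
Jan 12 09:16:03 fs01 sshd[2151]: Accepted password for da_legacy from 10.0.9.77 port 51130 ssh2
Jan 12 09:20:11 fs01 sshd[2190]: Failed password for invalid user guest from 10.0.5.31 port 40001 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def detect_decoy_use(log_text):
    """One alert dict per auth event naming a decoy account. Failed and accepted
    attempts both count: a decoy credential being tried at all means someone
    harvested it from where it was planted."""
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m and m["user"] in DECOY_ACCOUNTS:
            alerts.append({**m.groupdict(), "placement": DECOY_ACCOUNTS[m["user"]]})
    return alerts

def sources_to_investigate(alerts):
    """Distinct source addresses that touched a decoy: the pivot point for
    containment and for collecting the attacker's TTPs."""
    return sorted({a["src"] for a in alerts})

if __name__ == "__main__":
    for a in detect_decoy_use(AUTH_LOG):
        print(f"[DECOY USED] {a['ts']} {a['host']} user={a['user']} "
              f"src={a['src']} ({a['result']}); planted: {a['placement']}")
```

The same matching logic applies to any auth source (Windows 4624/4625 events, VPN logs) once a parser for that format fills the same fields; the point is that the decoy account list, not a signature of attacker tooling, drives the detection.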

Better Denial and Deception Means Better Protection
If you've ever played poker, you've likely engaged in the tactic of misinformation — that's what a bluff is. A good bluff can force someone into a wrong decision or action because misinformation provides a mistaken impression about what is really going on. If you can convince an opponent to fold their three-of-a-kind or go all-in on a pair of twos, you will likely profit from their bad decisions.

Attackers with the wrong information in the cyber realm make similarly bad decisions. Whether by misleading them into interacting with a fake web server or into using a set of decoy credentials, feeding false information to cybercriminals can trick them into giving themselves away before they can do damage. By letting infosec teams leverage those mistakes not only to detect and derail attacks but also to keep gathering intelligence on the adversary, fake data can help turn the battlefield in the defender's favor.

Carolyn Crandall is the Chief Deception Officer and CMO at Attivo Networks, the leader in deception for cybersecurity threat detection. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure ...