Dark Reading | Vulnerabilities / Threats
9/3/2020
Fake Data and Fake Information: A Treasure Trove for Defenders

Cybersecurity professionals are using false data to deceive cybercriminals, enabling them to protect networks in new and innovative ways.

No one wants to believe that fake data can influence them, but evidence of its impact is all around us. Studies have shown that fake news can influence how we vote, what we buy, who we support, and what we do. This can transpire through dedicated misinformation campaigns, deceptively edited videos, and the use of technologies like social media bots and deepfakes, which make it difficult to decipher what is real from what is fake.


However, while the impact that fake information can have is often concerning, it can also be a tool used for good. Today's cybersecurity professionals are using false data to deceive cybercriminals, enabling them to protect networks in new and innovative ways. 

Attackers Want Data, So Why Not Give It to Them?
Attackers don't inherently know the details of a network or have the privileges they need to steal or encrypt information. Conventional wisdom says to do everything possible to deny an attacker access to any data, but cyberattackers are persistent and will keep coming back until they gain the data they seek. Today's cybersecurity professionals are increasingly employing a new strategy, which includes the hiding of real information and the sending of false information designed to get attackers to reveal their attack secrets, disclose their presence, and control their paths away from critical assets and into the trap of a decoy.

By allowing attackers and their automated tools to believe they are getting what they are after, defenders can lead attackers into a deception server that appears to contain the database, web server, application, or other assets that the adversary was looking for. Because they have been fooled into believing that they have found the info they need, they will continue forward in their "attack," revealing valuable intelligence to the security team on their attack tactics and intent.

It is fun to muse on how this sort of trickery is turning the attacker's beloved tactics of deception against them. Attackers use false information all the time, like spoofing an email address or including a malicious link in a phishing email. Instead of tricking users into giving up their credentials, defenders can now trick attackers into believing they have acquired the real credentials, admin accounts, and other secrets that they need to advance their attacks. In cybersecurity, this turnabout is undoubtedly fair play.

Spies and double agents have kept their enemies off-guard for hundreds of years. At its core, deception shapes the actions of people in the direction you want them to go, whether that comes in the form of convincing the enemy to send their army to another region, as happened in WWII, or in current times, where information is manipulated to influence voters toward a particular candidate. In cybersecurity, as in war, the goal is to give attackers information that leads them to do what defenders want them to do instead of what they are attempting to do.

How Fake News (and Fake Data) Work
There are specific actions that defenders can take to improve their odds of successfully derailing an attack, and the first step is concealment. Hide the data, files, folders, Active Directory (AD), and other assets that attackers are after, making sure that real data remains easily viewable and accessible to employees but is not easily visible to an attacker. The distinction is straightforward: an employee browses through a file manager, whereas an attacker typically enumerates from the command line or with tools like Netcat. Concealment, combined with the ability to deny access, can be quite powerful: a cybercriminal cannot encrypt, erase, or steal what they cannot find.

The next step is to strategically place fake data that appears to be real within the network so that as attackers take different actions attempting to access that data, the simulated data can lead them into an environment where defenders can gather information on tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and other valuable intelligence. By using fake data to trick attackers into tipping their hands, defenders can gather real data that will enable them to craft even more effective deceptions. Because they know more about the people attacking them, defenders can better fortify their defenses in the future.

There are specific steps that defenders can take to protect certain high-value targets as well.

  • Attackers often prioritize AD in the hopes of acquiring admin-level credentials that can accelerate and escalate their movement through the system. Placing a phony AD server and planting fake credentials at the endpoint that answer the attackers' queries with false information and credentials can make the attackers believe they got what they were after — but the second they try to use those credentials, defenders are alerted to their presence.

  • Likewise, if attackers are looking for applications with known vulnerabilities to exploit, feeding them a fake application or web server when they scan the ports in question can derail those efforts. This will again make them think they can exploit those vulnerabilities when, in reality, they have played right into the defender's hands.
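The two decoys just described only pay off if someone is watching for them to be touched. The following is an added example, not code from the article or from Attivo Networks, of the alerting side: a small Python detector that knows which accounts and which services are planted decoys and raises an alert, with the source address as an indicator of compromise, whenever a log line shows one being used. It assumes a defender-maintained registry of decoys (the account names, the decoy host address, and the listener ports are all constructed for this example) and two constructed log formats, an OpenSSH-style password-auth line and a simple firewall flow line; the sample log lines are likewise constructed.

```python
"""Decoy-credential and decoy-service alerting over constructed log lines.

Added example, not the article's or Attivo Networks' code. Assumes a
defender-maintained decoy registry and the two log formats parsed below;
all hosts, accounts and addresses are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Registry of planted decoys. Nothing legitimate ever references these,
# so any use is attacker activity by construction (constructed values).
DECOY_ACCOUNTS = {"svc_backup_admin", "da_legacy"}        # planted in endpoint credential stores
DECOY_SERVICES = {("10.9.9.20", 8443), ("10.9.9.20", 3389)}  # fake app / fake RDP on the decoy host


@dataclass
class Alert:
    kind: str      # "decoy_credential" or "decoy_service"
    source: str    # attacker-side IP address
    target: str    # decoy account, or decoy host:port
    evidence: str  # raw log line that triggered the alert


@dataclass
class Intel:
    alerts: list = field(default_factory=list)
    sources: set = field(default_factory=set)  # IOCs: every IP that touched a decoy


# OpenSSH-style auth line, e.g. "sshd[2290]: Failed password for invalid user X from 10.8.8.8 port ..."
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)"
)
# Constructed firewall flow line, e.g. "fw01 flow: 10.8.8.8 -> 10.9.9.20:8443"
FLOW_RE = re.compile(r"flow: (\S+) -> (\S+):(\d+)")


def analyse(lines):
    """Scan log lines and collect alerts plus the set of source IPs that hit a decoy."""
    intel = Intel()
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            account, src = m.group(1), m.group(2)
            # A real account logging in is normal; a decoy account being used is not.
            if account in DECOY_ACCOUNTS:
                intel.alerts.append(Alert("decoy_credential", src, account, line))
                intel.sources.add(src)
            continue
        m = FLOW_RE.search(line)
        if m:
            src, host, port = m.group(1), m.group(2), int(m.group(3))
            # Only the exact (host, port) pairs that are decoys count; real RDP/HTTPS elsewhere stays quiet.
            if (host, port) in DECOY_SERVICES:
                intel.alerts.append(Alert("decoy_service", src, f"{host}:{port}", line))
                intel.sources.add(src)
    return intel


def summarise(intel):
    """Per source IP, the ordered list of decoys touched (a crude view of the attacker's path)."""
    path = {}
    for a in intel.alerts:
        path.setdefault(a.source, []).append(a.target)
    return path


# Constructed sample log lines: one benign login, one attacker trying both decoy
# accounts, one attacker probe of the decoy service, and two benign flows.
SAMPLE_LOGS = [
    "Jan 20 10:01:02 fs01 sshd[2211]: Accepted password for alice from 10.1.2.3 port 51234 ssh2",
    "Jan 20 10:04:17 fs01 sshd[2290]: Failed password for invalid user svc_backup_admin from 10.8.8.8 port 40112 ssh2",
    "Jan 20 10:04:20 decoy01 sshd[2291]: Accepted password for da_legacy from 10.8.8.8 port 40113 ssh2",
    "Jan 20 10:05:00 fw01 flow: 10.8.8.8 -> 10.9.9.20:8443",
    "Jan 20 10:06:00 fw01 flow: 10.1.2.3 -> 10.9.9.21:443",
    "Jan 20 10:07:00 fw01 flow: 10.7.7.7 -> 10.9.9.21:3389",
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LOGS)
    for alert in result.alerts:
        print(f"[{alert.kind}] {alert.source} -> {alert.target}")
    print("IOCs:", sorted(result.sources))
    print("paths:", summarise(result))
```

The design point is that the registry, not any heuristic, decides what is suspicious: because no employee or scheduled job ever uses a decoy account or connects to the decoy listener, the detector needs no baseline and produces no false positives from normal activity, while the per-source path in `summarise` is the beginning of the TTP intelligence the article describes.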

Better Denial and Deception Means Better Protection
If you've ever played poker, you've likely engaged in the tactic of misinformation — that's what a bluff is. A good bluff can force someone into a wrong decision or action because misinformation provides a mistaken impression about what is really going on. If you can convince an opponent to fold their three-of-a-kind or go all-in on a pair of twos, you will likely profit from their bad decisions.

Attackers with the wrong information in the cyber realm make similarly bad decisions. Whether by misleading them into interacting with a fake web server or using a set of decoy credentials, feeding false information to cybercriminals can trick them into giving themselves away before they can do damage. By allowing infosec teams to leverage those mistakes to not only detect and derail attacks but also continue to gather adversary intelligence on the attacker, fake data can help turn the battlefield in the defender's favor.

Carolyn Crandall is the Chief Deception Officer and CMO at Attivo Networks, the leader in deception for cybersecurity threat detection. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure ...