7 Tips for Effective Deception
The right decoys can frustrate attackers and help detect threats more quickly.
June 25, 2020
The growing ability of attackers to breach even well-defended enterprise networks has led to increased interest in deception technologies and tactics in recent years.
Deception tools basically use misdirection, false responses, and other tricks to lure attackers away from legitimate targets and point them to honeypots and other decoy systems designed to trap or distract them from their missions. Deception tools — many of which leverage artificial intelligence (AI) and machine learning (ML) — can help organizations detect intrusions early and provide them with an opportunity to observe an attacker's tools and tactics.
In a recent report, Mordor Intelligence estimated demand for deception tools would hit around $2.5 billion in 2025, from just under $1.2 billion in 2019. Much of the demand will come from within the government sector and from global financial institutions and other targets of frequent cyberattacks, according to the analyst firm.
Deception is an interesting concept, says Tony Cole, CTO of Attivo Networks, "and has been around in various forms for millennia."
"Deception can work on almost any place in an enterprise where potential compromises can take place," he says, adding it is especially useful where endpoint protection and endpoint detection and response tools may have gaps in protection. "For instance, when an endpoint is compromised and the adversary uses it to query Active Directory, you can provide false information back to the adversary without ever impacting the production environment."
Rick Moy, chief marketing officer at Acalvio, points to three main use cases for deception: to add an additional layer of protection in mission-critical environments, to shore up detection capabilities in areas with known security weaknesses, and to lure out adversaries hiding in a sea of security information and event management (SIEM) alerts.
"Deploying attractive lures and decoys amid the various network segments works much like the proverbial cheese or peanut butter in a mousetrap that's strategically placed along the kitchen baseboards," Moy says.
Here, according to Moy and others, are seven best practices for using deception to detect threats quickly.
The best deception decoys are the ones that most closely mimic real production assets, says Roger Grimes, data-driven defense evangelist at KnowBe4. Attackers can spot a deception device if it is very different from other systems, so the key is to make it appear like another production system. "An attacker cannot tell the difference between a production asset used in production and a production asset that exists solely as a deception honeypot," Grimes says.
Your decoy could be a system you are planning to deprovision because it is old, or it could be a new server or device like others in the environment. Make sure to use the same names -- and put them in the same places -- with all the same services and defenses as your real production systems, Grimes advises.
The key is to blend in, Acalvio's Moy says. Avoid telltale signs such as generic MAC addresses, common operating system patch levels, and system names that don't fit with the prevailing conventions on that network.
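The three telltale signs Moy lists can be checked mechanically before a decoy goes live. The script below is an added example, not code from the article or from any vendor named in it; it assumes a constructed inventory of production hosts and a hypothetical site naming convention of the form site-roleNN, and flags a decoy whose hostname, MAC vendor prefix (OUI), or OS build has no counterpart among the real systems on that segment.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Host:
    name: str
    mac: str
    os_build: str

# Constructed sample inventory of production hosts on one network segment.
# Assumption: this site names systems <site>-<role><NN>, e.g. nyc-fs01.
PRODUCTION = [
    Host("nyc-fs01", "00:50:56:a1:22:01", "10.0.17763.1518"),
    Host("nyc-fs02", "00:50:56:a1:22:02", "10.0.17763.1518"),
    Host("nyc-app01", "00:50:56:b3:10:07", "10.0.17763.1518"),
    Host("nyc-db01", "3c:ec:ef:4a:11:90", "10.0.17763.1457"),
    Host("nyc-prn01", "00:50:56:c9:00:21", "10.0.17763.1518"),
]

# Hypothetical naming convention for this site (three-letter site, role, two digits).
NAME_PATTERN = re.compile(r"^[a-z]{3}-[a-z]+\d{2}$")

def oui(mac: str) -> str:
    """Return the 24-bit vendor prefix (first three octets) of a MAC address."""
    return mac.lower()[:8]

def blend_in_findings(decoy: Host, production: List[Host]) -> List[str]:
    """Return a list of reasons the decoy would stand out from production hosts.

    An empty list means the decoy passes all three checks: naming convention,
    MAC vendor prefix seen in production, and OS build matching a production
    patch level.
    """
    findings = []
    if not NAME_PATTERN.match(decoy.name):
        findings.append(f"name '{decoy.name}' does not follow the site naming convention")
    prod_ouis = Counter(oui(h.mac) for h in production)
    if oui(decoy.mac) not in prod_ouis:
        findings.append(f"MAC OUI {oui(decoy.mac)} never appears among production hosts")
    prod_builds = Counter(h.os_build for h in production)
    if decoy.os_build not in prod_builds:
        findings.append(f"OS build {decoy.os_build} matches no production patch level")
    return findings

if __name__ == "__main__":
    # A decoy that gives itself away on all three counts (constructed values).
    obvious = Host("honeypot-1", "08:00:27:ab:cd:ef", "10.0.14393.0")
    # A decoy that looks like the next file server in the rack.
    blended = Host("nyc-fs03", "00:50:56:a1:22:03", "10.0.17763.1518")
    for d in (obvious, blended):
        print(d.name, blend_in_findings(d, PRODUCTION) or "OK")
```

Feed the check the real inventory for the segment the decoy will sit on rather than a site-wide list; a MAC prefix or build that is common in the data center can still be a giveaway in a branch office.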
Threat actors hate deception because they know it can lead them down rabbit holes they don't recognize as rabbit holes. Advanced deception can throw attackers off their intrusion campaigns and distract them for hours, days, and sometimes even weeks, says Jeremy Brown, principal consultant at the Crypsis Group.
"One technique is to stand up either virtual or physical servers that appear to house important information in the environment," he says. For example, a decoy domain controller running a real operating system, such as Windows Server 2016, would be a very attractive target to the threat actor. That's because domain controllers house Active Directory, which, in turn, houses all the permissions and access-control lists for users in the environment.
Similarly, another way to attract attacker attention is to create real admin accounts that aren't actively used in the environment. Threat actors tend to look for accounts that give them elevated privileges, such as system admin, local admin, or domain admin. "If this sort of activity in the account is seen, that's a tip-off that someone is in the network that should not be," Brown says.
When deploying decoys on your network, don't forget to emulate nontraditional endpoints, says Tim Roddy, VP of products at Fidelis. Attackers are increasingly looking for and exploiting vulnerabilities in Internet of Things (IoT) devices and other Internet-connected non-PC devices. So make sure to have decoys on your network that look like security cameras, printers, copiers, motion detectors, smart locks, and other Internet-connected devices that might attract the attention of an attacker, Roddy says.
Your decoys need to blend into your network with the same type of devices that an attacker might expect to see. These days that includes IoT as well.
When deploying decoy systems and other lures, consider what your worst adversary would be going after on your network. "Use that thinking to develop a prioritized list of detection objectives that compensate for the gaps in your defenses," Acalvio's Moy says.
Consider the types of steps an attacker would likely need to make to reach their objective, too. Lay out a trail of breadcrumbs along the route that lead to specific decoys that are relevant to what the adversary might be after. For example, if the attacker's target is credentials, make sure to employ fake credentials and other Active-Directory-based deceptions as part of your strategy, Moy says.
Intruders who break into an employee PC often go to the registry and browser history to see where that user goes to find internal servers, printers, and other devices. "A breadcrumb is the address of the decoy that emulates one of those devices," Fidelis' Roddy says.
A good practice is to put the addresses of those decoys on end-user devices. If a device gets compromised, an attacker will likely follow the breadcrumb to the decoy, thereby alerting the administrator that an intrusion has occurred, Roddy says.
Don't get tempted into using just honeypots and other deception tactics to try to track or determine hacker behavior. Usually, that's just a lot of work for very little payoff, says KnowBe4's Grimes. It's much better instead to use deception as an early warning system for detecting intrusions and to leave the tracking and monitoring to your forensic tools.
"You want to set up constant monitoring and spend time ruling out normal production connections that every asset on the network gets," such as those related to patches and antivirus updates, Grimes says. Hackers don't know what is fake or real in the environment. They will connect to a fake deception asset that looks like a production asset just as readily as any other real production asset.
"When a honeypot gets an unexpected connection, by definition that is potentially malicious," Grimes says. "Don't let a honeypot alert end up in the SIEM and not get immediately investigated."
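Brown's unused admin accounts and Grimes' advice to rule out routine production connections before escalating a honeypot alert come down to the same triage rule: any touch of a decoy is suspect unless it comes from a source you have explicitly expected. The script below is an added example, not code from the article or from any vendor named in it. It assumes a constructed key=value log format, constructed decoy addresses, a hypothetical honey account named svc_backup_admin, and a hypothetical allowlist of patch and antivirus servers that legitimately connect to every host.

```python
from typing import Dict, List

# Constructed deception inventory (assumption: these addresses and the honey
# account exist only as lures and have no legitimate users).
DECOYS = {"10.1.50.7": "decoy domain controller", "10.1.50.9": "decoy printer"}
HONEY_ACCOUNTS = {"svc_backup_admin"}
# Hypothetical servers that routinely connect to every asset on the segment;
# their touches are the "normal production connections" to rule out first.
EXPECTED_SOURCES = {"10.1.5.10": "patch management server",
                    "10.1.5.11": "antivirus update server"}

# Constructed sample log lines: <timestamp> key=value ...
SAMPLE_LOG = """
2020-06-24T02:11:05Z type=netconn src=10.1.20.15 dst=10.1.50.7 dport=445
2020-06-24T02:11:07Z type=netconn src=10.1.5.10 dst=10.1.50.7 dport=445
2020-06-24T03:00:00Z type=logon user=svc_backup_admin src=10.1.20.15 result=failure
2020-06-24T03:00:01Z type=logon user=jdoe src=10.1.20.15 result=success
2020-06-24T03:30:00Z type=netconn src=10.1.5.11 dst=10.1.50.9 dport=80
""".strip().splitlines()

def parse(line: str) -> Dict[str, str]:
    """Split one log line into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per suspicious decoy touch, in log order.

    Network connections to a decoy from an expected source are suppressed.
    Any use of a honey account, successful or not, is escalated to critical,
    because the account has no legitimate activity at all.
    """
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev.get("type") == "netconn" and ev.get("dst") in DECOYS:
            if ev.get("src") in EXPECTED_SOURCES:
                continue  # routine touch from patch/AV infrastructure
            alerts.append({
                "ts": ev["ts"], "severity": "high", "src": ev["src"],
                "reason": f"unexpected connection to {DECOYS[ev['dst']]} "
                          f"({ev['dst']}:{ev.get('dport', '?')})",
            })
        elif ev.get("type") == "logon" and ev.get("user") in HONEY_ACCOUNTS:
            alerts.append({
                "ts": ev["ts"], "severity": "critical", "src": ev.get("src", "?"),
                "reason": f"honey account {ev['user']} used "
                          f"(result={ev.get('result', '?')})",
            })
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(f"{alert['ts']} [{alert['severity']}] {alert['src']}: {alert['reason']}")
```

The allowlist is the part that needs ongoing care: every source added to it is a blind spot, so keep it to the handful of management servers that genuinely touch every host, and route the remaining alerts to a queue that is worked immediately rather than into the general SIEM backlog.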
"Staleness is the enemy of any strategy," Acalvio's Moy says. To be really good at deception, keep refreshing it to keep up with changes in user activity, application footprints, and even exposures on your network. "For example, new vulnerabilities may not be patchable but can be protected quickly using deception," he says.
Use deception to strengthen detection capabilities in areas that have known security weaknesses. These may include remote workers' laptops that are difficult to secure or patch, VPN gateway networks, partner or contractor networks, and credentials.