No one wants to believe that fake data can influence them, but evidence of its impact is all around us. Studies have shown that fake news can influence how we vote, what we buy, who we support, and what we do. This can transpire through dedicated misinformation campaigns, deceptively edited videos, and the use of technologies like social media bots and deepfakes, which make it difficult to decipher what is real from what is fake.
However, while the impact that fake information can have is often concerning, it can also be a tool used for good. Today's cybersecurity professionals are using false data to deceive cybercriminals, enabling them to protect networks in new and innovative ways.
Attackers Want Data, So Why Not Give It to Them?
Attackers don't inherently know the details of a network or have the privileges they need to steal or encrypt information. Conventional wisdom says to do everything possible to deny an attacker access to any data, but cyberattackers are persistent and will keep coming back until they gain the data they seek. Today's cybersecurity professionals are increasingly employing a new strategy, which includes the hiding of real information and the sending of false information designed to get attackers to reveal their attack secrets, disclose their presence, and control their paths away from critical assets and into the trap of a decoy.
By allowing attackers and their automated tools to believe they are getting what they are after, defenders can lead attackers into a deception server that appears to contain the database, web server, application, or other assets that the adversary was looking for. Because they have been fooled into believing that they have found the info they need, they will continue forward in their "attack," revealing valuable intelligence to the security team on their attack tactics and intent.
It is fun to muse on how this sort of trickery is turning the attacker's beloved tactics of deception against them. Attackers use false information all the time, like spoofing an email address or including a malicious link in a phishing email. Instead of tricking users into giving up their credentials, defenders can now trick attackers into believing they have acquired the real credentials, admin accounts, and other secrets that they need to advance their attacks. In cybersecurity, this turnabout is undoubtedly fair play.
Spies and double agents have kept their enemies off-guard for hundreds of years. At its core, deception shapes the actions of people in the direction you want them to go, whether that comes in the form of convincing the enemy to send their army to another region, as happened in WWII, or in current times, where information is manipulated to influence voters toward a particular candidate. In cybersecurity, as in war, the goal is to give attackers information that leads them to do what defenders want them to do instead of what they are attempting to do.
How Fake News (and Fake Data) Work
There are specific actions that defenders can take to improve their odds of successfully derailing an attack, and the first step is concealment. Hide the data, files, folders, Active Directory (AD), and other assets that attackers are after, making sure that real data is easily viewable and accessible to employees, but not easily visible to an attacker. This is pretty straightforward, in that an employee will use a file manager, while an attacker will use command line or tools like Netcat. This, along with the ability to deny access, can be quite powerful: A cybercriminal cannot encrypt, erase, or steal what they cannot find.
The next step is to strategically place fake data that appears to be real within the network so that as attackers take different actions attempting to access that data, the simulated data can lead them into an environment where defenders can gather information on tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and other valuable intelligence. By using fake data to trick attackers into tipping their hands, defenders can gather real data that will enable them to craft even more effective deceptions. Because they know more about the people attacking them, defenders can better fortify their defenses in the future.
There are specific steps that defenders can take to protect certain high-value targets as well.
- Attackers often prioritize AD in the hopes of acquiring admin-level credentials that can accelerate and escalate their movement through the system. Placing a phony AD server and planting fake credentials at the endpoint that answer the attackers' queries with false information and credentials can make the attackers believe they got what they were after — but the second they try to use those credentials, defenders are alerted to their presence.
- Likewise, if attackers are looking for applications with known vulnerabilities to exploit, feeding them a fake application or web server when they scan the ports in question can derail those efforts. This will again make them think they can exploit those vulnerabilities when, in reality, they have played right into the defender's hands.
Better Denial and Deception Means Better Protection
If you've ever played poker, you've likely engaged in the tactic of misinformation — that's what a bluff is. A good bluff can force someone into a wrong decision or action because misinformation provides a mistaken impression about what is really going on. If you can convince an opponent to fold their three-of-a-kind or go all-in on a pair of twos, you will likely profit from their bad decisions.
Attackers with the wrong information in the cyber realm make similarly bad decisions. Whether by misleading them into interacting with a fake web server or using a set of decoy credentials, feeding false information to cybercriminals can trick them into giving themselves away before they can do damage. By allowing infosec teams to leverage those mistakes to not only detect and derail attacks but also continue to gather adversary intelligence on the attacker, fake data can help turn the battlefield in the defender's favor.