“Although to use deception in any action is detestable, nevertheless in waging war it is praiseworthy and brings fame: he who conquers the enemy by deception is praised as much as he who conquers them by force.” — Machiavelli, Discourses on Livy
One of my earliest childhood memories is being called to the front at a magic show. The tuxedoed compère was playing with cups and counters and I had to guess under which cup the counter would end up. Everyone knew how this game would play out, except me. I watched him whirl the cups around at speed, easily keeping pace with where I believed the counter to be. When he finally stopped and asked me to identify the cup that covered the counter, I pointed with absolute certainty at the one on the left. My disappointment was palpable as he revealed that the counter was under another cup. I recall to this day a feeling of being hoodwinked. Deceived.
Fast forward more years than I care to name, and while I may not have forgiven the magician in question, I have come to view Deception differently, especially in the context of cyber security. As a perfectly legitimate extension to tried and tested cyber controls, Deception as a discipline offers incredible value to security teams. Allow me to explain.
It is incumbent on all of us in this field to acknowledge one thing: attackers occasionally get through. Decades of security research and investment have brought many benefits to modern organizations, including the ability to do business within an environment where criminals are using automation and field intelligence to maximum effect. With 111 billion lines of software code generated last year, the attack surfaces are proliferating, and it is a testament to the strength of the vendor and customer ecosystem that the vast majority of threats are stopped before they become breaches. However, it is a uniquely twenty-first century pragmatism in cyber security to acknowledge that attackers can and do find ways through in support of their campaigns. It is at this point that Deception becomes critical.
Once a hacker has penetrated a network the game is mostly over. The attacker knows that they have achieved something of huge potential value and will be seeking ways to move laterally to higher value targets within the environment. This means the attacker will perform stealthy reconnaissance from the compromised endpoint. Now, imagine a mesh of highly convincing yet highly fake clues left on client machines and designed to encourage interaction from threat actors that have successfully penetrated an organization’s defenses.
By gathering information about IP address conventions, naming conventions and other devices of interest on the local segment, the attacker thinks he can start to identify potential systems to jump to. He may look at network shares, cached RDP sessions, browser caches, credentials stored in memory for more clues on identities that could support his campaign or other machines that could allow him to pivot further into the estate and closer to the high value targets.
Traditionally, all these activities would go unnoticed by security solutions and the attacker would fly under the radar with relative impunity, using misdirection tactics like DDoS attacks to distract security teams from the few alerts that he was generating. This way, the road to high value assets would be unhindered, as witnessed by the fact that breaches still take hundreds of days to be discovered, often after the attack has completed. With Deception in place, however, the attacker generates high-fidelity alerts while interacting with these pieces of bait, betraying his position and his intent on the network.
Deception has been a legitimate tactic in warfare for thousands of years. The Art of War, quoted so heavily in our industry, puts great emphasis on it. William the Conqueror used ‘feigned retreats’ as a tactic during the Battle of Hastings, and a forged order to retreat ensured the capture of a key strategic enclave during the Crusades. Cyber criminals have been successfully deceiving end users for decades. WannaCry is one of the most recent examples of this.
Deception as a counter-tactic in cyber security offers something unique. High confidence alerts. By laying down a mesh of fake reconnaissance assets, you create something that no legitimate user or system should ever interact with. Concealing Deceptive artefacts from real users minimizes false positives and increases confidence that attempts to interact with these pieces of bait are foul play. By giving incoming alerts from the Deception solution high credibility, SOC teams can action these alerts as a matter of priority, with the understanding that they represent real nefarious activity in the environment.
With this focus on high-fidelity alerts received from the Deception infrastructure, security operatives gain an early detection mechanism for an insider threat or a real attacker established on the network. By actioning these alerts, they can quickly identify compromised endpoints and invoke incident response processes to contain and quarantine the endpoint and understand how the breach occurred in the first place.
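The alerting logic the two paragraphs above describe, as an added example that is not part of the original post or of any Symantec product: a decoy inventory (fake accounts and hosts that no legitimate user should touch) is checked against authentication log lines, and any touch becomes a high-confidence alert naming the source endpoint to isolate. The decoy names, the log format and the log lines are all constructed for the example.

```python
# Added example (not from the original post): honeytoken alerting over auth logs.
# The post's point is that decoy accounts/hosts have no legitimate users, so any
# touch is a high-confidence alert. Decoys, log format and log lines are constructed.
import re
from dataclasses import dataclass

DECOY_ACCOUNTS = {"svc_backup_admin", "fileshare_ro"}   # constructed bait identities
DECOY_HOSTS = {"fs-finance-02", "10.0.9.250"}           # constructed bait hosts

# Constructed log format: "<ts> auth user=<u> src=<ip> dst=<host> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    src: str        # the endpoint to isolate; it is where the attacker sits
    reason: str
    confidence: str = "high"

def scan_auth_logs(lines):
    """Return one Alert per log line that touches a decoy account or decoy host."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: cannot judge, skip rather than guess
        reasons = []
        if m["user"] in DECOY_ACCOUNTS:
            reasons.append(f"decoy account {m['user']} used")
        if m["dst"] in DECOY_HOSTS:
            reasons.append(f"decoy host {m['dst']} contacted")
        if reasons:
            # Success or failure does not matter: the attempt itself is the signal.
            alerts.append(Alert(m["ts"], m["src"], "; ".join(reasons)))
    return alerts

# Constructed sample: ordinary traffic plus two decoy touches from one endpoint.
SAMPLE_LOGS = [
    "2024-03-01T09:12:01Z auth user=jsmith src=10.0.4.17 dst=mail-01 result=ok",
    "2024-03-01T09:12:44Z auth user=svc_backup_admin src=10.0.4.23 dst=fs-finance-02 result=fail",
    "2024-03-01T09:13:10Z auth user=amiller src=10.0.4.23 dst=10.0.9.250 result=ok",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for a in scan_auth_logs(SAMPLE_LOGS):
        print(f"[{a.confidence.upper()}] {a.ts} isolate {a.src}: {a.reason}")
```

Both alerts point at the same source endpoint, which is the quarantine target the incident response process described above would act on.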
Symantec’s industry-leading endpoint protection solution, SEP14, has integrated Deception capabilities. This means that attackers seeking to compromise an infrastructure and move laterally in pursuit of higher value targets can be encouraged to interact with fake reconnaissance information and reveal their position on the network.
When all else has failed, Deception can deliver.