Deception has been part and parcel of warfare, politics and business for eons, so perhaps it's not surprising that deception has become a big part of the 21st century cybersecurity battle.
"Successful war follows the path of deception," Sun Tsu wrote in "The Art of War," and cybercriminals have certainly taken that advice to heart. From Nigerian bank transfer cons to elaborate phishing scams, and from CEO fraud to spearphishing campaigns, the bad guys have been quick to follow Sun Tsu's philosophy of deception.
Now a new generation of security startups is using deception techniques as a way to confuse and befuddle attackers – and they're quoting Sun Tsu to tout their deception technology.
"According to Sun Tzu, if an enemy has an incorrect view of the battlefield, they can be manipulated into manageable situations," said Rick Moy, CMO of Acalvio. "This also applies in cybersecurity. If an attacker is spending time and energy breaking into a faux server, the defender is not only protecting valuable assets, but also learning about [the attacker's] objectives, tools, tactics and procedures."
That one example lays out the basic premise behind deception tools and technologies. It follows Sun Tzu's advice: "When your enemy seeks an advantage, lure him further."
"The idea is to mask real high-value assets in a sea of fake attack surfaces," said Ori Bach, VP of products and marketing at TrapX Security. "By doing so, attackers are disoriented."
The message may be catching on. Deception technology fared best among emerging technologies in eSecurity Planet's 2019 State of IT Security survey.
What is deception technology?
Gartner analyst Lawrence Pingree laid out the technology in detail in a report titled, "Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities."
Attackers, Pingree said, must "trust" the environment that they insert their malware into, or the web applications and services they attack over the internet. They sneak around the fringes of the enterprise, seeking a way inside. They might trick a user into clicking on a malicious link, opening an infected attachment, or providing credentials and passwords. Once inside, they feel free to roam as they please to steal confidential information or pull off a financial heist.
"Deception exploits their trust and tempts the attacker toward alarms," said Pingree. "Deception also can be used to move an attacker away from sensitive assets and focus their efforts on fake assets – burning their time and the attacker's investment."
How deception technology works
As a case in point, imagine the ancient city of Troy behind its walls. The Greeks pretend to retreat and leave a large horse by the gates. The Trojans take it inside. Inside the horse, the Greeks hear the Trojans partying and eventually falling into a drunken stupor. They cautiously exit the horse, intent on killing the guards and opening the gates to let their army inside. Instead, they find themselves inside a well-guarded compound. They are taken captive. The Trojans then open the gates briefly to temp the Greek army to advance. When they do so, the gates are locked and arrows rain down on the exposed enemy. Result: a completely different version of Homer's "The Iliad." Such a victory over a covert attacker is one of the goals of deception tools.
"Distributed deception platforms (DDP) are solutions that create faked systems (often real operating systems, but used as sacrificial machines), lures (such as fake drive maps and browser histories) and honeytokens (fake credentials) on real end-user systems to entice and mislead the attacker to faked assets in order to enhance detection and to delay their actions as they attack those decoy assets," wrote Pingree.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
Core functions of such systems, he added, include: Centralized management of real-user endpoint lures and decoy endpoint hosts (servers and workstation hosts); the ability to manage deceptive services, web applications and other network integration capabilities of decoys; the ability to administer endpoint lures and honeytokens to entice the attacker; and the ability to administer and distribute deceptive data (Word documents, database tables/entries and files) in decoy host deceptions.
Bach noted that positive results depend on being able to deploy credible deceptive elements on endpoints, network or application layers in sufficient scale to catch all potential intrusions. As such, various tactics are in play. TrapX Security breaks down the different deceptive elements into categories based on where they are deployed. Lures are placed on endpoints to attract the attention of would-be attackers. What the company calls "medium interaction decoys" are those located on the network layer. "High interaction decoys" are those operating within applications or within stored data to misdirect cybercriminals.
Moy made a similar point. He stressed that deception solutions must go beyond just the deployment of a honeypot. They must be authentic, automated, scalable, and intelligent. Why? Deceptions that are easily identified are no help at all, so authenticity is key. Further, IT security personnel are often too busy to manage deceptions individually, so the system should automatically deploy and manage the right deceptions. This is where intelligence and machine learning come in.
For example, Acalvio ShadowPlex is a DPP that provides early detection of malicious activity. It can be deployed on-premises, or in private clouds and public clouds. It includes integration with SIEM systems.
Deception in depth
Just as the long-term security mantra has been defense in depth, security experts recommend deception in depth: The deployment of these techniques along the entire attack chain. When attackers are conducting reconnaissance of network and enterprise weak points, feed them false information on topography and assets. If they are already inside and figuring out what tools to use, delay their deployment with false information. Trick them into sandboxes and keep them occupied there for long periods.
Users can choose from standalone DDP tools or those that are integrated into enterprise security solutions for detection response. For example, some are combined with orchestration, network access control or intelligence sharing tools.
"Ideally, organizations can use DDP solutions to create 'intimate threat intelligence' and use that to enrich their other tools to enhance prevention at the network and other security defensive layers," said Pingree.
Deception technology vendors and tools
Deception can be implemented to some degree using existing tools, said Pingree. Firewalls are one example. It is possible to configure their blacklists, intrusion prevention and URL filtering capabilities to relay connections from known malicious hosts to network emulation services or deception decoy services. Similarly, some intrusion prevention appliances can implement deceptive measures at the network protocol layer. TCP tarpits, too, can be established to respond to TCP handshake requests but not open the connection. And a few EDR tools allow the security team to implement deception at the malware host layer.
While workable for certain attack vectors, these methods have their limitations. Pingree suggested they should be augmented with DPP tools, which are steadily gaining in maturity and functionality. There are several vendors operating in this space. The list includes:
- Illusive Networks
- Attivo Networks
- TopSpin Security
The TrapX DeceptionGrid platform, for example, protects against malicious insiders and sophisticated cybercriminals. Its multi-tier architecture is said to present the deception attack surfaces that best match attacker activity.
"Since you never know where you might be attacked, the ideal deception strategy should cover as many layers of the network and as many types of assets as possible," said Bach. "For a deception tool to be effective in an enterprise environment, it must be integrated with the infrastructure (e.g. Active Directory, the networking infrastructure) and the security ecosystem."
He's talking about such elements as Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), Threat Intelligence Platforms (TIP) and Network Access Control (NAC). Take the case of threat intelligence. Data from various threat intelligence feeds could be consolidated within a TIP and used to create deception tactics with far more precision – and therefore, more likelihood of success.
"This threat intelligence data could lead us toward intelligence-led deceptions, where a threat actor that is known to originate from a certain location, or uses a certain pattern of engagement, can be led astray," said Pingree. "This tactic can enable threat management teams to assert more active control of an attacker, its activities throughout the enterprise environment, and allow organizations to track and share even greater intelligence on threat actors."
Among the vendors listed above, there is great variability in approach and scope. Gartner outlined four areas of potential deception coverage: the network, the endpoint, the application and the data. According to the analyst firm, no one vendor comprehensively covers all four sectors, though some do a good job on two or three zones. During the product evaluation phase, emphasis should be placed on DPP tool coverage, as well as integration with existing security platforms.
The future of deception technology
DPP technology, though, has a way to go to enter the mainstream, and for now the market is relatively small. Gartner expects no more than 10% of enterprises will be using it actively by next year. Among the most likely candidates are financial services, healthcare, government and software verticals – a who's who of those who tend to suffer the most attacks.
"Imagine for a moment, that once malware is detected in an end user's environment, the user's systems had the ability to begin to lie to the attacker at the other end of the command-and-control console, or to the malware itself on the infected endpoint, or both; these capabilities are now becoming a reality," said Pingree. "Distributed decoy solutions offer enhanced detection and stronger fidelity than other traditional security solutions because when an attacker touches a decoy, it is immediately recognized as an unwanted interaction, and likely an attacker or insider threat."