Machiavelli famously advised “Never attempt to win by force what can be won by deception,” and this is often the mantra of the cybercriminal. The art of deception is by far the most effective weapon in the cyberattacker’s arsenal, posing a greater threat than any single piece of advanced malware or secret software vulnerability, writes Carolyn Crandall, Chief Deception Officer at cybersecurity threat detection product company Attivo Networks.
Whether phishing their victim for credentials or tricking them into downloading malware, criminals depend on their ability to deceive their victims into interacting with them. Cyber deception is exceedingly one-sided, with attackers able to research and plan at their leisure while defenders can only prepare and anticipate an eventual attack. However, with the right technology, an organisation can turn the tables and use a cybercriminal’s own deceptive techniques against them.
Deceiving the deceivers
While offensive cyber deception is usually based around the attacker impersonating a trusted individual, defensive deception involves establishing a convincing false environment. When done correctly, the attacker will waste their time and resources going after a ‘useless’ decoy. In the best-case scenario, the attacker may give up entirely, but even the most tenacious adversaries will still end up operating significantly slower than normal, as well as giving ample warning to the security team about their activities.
While deceptive environments can make an effective additional layer to a defence-in-depth strategy, the true value is in their ability to reveal powerful insights about the threat actor. Every action the attacker takes while navigating the fake environment will expose valuable information about their intentions and attack methods.
By gathering intel on the attacker’s Techniques, Tactics and Procedures (TTPs), the security team will gain a powerful advantage over not only the individual adversary, but any others sharing the same characteristics. The company can than ensure it is able to invest in cyber defences that are able to counter these threats.
Creating an effective decoy can be easier said than done however, and there are a number of challenges that must be met for the tactic to succeed.
Passing the duck test
To work properly, a decoy system needs to at the very least pass the “duck test”. As the popular saying has it, “if it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck”. A decoy needs to appear and behave like part of a real network if it is to have any chance of succeeding.
One popular method of achieving this has been to emulate the organisation’s network on one or more virtual machines (VMs). Emulated systems can be particularly effective at diverting malware and automated scanning tools often used by attackers to scope out targets. However, they have limited ability when it comes to a genuine human attacker. Because they are not truly active systems and cannot properly be engaged with, an attacker will quickly see through the emulated environment. This means the attacker will cut their activity short and will not give away much in the way of insight into their TTP. Emulated environments can also be fairly restrictive in terms of configuration and will be likely to stand out from real servers, limiting their effectiveness.
The key to authenticity
There are five key criteria that are essential for a decoy to effectively pass for the real thing:
Interface – The decoy must be able to project the interface that accessing entities would expect, whether they are automated bots or real human adversaries. Network attributes, operating systems, application software and services should all be a perfect match for the real thing.
Performance – The fake must also be able to operate as effectively as the genuine article. If response times are too slow or key services like Active Directory are non-functional, the attacker may get wind that they are interacting with a badly designed decoy.
Content – The accessible information within the decoy must match the expectations of the adversary. In addition to breadcrumb information, configuration and admin data, and data files should also be visible to anything accessing the network.
Access – It may be tempting to create an easily accessible false network with the aim of luring in more would-be attackers. However, access security being too lax can point an attacker towards the decoy’s true nature. Access parameters such as identification, authentication and authorisation should match the real network.
Behaviour – Finally, the behaviour displayed by the decoy during any interaction must meet the expected norms for a genuine network. It should be capable of a high level of interaction and continue the engagement as the attacker inputs new commands and instructions.
If a decoy is able to look, swim, and quack like a duck, prospective hunters on the prowl will very likely take it to be a duck. By creating deceptive servers that both look and behave with a high degree of authenticity, organisations can reverse the status quo on cyber-attackers and trick them into revealing their secrets as they become lost in this flock of deception.
