Deception technology has garnered a lot of attention in the past couple years as an important cyber innovation, but exactly what is it, and is it practical? As we’ll see, deception is not only practical – it is a strategic cornerstone to deal with the “advanced” or “persistent” types of cyberattacks in which attackers use sophisticated techniques to get past traditional security controls and monitoring.
Deception – a long tradition
Back in 216 B.C. in the Battle of Cannae, Hannibal’s 50,000 troops were outnumbered by an 80,000-soldier Roman army. To gain the upper hand, Hannibal deployed his troops in a long thin line that bowed out at the center, but looked perfectly straight to the Romans. When they hit the center of the line, Hannibal’s forces on the outside edge stayed put. As the Romans pushed the line out, the ends of Hannibal’s lines wrapped around Rome’s. Boxed in on three sides, the Roman army was crushed by cavalry attacking from the rear.
This one example of how warriors have long used creative forms of trickery and deception in physical combat –particularly to shift the advantage in an asymmetrical situation. Devising effective deceptions is a creative process that starts with a clear understanding of how one’s opponents operate.
Cyber deception applies this concept to the digital realm. There are obvious parallels. Today’s cybersecurity teams find themselves in an asymmetrical faceoff with attackers. They know that attempts to “wall off” attackers (through perimeter defense and other types of controls) are only partially effective, and that new approaches are needed to defend critical assets when attackers do break in.
Many people associate “deception” with “honeypots”, but deception has evolved significantly over the past two decades.
A look at how cyber opponents operate
To explain where deception technology stands today, let’s first look at the nature of a targeted attack. Think of a bank, for example, being targeted for some form of account manipulation. It starts with a phishing campaign, which results in an employee downloading a malicious PDF. The attacker is now inside the network, situated on that employee’s endpoint. The intruder now has a endgame in mind, but is not sure where the target is or how to get to it.
The attacker’s situation is like trying to find your way in a dark house you've never been in before—with only a small flashlight. With limited range of vision, the attacker looks around to see what can be exploited, gathering information and plotting a course one step at a time, methodically moving from one system to another to inch toward the destination. This is very complex and can take several months—and it’s a process that naturally involves significant trial and error.
Today’s deception techniques
The various deception technologies work somewhat differently. In the case of Illusive Networks, we magnify and exploit the challenges the attacker faces in trying to move closer to their target once they’ve landed on an endpoint.
To move forward, the attacker needs to know how machines are connected, and needs valid user credentials that will permit access to additional machines. We infuse the environment with fake information, which then resides alongside authentic information in the environment to alter the attacker’s view of reality. For instance, if an attacker lands on an endpoint that provides access to see three actual corporate file shares, the attacker might see 10. The attacker has to choose which ones to try to open. It’s a game of odds. Soon the attacker will act upon a deception, and an alert is triggered. Forensic data is gathered from the compromised system so that incident responders can make quick decisions.
With a deception strategy focused on detecting these lateral movements, attackers are caught early in the process—well before they can reach their end goal.
Who uses this technology?
Security leaders in organizations large and small should be giving these products serious consideration. Reaping the benefits no longer requires an exceptionally mature cybersecurity infrastructure or highly skilled developers and analysts.
Although deploying and maintaining effective deceptions on thousands or tens of thousands of endpoints is not a trivial matter, Illusive’s intelligence-driven deception automation carries the burden—not the customer’s security team. Being agentless, it’s non-intrusive, easy to deploy, and doesn’t add to the headache of managing large endpoint environments.
Value across the incident-handling cycle
So quite easily, deception can immediately empower teams of all skill levels to:
Improve detection of attacker presence
Identify their location in relation to critical systems
Accelerate forensic data collection and analysis
Remove risk factors in the environment that, if not corrected, can accelerate the ability of an attacker to move freely in the network
This can fill a serious advanced attacker detection gap for very large financial institutions or other organizations with advanced SOC capabilities. But for less mature organizations, deception can quickly bolster protection while other foundational components are being strengthened.
Keeping the business ahead of advanced attackers
Today’s CISOs are challenged to support exceptionally dynamic business environments. The break-neck pace of M&A, digital transformation and smart device adoption in many industries, and growing dependence on third-party data-sharing are just some of the business trends that increase security gaps faster than yesterday’s cyber strategies can keep up with. Deception provides nimble, proactive defense against advanced attackers and advanced persistent threats (APTs) that are continuously “at the ready” to get in through the cracks.