Deception - Misunderstood Realities
Deception has been all the hype in security circles recently. Of everything the vendor community's marketing engine generates, this has to be near the top of the list, competing only with 'AI'. Most vendors will tell you that deception will absolutely detect malicious activity and threat actors in your network. Some even tout it as an advanced cyber threat protection tool. There is an element of truth in that at some level, but with the smoke and mirrors set aside, does deception really help? If so, how?
My good friend Richard Moore and I were engaging cyber executives of a large multinational pharmaceutical company when this question came up. "We are thinking of deploying a deception tool", said the executive in charge. Rich perked up and asked, "That's wonderful. What is your deception strategy?" The question evoked the usual responses we hear all the time: oh, we will acquire tool "X", deploy it in our internal network, create some honeypots, and so on. Why do I bring this up? Most organizations and their technology leaders, cyber leadership included, are unaware that deception is a strategy, not a tool. In a commercial, marketing-driven "Buy X, Solve Y" world, it is easy to understand why this is the case.
Deception is a strategy. Not a tool.
Deception as a tactic is not new. History offers countless instances of deception being used in war and politics. I will not narrate them here, but the key takeaway is worth highlighting: it has always been a strategy, or rather part of a mature warfare strategy, used to secure an upper hand over the opponent; in the cyber case, the potential attacker. So it goes without saying that deception will not stop attackers, will not prevent them and will not eradicate them, whatever the vendor claims. What it is is a good tripwire: passive until someone trips on it. On the same note, I have seen organizations deploy expensive deception tools and then lack the capability to follow through on, understand or analyze the alerts the tool triggers. Moreover, an improperly configured deception tool generates noise, and noise that nobody triages soon outlives its utility.
Deception is a strategy, not just another tool. So what would that strategy be? Deception as a strategy is deployed to lure an attacker and slow down their attack path while the defense team maps out the attacker's toolset(s), intentions, C2 infrastructure, and data exfiltration methods and destinations where applicable. By definition, then, an organization needs a good understanding of what within it would be of value to an attacker, what assets are in play, and how its public footprint looks (OSINT and passive recon help here).
Deception strategy should involve using an attacker's knowledge of the organization against them
In most organizations, the CEO, CFO, marketing and sales folks are the ones whose profiles stand out and are highly visible. Job portals carry job descriptions that reveal the technology stack in use, another rich source of information for an attacker. An attacker maps out these data points during reconnaissance before attempting to gain access to an organization's network. When the attacker lands on the network, usually through phishing or some other method, they set out looking for anything that resembles what they are already aware of. Attackers always look for the path of least resistance, scanning for opportunities to steal data, elevate privileges, obtain admin or domain admin tokens, compromise databases and so on. So a deception strategy should use the attacker's knowledge of the organization against them.
A carefully laid out deception strategy lures the attacker into using dummy tokens and stealing dummy data and databases on an unused, fake network segment that looks legitimate but contains nothing of real value. The strategy should involve building infrastructure such as servers with legitimate-looking user accounts, legitimate-looking user activity, browser history, command history, recently used documents, mapped drives with enticing documents, stale connections to production-like databases, services that appear open to process injection or credential theft, file shares, stored SSH connections, stored SFTP connections and so on; you get the idea. Every one of these artifacts should carry a unique marker (a decoy account name, hostname or credential that has no legitimate use anywhere), so that its appearance in any log is a signal in itself.
This strategy lures attackers early in the attack chain and keeps them busy stealing useless information and compromising systems that have zero value to the organization but seeming importance to the attacker, revealing their tools, tactics, techniques, exfiltration methods, storage locations and C2 infrastructure to an attentive cyber analyst. Good and extensive micro-level planning is needed to ensure the attacker doesn't get tipped off: a decoy with no login history, a document last modified on the day the host was built, or a share nobody ever reads is a tell.
Once the analysts have learned everything they can about the attacker, it is time to cut the cord and move into incident response. Two caveats: the decoy segment must be isolated so that a compromised decoy cannot become a pivot into production, and the cord gets cut the moment the attacker shows signs of moving off the decoys, whether or not the analysis is complete.
Defense-in-depth is not dead. It is very much alive and more relevant than ever. A deception strategy is one of the layers of defense-in-depth and should be viewed as such.
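The two pieces described above, seeding a decoy host with believable lures and then treating any use of those lures as a tripwire, are small enough to show in working code. The following Python is an added example written for this page, not a vendor product or the author's own tooling; the hostnames, account prefixes, file contents and log lines are all hypothetical and constructed here. It plants a command history, a stored SSH connection and an enticing document under a throwaway home directory, records the canary values in a registry, and then runs a zero-threshold detector over sample sshd, mysqld and DNS log lines to pull out the source address an analyst would want to start pivoting on.

```python
import re
import secrets
import tempfile
from pathlib import Path


def make_canary(prefix: str) -> tuple[str, str]:
    """A credential pair that exists nowhere legitimate, so any use of it is a signal."""
    return f"{prefix}_{secrets.token_hex(3)}", secrets.token_urlsafe(12)


def seed_decoys(home: Path) -> dict:
    """Plant lure artifacts under a decoy user's home directory; return the canary registry.

    The registry (which canary belongs to which decoy) stays with the SOC, never on the
    decoy host, or the attacker reads the map of the trap along with the bait.
    """
    db_user, db_pass = make_canary("rpt")
    ssh_user, _ = make_canary("ops")
    db_host = "db-fin-02.corp.example"      # hypothetical decoy hostname
    ssh_host = "bastion-old.corp.example"   # hypothetical decoy hostname

    (home / ".ssh").mkdir(parents=True, exist_ok=True)
    (home / "Documents").mkdir(parents=True, exist_ok=True)

    # Command history: an admin who pasted a password on the command line, then "cleaned up".
    (home / ".bash_history").write_text(
        "cd /srv/reports\n"
        f"mysql -h {db_host} -u {db_user} -p{db_pass} finance -e 'select count(*) from payroll'\n"
        f"scp q3-payroll.csv {ssh_user}@{ssh_host}:/backup/\n"
        "history -c\n"
    )
    # Stored SSH connection: a stale-looking host entry pointing at a named key.
    (home / ".ssh" / "config").write_text(
        f"Host {ssh_host}\n    User {ssh_user}\n    IdentityFile ~/.ssh/id_backup\n"
    )
    # Enticing document with the credential written out in full.
    (home / "Documents" / "finance-db-access.txt").write_text(
        f"Finance reporting DB (temporary access)\nhost={db_host}\nuser={db_user}\n"
        f"password={db_pass}\n"
    )
    return {
        "canary_users": [db_user, ssh_user],
        "canary_passwords": [db_pass],
        "decoy_hosts": [db_host, ssh_host],
    }


# Source address as it appears in sshd, mysqld and BIND query-log lines (constructed formats).
SRC_IP = re.compile(r"(?:from |src=|@'|client )(\d{1,3}(?:\.\d{1,3}){3})")


def detect(log_lines, registry: dict) -> list[dict]:
    """Tripwire logic: a canary or decoy hostname in any log line is an alert on its own.

    No thresholds or baselines are needed because nothing legitimate ever uses these values.
    """
    indicators = [(u, "canary_user") for u in registry["canary_users"]]
    indicators += [(h, "decoy_host") for h in registry["decoy_hosts"]]
    alerts = []
    for line in log_lines:
        for value, kind in indicators:
            if value in line:
                m = SRC_IP.search(line)
                alerts.append({"kind": kind, "indicator": value,
                               "source_ip": m.group(1) if m else None, "line": line})
                break  # one alert per line is enough; the analyst gets the whole line anyway
    return alerts


def sample_logs(registry: dict) -> list[str]:
    """Constructed log lines (not real data): two benign, three that trip the wire."""
    db_user, ssh_user = registry["canary_users"]
    db_host, _ = registry["decoy_hosts"]
    return [
        "Aug 12 09:14:02 sshd[1201]: Accepted publickey for alice from 10.20.3.7 port 50122",
        f"Aug 12 09:15:12 named[822]: client 10.20.9.44#53211: query: {db_host} IN A",
        f"Aug 12 09:15:40 sshd[1230]: Invalid user {ssh_user} from 10.20.9.44 port 41822",
        "Aug 12 09:16:01 mysqld: Access granted for user 'reporting'@'10.20.3.50'",
        f"Aug 12 09:16:09 mysqld: Access denied for user '{db_user}'@'10.20.9.44' (using password: YES)",
    ]


def run_demo() -> dict:
    """Seed a throwaway decoy home, run the tripwire over the sample logs, return everything."""
    home = Path(tempfile.mkdtemp(prefix="decoy-"))
    registry = seed_decoys(home)
    alerts = detect(sample_logs(registry), registry)
    return {"home": str(home), "registry": registry, "alerts": alerts}


if __name__ == "__main__":
    result = run_demo()
    for a in result["alerts"]:
        print(f"{a['kind']:12} {a['indicator']:28} from {a['source_ip']}")
```

Three things in this example carry the strategic point. The DNS query for the decoy hostname fires before any login attempt, which is the earliest the analyst can start watching. The canary values are random and unique per decoy, so the detector needs no tuning and a hit tells you exactly which lure was taken. And the registry is returned to the caller rather than written next to the bait, because a deception network whose map sits on the decoy host tips off the attacker it was meant to observe.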
Today's board is actively informed about cyber threats and the state of cyber security in the organization. This is good, but the board usually lacks cyber expertise and so heads down the path of "more is better". CISOs and CIOs often feel pressured into buying "<BIG BRAND>" products, thanks to the adage "nobody got fired for buying <BIG BRAND>", without much forethought and, scarily, many times without much afterthought either.
In reality, this is becoming the next-gen version of what we used to hear a decade ago: "We have firewalls and AV, we are secure".