How to Deceive Cyber Deceivers 

Since 2014, internal and external cyber-attacks have accelerated and there is evidence that these assailants are penetrating traditional defenses at an increasing rate. Today’s security technologies seek primarily to defend a perimeter, but both firewalls and end-point security cannot defend a perimeter with 100 percent certainty. Additionally, heuristics and logging tools may find an attacker within the network, but often generate so many alerts that critical issues are missed.

It’s obvious by the number of vendors and technologies flooding the market that existing defense-in-depth cyber technologies have struggled against the wave of sophisticated and persistent human attackers.  Cyber-attackers can penetrate these networks and move unimpeded for months, stealing data and intellectual property.

To that end, cybersecurity is an active field with technologies emerging to address security issues in a deeper and more sophisticated way. One that’s moving to the forefront is “deception technology,” which considers and accounts for the human attacker's point of view and methodology for exploiting and navigating networks to identify and exfiltrate data. It creates traps and lures covertly mixed among existing IT resources.

Deception technology is not a new concept. The theory of “honeypots” has been around since the late 90s, when Fred Cohen introduced everyone to the deception toolkit and with the subsequent launch of the Honeynet Project. These early deception techniques sat outside of traditional firewall protection in order to allow attackers to gain access to the exposed honeypot so researchers could learn the tools, tactics and motives of an attacker.  Today’s approach to deception technology has moved from the external to an internal countermeasure, allowing security professionals swamped with the volume and veracity of threat data to quickly zero in on cases of actual ongoing infiltration leveraging the lure being accessed.

Ultimately, deception technology theory operates on three tenants:

• Set the Bait: This consists of deploying emulations that imitate desktops, databases and other infrastructure devices vulnerable to attack. Even bogus IT assets, such as users and files that co-mingle with actual IT assets, can be deployed as lures for internal or external attackers and automated malicious behavior such as viruses and malware.
• Spring the Trap: Anyone, internal or external, that seeks to identify, ping, enter, view or utilize a lure is immediately identified by this behavior. Lures have built-in alerts are produced that are the end product of a binary process giving an immediate advantage over heuristic approaches and the many thousands of extraneous alerts traditional techniques generate.
• Stop the Threat: Once malicious activity is detected, security resources can determine how to deal with threats in the best way, such as blocking the threat and remediating damages, or even observing the threat behavior to collect data that support advanced cyber forensics.

A lure strategy that we’re familiar with applies the concept of “honeypots” to delay and detect a ransomware infection.  Instead of emulating an entire system, it plants millions of fake files throughout a single file share on low powered, commodity hardware.  Any ransomware infection will attempt to change and encrypt those files first while alerts are triggered to the security team based on known CPU and disk thresholds.

Deception technology offers a viable solution that can help security teams regain the upper hand. Often strapped for staff and resources, security teams can employ deception to greatly expand their investigative and analytical capacity, prioritize incidents with greater accuracy and automate mitigation measures – thereby reducing the impact of the time attacks linger on a network and accelerating incident response with greater efficacy.

Eric Schlesinger, chief information security officer of Polaris Alpha, has more than 20 years of experience in infrastructure and operations management.