Deception for protection
- By Stephanie Kanowitz
- Oct 14, 2016
As organizations move away from perimeter defense and toward post-breach detection, deception is gaining popularity as a successful defensive tool, according to a new report. Deception strategy uses decoys, traps, lures and other methods to “cause confusion, waste the attackers’ time and deflect the attack by sending them down the wrong path,” according to the report, “Applying Deception Mechanisms for Detecting Sophisticated Cyber Attacks,” from TopSpin Security.
In other words, deception helps organizations better control and protect the network by setting it up in misleading ways. This increases their ability not only to keep attackers away from real data, but also to identify an attack in progress because administrators can receive alerts when access is attempted on the fakes. Deception traps include:
- Decoys, which are fake workstations, laptops, routers, switches, mobile and Internet of Things devices, as well as the connections among them. Legitimate users have no reason to access decoys, so any contact with one is an immediate sign of an intrusion.
- Mini-traps, also known as breadcrumbs, which are intended to lead attackers off the trail. For instance, as intruders look for indicators of valuable information, such as credentials, that could help them access assets, the mini-traps steer them toward other deception mechanisms. Mini-traps can be files, documents, emails and system resources.
- Beacon traps, which are based on the beacons that are built into data and send a signal to a server every time the data is used. When a beacon trap is opened, it alerts the server.
- “Poisoned data,” or incorrect information that attackers will likely use, such as usernames and passwords, to attempt an intrusion. When they use it, system administrators are alerted.
For its study, TopSpin -- a firm that provides integrated deception and detection solutions -- set up environments with its DECOYnet deception solution and issued a “capture the flag” challenge. Participants received access to one asset as a starting point and then had to reach the objective by collecting five hints on other assets in the mock environment.
Fifty-two information security professionals participated and spent an average of six to seven hours each trying to solve the task. The challenge ran for more than a month, and the environment was tested against several dozen malware types.
The traps triggered most often by humans were in documents (77 percent), credentials (45 percent) and email (36 percent), while malware triggered application traps (88 percent), beacon traps (25 percent) and document traps (13 percent).
One of the most effective traps involved fake passwords and credentials. For instance, every password that was found was used an average of two and a half times by the attackers, who were taking advantage of the fact that users tend to reuse the same credentials across several resources, the report states.
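To show how the "poisoned data" trap from the list above and the credential-reuse finding just described turn into a detection, here is an added example (not code from the report or from TopSpin's DECOYnet). It assumes two decoy usernames were planted in breadcrumb files, scans constructed OpenSSH-style auth log lines, and raises one alert per source address that tried the decoys, flagging reuse across hosts as lateral movement.

```python
"""Honeytoken credential detection over auth logs (added example, not from the report)."""
import re
from collections import defaultdict

# Constructed decoy accounts planted in breadcrumb files. No real user or service is
# ever configured with these names, so any authentication attempt with them is an alert.
HONEYTOKEN_USERS = {"svc_backup_legacy", "admin_dr"}

# Constructed sample log lines in OpenSSH sshd format (assumed format, not from the page).
SAMPLE_LOG = """\
Oct 14 09:01:12 web01 sshd[2211]: Accepted publickey for deploy from 10.0.5.20 port 51022 ssh2
Oct 14 09:03:45 web01 sshd[2240]: Failed password for svc_backup_legacy from 10.0.9.77 port 40112 ssh2
Oct 14 09:03:49 web01 sshd[2240]: Failed password for svc_backup_legacy from 10.0.9.77 port 40112 ssh2
Oct 14 09:05:02 db01 sshd[4012]: Failed password for invalid user admin_dr from 10.0.9.77 port 40200 ssh2
Oct 14 09:06:30 db01 sshd[4020]: Accepted password for alice from 10.0.5.31 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+)"
)

def find_honeytoken_hits(log_text, honeytokens=HONEYTOKEN_USERS):
    """Group decoy-credential use by source IP: hosts touched, users tried, attempt counts."""
    hits = defaultdict(lambda: {"hosts": set(), "users": set(), "attempts": 0, "accepted": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user") not in honeytokens:
            continue  # legitimate login or unparseable line: not a trap trigger
        h = hits[m.group("src")]
        h["hosts"].add(m.group("host"))
        h["users"].add(m.group("user"))
        h["attempts"] += 1
        if m.group("result") == "Accepted":
            h["accepted"] += 1  # a decoy account that actually logs in is the worst case
    return dict(hits)

def alerts(log_text, honeytokens=HONEYTOKEN_USERS):
    """One alert per offending source; more than one host means the decoy was reused to pivot."""
    out = []
    for src, h in sorted(find_honeytoken_hits(log_text, honeytokens).items()):
        sev = "CRITICAL" if h["accepted"] else "HIGH"
        lateral = " lateral-movement" if len(h["hosts"]) > 1 else ""
        out.append(f"{sev}{lateral}: {src} used decoy credential(s) {sorted(h['users'])} "
                   f"on {sorted(h['hosts'])} ({h['attempts']} attempts)")
    return out

if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```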
Good decoys were also effective, with sophisticated hackers spending significant time on a small number of decoy services, indicating that they had a tough time differentiating the decoys from the real assets, according to the report.
“By leading the attacker to spend (his or her) valuable time and efforts on fake assets, the deception layer was successful in both slowing the attack and diverting it from real assets,” the report states.
The best way to use deception, the study shows, is to deploy a variety of deception traps, because different traps lured different attackers. Sixty-six percent of the attackers were attracted to and detected by decoys, while the rest fell prey to other deception approaches such as data and beacon traps.
“All attacks were detected long before any data could be exfiltrated,” the study shows. “Deception serves to increase the attacker’s knowledge gap, rendering much of the attacker’s per-attack intel irrelevant and providing defenders with a proactive, offensive tool with which to deflect the attack from real organizational assets.”
Read the full report here.
Stephanie Kanowitz is a freelance writer based in northern Virginia.