Using deception technologies to thwart attacks and reveal targets
- By Doron Kolton
- Jan 27, 2017
It is generally accepted that cyber attackers have the advantage when they decide to invade an organization. They have to succeed only once, while the defenders must block 100 percent of the attacks to succeed in their role. Yet there is one critical advantage defenders have over attackers: their knowledge about their organization and environment, knowing what the crown jewels of the organization are and where they reside.
When attackers infect an organization (and there is no way today to prevent it), they start collecting data about the networks, the assets, the location of the valuable information, applications being used, credentials, vulnerabilities and more. This is where IT security teams can interfere with and disrupt the attackers’ activities, and ultimately defend against these cyber criminals.
Take back control
The Department of Homeland Security defines Moving Target Defense (MTD) as "the concept of controlling change across multiple system dimensions in order to increase uncertainty and apparent complexity for attackers, reduce their window of opportunity and increase the costs of their probing and attack efforts." There are many different approaches to implementing MTD, including dynamic runtime platforms, dynamic application code and data, dynamic deception, as well as control-flow enforcement technology from companies such as Intel and Microsoft.
Emerging in the industry is the use of deception, taking advantage of its different components as an MTD system to interfere with the activities of attackers. Deception -- the use of decoys (false assets: endpoints, servers, IoT devices, etc.) and breadcrumbs (false data that is planted on real assets and points to decoys) to lure and trap attackers -- is a proven post-breach detection technology. Adding MTD capabilities to deception allows defenders to use it as a powerful prevention technology as well.
Using MTD as part of a deception strategy, organizations present attackers with an obfuscated, complex environment in multiple dimensions (network, applications, data) that is constantly changing and leaves the attackers in a state of uncertainty. The combination of deception and MTD leaves attackers wondering:
- Is the information collected from the organization true or false?
- Is the visible structure and layout of the network real or not?
- Which systems are real, which are fake and which hold a trap?
- Is the information being collected genuine?
- Will the credentials that were collected work when used?
- Are the apparent vulnerabilities found true at all?
Using intelligent deception, IT security teams can build an intricate web of decoys and breadcrumbs that match the networks, assets, applications and operations in the organization, based on continual analysis of the traffic in the organization. These decoys and breadcrumbs are constantly changing the services, the IP addresses, the ports being used and more.
Adaptive, dynamic defenses
In addition to widening the attacker’s knowledge gap, as shown above, deception serves to detect what the attackers are looking for and ultimately to identify the cyber criminals and stop the attack.
Intelligent deception solutions add traffic analysis capabilities on top of the decoy and breadcrumb deception layer. Analyzing the traffic in the organization allows initial sensing of the ports and applications the attackers are searching for in order to infiltrate. The deception can automatically adapt itself by opening the relevant ports and spawning decoy systems and applications. This “opens the door” for attackers to find what they are looking for and invest further time exploring it. The same logic can be applied to any communication channel that does not conform with the policy of the organization (such as connecting to blocked domains): these connections can be redirected to the decoy systems.
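The adaptive step described above, as a constructed Python sketch added here (not the article's own code and not TopSpin's product): it reads rejected-connection log lines, flags ports that one internal source is sweeping across several hosts, and derives which decoy listeners to open. The log format, addresses, decoy pool and threshold are all assumptions.

```python
"""Adaptive deception sketch: sense which closed ports a source is probing
and turn that into a plan of decoy listeners to spawn (illustrative only)."""
from collections import defaultdict

# Constructed sample of rejected-connection log lines in a hypothetical format:
# "<timestamp> src=<ip> dst=<ip> dport=<port> action=<reject|accept>"
SAMPLE_LOG = """\
2017-01-27T10:00:01 src=10.0.5.23 dst=10.0.1.10 dport=445 action=reject
2017-01-27T10:00:01 src=10.0.5.23 dst=10.0.1.11 dport=445 action=reject
2017-01-27T10:00:02 src=10.0.5.23 dst=10.0.1.12 dport=445 action=reject
2017-01-27T10:00:02 src=10.0.5.23 dst=10.0.1.12 dport=3389 action=reject
2017-01-27T10:00:03 src=10.0.5.23 dst=10.0.1.13 dport=3389 action=reject
2017-01-27T10:00:03 src=10.0.5.23 dst=10.0.1.14 dport=3389 action=reject
2017-01-27T10:00:04 src=10.0.7.8 dst=10.0.1.10 dport=22 action=reject
2017-01-27T10:00:05 src=10.0.5.23 dst=10.0.1.15 dport=8080 action=accept
"""

DECOY_POOL = ["10.0.1.250", "10.0.1.251"]  # assumed addresses reserved for decoys
THRESHOLD = 3  # distinct hosts probed on one port before the deception reacts

def parse(line):
    """Split one log line into (src, dst, dport, action)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"]), fields["action"]

def probed_ports(log_text, threshold=THRESHOLD):
    """Return {src: [ports]} for ports a source hit on >= threshold distinct
    hosts with rejected connections, i.e. a sweep for a service nobody offers."""
    seen = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    for line in log_text.splitlines():
        src, dst, port, action = parse(line)
        if action == "reject":  # accepted connections are real services, ignore
            seen[src][port].add(dst)
    result = {}
    for src, ports in seen.items():
        swept = sorted(p for p, hosts in ports.items() if len(hosts) >= threshold)
        if swept:
            result[src] = swept
    return result

def decoy_plan(probed, pool=DECOY_POOL):
    """Spread one decoy listener per swept port over the decoy pool.
    Returns [(decoy_ip, port, probing_src)]; actually binding the listener
    and alerting on any hit is left to the deception platform."""
    plan = []
    for src, ports in sorted(probed.items()):
        for i, port in enumerate(ports):
            plan.append((pool[i % len(pool)], port, src))
    return plan
```

A single rejected attempt (the lone port 22 probe) stays below the threshold, so it gets no decoy and adds no noise.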
Some of the advantages of using MTD in a deception approach include:
- Ease of deployment: The right deception tools can be implemented easily based on automatic identification of the organization's resources (networks, assets, applications).
- Scalability: Deception done correctly scales with the organization and is not confined by fixed limits on coverage.
- No endpoint overhead: Intelligent deception does not introduce another agent running on the endpoint.
Deception as an MTD technology offers new benefits to security teams. The dynamic and adaptive nature of new intelligent deception technologies makes it hard for attackers to outsmart defense mechanisms. They confuse attackers, force them to waste their efforts on fake assets and reveal themselves in the process.
Doron Kolton is founder and CEO of TopSpin Security.