Businesses in many different sectors build their cyber security systems on the assumption that contemporary cyber security threats are difficult to spot. Furthermore, they understand that even though it might be possible to assess cyber risks in relation to various company assets, not all vulnerabilities will be discovered in time to completely prevent cyber breaches and protect companies' systems from adversarial impact. Under these circumstances, new developments in cyber defence emerge to help mitigate unknown and not easily discoverable threats. One such development is deception, or so-called deception techniques, for cyber security. What are deception techniques for cyber security? How costly and how effective are they when applied against adversaries? We discuss these questions below.
Deception in Cyber Defence
In many cases, deception techniques are considered to be a form of Active Cyber Defence, as they allow businesses to interact directly with adversaries by creating deceptive objects or using deceptive strategies against cyber criminals. Deception cyber defence usually includes decoys, mirror or imitation shielding and other misdirection techniques. A cyber-deception solution usually combines several deceptive means, tools and/or practices, all deployed to create a “maze of deception” that slows down or deflects attackers and collects forensic evidence to identify stealthy attackers, attribute breaches to them, and even entrap them.
Deceptive cyber defence techniques contradict the well-accepted view that a cyber security system should primarily concentrate on robustness (building cyber defences to stop hackers getting into the systems), the defence-in-depth strategy applied by many businesses. In contrast, proponents of cyber deception argue that instead of trying to keep adversaries out by building thicker cyber security "walls" (which may, in fact, attract stronger, more sophisticated and better equipped adversaries), the objective of a cyber security system should be to let them in, collect data on them, and make it very hard for them to find their way through the system. Essentially, deception techniques would make cyber criminals give up and abandon their original target.
Is Deception A Good Idea?
Whether deception as a cyber defence tool is a good idea is a complex problem. On the one hand, given the complexity of systems and the ever-present vulnerabilities, from exploits that your company may not have discovered yet to zero-day and polymorphic code attacks, deception might seem like a better strategy than trying to second-guess potential targets within your systems, putting measures in place to prevent attacks, and calculating the likely moves of the adversaries. On the other hand, few companies possess the level of maturity (or, in fact, the level of technical expertise and reputational freedom) to engage in deception where cyber security is concerned. For example, it would be unimaginable for a large financial institution (a large global bank) to announce that instead of channelling its efforts into keeping adversaries out, it will concentrate on cyber deception. The reputational costs would be very significant. This is why, in many companies (including large banks), deception techniques are used as a support mechanism rather than as the main cyber security strategy. In other words, while these companies still concentrate on preventing adversaries from entering their systems, they use deception techniques as an extra frontier of defence in case adversaries break through the first one.
There is a lot of cyber security deception technology, from "honeypots" (computers or computer systems intended to imitate likely targets of cyberattacks, used to detect attacks or redirect them away from a legitimate target) to automated traps and decoys that imitate target systems such as cash machines (ATMs), individual computers within the organisational system, medical devices, and internal network switches and routers. Firewalls, zero-trust systems, even end-point security of devices (from mobile phones to IoT devices) cannot defend organisational assets with 100% certainty, irrespective of what your cyber security provider tells you. Nor can encrypted communications networks and database servers be completely protected from unauthorised access; they too may be compromised.
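The honeypot idea above is simple to demonstrate in code. The following is an added example (not code from the original article or from any vendor named on this page): a low-interaction decoy listener that imitates a service banner, records whatever a connecting client sends, never authenticates or executes anything, and emits an alert record. The port-to-service inventory, the banners and the peer addresses are constructed for the example. The security point is the one the paragraph makes: no legitimate workflow ever connects to a decoy, so every such record is a high-fidelity alert rather than a probabilistic IDS signature match.

```python
import json
import socket
from datetime import datetime, timezone

# Constructed decoy inventory: listening port -> the service the decoy imitates.
# Real deployments put these on addresses no legitimate workflow ever uses.
DECOY_SERVICES = {2222: "ssh-decoy", 3389: "rdp-decoy", 5900: "vnc-decoy"}

# Hypothetical greeting banners; they only need to look plausible to a scanner.
BANNERS = {
    "ssh-decoy": b"SSH-2.0-OpenSSH_8.9\r\n",
    "rdp-decoy": b"",
    "vnc-decoy": b"RFB 003.008\n",
}


def handle_connection(conn, peer, local_port, max_bytes=256, timeout=2.0):
    """Low-interaction decoy handler.

    Sends a banner, captures what the client sends first, never authenticates
    or executes anything, closes the connection and returns an alert record.
    Because nobody has a legitimate reason to connect to a decoy, every record
    is a high-fidelity signal for the security operations team.
    """
    service = DECOY_SERVICES.get(local_port, "unknown-decoy")
    conn.settimeout(timeout)
    try:
        banner = BANNERS.get(service, b"")
        if banner:
            conn.sendall(banner)
        data = conn.recv(max_bytes)
    except (socket.timeout, OSError):
        data = b""  # silent probe or client hung up: still worth an alert
    finally:
        conn.close()
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "severity": "high",
        "decoy": service,
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes_received": len(data),
        # Keep only a short printable sample for the analyst, not full payloads.
        "sample": data[:64].decode("ascii", "replace"),
    }


def serve(port, bind_addr="127.0.0.1", max_conns=None):
    """Accept loop for one decoy port; yields one alert record per connection.

    max_conns limits how many connections are handled (None runs forever).
    """
    handled = 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(16)
        while max_conns is None or handled < max_conns:
            conn, peer = srv.accept()
            handled += 1
            yield handle_connection(conn, peer, port)


def simulate_probe(payload, peer=("10.0.7.15", 51234), port=2222):
    """Drive handle_connection over a local socketpair (no network needed) and
    return the alert plus the banner the probing side received. The peer
    address is a constructed value standing in for a real client."""
    server_side, client_side = socket.socketpair()
    with client_side:
        client_side.sendall(payload)
        alert = handle_connection(server_side, peer, port)
        seen = client_side.recv(256)
    return alert, seen


if __name__ == "__main__":
    # Run a single ssh-decoy on localhost:2222 and print alerts as JSON lines,
    # which a SIEM collector can ingest directly.
    for alert in serve(2222):
        print(json.dumps(alert))
```

The handler deliberately does nothing a real service would do beyond sending a banner: the value of a decoy is the alert, not the interaction, and keeping it low-interaction avoids giving an intruder a foothold on the decoy host itself.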
Often, hackers seek to gain backdoor entry into a corporate network, typically aiming to navigate and exploit the network in order to identify and exfiltrate data. A backdoor is a method of bypassing normal authentication or encryption in a computer system, a product, an embedded device (e.g., a home router, or its embodiment as part of a crypto system), an algorithm, a chipset, or a “homunculus computer”, a tiny computer-within-a-computer such as that found in Intel’s AMT technology. Backdoors are often used for securing remote access to a computer or obtaining access to plaintext in cryptographic systems. The concept of a homunculus computer is a system within a system that mirrors what that system does and monitors its function. It is a concept drawn from human neurobiology, imitating the brain and the way it functions by representing and processing collections of sensory inputs and output feedback, which are interpreted by the “mind” and its ability to perceive, think and reason about the external world. Deception technologies are particularly effective against backdoors, as they redirect cyber criminals away from valuable targets to "honeypots", which are of no use to the adversaries.
Examples of Deception Technology Solutions and Vendors
Conceptually, deception technologies are part of the Security Information and Event Management (SIEM) tools and methodology. They differ from intrusion detection systems (IDS) in that they allow automated static and dynamic analysis of injected malware and, through automation, provide frequent reports to security operations personnel and to the cyber security teams within organisations. Deception technology may also identify, through indicators of compromise (IoC), suspected end-points that are part of the compromise cycle. Automation within the SIEM also allows for streamed memory analysis of the suspect end-point, after which the suspected end-point is automatically isolated through the deception tools.
Examples of deception technology vendors include Rapid7, Smokescreen, TrapX, Fidelis Cybersecurity, Attivo Networks, Illusive Networks, Aves Netsec and Deceptive Bytes, to name a few. TrapX is one vendor of deception technology that was effective at deceiving the TeslaCrypt, Locky and 7ev3n ransomware families, known as advanced persistent threats (APTs), luring hackers away from valuable data assets. These deception technologies are able, for example, to engage a ransomware attack with decoy resources while isolating the infection points and alerting cyber defence teams.
Fidelis Cybersecurity is another example of a deception technology vendor, made public by First Midwest Bank, a financial institution that used this technology to set up decoy solutions to identify patterns of anomalies in its networks and end-points. This is particularly relevant when operating in a highly regulated industry: the bank is subject to the Federal Financial Institutions Examination Council’s uniform principles and standards for financial institutions, and its processes are periodically tested for compliance with a litany of laws and regulations.
The Kill Chain Concept
Deception technologies are also often built around the kill chain framework developed by Lockheed Martin in 2011 to categorise the phases of a cyberattack, which the framework describes as Adversary Campaigns and Intrusion Kill Chains. The framework includes the following steps: (1) Reconnaissance, (2) Weaponization, (3) Delivery, (4) Exploitation, (5) Installation, (6) Command, and (7) Action on objectives. Lockheed Martin's work determined that conventional network defence tools, such as IDS, focus on the vulnerability component of risk, and that traditional incident response methodology presupposes a successful intrusion. An evolution in the goals and sophistication of computer network intrusions has rendered these approaches insufficient against certain actors. A new class of threats, appropriately dubbed advanced persistent threats (APTs), as described above, are executed by well-resourced and trained adversaries that conduct multi-year intrusion campaigns targeting highly sensitive economic, proprietary or national security information. The evolution of APTs necessitates an intelligence-based model, in which defenders mitigate not just the vulnerability but also the threat and actor components of risk.
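The SIEM-side processing described in the previous section (identifying a suspected end-point from decoy interactions and isolating it automatically) and the kill chain phases listed here can be shown together in one piece of logic. The following is an added example, not code from the article or from any vendor it names: a small correlation routine that ingests constructed decoy-sensor events, groups them by source host, maps each interaction type to the kill chain phase it evidences, and applies an assumed response policy (isolate on reaching Exploitation or later, or on sweeping two or more decoys; otherwise keep watching). The decoy inventory, the event-type-to-phase mapping, the thresholds and the sample events are all assumptions made for the example.

```python
from datetime import datetime

# The seven kill chain phases as named on the page, in order.
KILL_CHAIN = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command", "Action on objectives",
)

# Constructed decoy inventory: internal addresses that belong to decoys and what
# each imitates. Anything that talks to these is, by definition, not legitimate.
DECOYS = {
    "10.0.5.20": "decoy-atm-01",
    "10.0.5.21": "decoy-workstation-07",
    "10.0.5.30": "decoy-core-switch",
}

# Assumed mapping from the kind of decoy interaction to the phase it evidences.
PHASE_OF_EVENT = {
    "port_scan": "Reconnaissance",
    "login_attempt": "Exploitation",
    "file_write": "Installation",
    "beacon": "Command",
    "data_read": "Action on objectives",
}

# Constructed sample events in the shape a decoy sensor might forward to a SIEM.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "src": "10.0.7.15", "dst": "10.0.5.20", "type": "port_scan"},
    {"ts": "2024-03-01T09:00:05", "src": "10.0.7.15", "dst": "10.0.5.21", "type": "port_scan"},
    {"ts": "2024-03-01T09:03:10", "src": "10.0.7.15", "dst": "10.0.5.21", "type": "login_attempt"},
    {"ts": "2024-03-01T09:10:00", "src": "10.0.7.99", "dst": "10.0.5.30", "type": "port_scan"},
    {"ts": "2024-03-01T09:11:00", "src": "10.0.7.40", "dst": "10.0.8.10", "type": "data_read"},
]


def phase_index(phase):
    """Position of a phase in the kill chain; later phases mean deeper intrusion."""
    return KILL_CHAIN.index(phase)


def correlate(events):
    """Group decoy interactions by source host: which decoys it touched, which
    phases it reached, and the time window of its activity."""
    hosts = {}
    for e in events:
        if e["dst"] not in DECOYS:
            continue  # traffic to real assets is left to the other controls
        ts = datetime.fromisoformat(e["ts"])
        h = hosts.setdefault(
            e["src"], {"decoys": set(), "phases": set(), "first": ts, "last": ts}
        )
        h["decoys"].add(DECOYS[e["dst"]])
        h["phases"].add(PHASE_OF_EVENT.get(e["type"], "Reconnaissance"))
        h["first"] = min(h["first"], ts)
        h["last"] = max(h["last"], ts)
    return hosts


def decide(summary, isolate_from="Exploitation", sweep_threshold=2):
    """Assumed response policy: isolate a host that reaches `isolate_from` or a
    later phase on any decoy, or that touches `sweep_threshold` or more distinct
    decoys (a lateral-movement sweep); otherwise keep watching it."""
    furthest = max(summary["phases"], key=phase_index)
    reasons = []
    if phase_index(furthest) >= phase_index(isolate_from):
        reasons.append(f"reached {furthest} on a decoy")
    if len(summary["decoys"]) >= sweep_threshold:
        reasons.append(f"touched {len(summary['decoys'])} distinct decoys")
    return {
        "action": "isolate" if reasons else "watch",
        "furthest_phase": furthest,
        "decoys_touched": len(summary["decoys"]),
        # How long the host has been active against decoys: a direct measure of
        # the dwell time the decoys let the defender cut short.
        "window_seconds": int((summary["last"] - summary["first"]).total_seconds()),
        "reasons": reasons,
    }


def triage(events):
    """Produce a per-host verdict for every internal host that touched a decoy."""
    return {src: decide(s) for src, s in correlate(events).items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

On the sample events, the host that scanned two decoys and then attempted a login is marked for isolation on both grounds, the host that only scanned a single decoy is kept on watch, and the event against a real asset is ignored by this routine because it is not decoy evidence. The thresholds are the kind of policy knob a security team would tune rather than fixed values.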
Deception is an attractive cyber defence tool. It is one technology that can significantly reduce dwell time. On top of this, it is easy to install, does not require a lot of resources to manage, and increases the effectiveness and efficiency of security teams. A key issue is how far to advertise the existence of deception technologies. The important thing to remember is that deception does not imply active cyber defence in the sense of retaliation against the adversaries. It is one thing to track and trace what is going on in order to establish who is attacking and what their motives are. Legal attribution is a completely different thing. There is a fine line between (a) deception for the sake of knowing and (b) entrapment, which may amount to tricking someone into committing a crime in order to secure attribution of the cyber crime and their prosecution. From a legal standpoint, such a strategy is very questionable. Engaging in such active cyber defence actions rather than deception actions also creates an additional burden of work for a business, and it does not necessarily make that business more secure. From a learning point of view, deception technologies are excellent planning approaches to cyber security, but the issue is how far to pursue this strategy. Obviously, some caution needs to be exercised to make sure that businesses do not cross the line between deception and retaliation.