first published on LinkedIn on April 27, 2019
TL;DR: Things are not always you may desperately want them to be ¯\_(ツ)_/¯
However, as with any other capability we deploy, we would be in a better position if we understand its limitations, applicability boundaries, and best deployment model, do not you think? Therefore, have you ever asked yourself (or your vendor)
What would the best deception deployment model be?
Despite the opinions and the answers you may have received thus far, let's explore this together.
I claim that the best deception results will be where there is the most random distribution – it will give us the best advantage over the adversary. The assumption here is simple - the adversary is prepared to bear losses and will eventually learn about your defenses. However, no one can learn the randomness in principle other than it is random.
But what is the "most random" distribution? Because 0% and 100% deception coverage offers minimal entropy (randomness) due to the absolute minimum degrees of freedom - it will be somewhere between these two minimum points. That is: there will be at least one point that will offer the maximum entropy (randomness) in deployment and that is a mathematical fact. Even if we do not know the shape of the curve (as that depends on the assumptions and the chosen model) we can be absolutely confident that the best coverage is between 0% and 100%.
Let's explore further?
First, let me state my assumptions for the model, so you can challenge me to further improve it as required. For simplicity, I assume:
we employ any sort of "things" (let's call them e.g. decoys) that are "placed" on the network-connected devices that can be discovered by the adversary but have no legitimate use otherwise;
once they are being "touched" they generate an "alert" (i.e. detection - think of this a minefield);
they have a 100% detection rate (which by the way is an impossible ideal);
we have a flat network for simplicity (i.e. there is no security policy enforcement between different parts of the network - this does not constrain the model as the motivated adversaries would find the way as the experience tells us).
In these conditions, what is the probability to detect the adversary during its lateral movement?
If we have 100% coverage the probability to detect the adversary will be 100% (by definition). However, this is an unachievable ideal (as there is no system that is free of false positives and false negatives) and therefore this extreme case tells us – 100% coverage is not sufficient! But, is it even necessary?
Let’s assume we employ 10% random static decoy distribution (that gives the adversary 90%(!) chance not to be detected at any randomly hit hop). What would be the probability to detect the adversary in our conditions during 5 hops?
Whenever we need to find the probability of at least one thing happening, we can instead ask "What is the probability that none of them happen?" and subtract from 1 (since the complementary event to "none happens" is "at least one happens"). Therefore,
P (at least one event) = 1 − P(none of the events)
Since the events are independent, the probability of no event happens (i.e. the probability of not being detected) is the product of the individual (i.e. 0.9 or 90%) probabilities.
Therefore, the probability of not being detected five times on the row is
0.9 * 0.9 * 0.9 * 0.9 * 0.9 = 0.59 (or ~59%)
And, based on the calculation above the probability of detection is
P (detection) = 1 − P(no detection)= 1 − 0.59 = 0.41 (or ~41%)
This is not high but is still higher than the detection rate of a randomly chosen antivirus for a randomly chosen malicious code (just visit virustotal(dot)com to convince yourself).
As you can further notice, if we increase the coverage the detection rate goes up very quickly:
P (30% coverage) = 83%, P (50% coverage) = 97%, P (60% coverage) = 99%, and so on. However, it is not necessary to go any further as we will never achieve this detection rate in practice anyway, do not you agree? And therefore, 80% is already pretty good if it works as advertised. What would be your rational choice for coverage?
Can we improve this any further?
I see that if the point of a possible adversary's entry (e.g. an exposed web server or a user receiving unexpected unsolicited external emails rather than closer to the anticipated target where it will be too late to react) would have a greater probability of detection - the chances of the defender will be greater.
For this, let’s now employ a 90% coverage on the small number of the most likely entry points (it gives us 90% chance to detect the adversary very early near the first hop, and 10% to the adversary to remain undetected). The rest deployment is the same as before - the 10% random static decoy distribution coverage on a large number of points.
Again, since the events are independent, the probability of no event happens (i.e. the probability of not being detected) is the product of the individual probabilities. Therefore, the probability of not being detected five times on the row is
0.1 * 0.9 * 0.9 * 0.9 * 0.9 = 0.07 (or ~7%)
And therefore, the probability of detection is
P (detection) = 1 − P(no detection)= 1 − 0.07 = 0.93 (or ~93%)
Quite (unrealistically) impressive! But it does tell us important thing: it seems indeed the full coverage is not necessary...
Let's now take a more realistic example where an adversary would need, based on the response from some experts I asked, "hundreds of hops on average to reach the target". Then
P(no detection) = 0.9^100 or ~3*10^-5
That is to compare: the probability 3*10^-4 to be struck by lightning in your lifetime is 10 times greater than the probability 3*10^-5 for the adversary reaching 100th hop undetected in the model of random 10% decoy deployment!
Let me bring this to life for you: if I offered you insurance against being struck by the lightning - would you buy it and how much would you pay if you ever did?
To conclude ("Take-Aways"), based on this simple set of assumptions:
100% coverage is not sufficient
100% coverage is not necessary
The best coverage (in terms of offering the maximum entropy) is a random distribution covering between 0% and 100% of the environment
Partial random distribution (that you can further randomly and dynamically change) does not impede your chances compare to the full coverage but offers a greater advantage over the adversary that the full coverage does not
Consider several different complementary solutions to further improve your detection and survival chances (similar to when you deploy several different alarm systems) and drive the adversary's operational cost up by using the cost-saving realized from the carefully modeled coverage
Full disclosure: this is a very simple model that does not take into consideration many important things, e.g. objectives, motivation, capabilities, etc of the adversary, that whilst would likely have random movements at the beginning will learn and make more considered movements later.
Prof. Ganna Pogrebna suggested further improvements to this simple model by using a "bridge model" (where we have network segmentation) vs "minefield model" (a flat network used here), as well as using the model of the random changes of the decoy distribution after every adversary's move. The later produced comparable results that increased confidence in the method.
Greg Mathews suggested using the Monter-Carlo method that also produced comparable results independently giving even more confidence in the model.
I also like to thank many others of my colleagues and friends who contributed via discussions or encouraged me to write this but preferred to remain anonymous.
Now it would be great if somebody could present a model and produce the results that are at odds with these - so we could understand what needs to be further improved. Anybody?
Probabilistic Performance Analysis of Moving Target and Deception Reconnaissance Defenses, Michael Crouse et al
Moving target defenses with and without cover deception, Fred Cohen et al
Measuring the effectiveness of honeypot counter-counterdeception, N. C. Rowe
Analysis of network address shuffling as a moving target defense, T.E.Carroll et al
Deception As A Cyber Defence Tool, Ganna Pogrebna