A cyber attacker determined to breach a business’s IT defences will do whatever they can to succeed. They’ll come at it with sophisticated malware and detailed knowledge of the business, trying to bypass security measures by sneaking in via an infected email attachment, malicious web link, compromised website or USB stick opened by an unsuspecting employee.
They may lie dormant in a business’s systems for months, but one day they will strike, unleashing cyber-espionage tools designed to seek out and steal your most precious and confidential information. Whether any of this effort gets them anywhere is another question.
Companies now realise that securing every endpoint, network and system is still critical, but is unlikely to be enough on its own. Certainly not against an advanced, targeted attacker. Welcome to the brave new world of anti-targeted attack solutions and threat deception.
Anti-targeted attack solutions are embedded deep within your IT operations and can monitor and detect even the slightest anomaly in daily workflow. Such solutions sit at the heart of a new approach to cyber-defence, one that regards security as a continuous process. Threat deception complements this approach, adding a new strategy to the fight against targeted attacks.
Threat deception involves adapting your internal IT in such a way that attackers are never quite sure whether what they are looking at is real. It includes the use of decoys (credentials, documents, servers, networks and more), placed at strategic points in the network, and carrying false information to confuse and trap attackers. The main purpose is to distract the attacker from the genuine information.
These decoys have a built-in tripwire that triggers the security alarm as soon as they are accessed, so that attackers can be contained and neutralised, or sent off on a fruitless journey through the network. With every step they reveal valuable intelligence about their intentions and, together with your other security solutions, the compromised points in your business processes.
Gartner estimates that one in ten businesses will have adopted threat deception techniques by 2018, with numbers set to rise further into the next decade as business awareness improves and the technology evolves.
The approach of deceiving opponents into thinking you’re something or somewhere you’re not is one of the oldest military tricks in the books. Lures and decoys have been used in conflicts throughout history to distract, delay or confuse the enemy, often with great success.
Cyber attackers have embraced this approach – for example, by planting ‘false flags’ in their malware code to muddy the waters of attribution and point the finger of blame at other attack groups or even countries.
The most basic implementation of cyber deception is the use of a classic ‘honeypot’, which, in most cases, involves isolated traps often outside the main infrastructure and its sensitive data. Honeypots have been used in cybersecurity since about 1990.
However, attackers have learned how to spot – and avoid – such traps and even how to use them as a way to break into the network. The emerging approach of threat deception is taking defensive subterfuge to a whole new level.
Feel the fear and do it anyway
Organisations sometimes don’t realise they, or their partners and contractors, have been compromised until days or even months after it has happened, unaware that attackers are inside their network helping themselves to their intellectual property, financial records, confidential communications, encrypted information, contacts and more. Putting an end to such potential damage requires new technologies, but also a new mindset about IT security: don’t fear the invasion, prepare for it.
Divert, distract, delay
A threat deception strategy can be implemented on many levels, with false or misleading components placed in networks, on endpoints, in applications and documents, or even as records in databases. None of them should get in the way of day-to-day operational needs.
The following scenario is an example of how it might work: upon breaching the perimeter, cyber attackers tend to deploy their malware tools on an endpoint – such as a computer – to extract credentials during an active session of the operating system.
Through threat deception they could receive fake credentials instead. Then, when they try to use these credentials on other network resources, the organisation is able to monitor their appearance and movement in the network, and to control and mitigate the attack.
Or, if the attackers make it as far as the data – either without detection or detected-but-contained, and under surveillance – they could find themselves capturing a tagged decoy document where they expect the confidential goodies to be, such as on a computer belonging to the CEO. They have no way of telling the difference.
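The decoy-credential tripwire described above, and the alarm-on-access idea from the earlier section, as an added example that is not part of the original article: decoy accounts exist nowhere in the real directory, so any authentication attempt naming one is a high-confidence alert, and grouping those attempts by source host reconstructs the attacker's movement. The account names, hosts and log format are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed decoy credentials (hypothetical names, not from the article):
# accounts that no legitimate user or service ever authenticates with.
DECOY_ACCOUNTS = {"svc_backup_legacy", "ceo_assistant_tmp", "sql_admin_old"}

# Simplified, constructed auth-log format:
#   <timestamp> <src_host> -> <dst_host> user=<name> result=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)

# Constructed sample log: one workstation tries the planted credentials
# against several servers after harvesting them from a live session.
SAMPLE_LOG = """\
2024-05-01T09:00:01 ws-017 -> fileserver01 user=j.smith result=ok
2024-05-01T09:02:14 ws-017 -> dc01 user=svc_backup_legacy result=fail
2024-05-01T09:02:20 ws-017 -> fileserver01 user=svc_backup_legacy result=fail
2024-05-01T09:05:42 ws-042 -> fileserver01 user=a.jones result=ok
2024-05-01T09:07:03 ws-017 -> sql01 user=sql_admin_old result=fail
"""

def parse_auth_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def detect_decoy_use(events, decoys=DECOY_ACCOUNTS):
    """Return every event that names a decoy account.

    Success or failure is irrelevant: decoys have no legitimate users,
    so the attempt itself trips the wire."""
    return [e for e in events if e["user"] in decoys]

def movement_by_source(alerts):
    """Map each source host to the ordered list of targets it tried,
    so the defender can follow the attacker's path through the network."""
    path = defaultdict(list)
    for a in alerts:
        if a["dst"] not in path[a["src"]]:
            path[a["src"]].append(a["dst"])
    return dict(path)

if __name__ == "__main__":
    alerts = detect_decoy_use(parse_auth_log(SAMPLE_LOG))
    for a in alerts:
        print(f"ALERT {a['ts']} decoy '{a['user']}' used from {a['src']} against {a['dst']}")
    print("Lateral path:", movement_by_source(alerts))
```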
Tracking the trackers
The key is to understand your network, and the systems or data of greatest potential interest to an attacker. Then set your traps in these areas. As soon as the attacker strikes, the alarm is triggered and their cover is blown. They can then be contained or, using other deceptive techniques, sent off on a wild goose chase where they can do no harm, but their actions can be tracked and analysed.
In the meantime, the company can isolate the targeted areas and learn more about what kind of data the attackers were after, the malicious tools they used and the weaknesses they have exposed. This kind of intelligence will help the victim to close any gaps and better understand who might want to target them, why and how.
Know your enemy – your enemy knows you
Knowledge is power. As the stakes between cyber attackers and their targets continue to rise over the coming years, the value of such knowledge will only increase. Cyber security will come to be marked by more subtle, intelligence-led tactics, complemented by human insight and analysis. Threat deception, either on its own or as part of a multi-layered anti-targeted attack process, will be an integral part of this.
Sourced by Denis Makrushin, security researcher, Kaspersky Lab