Deception Affinity and the Moving Target Defense

Sun Tzu stated that, “all warfare is based on deception.”

We expand upon Sun Tzu’s principle of warfare by modifying his statement slightly, to “all warfare is based on properly designed deception.” After all, deception is useless if it cannot fulfill its critical aim: to misdirect, confuse, and lure attackers into traps and dead-ends. This, in a nutshell, is the concept of deception affinity – the art of tricking attackers into overextending and exposing themselves.

However, to properly foil or misdirect an attacker you need to be able to see things from the attacker’s perspective – this means gaining full visibility, establishing context, understanding the intent of attackers and then engineering action to increase the cost and complexity of an attack. The first step is to understand your cyber terrain (“know your enemy, know yourself,” as Sun Tzu put it). To do this, organizations can’t focus solely on protecting their most valuable assets; they must protect anything that is likely to be targeted (inclusive of Crown Jewels). And to understand what is likely to be targeted, you need to know how the adversary is looking at your terrain.

Scouting Enemy Movements

We look at the world in terms of terrain because this is where the battle is fought. How the adversary sees your environment is part and parcel of how you want to defend it. Barring cases of insider threats, attackers will often begin their advance by initiating reconnaissance from internet grey space (unattributable portions of cyberspace) and attempt to enter through the border. As the adversary moves into the border, they begin looking for information that will aid them in executing their attack, asking themselves questions like: What ports are open? What are the protocols? What is the IP space? DNS? What’s available? Are there any presently known or published vulnerabilities that can be exploited?

As they move closer to their intended target – whether that be endpoints, ERP, or financial systems – your adversary will typically see, from left to right, an avenue of approach to an asset. So before engaging in any hunt operation, you want to know how an adversary is moving laterally, or north to south. This movement should be projected against the current terrain constraints and topography. Probable activity like C2 or exfiltration is more likely to be realized in certain parts of the network. Understanding the communication paths through hosts and enterprise resources is critical to understanding adversary movement. This understanding informs and influences current and future cyber posture by recommending sensor placement to improve and enhance visibility.

An ideal approach combines data at rest, e.g., securing endpoints, with data in transit, e.g., our network sensor. This allows for deeper and wider visibility across an enterprise, further supporting additional protections in the form of decoys deployed in key locations. These efforts introduce complications into hacking campaigns, thereby shifting the economics of an attack back onto the adversary.

As you take information relating to these paths of communication, unknown protocols and user behaviors, and project that information against the enterprise’s set of vulnerable hosts, you get a few different perspectives. Does the software on these devices present any known or common vulnerabilities (CVEs)? Are we able to construct a view of what needs to be seen from a visibility standpoint? What assets are vulnerable, where do they lie, and do potential paths for exfiltration, ingress and C2 exist in proximity to these assets? This kind of complete visibility of terrain, and not just content, allows organizations to construct the complete picture, providing intelligence that grants the ability to discern indicators of compromise and what a known or unknown TTP could be.

Denying the Enemy a Static Target

Defending cyber terrain relies on a simple concept called moving target defense (MTD) – an overarching defense philosophy that holds it is more difficult to hit a moving target than a static one. [1]

Attackers’ suspicions are raised when they come into contact with abnormal terrain. If you do nothing to alter the perception of your terrain across different dimensions (topology, time, etc.), you are essentially providing the attacker with a static target. If the target is static in nature, attackers can leverage the advantage of time to study and learn about communication paths and optimal techniques for exploitation and compromise. Our approach to defensible architecture centers on the ability to move or hide the target by changing the perception of the attack surface from the adversarial perspective.

The goal of deception-based cybersecurity is to reduce the overall percentage of exploitable terrain (i.e., attack surface) available to an attacker. The overall percentage of exploitable terrain is the ratio of exploitable terrain to the total terrain. The traditional approach is to focus on the numerator in this ratio, i.e., reducing the volume of exploitable terrain by patching vulnerable endpoints. Or, if organizations are unable to patch and must leave the endpoint open, they will usually deploy IDS, IPS and other types of appliances to determine if something is accessing it in the wrong way. This can work well enough in a static environment but will prove insufficient for organizations in non-static environments. Organizations with non-static environments (such as those building an enterprise baseline that incorporates legacy systems or medical devices) will only be able to reduce the numerator by so much. This ultimately limits their ability to maintain a healthy ratio of exploitable vs. unexploitable terrain.

In order to ensure the correct ratio, organizations must also focus on the denominator – their overall volume of unexploitable terrain. Deploying decoys that are similar to what is already on the network will increase the volume of unexploitable terrain and thereby lower the overall percentage of exploitable terrain. So as the attacker searches for static targets like ERP, servers, finance, database and HR resources, they will run into decoys that mimic their target. This frustrates the attacker and introduces anxiety, advantageously shaping their perspective.
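To make the numerator/denominator argument concrete, the following added example (not part of the original post, and not Fidelis code) models terrain as a count of hosts and asks two defender-side questions: how the exploitable-terrain ratio changes as decoys are added, and how likely an attacker who probes a handful of hosts before reaching a real asset is to touch at least one decoy (a uniform-random probing model is the assumption). The host counts are constructed sample values.

```python
from math import comb


def exploitable_ratio(exploitable, total):
    """Share of total terrain that is exploitable (the ratio the post describes)."""
    return exploitable / total


def ratio_after_decoys(exploitable, total, decoys):
    """Decoys add unexploitable terrain to the denominator only; the
    numerator (unpatched, exploitable hosts) is unchanged."""
    return exploitable / (total + decoys)


def decoy_touch_probability(real_hosts, decoys, probes):
    """Probability that an attacker probing `probes` distinct hosts, chosen
    uniformly at random from real_hosts + decoys, touches at least one decoy.
    Assumption: decoys are indistinguishable from real hosts to the attacker.
    P(no decoy touched) = C(real_hosts, probes) / C(real_hosts + decoys, probes)."""
    population = real_hosts + decoys
    if probes > population:
        raise ValueError("cannot probe more hosts than exist")
    return 1 - comb(real_hosts, probes) / comb(population, probes)


def decoys_needed(real_hosts, probes, target_prob):
    """Smallest decoy count at which the attacker's chance of touching a decoy
    within `probes` probes reaches target_prob."""
    decoys = 0
    while decoy_touch_probability(real_hosts, decoys, probes) < target_prob:
        decoys += 1
    return decoys


if __name__ == "__main__":
    # Constructed sample terrain: 100 real hosts, 20 of them unpatchable.
    print("ratio before decoys:", exploitable_ratio(20, 100))
    print("ratio after 100 decoys:", ratio_after_decoys(20, 100, 100))
    # An attacker that probes 10 hosts during lateral movement:
    for d in (0, 7, 25, 100):
        print(f"{d:3d} decoys -> P(touch decoy) = {decoy_touch_probability(100, d, 10):.3f}")
    print("decoys for 50% touch chance at 10 probes:", decoys_needed(100, 10, 0.5))
```

Note that the denominator lever works even when the numerator cannot move: the 20 unpatchable hosts are still exploitable, but each probe the attacker spends has a growing chance of landing on a decoy and being observed.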

To learn more about creating Deception Affinity and a Moving Target Defense capability, schedule a meeting or demo with Fidelis at Black Hat 2019 in Las Vegas.

Or visit our Fidelis Deception® product page.

[1] Department of Homeland Security, “Moving Target Defense.”