The topic of deception often brings up controversial thoughts and some misconceptions. Add in reporters looking for the negative or dark side of an interview for a story about deception, and fear keeps building up. Headlines about deception defenses striking back at attackers, engaging and confusing them causing possible retaliation, or possible legal concerns about entrapment add to this fear bubble. You have all the makings of a good Hollywood sci-fi thriller of good versus evil on a cyber battlefield. This is far from the reality of modern deception. However, negative news gets attention and click through rates make editors and advertisers happy.
Just as your anti-malware detects malware files or bad URLs, deception detects ‘actions’ by adversaries or malware that have passed through prevention defenses. Detecting actions when you know how attacks operate and what they desire can be a low risk post breach defense without the Hollywood drama noted above. Another way to accomplish this task is using machine learning to analyze user behavior to find anomalies, however, false positives can be an issue. Behavior analysis requires large amounts of data for context to establish baselines, plus peer groups and other techniques, and is a much larger project than using deception defenses. Still, there are multiple ways to look for actions of interest as a post breach defense. Focusing on accurate low risk deception deployments, below are some key concepts to keep in mind.
First, your deployment goal for low risk deception should be detection (versus containment) to quickly learn what devices have been compromised to allow attackers inside your environment. While security conference lectures may focus on containment to capture tools and malware by engaging attackers in a real environment, you open the door for possible compromise and increase your risk profile. Any deception environment for containment will have decoys using an operating system, applications and interaction with the local environment including directories and services. Containing an attacker while they engage with your real deception system interacting with a local environment adds the risk of compromise. You do not need to take this risk inside your network for deception, it is an option depending on your goals.
Second, with a focus on detection (versus containment), you desire high fidelity alerts for actions of external intruders, malware, or malicious and compromised insiders accessing or touching deception layer components. Breadcrumbs on real assets, such as desktops and laptops open to adversaries mode of operations and attack methodologies, provide lures to decoys to trip alerts. Breadcrumbs are static, they do not require agents and are undetectable to users. You do not need a deception agent and deploying and configuring one is another hassle in your day, and attackers can look for it. So, keep to static breadcrumbs with a frequent update cycle for freshness to avoid fingerprinting.
Third, for detection you need network-traps for man-in-the-middle (MITM) defenses against domain credential gathering techniques such as Responder. Also, to detect the use of fake data, poisoned data and fake credentials. Again, when attackers act, you want an alert of where they are located and what device did the action originate. Most security leaders do not desire long term attacker engagement, entrapment, hack back responses or frustrating attackers to cause possible retaliation. If you do, you likely work in security research in an external low risk environment or are very confident in your skills and resilience capabilities.
Fourth, deception layers include decoys and here is where a divide in the market exists. If your objective is containment to capture tools and malware, plus engage with attackers, then you need a decoy with a real system. No attacker is going to install highly prized attack tools in a fake environment, they will check on characteristics to validate their surroundings. Put them into a closed VM environment and they are likely to reveal the decoy is like a sandbox where they will play nice and not install or expose attack tools. The risk of compromise exists with real OS decoys interacting with a local environment, and 1000s of these across your network also requires some manual effort and update cycles to keep them fresh. Given this risk is not acceptable to most organizations, modern deception defenses have advanced beyond legacy honeypot research methods and tactics.
Today, you can focus on detection and the linkage between breadcrumbs and decoys for high fidelity alerts with very low risk or friction. Decoys play out the second part of the handshake using emulation with medium interaction to find out targets of interest with no risk of compromise and benefit from automation for creation, deployment and adaptation. The goal of emulation decoys is to complete the linkage from breadcrumbs including fake active directory accounts. To make the linkage realistic, decoys are advertised to networks and activity is generated between real assets with breadcrumbs and decoys.
So, when you are advised that deception emulation can be detected and does not capture tools and malware, or engage with attackers to learn all their methods, you can reply, “Right, I am not interested in the risk of containment and I desire detection.” Leave the risk and drama for the next Hollywood blockbuster and focus on low risk deception for detection. This changes the game, attackers need to hide all their actions, as one act with a deception element sets off an alert. So, what does an attack access or touch to alert you of their presence?