Editor's note: This article by Kevin Fiscus, Principal Instructor, SANS Institute, originally appeared on Smokescreen.io. Zscaler recently acquired Smokescreen Technologies, a leader in active defense and deception technology.
Information security is a complex field. The list of available security technologies starts deceptively simple, beginning with firewalls and antivirus, but it quickly becomes complex and, well, intimidating.
You can ascertain the maturity of a cybersecurity program by the types of security controls implemented in a network. Most organizations have at least a firewall, antivirus, and maybe a VPN. As security programs develop, patch management technology, email filtering, and vulnerability scanning get implemented next.
As organizations mature further, IDS, IPS, SIEM, and web application firewalls become common. Then comes Network Traffic Analysis (NTA), Network Access Control (NAC), Data Loss Prevention (DLP), User Entity and Behavior Analytics (UBA/UEBA), various types of encryption, single sign-on, file integrity validation, mobile device management, web filtering, and two-factor authentication. There are a lot more, but you get the idea.
Categorizing security controls
Efforts to simplify the list often break security controls down into categories, such as protective or detective controls. Many of these technologies can be easily categorized based on their primary function. Firewalls, antivirus, NAC, VPN, IPS, email filtering, and vulnerability scanning are primarily protective. IDS, SIEM, DLP, UBA/UEBA, and file integrity validation are detective in nature.
These are, of course, general categorizations. Firewalls, for example, can generate logs that act as detections while DLP often utilizes active blocking that is protective. Different vendor solutions can blur the distinction between preventive and detective, while solutions such as Unified Threat Management (UTM) and many next-gen firewalls incorporate the features of multiple technologies into a single solution. Functionally, though, it is still possible to categorize security technologies.
So, where does deception technology fit?
When it comes to deception technology, things get a lot less clear – Is it protective? Is it detective? Is it suited for mature security programs? Or can it be implemented by small security teams with limited security controls as well? The answer to all these questions is – Yes. Wait, how can this be?
Well, the problem is one involving the framing of the question. Before we look at deception technology, we are going to look at another aspect of security – physical security.
Cybersecurity practitioners are aware of the impact physical security controls have. Physical security is generally considered a related but separate discipline. Weak physical security can often render highly effective cybersecurity controls moot. Why? Because attackers have two channels with which they can interact with your assets: cyber and physical.
Cyber and physical attack surfaces
Cyber interactions occur via packets, bits, and bytes. They happen over the network and are relatively independent of the physical world. It does not matter what physical form the computer takes or if the connection to the Internet is via Ethernet or coax cable. You counter cyberattacks with cybersecurity controls.
Physical interactions, on the other hand, occur in the real world and involve direct interactions with objects that have mass and can move from one location to another. You counter physical attacks using physical security controls.
While physical security and cybersecurity are related, neither depends on the other. Addressing one area provides no guarantee of protection in the other.
Consider data that is protected by theoretically perfect cyber controls. Assume there is absolutely no way for an attacker to harm an organization via any form of cyberattack. Weaknesses in physical security can still result in significant harm. An attacker with physical access can retrieve the output of a printer, listen to spoken conversations, or even shoulder surf an authorized user to obtain sensitive data. Even if none of these are possible, an attacker with a sledgehammer and an angle grinder in a data center can cause serious harm.
The converse is also true. An organization with theoretically perfect physical security can be compromised if they have cyber weaknesses. Locked doors, security cameras, motion sensors, and security guards do little to stop an attack consisting of packets going across wires.
Another way of looking at this relationship between physical and cybersecurity is from the perspective of an attacker. When planning their attack, adversaries can target cyber or physical controls depending on identified weaknesses.
Human beings – The mental attack surface
These, however, are not the only options available to attackers. To facilitate either physical or cyber compromise, attackers often target the human. Techniques such as phishing, spear-phishing, and social engineering exploit long-established habits, patterns, and biases to break into systems. These techniques could be employed to facilitate a cyberattack, such as when sending a malicious attachment in an email. They can also be used as part of a physical attack, for instance, when an adversary pretends to be delivering a package to gain access to a building.
According to the 2020 Ponemon Institute Cost of a Data Breach Report, the combination of phishing and social engineering represents 17% of data breaches, more than vulnerabilities in third-party software (16%), physical security compromise (10%), malicious insiders (7%), misconfigurations/system error (6%), or business email compromise (5%).
Adversaries attack us physically, and we employ physical security controls to counter those attacks. They launch cyberattacks, and we use cybersecurity controls as countermeasures. But what about attackers targeting the human mind? That is when cyber deception comes into play.
In his book Practice to Deceive, noted deception author Barton Whaley writes, “In combat, deception strengthens the weaker side. When all other factors are equal, the more deceptive player or team will always win.”
Social engineering, phishing, and cyberattacks such as antivirus evasion employ deception. Traditionally, however, defenders have not relied on cyber deception. As a result, attackers consistently compromise our environments and remain in them for days, weeks, or even months before being detected. Deception technology allows us to change the game entirely.
Enter the Matrix
Deception technology allows defenders to influence the thoughts and actions of attackers. Your network is yours. You have created it and, therefore, can control its every aspect, down to the individual packet. As a result, you have the capability of manipulating what the attackers see once they are inside. By using deception techniques, you can place attackers into a real-life version of The Matrix.
You can place deceptive systems, services, credentials, files, and other resources on the network. As these resources have no real production function, there should be no legitimate interaction with them. Any attempt to interact with these resources is, therefore, suspicious at a minimum and malicious at worst. Alerting on this interaction results in a high-fidelity, low-noise detection solution.
By carefully designing and placing these deceptive assets on the network, you can distract attackers away from your truly critical resources, not only allowing for detection of the attack but also delaying its progress.
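The "no legitimate interaction" principle above is easy to turn into detection logic. The following is an added example written for this article, not Smokescreen's product code; the decoy names, accounts, file path, log format and log lines are all constructed, and a failed attempt against a decoy is treated as an alert just like a successful one.

```python
"""Decoy-interaction detector (constructed example, not Smokescreen's code).
Decoys have no production role, so any reference to one is an alert."""
import re
from collections import defaultdict

DECOYS = {  # constructed decoy inventory; every name below is made up
    "host": {"fin-backup-02"}, "user": {"svc_backup_legacy"},
    "path": {"/shares/finance/Q4_board_deck_FINAL.xlsx"},
}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<kv>.+)$")  # "<ts> <proc> k=v k=v ..." (constructed format)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts"), "proc": m.group("proc")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect(lines):
    """One alert per log line that names a decoy host, account or file."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        hits = [(k, f[k]) for k in DECOYS if f.get(k) in DECOYS[k]]
        if hits:  # failed attempts count too: nobody should even try
            alerts.append({"ts": f["ts"], "src": f.get("src"), "hits": hits})
    return alerts


def rank_sources(alerts):
    """Sources ordered by how many distinct decoys they touched (pivoting)."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["src"]].update(a["hits"])
    return sorted(((s, len(d)) for s, d in seen.items()), key=lambda x: -x[1])


SAMPLE_LOG = [  # constructed lines; one source pivots across all three decoys
    "2024-05-01T10:00:00Z sshd host=fin-backup-02 user=svc_backup_legacy src=10.0.5.23 result=FAILED",
    "2024-05-01T10:00:04Z sshd host=prod-web-01 user=jdoe src=10.0.7.8 result=OK",
    "2024-05-01T10:01:10Z smbd host=fileserver01 user=jdoe src=10.0.5.23 action=read path=/shares/finance/Q4_board_deck_FINAL.xlsx",
    "2024-05-01T10:02:00Z sshd host=fin-backup-02 user=root src=10.0.9.9 result=FAILED",
    "malformed-line-with-no-fields",
]
```

Because the decoys are never used legitimately, every alert `detect()` returns is worth an analyst's attention, and `rank_sources()` shows which source has touched the most decoys, which is what distinguishes an intruder moving through the environment from a one-off mistake.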
Optimize your Security Operations Center (SOC) with deception technology
By analyzing the interaction of the attackers with these deceptive resources, you can learn more about their tactics, techniques, and procedures. This threat intelligence can create a better defensive security architecture and improve the effectiveness of the deceptive environment.
Faster and more effective attack detection combined with comprehensive information about the attack allows for increased efficiency of security operations and a more effective incident response. You will not only minimize the harm resulting from the attacks but also reduce your SOC overhead.
Rein in false positives and detect human-driven attacks
Higher fidelity detection allows you to take a more active role in defensive operations. Traditionally, defensive security makes use of static technology to combat human and automated threats alike. Security technology can combat automated threats as humans cannot operate at the speeds necessary to counter automated attacks such as fast-spreading malware.
Technology controls, however, are constrained by their programming. Creative attackers have a history of discovering the limits of, and then circumventing, those controls. Given enough time and the necessary skills, creative human attackers will always win against technology – this is where the real value of deception technology comes into play.
The only truly effective way to combat a creative human attacker is with another human. Unfortunately, most organizations lack the budget to maintain a staff of active defenders because, in part, SOC analysts are spending as much as one-third of their time dealing with false-positive alerts.
Deception technology significantly reduces the number of false positives, generates detailed attack intelligence, and detects attackers more quickly. As a result, your analysts save a ton of time that they would otherwise spend chasing ghosts. Without these benefits, having your analysts actively respond to attacks is an exercise in futility. With deception, you will identify attacks more quickly and have the time to engage attackers.
Deceive to engage
When discussing active attacker engagement, we are not talking about hacking back. There may be situations where nation-state operators engage in offensive counter-hacking, but this is illegal for most organizations. There are, however, many options available to active defenders that do not cross the hack-back line.
As defenders, there is a lot you can do once you have identified an attacker on your network. You can manipulate, in real-time, the deceptive environment and the deception cover story based on your knowledge of the attack. Here are some examples of what is possible:
- Manipulate the attacker by generating or removing deceptive assets.
- Generate network traffic, alerts, or error messages to encourage specific attacker behavior.
- Implement session hijacking tools to cloud or distort attacker perceptions of the environment.
- Create situations that force an attacker to disclose information about who they are and where they come from to circumvent perceived obstacles.
These tactics are effective after the attacker has gained a solid foothold in the environment. Ideally, defenders could even slow down or distract attackers while law enforcement is engaged if the circumstances were appropriate.
Making defenders cool again
Traditionally, information security professions like penetration testing, red-teaming, digital forensics, and incident response have been considered cool, while defense has not. That is because defenders appear to be responsible for babysitting technology and wading through copious amounts of log data.
With deception technology, we can change that paradigm. You will be able to create active defense professionals who turn the adversary’s playbook against them. When you get to this stage, it will be easier for an attacker to physically compromise an environment than to compromise it across a wire. That is when defenders truly achieve ultimate victory.
Defeat by doubt
Deception technology enables you to distract attackers away from critical resources and delay their progress in your network. It allows you to detect them more quickly, but none of these represent the superpower of cyber deception. Cyber deception can, when fully utilized, cause an attacker to second-guess everything they think they know about your environment. It can create the impression that detection and possible capture is imminent. And it can lead the attacker to conclude that attacking a deceptive environment is more trouble than it is worth. In every real sense, cyber deception can stop an attack before it even begins.
Deception technology in your security stack
So, back to where we started – Where does cyber deception fit into the landscape of information security? Is it detective or protective? Does it require a robust cybersecurity program? These questions assume that cyber-deception is a component of cybersecurity. It is not.
Defensive security operations involve three functions: cyber, physical, and mental. Like a stool with three legs, a failure in any one of these functions can lead to compromise.
Cyber deception is the answer to the mental component, and like physical security, it works with but is separate from traditional cyber controls. As such, it can and should be deployed by every organization, regardless of size or technical complexity. It requires no other technical security controls, yet can benefit from and, in turn, can provide benefits to any existing security program. It is the missing piece of the defensive security puzzle. Without it, attackers have had the advantage. With cyber deception, defenders can finally take that advantage back.