Published: 02 Nov 2015
Lying to thieves isn’t exactly a new concept. Even within the information security realm, products aimed at playing tricks on hackers -- by deploying honeypots -- appeared as far back as 1998, with the public release of Fred Cohen’s Deception Toolkit. There are, of course, less fancy ways to protect information through deception: The Cuckoo’s Egg details how Lawrence Berkeley Lab’s Cliff Stoll created a fake department and planted decoy files in 1986 to uncloak a hacker who, it turned out, was involved in cyberespionage.
Most defense-through-deception techniques early on were hand-rigged affairs. They were not designed to automatically deepen the deceit throughout the stack as an attack unfolded or to perform command-and-control analysis. Whereas honeypots functioned, in some cases, as intrusion prevention systems, new deception platforms serve up single-console administrative programs that filter and prioritize detected attacks.
Lately, a wave of network and endpoint technology with built-in deception techniques has advanced the concept even further. Firewalls such as Juniper Networks’ now provide misinformation such as fake network processes to stop the spread of malware, and intrusion prevention systems from IBM, HP, Intel and Cisco use similar deception techniques. Another brand of trickery obfuscates a Web page so that it looks and parses differently each time a bot sees it.
With so many ways to cheat the wily hacker, why hasn’t information security through deception taken off in the enterprise? According to Lawrence Pingree, research director and author of a Gartner report on the so-called threat deception phenomenon, providers have largely kept their deception techniques under wraps:
[D]eception technology implementations now span multiple layers within the stack, including endpoint, network, application and data. However, many technology providers have been reluctant to mention these (often cool) techniques to trick the attacker or their intrusions because threat deception is widely misunderstood, or is unknown as a concept to buyers.
As new deception techniques surface, it’s probably a good time for CISOs to become familiar with these offensive strategies. (Gartner estimates 10% of enterprises will use deception tools and tactics by 2018.) One fascinating product area is what Gartner calls “distributed decoy providers.” Examples -- all startups -- include Attivo Networks Inc., Cymmetria, TrapX Security Inc. and TopSpin Security. With all of these products, the technology automatically creates (in one way or another) the appearance of endpoints and servers throughout the range of IP addresses used within the organization. It may also scatter various traps on “real devices,” such as fake credentials for accounts on decoy machines.
“We make the bad guy believe that we are real servers and services that he is after,” said Tushar Kothari, CEO of Attivo Networks in Fremont, Calif. “Once he attacks us, we are able to determine his intentions.”
Lying in wait
This decoy approach offers a couple of important benefits. First, any time there’s significant traffic directed to a decoy server or endpoint, it’s a safe bet that there’s some sort of malicious activity afoot, because no real user or service has any reason to be in contact with the decoys. So there’s an inherently low level of false positives (and this can be improved on as well).
Second, the decoy technology takes up very little bandwidth. “We are not inline; we do not take a copy of the data; we’re just making ourselves extremely attractive to the attacker,” Kothari said. “So we are inherently extremely efficient.” It’s true, though, that some vendors in the space -- TopSpin, for example -- also monitor network traffic more in the manner of traditional intrusion detection systems in addition to seeding the network environment with decoys.
The quality of the decoys is getting better as well. According to Kothari, Attivo often uses exact copies of a client’s production servers, deploys more decoys than there are real servers and makes them somewhat less well protected. “We have determined ways to be pervasive in the network so that wherever the bad guy finds his attack vector he’s going to find us,” he explained. The company released a technology update in early September that supports the addition of Amazon Web Services and hybrid configurations.
What happens if a hacker takes on a real server and one of the many decoys at the same time? “The fact that he is talking to us means we’ve got him as soon as he breaks in -- and he’ll be able to break in sooner with us than the real stuff because we’ve left the door open,” Kothari said. “Then we can let him continue to run his attack while we watch.” This observation period is also important because it allows these products to generate intelligence about the specific attack vector, as well as forensic clues about what the attack’s ultimate goals are and even, perhaps, who is behind them.
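The detection logic described in this section can be sketched in a few lines. This is an added example, not code from the article or from any vendor named in it: it flags any source that contacts a decoy address or uses a planted decoy credential, excludes a sanctioned scanner to keep false positives low, and lists the real hosts each flagged source also contacted. The log format, addresses and account name are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: every address, account name and log field is hypothetical.
DECOY_NET = ipaddress.ip_network("10.20.30.0/28")   # addresses answered only by decoys
DECOY_ACCOUNTS = {"svc_backup_old"}                 # fake credential planted on real hosts
SANCTIONED = {ipaddress.ip_address("10.0.0.5")}     # e.g. the internal vulnerability scanner

FLOWS = """\
2015-11-02T09:00:01 10.0.0.5 10.20.30.4 445
2015-11-02T09:14:10 10.1.7.22 10.1.2.10 443
2015-11-02T09:14:55 10.1.7.22 10.20.30.4 445
2015-11-02T09:15:02 10.1.7.22 10.1.2.11 3389
2015-11-02T09:20:00 10.1.8.40 10.1.2.10 443
"""
AUTHS = """\
2015-11-02T09:16:30 10.1.9.9 10.1.2.11 svc_backup_old
2015-11-02T09:17:00 10.1.8.40 10.1.2.10 alice
"""

def suspects(flows=FLOWS, auths=AUTHS):
    """Map each source that tripped a trap to its reasons and the real hosts it touched."""
    reasons = defaultdict(list)
    contacted = defaultdict(set)
    for line in flows.splitlines():
        ts, src, dst, port = line.split()
        if ipaddress.ip_address(dst) in DECOY_NET:
            # No real user or service has a reason to talk to a decoy.
            if ipaddress.ip_address(src) not in SANCTIONED:
                reasons[src].append(f"{ts} decoy {dst}:{port}")
        else:
            contacted[src].add(dst)
    for line in auths.splitlines():
        ts, src, dst, user = line.split()
        contacted[src].add(dst)
        if user in DECOY_ACCOUNTS:
            # The planted credential is never used legitimately.
            reasons[src].append(f"{ts} decoy credential {user} on {dst}")
    return {src: {"reasons": why, "real_hosts": sorted(contacted[src])}
            for src, why in reasons.items()}

if __name__ == "__main__":
    for src, info in suspects().items():
        print(src, info)
```

The `real_hosts` list gives responders the production systems to scope first when a source has touched both a decoy and real servers.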
And all this bait laying happens automatically across even huge networks, all configured from a single console and with results that can produce impressively few false positives.
It’s one of security’s old chestnuts that defenders have to be right all the time, while an attacker only has to be right once. But with deceptive security, the attacker has to be right more than once, because if he’s wrong, he’ll be shut down before being right can matter. You’ve got to like the way threat deception techniques reverse the odds.
Robert Richardson is the editorial director of TechTarget’s Security Media Group. Follow him on Twitter @cryptorobert.