“Never attempt to win by force what can be won by deception,” said notorious Italian political philosopher Niccolo Machiavelli.
The statement—taken from a 16th-century treatise on maintaining political power—could be a mantra for today’s cyber attackers.
Deploying tactics such as social engineering to lure people into clicking on weaponized links and attachments, they are using deception to set up communication between target systems and command and control servers, siphoning off valuable data with targeted attacks that can take weeks or months to detect.
The communications paths they use can be convoluted and involve numerous parties, such as internet service providers (ISPs), phone companies, and third-party systems used as proxies. Their tactics are so successful that it can be difficult to determine if an attack is coming directly from the hackers themselves—from a computer that they control—or from a “zombie” computer they’ve taken over that belongs to an unknowing victim.
The Stakes Are High
According to Gemalto’s Breach Level Index, the number of data records compromised in publicly disclosed data breaches in 2017 surpassed 2.5 billion, up 88 percent from 2016. The frequency with which data records were lost or stolen is staggering, equating to 7,125,940 per day, 296,914 per hour, 4,949 per minute and 82 per second.
Traditional prevention and detection methods are being bypassed, and many organizations either don’t know what to do, or don’t have the right resources in place to advance their security.
To keep up with highly skilled and aggressive attackers, we have to move beyond the predictable patterns of network security and static defenses that our cyber adversaries are well-attuned to. The bad guys are getting faster and faster; it has become a question of “when”, not “if” you will be compromised. Assume that attackers have gotten inside, and will do so again.
The continued theft of business-sensitive data could result in the inability of companies to compete in the global marketplace. Cyber security is a matter of survival, and proactively fighting off intruders has become a business imperative. But if we cannot keep them out, how can we protect critical information assets?
Fight Fire with Fire
In coordination with traditional and advanced security controls, and a diligent approach to basics such as software patching, user identity management, and network management to reduce available attack surfaces, the use of deception can be invaluable.
We can use our enemies’ most valuable tool against them and deploy defensive deception methods to detect hackers and make it more difficult, time consuming, and cost prohibitive for them to attack. With the right tactics, security professionals can make cyber attackers feel like they have successfully hacked, when in reality they’ve fallen into a trap.
Military planners throughout history have used deception to great effect. We can take a cue from what is arguably the greatest deception operation in the history of conventional warfare—the World War II D-Day invasion of Normandy, France.
Operation Bodyguard was the code name given to a well-designed deception plot that guaranteed the success of the Allied landings in Normandy on June 6, 1944.
The goal of the operation was to mislead the Germans about the time and place of the invasion. It worked so well that the German high command was oblivious to the early stages of the attack. Erwin Rommel—the German General Hitler had placed in charge of fortifying the coast of France against any invasion by the Allies—was back in Germany celebrating his wife’s birthday when the invasion began.
In fact, Hitler was so reluctant to disbelieve the false intelligence he’d been given that even after the invasion began, he deferred moving reinforcements to the area for over a month. By that time, the Allies had gained such a strong foothold in continental Europe that it was too late. Operation Bodyguard marked the beginning of the end for the Third Reich.
The success of the mission relied on deceptive tactics that can be applied to cyber-security efforts today: concealment, camouflage, disinformation, displays/ruses, feints and insights.
The Allies concealed their intent with misdirection, convincing the Germans that the attack on Normandy was only a feint or demonstration for the real invasion that was to occur elsewhere. This caused the Germans to waste valuable time waiting for an attack that never took place.
- Conceal valuable data in innocuous-looking files, and set up honeypots and facades that divert attackers from real assets, lead them to false intellectual property, or cause them to trip alarms. These techniques waste the attackers’ time, shake their confidence, and increase their anxiety over being caught and exposed.
The Allies obscured real artillery under fake supply trucks and other structures that appeared to be either useless or badly camouflaged dummies.
- Obscure your infrastructure by making it a moving target, changing addresses, infrastructure topologies, and available resources daily. Virtualization makes it possible to build up and tear down resources at will. Software-defined networking (SDN) technology can virtualize the deception process while helping to build security management and control features into the network fabric. In short, take steps to prevent attackers from seeing the same infrastructure twice.
The Germans were made to believe a fictitious British Fourth Army was based in Edinburgh and a fake First United States Army Group, under General George S. Patton, was stationed in the South of England in preparation for attacks on Norway and Pas de Calais. This diverted the Germans’ attention away from Normandy.
- Divert or confuse attackers with false information. As highlighted under “concealment,” you can supply the hacker with fake successes, responses, files, and assets to exploit. Lie about the most basic things that matter to an attacker: the presence of files, and ability to open and use them. Your system could issue false error messages when asked to do something suspicious, or could claim that it can’t download or open a suspicious file when it really can. However, it is important to remember that any false information given must not be easily disprovable.
Inflatable tanks, wooden planes and trucks, and specially painted ships placed in areas the Allies wanted Hitler to believe an invasion was imminent were used to deceive enemy reconnaissance planes. Fake radio communications and information provided by double agents to the Germans added to the deception.
- Create counterfeit resources for the attacker to find. Distributed decoy systems help you spread the appearance of endpoints and servers throughout the range of IP addresses being used by the company, and set alluring traps such as fake credentials for accounts on decoy machines. These systems offer the benefit of low false positives (legitimate users have no reason to be in contact with decoys), and because they are in-line, they take up very little bandwidth. When a decoy is breached, the security team can choose to let the attacker continue while they watch, which aids in the development of intelligence about specific attack vectors, and attackers’ ultimate goals.
- Some solutions also provide advanced threat-hunting capabilities, enabling direct action against attackers within the bounds of the U.S. Computer Fraud & Abuse Act (CFAA). They extend live forensics, control, and mitigation capabilities to attacker-controlled computers within the targeted network, allowing organizations to actively defend their infrastructure within their own environment, and making it easier to investigate, contain, and engage with intruders.
Through the use of double agents, the Allies convinced the Germans that any invasion of Normandy would be a feint—a diversion from a larger attack that would take place elsewhere. They pointed to an Allied invasion of Crete, the Greek mainland or the Balkans on the days before the actual assault on Normandy, and to an ultimate attack on Pas de Calais.
- Use defensive feints to pretend to succumb to one form of attack in order to conceal a second, less-obvious defense (this is called a nested deception). For instance, you could deny buffer-overflow attacks on most ports (access points) of a computer system with a warning message, but pretend to allow them on a few for which the effects of the attack are simulated.
The Allies played on Hitler’s personal obsessions and biases. He was convinced that the Allies would attempt a major assault through Greece and the Adriatic, because the Axis nations in that area were vacillating in their loyalty to him. The 22-mile strait opposite Calais was also of intense personal interest to him, because it was where he believed a cross-channel invasion was most likely.
- Develop a holistic picture of how your organization is being targeted, and by whom. Threat intelligence enables you to shift from reactively defending against attacks to anticipating them. It helps you maintain an awareness of existing and emerging threats and achieve insight into attackers’ plans, so your deception strategy can be adjusted before those plans turn into action. There are a variety of threat intelligence services your organization can subscribe to in order to aggregate data and help determine which information is actionable. Some are specific to industry verticals or to a single manufacturer, some are open to third-party integration, and others offer automation tools. Each offers different levels of relevance and context. As organizations continue to ramp up their threat intelligence capabilities, the effectiveness of intelligence-led deceptions will increase.
Detect & Disrupt
According to the Ponemon Institute’s 2018 Cost of Data Breach Study, the mean time to identify (MTTI) breaches has reached an average of 197 days. Lengthy dwell time enables lateral movement—the key to increasing hackers’ chances of success. The use of defensive deception can uniquely position your organization to detect lateral movement and limit dwell time, so threat actors can’t get what they need to progress through the Kill Chain and steal critical data.
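As an added example (not code from the original article) of the low-false-positive detection that decoy hosts and bait credentials give you, and of using that signal to spot lateral movement, the following Python script scans a constructed log for any contact with a decoy inventory; the log format, addresses and account names are assumptions made up for the example.

```python
import re
from collections import defaultdict, namedtuple

# Decoy inventory (constructed for this example): hosts and account names that
# no legitimate user or service has any reason to contact or log in with.
DECOY_HOSTS = {"10.20.30.200", "10.20.30.201"}
DECOY_ACCOUNTS = {"svc_backup_admin", "finance-share"}

# Constructed log format: "<ts> <auth|conn> src=.. dst=.. [user=..] [result=..]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>auth|conn) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: user=(?P<user>\S+))?(?: result=(?P<result>\S+))?$"
)

# target is the decoy that was touched: a host address or an account name
Alert = namedtuple("Alert", "ts src target reason")

def inspect_line(line):
    """Return an Alert if the line shows contact with a decoy, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unrelated or malformed line: ignore, never alert
    f = m.groupdict()
    # Bait credentials are checked first: using them is the stronger signal.
    if f["user"] in DECOY_ACCOUNTS:
        return Alert(f["ts"], f["src"], f["user"], "login attempt with decoy account")
    if f["dst"] in DECOY_HOSTS:
        return Alert(f["ts"], f["src"], f["dst"], "connection to decoy host")
    return None

def hunt(log_text):
    """Scan a whole log and return every decoy-touch alert, in log order."""
    return [a for a in map(inspect_line, log_text.splitlines()) if a]

def lateral_movement_sources(alerts, min_distinct=2):
    """Sources that touched at least `min_distinct` different decoys, with the
    count: probing several decoys in turn is the footprint of an intruder
    looking for a path onward, not of a single legitimate mistake."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a.src].add(a.target)
    return {src: len(t) for src, t in seen.items() if len(t) >= min_distinct}

# Constructed sample log: one legitimate session, then one host probing decoys.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z conn src=10.20.30.15 dst=10.20.30.40
2024-05-01T09:00:05Z auth src=10.20.30.15 dst=10.20.30.40 user=alice result=ok
2024-05-01T09:01:10Z conn src=10.20.30.77 dst=10.20.30.200
2024-05-01T09:01:12Z auth src=10.20.30.77 dst=10.20.30.200 user=svc_backup_admin result=fail
2024-05-01T09:01:30Z conn src=10.20.30.77 dst=10.20.30.201
"""
```

Because legitimate traffic never references the decoy set, every alert is worth a look, and a source with several distinct decoy touches is the lateral-movement case the text describes.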
Developing a Strategy
However, just as a single mistake can destroy a magician’s illusion, a misstep during an effort to mislead cyber attackers can derail all of your efforts, and put your data at risk. The more mature your organization’s security practices are, the easier it will be to incorporate deception into your strategy. All forms of defensive deception must be carried out with precision using intrusion-detection methods to minimize damage to legitimate users, and avoid business disruptions.
Companies without the resources and capabilities to launch this type of initiative may find it best to partner with a vendor-independent firm that has experience in all aspects of IT infrastructure and security. Professional services such as security program and architecture assessments are an important step in evaluating overall risk, and can help to develop a deception strategy that considers the entire life cycle of an attack (i.e. the kill chain), and incorporates a variety of tools and techniques that operate across networks, endpoints, applications, and data.
Organizations have been using honeypots for years in an effort to improve the detection of attacks; while honeypots have been criticized in the past for requiring a significant level of administration and maintenance, today’s honeypots offer greater automation and enterprise-class features.
Over the past few years, new deception technology has emerged that facilitates the broadening of deception capabilities from simple detection to attack diversion, and even prevention. Several solutions that facilitate deception are highlighted below; vendor-independent product testing can help to determine which are best suited to the organization’s environment and business goals.
The End Justifies the Means
During a speech given in 1943 Winston Churchill said, “In wartime, truth is so precious that she should always be attended by a bodyguard of lies.” It is how Operation Bodyguard earned its name, and it applies to cyber security today. Security teams are at war with increasingly capable enemies; we cannot stop cybercriminals and state-sponsored agents from breaching our perimeters and targeting our data. But with a multi-layered approach to security that incorporates deception we can misdirect maliciously driven attackers and either trick them into believing they have achieved their goals, or make their efforts so arduous and expensive that they will move on to easier targets. While the use of offensive deception may be difficult to justify from an ethical perspective, when it comes to defending data in today’s threat landscape, the end justifies the means.