Cyber Deception

Cyber deception is a deliberate and controlled act to conceal enterprise networks, create uncertainty and confusion against the adversary’s efforts to establish situational awareness, and to influence and misdirect adversary perceptions and decision processes. Defense through deception can potentially level the cyber battlefield by altering an enemy’s perception of reality through delays and disinformation which can reveal attack methods and provide the attributions needed to identify the adversary’s strategy. Also, delaying and dissuading provides the essential time for forensics teams to analyse, identify, and mitigate attack vectors. Deception can play a critical role as the next line of defense for detecting intrusions that have made their way inside the network before an attack can be completed and damages done.

Some of the key terminologies which help understand deception better are as below:

Kill Chain Cycle –These are the steps taken within a cyber-attack and includes:

  • Reconnaissance
  • Initial compromise
  • Establish foothold
  • Escalate privileges
  • Internal reconnaissance
  • Move laterally
  • Maintain Presence
  • Continue to escalate privileges until the attacker completes their mission

Honeypot – Honeypots are computers designed to attract attackers by impersonating another machine that may be worthy of being attacked. A honeypot appears to be an integral part of an enterprise’s network, but is in reality bait for hackers.

Honeynet – Honeynets simulate a number of computers or a network to convey an impression of the defenses of a computer system that are different from what they really are by creating phony vulnerabilities.

Deception Engagement Servers – Deception techniques are similar to a honeynet in their use of engagement servers to lure an attacker into their trap. However, with deception the advanced use of endpoint and distributed engagement servers are used to actively attract an attacker. In addition, they have a self-healing environment which, after containing and analysing an infection, can safely destroy the infected VM and rebuild itself for the next attack. Mature platforms will also have the ability to engage with C&C servers so that additional data about the attacker’s methods and intent can be understood.

Deception credentials – These are the lures placed on endpoint devices that work dynamically with deception engagement servers to actively draw attackers away from the enterprise’s servers and get them instead to engage with the deception engagement server.

Any ideal deception solution must have capabilities of traditional deception and follow dynamic approach. 8 features which must be looked while evaluating a deception solution/technology/tool are:

  • Scalable platform which takes a deception everywhere approach, supporting user networks and DC’s across private, public and hybrid cloud environments.
  • Non-disruptive to deploy and non-resource intensive to manage.
  • Integrate seamlessly with existing security by enabling real-time threat detection.
  • By design doesn’t require any signature / database look up / network topology / traffic changes / require heavy computation to detect an attack.
  • Ability to communicate with a command and control center.
  • Forensics capability to update prevention systems and shut down attacks.
  • Include a threat intelligence dashboard and a full range of IOC reports to enable prevention systems to shut down current attacks and prevent future ones.
  • Minimal rate of false positives.

Breaches can be a costly and time-consuming challenge to deal with. It’s time to turn the tables and use deception to outsmart the hackers and to protect your company’s assets, brand and reputation.

By:- Sapan Talwar