By contrast, we often do not hear about attacks that organisations have successfully repelled.
Within information security, there have been long-running efforts and investment to ‘turn the tables’ and put the balance of power back into the hands of defenders.
It leads to the question: to what extent can defenders guide - or even attempt to control - an attacker’s movements completely?
To answer this, one must first understand how an attacker approaches a target.
The MITRE ATT&CK framework is one way of understanding attack tactics and techniques. Its matrices offer a way to determine what steps a particular attack might follow and the outcomes it commonly leads to.
Increasingly, attacks such as ransomware are targeted and surgical.
Attackers are less interested in extracting a small ransom, and more in knowing exactly where your best stuff is. They’ll take their time and go ‘low and slow’ through the network. They may set a foothold, and leave and return a few times to gain more information. And they’ll only detonate when they are ready.
It is against this backdrop that deception has evolved into an effective counter.
In the context of the MITRE ATT&CK framework, full fabric deception can derail an attacker’s efforts in up to 11 of the 12 steps of an initiated and escalated attack.
At this point, it is worthwhile establishing a baseline for what we mean by deception because there are many types.
Deception is not just a fancy honeypot. Security researchers first introduced honeypots in the ’80s, and they served a useful function for understanding who was attacking an organisation from outside the network.
Commercial deception technology has come a very long way and encompasses several potential lures, decoys, and breadcrumbs.
Organisations may place data deceptions such as canary files amongst real documents. These fake files act like canaries once did in coal mines, providing an early warning system for gas build-up underground. Similarly, interaction with a canary file might offer enough warning to a company to check for unauthorised data access.
Another form of deception occurs on an endpoint; that is, at the periphery of the network. Such deceptions trick attackers who are trying to harvest credentials to advance an attack into revealing their presence. They also serve to ‘breadcrumb’ the attacker back to a central server, which can then raise an alert.
A third type of deception occurs inside the network and aims to detect attacks that bypass other security controls. This form of deception typically uses decoys designed to attract attackers during reconnaissance and lateral movement.
A fourth type of deception addresses risks to specific applications, such as Active Directory. This method involves taking an unauthorised Active Directory query and misdirecting it into a deception environment. While this is a bit outside of what is traditionally classified as deception, it’s still about getting an attacker to do something that you want them to do, hence its inclusion here.
Deception technologies may address one or more of these areas. Full fabric deception platforms allow organisations to engage an attacker fully, gather intelligence, and then take that information and automate the incident response actions behind it.
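To make the three detection-oriented types above concrete (canary files, planted endpoint credentials, in-network decoys), here is an added example, not code from the article or from any vendor platform, of the central-server side of the ‘breadcrumb’: it holds an inventory of decoys that nothing legitimate ever touches, scans constructed event lines for any interaction with them, tags each hit with the ATT&CK tactic it most plausibly indicates, and collects the source hosts that incident response should act on. The decoy names, event formats and tactic mapping are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed decoy inventory (hypothetical names, not from the article).
# Nothing legitimate ever uses these, so any touch is a high-confidence signal.
DECOY_ACCOUNTS = {"svc_backup_old"}                         # planted credential
CANARY_FILES = {"/shares/finance/payroll_2019_final.xlsx"}  # canary document
DECOY_HOSTS = {"10.20.30.44"}                               # decoy server

# ATT&CK tactic a touch on each decoy kind most plausibly indicates (assumed mapping).
TACTIC = {"auth": "Credential Access / Lateral Movement",
          "file": "Collection", "net": "Discovery"}

@dataclass(frozen=True)
class Alert:
    kind: str    # auth / file / net
    decoy: str   # the decoy that was touched
    source: str  # host that touched it; the pivot for incident response
    tactic: str

# Constructed event formats; a real deployment would parse its own telemetry.
PATTERNS = {
    "auth": re.compile(r"^AUTH user=(?P<decoy>\S+) src=(?P<src>\S+)"),
    "file": re.compile(r"^FILE path=(?P<decoy>\S+) src=(?P<src>\S+)"),
    "net":  re.compile(r"^NET dst=(?P<decoy>\S+) src=(?P<src>\S+)"),
}
DECOYS = {"auth": DECOY_ACCOUNTS, "file": CANARY_FILES, "net": DECOY_HOSTS}

def classify(line: str) -> Optional[Alert]:
    """Return an Alert if the event touches a decoy, otherwise None."""
    for kind, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m and m["decoy"] in DECOYS[kind]:
            return Alert(kind, m["decoy"], m["src"], TACTIC[kind])
    return None

def triage(lines):
    """Alerts in event order, plus the set of source hosts to isolate."""
    alerts = [a for a in map(classify, lines) if a]
    return alerts, {a.source for a in alerts}

SAMPLE_LOG = [  # constructed events, not real telemetry
    "AUTH user=alice src=10.0.1.15",                 # normal user login
    "FILE path=/shares/finance/budget.xlsx src=10.0.1.15",  # real document
    "NET dst=10.20.30.44 src=10.0.1.99",             # scan reaches decoy host
    "AUTH user=svc_backup_old src=10.0.1.99",        # planted credential used
    "FILE path=/shares/finance/payroll_2019_final.xlsx src=10.0.1.99",
]
```

Run over `SAMPLE_LOG`, `triage` yields three alerts, all from 10.0.1.99, which is the single host an automated response would isolate; the two legitimate events produce nothing.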
Newer deception technologies offer organisations a greater degree of control over an attacker’s movements.
The manageability and operational burden of a modern deception platform is night and day compared to the honeypots of the ’80s.
Honeypots required skilled workers to configure and rebuild them after an attack and to make sure attackers could not use them as a pivot point. They also required significant effort to make, and then keep, them attractive.
On newer platforms, machine learning profiles the environment to make the initial deception deployments less burdensome and the decoys more authentic. This capability makes it significantly less demanding for security teams to deploy and maintain the ruse. The heightened authenticity makes the decoys more believable, which allows them to blend in with the environment better, as being an obvious target can tip the attackers off that it is a decoy. The ability to dynamically deploy decoys in response to initial attacker activity on an unmonitored subnet or to make every endpoint act as a decoy to redirect attackers to the deception environment are further features that can influence attacker activity.
Deception can also now apply to on-premises as well as cloud-based environments. The architecture of deception has changed to adjust to the different attack surfaces. This development has also had a hand in making it more believable, which in turn allows defenders to guide and control an attacker’s actions to a greater degree.