While such trends are a concern, deception can actually be a good thing for cybersecurity. Security teams are increasingly using fake data to deceive cybercriminals, thus helping the team protect IT infrastructures in new and innovative ways.
The approach works because attackers usually don’t know the details of a network or have the privileges they need to steal or encrypt information. This lack of knowledge allows security teams to place false information in locations with the expectation that a criminal will access it, allowing the team to lure attackers away from critical assets and into the trap of a decoy.
By letting cybercriminals think they are getting what they’re looking for, defenders can lead them to a deception server that appears to contain the database, web server, application, or other assets that the adversaries were seeking.
Then, because the security teams have fooled the criminals into believing they have found the resources they want, they will continue their attack and hopefully reveal valuable details about themselves. The goal is to give attackers information that leads them to do what the security team wants them to do rather than what they are trying to achieve.
Making a ‘fake’ strategy work
Security teams need to take several steps to use fake information to lure and misdirect cybercriminals. The first is concealing the data, files, folders, and other assets that adversaries want so attackers can’t see them, but employees can readily access them. Along with the ability to deny access, this approach can be quite powerful. A cybercriminal cannot encrypt, erase, or steal that which they can’t find.
The second step involves strategically placing fake data that appears real within the network so that, as attackers attempt to access that data, the simulated data leads them into an environment where defenders can gather information on their tactics, techniques, and procedures.
Using fake data in this way, security teams can gather real data that will enable them to craft even more effective deceptions. Because they know more about the people attacking them, the team can better fortify their organisation’s security defences in the future.
One should remember that attackers often prioritise Active Directory assets in the hope of stealing administration-level credentials that can facilitate their movement within an infrastructure. Placing a fake Active Directory server containing false credentials can lead an attacker to believe they have located what they were seeking. However, the moment they try to use those credentials, they generate an alert, because no legitimate workflow ever uses them.
Simultaneously, if cybercriminals are looking for applications with known vulnerabilities to exploit, feeding them a fake application or web server when they scan the ports in question is likely to foil their plans. They may think they can utilise those vulnerabilities when, in reality, the security team is fooling them.
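The two alerting mechanisms described above (use of a planted credential, and contact with a decoy service on a scanned port) are both simple to detect once the decoy inventory is known. The following is an added example, not code from the article or from any deception product: a small detector that runs over constructed log lines and raises an alert on any authentication attempt with a decoy account, whether it succeeds or fails, and on any connection to a decoy listener. The account names, IP addresses, ports and log format are all constructed for the example.

```python
"""Honeytoken alerting over constructed log lines (added example, not the article's code).

Decoy credentials and decoy services have no legitimate users, so *any* touch is
suspicious: a failed logon with a planted account is as telling as a successful one.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed decoy inventory. In a real deployment this comes from wherever the
# deception platform records which accounts and listeners are fakes.
DECOY_ACCOUNTS = {"svc_backup_admin", "da_legacy"}          # planted AD credentials
DECOY_SERVICES = {("10.0.5.23", 8080), ("10.0.5.23", 445)}  # decoy web and SMB listeners

# Constructed, simplified log formats: one line per authentication or connection event.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)
CONN_RE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    kind: str    # "decoy_credential_use" or "decoy_service_contact"
    ts: str
    src: str     # the host that touched the decoy; the lead for incident response
    detail: str


def classify(line: str) -> Optional[Alert]:
    """Return an Alert if the line touches a decoy, else None (unparseable lines are ignored)."""
    m = AUTH_RE.match(line)
    if m:
        if m["user"] in DECOY_ACCOUNTS:
            # Result is recorded but does not gate the alert: decoy accounts are never used legitimately.
            return Alert("decoy_credential_use", m["ts"], m["src"],
                         f"user={m['user']} result={m['result']}")
        return None
    m = CONN_RE.match(line)
    if m:
        if (m["dst"], int(m["port"])) in DECOY_SERVICES:
            return Alert("decoy_service_contact", m["ts"], m["src"],
                         f"dst={m['dst']}:{m['port']}")
        return None
    return None


def detect(lines: Iterable[str]) -> List[Alert]:
    """Run the classifier over a stream of log lines and collect the alerts."""
    return [a for a in (classify(l.strip()) for l in lines) if a is not None]


def sources_to_investigate(alerts: Iterable[Alert]) -> List[str]:
    """Distinct source hosts that touched any decoy, for the responder's triage queue."""
    return sorted({a.src for a in alerts})


# Constructed sample log: ordinary traffic mixed with two decoy touches from one host.
SAMPLE_LOG = """\
2024-01-09T10:00:01Z auth user=alice src=10.0.1.40 result=success
2024-01-09T10:00:07Z conn src=10.0.1.40 dst=10.0.1.5:443
2024-01-09T10:02:13Z conn src=10.0.9.77 dst=10.0.5.23:8080
2024-01-09T10:02:15Z auth user=da_legacy src=10.0.9.77 result=failure
this line is not in a recognised format
2024-01-09T10:03:00Z auth user=bob src=10.0.1.41 result=failure
""".splitlines()


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"[{a.kind}] {a.ts} src={a.src} {a.detail}")
    print("investigate:", sources_to_investigate(found))
```

Note the design choice in `classify`: the logon result is kept as detail only. A failed attempt with a planted credential still means someone read the decoy and tried it, which is exactly the signal the article describes. The ordinary failed logon by `bob` produces nothing, which keeps the decoy alerts high-signal and separate from routine password-failure noise.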
Adopting a strategy of planting fake data and resources within a network can be a powerful option for organisations of every size. While it does not remove the need for perimeter protection, it adds a layer that can prevent cybercriminals from locating the assets they seek. Consider how you can use this strategy within your infrastructure. The result could be well worth the effort.