IT Focus Area: Security
June 13, 2016
6 Ways to Deceive Cyber Attackers
“Never attempt to win by force what can be won by deception,” said notorious Italian political philosopher Niccolo Machiavelli.
The statement — taken from a 16th-century treatise on maintaining political power — could be a mantra for today’s cyber attackers.
Deploying tactics such as social engineering to lure people into clicking on weaponized links and attachments, they are using deception to set up communication between target systems and command and control servers, siphoning off valuable data with targeted attacks that can take months or years to detect.
The communications paths they use can be convoluted and involve numerous parties, such as internet service providers (ISPs), phone companies, and third-party systems used as proxies. Their tactics are so successful that it can be difficult to determine if an attack is coming directly from the hackers themselves — from a computer that they control — or from a “zombie” computer they’ve taken over that belongs to an unknowing victim.
The Stakes Are High
According to Gemalto's Breach Level Index, 1,792 data breaches led to almost 1.4 billion data records being compromised worldwide during 2016, an increase of 86 percent over 2015. And Verizon's 2016 Data Breach Investigations Report found that in 93 percent of cases where data was stolen, systems were compromised in minutes or less. Organizations, meanwhile, took weeks or more to discover that a breach had even occurred — and it was typically customers or law enforcement that sounded the alarm, not their own security measures.
Traditional prevention and detection methods are being bypassed, and many organizations either don’t know what to do, or don’t have the right resources in place to advance their security.
To keep up with highly skilled and aggressive attackers, we have to move beyond the predictable patterns of network security and static defenses that our cyber adversaries are well-attuned to. The bad guys are getting faster and faster; it has become a question of “when”, not “if” you will be compromised. Assume that attackers have gotten inside, and will do so again.
The continued theft of business-sensitive data could result in the inability of companies to compete in the global marketplace. Cyber security is a matter of survival, and proactively fighting off intruders has become a business imperative. But if we cannot keep them out, and the law prevents us from launching retaliatory counterstrikes in an effort to take back our data and stop breaches at their source, how can we protect critical information assets?
Fight Fire with Fire
In coordination with traditional and advanced security controls, and a diligent approach to basics such as software patching, user identity management, and network management to reduce available attack surfaces, the use of deception can be invaluable.
Gartner predicts that by 2018, 10 percent of enterprises will use deception tools and tactics, and actively participate in deception operations against attackers.*
We can use our enemies’ most valuable tool against them and deploy defensive deception methods to detect hackers and make it more difficult, time consuming, and cost prohibitive for them to attack. With the right tactics, security professionals can make cyber attackers feel like they have successfully hacked, when in reality they’ve fallen into a trap.
Military planners throughout history have used deception to great effect. We can take a cue from what is arguably the greatest deception operation in the history of conventional warfare — the World War II D-Day invasion of Normandy, France.
Operation Bodyguard was the code name given to a well-designed deception plot that guaranteed the success of the Allied landings in Normandy on June 6, 1944.
The goal of the operation was to mislead the Germans about the time and place of the invasion. It worked so well that the German high command was oblivious to the early stages of the attack. Erwin Rommel — the German General Hitler had placed in charge of fortifying the coast of France against any invasion by the Allies — was back in Germany celebrating his wife’s birthday when the invasion began.
In fact, Hitler was so reluctant to disbelieve the false intelligence he’d been given that even after the invasion began, he deferred moving reinforcements to the area for over a month. By that time, the Allies had gained such a strong foothold in continental Europe that it was too late. Operation Bodyguard marked the beginning of the end for the Third Reich.
The success of the mission relied on deceptive tactics that can be applied to cyber-security efforts today: concealment, camouflage, disinformation, displays/ruses, feints and insights.
The Allies concealed their intent with misdirection, convincing the Germans that the attack on Normandy was only a feint or demonstration for the real invasion that was to occur elsewhere. This caused the Germans to waste valuable time waiting for an attack that never took place.
Conceal valuable data in innocuous-looking files, and set up honeypots and facades that divert attackers from real assets, lead them to false intellectual property, or cause them to trip alarms. These techniques waste the attackers’ time, shake their confidence, and increase their anxiety over being caught and exposed.
The Allies obscured real artillery under fake supply trucks and other structures that appeared to be either useless or badly camouflaged dummies.
Obscure your infrastructure by making it a moving target, changing addresses, infrastructure topologies, and available resources daily. Virtualization makes it possible to build up and tear down resources at will. Software-defined networking (SDN) technology can virtualize the deception process while helping to build security management and control features into the network fabric. In short, take steps to prevent attackers from seeing the same infrastructure twice.
The Germans were made to believe a fictitious British Fourth Army was based in Edinburgh and a fake First United States Army Group, under General George S. Patton, was stationed in the South of England in preparation for attacks on Norway and Pas de Calais. This diverted the Germans’ attention away from Normandy.
Divert or confuse attackers with false information. As highlighted under “concealment,” you can supply the hacker with fake successes, responses, files, and assets to exploit. Lie about the most basic things that matter to an attacker: the presence of files, and ability to open and use them. Your system could issue false error messages when asked to do something suspicious, or could claim that it can't download or open a suspicious file when it really can. However, it is important to remember that any false information given must not be easily disprovable.
Inflatable tanks, wooden planes and trucks, and specially painted ships placed in areas the Allies wanted Hitler to believe an invasion was imminent were used to deceive enemy reconnaissance planes. Fake radio communications and information provided by double agents to the Germans added to the deception.
Create counterfeit resources for the attacker to find, such as a fake website that looks like a Web portal to a large directory with a list of typical-sounding files and subdirectories (all fake). The attacker can click on subdirectory and file names to see what appear to be encrypted files, but the 'encryption' is just a random number generator. A variety of unauthorized or error messages will persuade the intruder to think they’ve stumbled upon valuable information, thereby wasting their time and drawing them away from the information they seek.
Generate fake system responses to report back to the attacker for confirmation of effort. For example, if a known virus is planted, the deception could simulate the effects of the virus and lead the attacker to believe that the attack has been successful. The virus would then be removed without the knowledge of the attacker.
Distributed decoy systems can help by spreading the appearance of endpoints and servers throughout the range of IP addresses being used by the company, and setting alluring traps such as fake credentials for accounts on decoy machines. These systems offer the benefit of low false positives (legitimate users have no reason to be in contact with decoys), and because they are in-line, they take up very little bandwidth. When a decoy is breached, the security team can choose to let the attacker continue while they watch, which aids in the development of intelligence about specific attack vectors, and attackers' ultimate goals.
Through the use of double agents, the Allies convinced the Germans that any invasion of Normandy would be a feint — a diversion from a larger attack that would take place elsewhere. They pointed to an Allied invasion of Crete, the Greek mainland or the Balkans on the days before the actual assault on Normandy, and to an ultimate attack on Pas de Calais.
Use defensive feints to pretend to succumb to one form of attack in order to conceal a second, less-obvious defense (this is called a nested deception). For instance, you could deny buffer-overflow attacks on most ports (access points) of a computer system with a warning message, but pretend to allow them on a few for which the effects of the attack are simulated.
The Allies played on Hitler’s personal obsessions and biases. He was convinced that the Allies would attempt a major assault through Greece and the Adriatic, because the Axis nations in that area were vacillating in their loyalty to him. The 22-mile strait opposite Calais was also of intense personal interest to him, because it was where he believed a cross-channel invasion was most likely.
Gain actionable insights and intelligence by gathering threat intelligence feeds and adversary indicators that define and describe trends, tendencies, methods, and actions taken by attackers. This will help you maintain an awareness of existing and emerging threats and achieve insight into attackers’ plans, so your deception strategy can be adjusted before those plans turn into action. There are a variety of threat intelligence services your organization can subscribe to in order to aggregate data and help to determine which information is actionable. Some are specific to industry verticals, specific to one manufacturer, open to third-party integration, and others offer automation tools. Each offers different levels of relevance and context. As organizations continue to ramp up their threat intelligence capabilities, the effectiveness of intelligence-led deceptions will increase.
Detect & Disrupt
According to a recent report from FireEye, more than half of data breaches are detected by an external party such as the FBI. The reported attacker dwell time is 320 days — nearly a year— for those incidents. However, organizations who successfully detect intrusions internally typically experience a dwell time of less than 56 days.
The use of defensive deception techniques can uniquely position your organization to detect an attacker’s lateral movement early, and divert it before critical data is accessed or damaged.
Developing a Strategy
However, just as a single mistake can destroy a magician’s illusion, a misstep during an effort to mislead cyber attackers can derail all of your efforts, and put your data at risk. The more mature your organization’s security practices are, the easier it will be to incorporate deception into your strategy. All forms of defensive deception must be carried out with precision using intrusion-detection methods to minimize damage to legitimate users, and avoid business disruptions.
Find out how to secure your cloud data. Get your guide to building a secure cloud strategy.
Companies without the resources and capabilities to launch this type of initiative may find it best to partner with a vendor-independent firm that has experience in all aspects of IT infrastructure and security. Professional services such as security program and architecture assessments are an important step in evaluating overall risk, and can help to develop a deception strategy that considers the entire life cycle of an attack (i.e. the kill chain), and incorporates a variety of tools and techniques that operate across networks, endpoints, applications, and data.
Organizations have been using honeypots for years in an effort to improve the detection of attacks; while honeypots have been criticized in the past for requiring a significant level of administration and maintenance, today’s honeypots offer greater automation and enterprise-class features.
Over the past few years, new deception technology has emerged that facilitates the broadening of deception capabilities from simple detection to attack diversion, and even prevention. Several solutions that facilitate deception are highlighted below; vendor-independent product testing can help to determine which are best suited to the organization’s environment and business goals.
The End Justifies the Means
During a speech given in 1943 Winston Churchill said, "In wartime, truth is so precious that she should always be attended by a bodyguard of lies." It is how Operation Bodyguard earned its name, and it applies to cyber security today. Security teams are at war with increasingly capable enemies; we cannot stop cybercriminals and state-sponsored agents from breaching our perimeters and targeting our data. But with a multi-layered approach to security that incorporates deception we can misdirect maliciously driven attackers and either trick them into believing they have achieved their goals, or make their efforts so arduous and expensive that they will move on to easier targets. While the use of offensive deception may be difficult to justify from an ethical perspective, when it comes to defending data in today’s threat landscape, the end justifies the means.
Secure your data. Get your guide to developing a secure cloud strategy.