sb-au logo
Story image

Altering the actions of an attacker

25 Jun 2020

Cyber deception is being added to more defensive toolkits for the simple reason that it works, writes Attivo Networks A/NZ regional director Jim Cook.

There’s a trend in cyber defence to ‘fight fire with fire,’ and to do this, you must come equipped with knowledge of not only yourself but also that of your enemy to control the outcomes.

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle,” says Sun Tsu.

At a foundational level, companies have invited ethical hackers inside as security consultants and pen testers to gain knowledge and insight into the way an attacker could breach their organisation. 

We’ve also seen the rise of proactive cybersecurity techniques such as threat hunting, where companies now research potential attackers in much the same way an attacker might research the company as a potential target.

A third vector in gaining adversary knowledge is deception.  In a cybersecurity context, defenders are now employing deception tools, techniques, and strategies, once considered the domain of attackers for outwitting and manipulating their prey, in the fight against them.

Deception and other forms of psychological trickery are components common to many successful attacks.

“One of the biggest secrets of the security world is that over 90% of cyber attacks are … someone knowing how to get you to hand over the keys, and then simply gaining access,”  researchers from Kellogg University wrote in 2015. Even six years later and after endless cyber awareness training sessions, this statement and situation still ring true.

The researchers stated that criminals might try to trick victims into handing over bits of information, or they might launch dummy attacks to mask the actual one. Once inside, they might pretend to be a legitimate user to trick others into handing over information that allows them to escalate their attack.

Given the imbalance of power that an adversary has in using deception, why would defenders not all be using this technology? Possibly, it’s because we’ve always learned that deception is bad: that you don’t deceive people and that you play fair. But attackers don’t play fair, and a lot of their success comes from using deception as a way to trick people into making mistakes and giving up their credentials, computer access, or other information. 

So if one party uses deception to their advantage, they shouldn’t be surprised to find deception employed against them.

On the receiving end

Most of us know what it’s like to be deceived by a person or perhaps even an organisation. But what does encountering cyber deception do to the mindstate of an attacker?

There are multiple layers to this.

A lot of what we know about attackers isn’t from them directly but rather from red teams proxying for an attacker. But what they tell us is that if they believe there is - or have encountered - deception in an environment, they tend to move more slowly.

You can see this illustrated in a recent first-person account of an academic experiment, which tested the psychological impact of knowing cyber deception may be present, and the extent to which that alters behaviour and confidence. 

“The idea of deception on the network was meant to lead and control the actions of an attacker. The primary benefit is early detection, however there are many benefits in applying deception to an attacker. First, they may or may not know they are being manipulated as they falsely believe they are advancing their attack. Once they realize they were discovered, they will slow down and begin second guess every step to look for reality or deception,” a CISO said.

“I sat for eight hours running down rabbit holes only to find one completely void virtual machine after another. I then sat for an hour of psychological tests asking if I felt frustrated or misled or if my confidence was in question.

“The next day was more of exactly the same.

“While I can’t truly establish my own personal baseline, I feel certain deception ruined any chance of success for me.”

Modern deception techniques and environments are multi-layered and convincing. Some technologies are also able to safely engage an attacker, keeping them busy in an ultimately useless endeavour.

An often overlooked aspect of using deception is that, while attackers engage with the decoys, defenders can record their activities and develop intelligence from what they observe, such as the vulnerabilities and exploits they see the attackers using.  What’s more, this intelligence is specific to the organization, making it immediately valuable for strengthening their defenses against the activities that attackers are currently using against them and preparing for subsequent attacks.  

Will this be frustrating to them if and when they realise that defenders have been deceiving them? Potentially, but they may not even fully understand whether they fell for the deception or not. They may try to retrace their steps to uncover the mistake they made along the way to be detected, but they may or may not ever find out. Either way, they will have to slow down, restart their attacks, and ultimately incur more costs as they have to adjust their tactics, techniques, and procedures.

Cyber deception definitely makes a criminal’s work harder. 

It increases their costs, because now they have to be a lot more careful to avoid tipping a target off to their presence, and they also have to validate every stage of the attack. And - importantly - that changes the economics of an attack.