Six benefits of initiating a deception strategy for IT security teams
Article by Attivo Networks A/NZ regional director Jim Cook.
Faced with an ever-increasing range of sophisticated cyber threats and evolving attack surfaces, IT security teams are adopting a new line of defense: deception. They recognise that, despite there being a range of security tools and services in place, cybercriminals are still managing to bypass them and gain entry to infrastructures. Clearly, a new approach is required. That new approach is based on cyber deception.
Deception puts increased power into the hands of security teams by comprehensively protecting against attacks from both external parties and malicious insiders, accurately notifying that something is wrong, and by delivering detailed threat intelligence for prompt remediation.
Advanced teams can go so far as misdirecting attacker actions and altering feeds to attackers automated tools in order to confuse the adversary and the derail attack.
A deception strategy involves deploying decoys, lures, and bait such as fakes systems, applications, file stores, and credentials within a corporate IT infrastructure that actually have nothing to do with day-to-day activity but appear as if they do.
Because staff have no reason to access these resources, any time there is engagement, it is highly likely that the activity is a cyberattack or at a minimum a policy violation that needs investigation.
A deception strategy can be used in two different ways. Some organisations prefer to simply be alerted of an intrusion so they can quickly take steps to plug the security hole and restore operations. Others may want to take a different approach and use deception security for adversary management.
Once an intrusion is detected, they can observe how the intruder is moving around within the infrastructure and what resources they appear to be targeting. They can then examine details such as what registry keys might be changed, and which specific files are accessed and by which tools.
Data gleaned in this way can be fed back into existing tools to hunt within the network for other like infections and to continually improve effectiveness in the future.
A deception strategy is also a highly effective way to detect insider threats. Any staff accessing deceptive elements is an indication that the person is roaming in parts of the network where they have no authority.
A properly instigated deception strategy, therefore, delivers six key benefits for organisations. It will:
- Reduce the time taken to detect attacks as a flag is raised as soon as the deception assets are accessed. This gives security teams time to respond to what is going on before damage or loss occurs. This can be critical for ransomware attacks seeking to encrypt or erase shared drives.
- Trick attackers into revealing their presence within a network. As soon as they begin to move laterally and encounter any deception assets, their presence will be known. This serves as an ideal safety net for when conventional protection tools have missed the intrusion.
- Generate only high-quality, actionable alerts. IT teams can be confident that deception alerts have been triggered by a substantiated event and give them priority attention.
- Remove reliance on signature-based security techniques, allowing teams to catch even zero-day exploits before they can cause damage.
- Capture information about the type and nature of an attack that is taking place, enabling other defences to be strengthened.
- Deliver a threat intelligence dashboard that gives security teams a clear, real-time view of exactly what is occurring within their network. Integrations can also provide automation for quickly isolating the attack and blocking further action.
The constant evolution of the cyberthreat landscape shows no sign of slowing. Techniques that worked well in the past may not continue to deliver required levels of protection in the future.
A deception strategy provides businesses with another layer of protection and the ability to rapidly respond to attacks as soon as they occur. As a result, production systems and sensitive data stores can be secured against unauthorised access, reducing the likelihood of disruption and loss.
Taking the time now to put a deception-based strategy in place will reduce overall risk and safeguard against both current threats and those that are just around the corner.