Rethinking deception as a cybersecurity tool
Deception is a commonly used strategy in warfare, deployed with the intent of causing one’s enemy to make mistakes. Deception is an active and proactive defense measure that can make a defender appear stronger than its actual resources would suggest. Time continues to demonstrate that reactive cybersecurity is an insufficient defense plan, and as a result many security teams are seeking ways to be more proactive in their network defense. Deception technologies and techniques are evolving and finding their way into the mainstream cybersecurity battle.
Organizations that have yet to adopt deception strategies and tactics cite complexity and the inability to correlate deception with a demonstrably stronger cyber defense. For those reluctant to consider deception, the topic tends to conjure up images of 1980s-style honeypots. For many organizations, the information gathered by engaging and studying threats, which feeds a ‘big data’ pool, is simply too complex to decipher and too expensive to act on.
One particular CISO recently summarized their reticence towards deception solutions as follows, “We are constantly fighting to stay ahead and don’t have time to get cute with attackers. Amplifying established detection solutions without the ability to easily act on alerts may not be the best use of our team’s time.”
This paper will demonstrate a simple and reliable way to leverage deception to solve critical cybersecurity problems.
ATTACK CYCLES AND DOMAINS OF DECEPTION
Network based deception keeps pace with evolving threats
According to Gartner, the primary domains of deception include: network interior, network perimeter, endpoint, application and data [1]. To date, the primary domains of deception for most deception solution providers are the endpoint and application layers, but this limits the potential impact of deception earlier in the kill chain. Deception at the network layer provides a clear path to hitting threats head-on and solving meaningful security problems. Network based deception is an underserved area that can create an effective way to detect attacks in progress during reconnaissance and block entry.
Stopping threats early requires injecting deception at the perimeter so that threats are deceived from the first reconnaissance scan onward. This is extremely effective in a dynamic defense approach because attackers initiate the assault process ‘blind’ to the network terrain, but shift their attack plans based on their discoveries at the perimeter. Over time their attempts and persistence pay off, and they gain access through unrelenting scans including, but not limited to, high volume floods, low and slow scans, probes, attack dry-runs, socially engineered data, distractions and other techniques that distract administrators, gauge capabilities, identify service limits and ultimately wear away at static perimeters that do not deploy deceptive techniques.
Attackers use myriad methods to gain knowledge of a targeted network in an attempt to uncover services such as VPN, WEB, FTP, VOIP & SSH, to name a few. Common attack patterns and methods include:
- Network scans. The first step is network discovery. The attacker uses automated methods and “bot” networks to scan for available services [1].
- Service probes. Once the attacker identifies the available services, they begin probing those services for any available opportunities.
  - Can be slow and methodical so as not to raise alarms on the targeted network
  - Can be launched from many sources around the world
- Flooding. Once the attacker understands the capabilities and available services, they can launch flooding attacks to distract and/or cripple the service. Armies of mail servers might be pointed at a network to flood mailboxes with malware and links to infected websites. Once infected, the protected systems can call back to command and control centers for further instructions.
- Botnet deployment. In order to be more effective, botnets might be deployed with specific purposes. These botnets lessen the chance of discovery and improve the results of their malicious efforts.
  - Scan bots. These perform continuous scans of the internet seeking responses.
  - Probe bots. Once scan bots uncover responses, probing bots go in search of more detailed information on the newly discovered services.
  - Flood bots. Flooding bots are frequently used to distract an attack victim’s resources.
Bot resources are frequently used in unison to provide the best opportunity for success. Bot networks can grow and shrink, and change from country to country. While attacker resources are frequently discovered, said resources constantly replenish their ranks with newly-infected systems.
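The three reconnaissance shapes described above (a fast single-source scan, a low-and-slow scan, and a probe spread across many bot sources) leave distinct footprints in ordinary perimeter connection logs. The following is an added illustration, not code from this paper or from PacketViper, that runs simple detection logic over a constructed log sample; the log format, thresholds and IP addresses are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed perimeter connection log (not from any real device):
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.10 -> 192.0.2.5:21 DENY
2024-05-01T10:00:01 203.0.113.10 -> 192.0.2.5:22 DENY
2024-05-01T10:00:01 203.0.113.10 -> 192.0.2.5:23 DENY
2024-05-01T10:00:02 203.0.113.10 -> 192.0.2.5:25 DENY
2024-05-01T10:00:02 203.0.113.10 -> 192.0.2.5:80 ACCEPT
2024-05-01T10:00:03 203.0.113.10 -> 192.0.2.5:443 ACCEPT
2024-05-01T10:00:03 203.0.113.10 -> 192.0.2.5:3389 DENY
2024-05-01T10:00:04 203.0.113.10 -> 192.0.2.5:5060 DENY
2024-05-01T02:00:00 198.51.100.7 -> 192.0.2.5:21 DENY
2024-05-01T06:00:00 198.51.100.7 -> 192.0.2.5:22 DENY
2024-05-01T10:00:00 198.51.100.7 -> 192.0.2.5:23 DENY
2024-05-01T14:00:00 198.51.100.7 -> 192.0.2.5:25 DENY
2024-05-01T18:00:00 198.51.100.7 -> 192.0.2.5:110 DENY
2024-05-01T22:00:00 198.51.100.7 -> 192.0.2.5:143 DENY
2024-05-01T11:00:00 203.0.113.21 -> 192.0.2.5:21 DENY
2024-05-01T11:00:05 203.0.113.22 -> 192.0.2.5:22 DENY
2024-05-01T11:00:10 203.0.113.23 -> 192.0.2.5:23 DENY
2024-05-01T11:00:15 203.0.113.24 -> 192.0.2.5:25 DENY
2024-05-01T11:00:20 203.0.113.25 -> 192.0.2.5:110 DENY
2024-05-01T11:00:25 203.0.113.26 -> 192.0.2.5:143 DENY
2024-05-01T12:00:00 192.0.2.77 -> 192.0.2.5:443 ACCEPT
2024-05-01T12:00:30 192.0.2.77 -> 192.0.2.5:443 ACCEPT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<action>\w+)$"
)


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                       "dst": m["dst"], "port": int(m["port"]), "action": m["action"]})
    return events


def detect_scanners(events, min_ports=5, slow_threshold_s=3600):
    """A single source touching many distinct ports is a scan; if those touches are
    spread over more than slow_threshold_s it is the low-and-slow variant."""
    ports, first, last = defaultdict(set), {}, {}
    for e in events:
        src = e["src"]
        ports[src].add(e["port"])
        first[src] = min(first.get(src, e["ts"]), e["ts"])
        last[src] = max(last.get(src, e["ts"]), e["ts"])
    findings = {}
    for src, p in ports.items():
        if len(p) < min_ports:
            continue
        span = (last[src] - first[src]).total_seconds()
        findings[src] = "low-and-slow scan" if span > slow_threshold_s else "fast scan"
    return findings


def detect_distributed(events, min_sources=5, min_ports=5, max_ports_per_source=2):
    """Many sources, each touching only a port or two, that together cover many ports
    on one target within the same minute: the bot-network probe pattern."""
    buckets = defaultdict(lambda: defaultdict(set))   # (dst, minute) -> src -> ports
    for e in events:
        minute = e["ts"].replace(second=0, microsecond=0)
        buckets[(e["dst"], minute)][e["src"]].add(e["port"])
    findings = []
    for (dst, minute), by_src in buckets.items():
        quiet = {s: p for s, p in by_src.items() if len(p) <= max_ports_per_source}
        covered = set().union(*quiet.values()) if quiet else set()
        if len(quiet) >= min_sources and len(covered) >= min_ports:
            findings.append({"dst": dst, "minute": minute.isoformat(),
                             "sources": sorted(quiet), "ports": sorted(covered)})
    return findings


def analyze(text):
    """Run both detectors over a log and return the combined findings."""
    events = parse_log(text)
    return {"scanners": detect_scanners(events), "distributed": detect_distributed(events)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The per-source detector catches the fast scanner and the one that stretches six probes across twenty hours; the per-minute detector is what exposes the six bots that each touch one port, which no per-source threshold would flag on its own. Real deployments tune the thresholds to the site's own traffic and, as the paper's perimeter argument implies, act on the finding immediately rather than only recording it.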
Regardless of the attacker’s method, everything must pass through the network layer, and at the network layer there is less complexity and the space is more easily managed. With PacketViper, dynamic defense can be enabled at the network layer with point & click simplicity. Decoys and decoy responses are configured to change continuously so that they never provide a stable, easily mapped path to your data. Deception needs to start before the attacker infiltrates.
DIFFERENT APPROACHES TO DECEPTION
Interior – East/West
Deception has been around for some time now, and some of the tools used in the beginning were honeypots, but as attackers got smarter these became easier to detect. Deceptive honeypots have traditionally been used for detection. To combat these discovery techniques, a new wave of intelligence has emerged that has repurposed honeypots with more sophistication. These enhanced technologies and techniques include centralized management, phony files, shares, routers, switching user IDs, redirection, and lures to lead attackers to a poisoned well with the intent of understanding how they execute their attacks.
Many of the deception focused platforms are focused primarily on internal East/West traffic with forensics and analysis capabilities. Some have APIs with select perimeter firewalls. While these systems can provide value, they often require large footprints such as physical workstations and virtual machines that may include deception within Active Directory, DNS, file servers, and the like.
A risk in executing this type of deception plan lies in the understanding that these environments are in constant update mode, and that they are extremely complex and administratively challenging. In short, they ‘cry wolf’ with frequency and do little to truly eliminate overwhelming SIEM and alert burdens.
The internal systems tend to carry a high total cost to operate, depending on the scope of the deployment, complexity, and available expertise. In most cases businesses of all sizes that seek to be more proactive in deploying deception rarely have the investment dollars, time, or resources to maintain and manage these systems. Lastly, it is less compelling and arguably insufficient to limit deception to studying and preventing attackers that have already infiltrated a network.
Perimeter – North/South
Perimeter deception offers great potential to strengthen network defense and make networks harder to detect. Traditional perimeter defense approaches deploy little deception and are heavily reliant upon signature and reputation data.
Deception at the perimeter can proactively flush out an attacker’s assets and kill the desired attack vector. PacketViper does this at the perimeter by mimicking application responses during the attacker’s most vulnerable time, the reconnaissance stage of the attack. PacketViper not only identifies and blocks their assets in real-time, but it pushes back by poisoning those public services that help attackers find vectors into your environment.
Using common sense techniques, and with point & click simplicity, PacketViper can rotate the deceptive perimeter based on a variety of factors including time, geo-target, business, protocol, or port to further confuse the attacker’s plans, while at the same time blocking each new probe source in real-time. Effective deception at the perimeter can also eliminate the attacker’s advantage of anonymity through proxy.
Bringing deception to the perimeter offers significant benefits including harvesting new threat intelligence and adapting perimeter defenses in real-time to utilize the new intelligence gained. It can be a game changer.
AGENTLESS, LIGHTWEIGHT INTERIOR AND PERIMETER DECEPTION
Advanced, dynamic deception technology is a unique approach to cyber security that has changed the security paradigm towards more proactive cyber defense. PacketViper can easily deploy believable, target-rich deception layers at the perimeter and the interior of the networks to lure and ultimately defeat attackers. These decoys and sensors are not services that can be exploited for use against the host; rather they perform a brief interaction and generate a quick reaction.
PacketViper offers a simpler and more reliable way of rapidly deploying deception to all corners of the network that do not require in-depth knowledge of attacker behavior methodologies. Unique characteristics of this approach include:
- Agentless, lightweight blend of perimeter and interior deception
- Rapid deployment
- Maintained perimeter presence
- No added complexity
- Reduction of perimeter noise, logging and alerting
- Reduction of security burdens on firewalls and spam filters from unwanted traffic
- Ability to gain new threat intelligence at both the perimeter and interior
- Detection, alert, containment and mitigation
Current deception solutions are predominantly deployed for East/West visibility and may not begin to function until the perimeter has been breached. The PacketViper deceptive practices engage at the onset of the attack cycle when the network scans and service probes commence.
| Other deception solutions | PacketViper |
|---|---|
| Interior focus (East/West) | Perimeter and Interior (North/South/East/West) |
| Complex deployments with agents and workstations | Lightweight, easily deployed, agentless and no workstations |
| Difficult to scale | Easily scaled across an enterprise |
| | Threat intelligence harvested at interior and perimeter |
| Risk of exploited services | Nothing to detect, no risk of exploited services |
Deception in all directions
PacketViper offers the best level of deception saturation to provide a 360-degree view of interior and exterior threats. It cleverly eliminates the need to deploy complex and impractical fictitious environments. The PacketViper deception technology works in all directions (North, South, East and West) and is enacted by creating a Virtual Minefield Zone™ (VMZ) at the network perimeter, and within the protected LAN. The VMZ creates an artificial but attractive attack surface and is not reliant upon predetermined attack signatures, and acts as an extremely effective and efficient intelligence gathering and filtering tool.
As illustrated in the diagram below, PacketViper can deploy a target-rich deception layer to lure attackers. PacketViper decoys and sensors are not services that can be exploited then used against the customer; rather, they perform a brief interaction, and provide an immediate reaction. Other types of sensors can remain silent and wait for specific rates, times, and ports. PacketViper’s approach is to not lead attackers through a deception field in order to detect and then understand their approach or pattern; instead, the technology captures the attacker while they blindly “feel around” the target customer network. By quickly extending a cable from PacketViper into specific IP ranges in the environment, users can blend the decoy and sensor into that network area of responsibility. Because PacketViper maintains perimeter presence in the deceptive deployment, once an internal threat is detected the technology will automatically contain the threat and alert the appropriate personnel as defined in the corresponding response rule action.
Using already available resources, users can accommodate and deceive attackers when they perform reconnaissance searches from either side of the firewall. Adding a few records to DNS, Active Directory, and/or WINS servers can further complicate matters and drive attackers to decoys and sensors once they perform look-ups on those services.
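The DNS part of that idea is easy to put into practice with nothing more than a zone file and the resolver's query log: a handful of decoy hostnames that no legitimate system ever resolves are pointed at an interior decoy address, so any client that looks them up has found those names by enumeration rather than by normal use. The following is an added example, not part of this paper or of PacketViper; the zone name, decoy hostnames, decoy address and the query-log line format are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed values: a made-up zone, a made-up decoy/sensor address, and decoy
# hostnames that look like legacy infrastructure but serve nothing real.
ZONE = "corp.example"
DECOY_IP = "10.9.9.9"
DECOY_HOSTS = ["backup-fs02", "sql-legacy", "vpn-old", "admin-jump"]


def decoy_records(hosts=DECOY_HOSTS, zone=ZONE, ip=DECOY_IP, ttl=300):
    """Zone-file A records that steer look-ups of the decoy names to the decoy address."""
    return [f"{h}.{zone}. {ttl} IN A {ip}" for h in hosts]


def decoy_fqdns(hosts=DECOY_HOSTS, zone=ZONE):
    """The fully qualified decoy names, normalised for matching against query logs."""
    return {f"{h}.{zone}".lower() for h in hosts}


# Constructed query-log format, loosely modelled on a resolver query log but not
# any real product's exact syntax:
# "<date> <time> client <ip>#<port>: query: <name> IN <type>"
QUERY_RE = re.compile(
    r"client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

SAMPLE_QUERY_LOG = """\
01-May-2024 09:15:02 client 10.1.4.23#50312: query: mail.corp.example IN A
01-May-2024 09:15:09 client 10.1.4.23#50313: query: intranet.corp.example IN A
01-May-2024 09:16:40 client 10.1.7.88#41002: query: backup-fs02.corp.example IN A
01-May-2024 09:16:41 client 10.1.7.88#41003: query: sql-legacy.corp.example IN A
01-May-2024 09:16:41 client 10.1.7.88#41004: query: admin-jump.corp.example IN A
01-May-2024 09:20:00 client 10.1.4.23#50320: query: www.corp.example IN A
"""


def find_decoy_lookups(log_text, decoys=None):
    """Return {client_ip: [decoy names queried, in log order]} for every client that
    resolved a decoy name. A normal workstation never appears here, so each entry is
    a high-confidence sign of interior enumeration."""
    decoys = decoy_fqdns() if decoys is None else decoys
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m["name"].rstrip(".").lower()
        if name in decoys:
            hits[m["client"]].append(name)
    return dict(hits)


if __name__ == "__main__":
    print("\n".join(decoy_records()))
    print(find_decoy_lookups(SAMPLE_QUERY_LOG))
```

The records go into the internal zone alongside the real ones; the client that resolves three decoy names in two seconds is the one to contain, and because the names point at the decoy address, whatever it connects to next lands on the sensor rather than on a production host.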
PacketViper deception is deployed by extending a wire from a PacketViper deception port into any public or protected network segment, thereby providing immediate visibility and control capability of both perimeter and interior networks. With a focus on the reconnaissance phase of attacks, PacketViper Virtual Minefield Zones (VMZs) and interior decoys, redirectors, and sensors provide the sought-after levels of control and visibility into networks.
Internal networks rely heavily on endpoint protection, network segmentation, or packet sniffing devices that bulk dump data into databases, SIEMs or other expensive repositories. The connecting points between these sites are generally relaxed routers and firewalls, meaning a firewall configured for trusted networks is different from a perimeter firewall. What has always been challenging is everything else, the space between the devices. This “space between” is generally either discarded, overlooked, not understood, or funneled in bulk to a SIEM. Given that the SIEM already carries a tremendous burden, making sense of everything in between is especially difficult.
PacketViper allows organizations of all sizes to easily deploy deception anywhere in their environments, in all directions, knowing that their deceptive efforts will not only improve visibility and control, but also produce impactful results. Typical deception driven use cases include:
- Injecting deception at the perimeter and rotating sensors make networks hard to detect
- Perimeter facing agentless deception against recon/NMAP scans
- Internal agentless deception of lateral moving threats
- Automatically apply new threat intelligence
- Believable deception uncovers and applies threat intelligence in real time, stopping attackers in their tracks
- Up to 70% reduction in IP traffic
- Firewall life extension
- SIEM optimization
- Reduced logs and alerts
Vendor Risk Management
- Deceive vendors while on network
- Continuous and real-time behavior monitoring
- Automated responses and actions
- Varied responses based on violation and vendor criticality
Limited deception deployments equate to limited results
Deception efforts are only as effective as the scope of the deception deployment – said differently, limited deception deployments equate to limited results. More deception is better, but with legacy methods and interior only technologies, the results of the deception efforts can fall short and require excessive costs, maintenance and support.
PacketViper’s lightweight deception approach reaches all corners of the enterprise network and is not constrained by the limits of legacy solutions or limited to only interior, east-west deceptive efforts. With agentless, lightweight deployment, PacketViper can be easily and cost-effectively deployed across a global enterprise or within a modest-sized organization and deliver heavyweight results.
PacketViper’s automated, dynamic deception technologies can be spread throughout an enterprise and help solve critical cybersecurity problems. Organizations of all sizes can present a stronger and deeper defense posture. Once an attack is detected and trapped by a decoy or sensor, automated mitigation and defense adjustments engage. The intelligence gained by detecting the threat is harvested, filtering rules are updated across the enterprise, and the perimeter posture is modified so the next wave of threats encounters a different set of protocols at the perimeter.
Advanced and automated cybersecurity deception provides several unique benefits when deployed:
- Agentless blend of perimeter/interior deception monitoring, alerting, mitigation and containment
- Perimeter defense with Bi-directional Geo-Targeting of Country, Company, Network, and IP
- Unique actionable and applied threat intelligence
- Enterprise-wide synchronized defense and mitigation
- Forensics and analytics