Before putting any malicious plans into action, sophisticated cyber-criminals will gather a substantial amount of information about the networks they intend to breach, such as the current location, network structure, nature of the assets, the target destination and other characteristics. This is so that they can focus their attack on only the most lucrative assets and ensure that they can convincingly disguise their activity until they have completed their mission. Security professionals can deal with these skilled attackers by increasing the “knowledge gap,” or the distance between what attackers think they know about the network and reality – this is best done through various deception techniques.
“Knowledge gap” is a phenomenon observed by researchers where the attacker's knowledge – or lack of thereof – gives a clear indication that they are not regular users within the environment. For example, “spray and pray” behaviours are often seen where attackers are shooting haphazardly across the network to try and find clues, or valuable pieces of information. Patterns like this demonstrate the lack of knowledge certain attackers have of their environment, because the noise it creates is a clear indication that they are not known users. Security professionals can ensure that the intel that the attackers are likely to collect reflects their actual environments as little as possible – making it more arduous for cyber-criminals to reach valuable assets.
Increasing the knowledge gap of attackers and understanding where they go to gather their intel is a powerful capability for security professionals as it allows them to strategically deploy their deception components. Deception is effective as it is a proactive defence measure that can confuse cyber-criminals during the earliest stages of an attack, while also acting as a means of detection. To be more specific, there are three main deception techniques that security professionals can use to increase an attacker's knowledge gap and, therefore, decrease the risk of an organisation's valuable assets being compromised:
Honeypots are computer security mechanisms that are set to detect, deflect, or, in some manner, counteract attempts at unauthorised use of information systems. Deploying honeypots is one of the oldest forms of deception, wherein desirable fake data is placed as isolated decoys that are monitored for any suspicious activity. Once an undesirable agent reaches a honeypot, the security system can alert defenders and trigger a response, without there ever being any actual data at risk.
In more general terms, a decoy is simply a fake asset resembling a workstation, server, service, laptop, router, switch, mobile device or any other computer component. While legacy honeypot mechanisms can include decoys, recent developments in the sophistication of decoys has meant that they are sometimes described as next-generation honeypots. Modern decoys are not just placed manually around a network but are, in fact, both generated and deployed automatically based on discovery data – making it even harder for attackers to discern them from actual assets.
Breadcrumbs, also known as traps or mini-traps, are clues for a potential attacker that an intelligent deception platform intentionally leaves behind on organisational systems. When an attacker accesses documents, emails or other data contained in these kinds of breadcrumbs, they are directed toward decoys and away from protected systems. This has the effect of both increasing the attacker's activity footprint and thwarting them in their attempts to locate sensitive information.
While breadcrumbs come in many shapes, emails containing fake links and login information have proven to be one of the most effective methods to deceive attackers. While emails are easy to read, they are still used extensively to transmit sensitive data from one person to another. In other words, emails are often high on an attacker's reconnaissance list because of the sensitive data they all-too-often contain. This affords emails a high degree of credibility (with attackers) and makes them excellent deception breadcrumbs.
As it becomes increasingly unrealistic to stop cyber-criminals from entering a network, widening the knowledge gap of cyber-criminals becomes critical. Contemporary cyber-security measures will increasingly aim to control the information that can be accessed as a malicious actor enters the network, and deception techniques will have an important role to play to that end.
Contributed by Andrew Bushby, UK director at Fidelis Cybersecurity.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.