Source: www.csoonline.com
The tactic of luring bad actors into digital traps goes beyond honeypots, requiring robust infrastructure and highly realistic lures to gather intelligence on intruders and identify insider threats.
Longtime cybersecurity practitioners might recall the early guidance manuals published by the National Security Agency (NSA) in the 1980s and 1990s known as the “Rainbow Series,” so named because each book had a different-colored cover.
Among these was the book “Understanding Covert Channel Analysis of Trusted Systems”, initially published in 1983. It is one of the earliest documents in the digital era that spelled out how to operate covertly and deceptively online without compromising system security, laying the foundation for what is now known as deception technology.
But deception technology, or methods for luring bad actors into digital traps, has come a long way since then. Modern deception technology involves dedicating some computer assets to house fabricated yet realistic and complex digital records, which makes them attractive lures for cybercriminals and other malicious actors.
For some major organizations, deception efforts could become real-world productions, complete with phony social media profiles, fake office sets, and even actors pretending to be employees, all to snooker the bad guys into a dead-end.
“Deception operations are useful to conduct, but you have to have a robust infrastructure,” threat intel hacker and former FBI computer scientist Russell Handorf said during a presentation at this year’s Shmoocon conference.
“You have to know the cadence. You have to have a lot of that other foundational stuff in play. If you do have that stuff in play and decide to run a deception operation, it is a strong signal that something hinky is going on in your infrastructure.”
Deception requires more than creating honeypots
The goal of deception technology, also known as deception techniques, operations, or tools, is to create an environment that attracts and deceives adversaries to divert them from targeting the organization’s crown jewels. Rapid7 defines deception technology as “a category of incident detection and response technology that helps security teams detect, analyze, and defend against advanced threats by enticing attackers to interact with false IT assets deployed within your network.”
Most cybersecurity professionals are familiar with the most common current application of deception technology, honeypots, which are computer systems sacrificed to attract malicious actors. But experts say honeypots are merely decoys deployed as part of what should be a more overarching effort to get shrewd, easily angered adversaries to buy into elaborate deceptions.
Companies selling honeypots “may not be thinking about what it takes to develop, enact, and roll out an actual deception operation,” Handorf said. “As I stressed, you have to know your infrastructure. You have to have a handle on your inventory, the log analysis in your case. But you also have to think that a deception operation is not a honeypot. It is more than a honeypot. It is a strategy that you have to think about and implement very decisively and with willful intent.”
Deepen Desai, CSO and head of security research at Zscaler, compares deception operations to motion detectors. “If I were to draw an analogy, you have locks, keys, and doors to protect your house from bad guys getting in. But when bad guys get in, whether they’re pretending to be the good guys or they’re already inside, it’s the motion sensors that you tactically place at spots in the house that are not easily visible but raise the alarm when someone is at a place where you don’t expect them to be.”
Realism is critical to the success of deception
A critical component of deception technology is the creation of assets that criminals and other threat actors believe are real, at least for a while, lest they quickly exit or avoid them altogether, which would render the deception operation useless. “You’re not going to be able to do it perfectly because you’re going to always leave some sort of weird footprint, a little flag,” Handorf tells CSO.
Getting the details right for highly elaborate deception operations is particularly important. Assets that appear fake, such as 1,000 computers all unrealistically built precisely the same way, “tip off the adversary that it’s not a real deception,” Handorf says. “Something about the host isn’t exactly right. It’s too symmetrical. In movies, people walk in, and they are like, ‘Wait, there’s something about this room that just doesn’t feel right. It’s way too convenient,’ and then, all the cops show up.”
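One way to catch the "too symmetrical" tell before an adversary does is to audit the decoy fleet for attributes that are identical across hosts and for hostnames that run in lockstep. The script below is an added example, not code from the article or from any vendor it quotes; the two fleets, the attribute names and the 0.8 uniformity threshold are all constructed assumptions for illustration.

```python
"""Symmetry audit for a fleet of decoy host profiles.

Added example (not from the CSO article). The fleets below are constructed;
the attribute names and the 0.8 threshold are assumptions chosen to show how
a cloned decoy fleet stands out from one with realistic variation.
"""
import re
from collections import Counter

# Constructed: eight decoys stamped out from one template (the anti-pattern).
CLONED_FLEET = [
    {"hostname": f"srv-{i:03d}", "os_build": "22631.3155", "uptime_days": 3,
     "installed": "office,chrome", "last_logon_user": "admin"}
    for i in range(8)
]

# Constructed: five decoys with the kind of variation a real estate shows.
VARIED_FLEET = [
    {"hostname": "acct-ws-14", "os_build": "22631.3155", "uptime_days": 11,
     "installed": "office,chrome,sap_gui", "last_logon_user": "mreyes"},
    {"hostname": "eng-lt-203", "os_build": "22631.3155", "uptime_days": 4,
     "installed": "vscode,chrome,git", "last_logon_user": "tnguyen"},
    {"hostname": "fin-srv-02", "os_build": "20348.2322", "uptime_days": 37,
     "installed": "sql_server,office", "last_logon_user": "svc_fin"},
    {"hostname": "ops-ws-7", "os_build": "20348.2322", "uptime_days": 9,
     "installed": "office,chrome,sap_gui", "last_logon_user": "dkim"},
    {"hostname": "mkt-lt-88", "os_build": "19045.4046", "uptime_days": 2,
     "installed": "office,chrome", "last_logon_user": "lpatel"},
]


def uniformity(fleet, attr):
    """Fraction of hosts sharing the single most common value of `attr`."""
    counts = Counter(host[attr] for host in fleet)
    return counts.most_common(1)[0][1] / len(fleet)


def sequential_names(fleet):
    """True when every hostname is one shared prefix plus a running number
    (srv-000, srv-001, ...), a pattern real fleets rarely show."""
    matches = [re.fullmatch(r"(.*?)(\d+)", host["hostname"]) for host in fleet]
    if not all(matches):
        return False
    prefixes = {m.group(1) for m in matches}
    numbers = sorted(int(m.group(2)) for m in matches)
    contiguous = numbers == list(range(numbers[0], numbers[0] + len(numbers)))
    return len(prefixes) == 1 and contiguous


def audit(fleet, threshold=0.8):
    """Return human-readable findings; an empty list means the fleet passes."""
    findings = []
    for attr in fleet[0]:
        if attr == "hostname":
            continue  # hostnames are checked for sequencing, not sameness
        share = uniformity(fleet, attr)
        if share >= threshold:
            findings.append(f"{attr}: {share:.0%} of decoys identical")
    if sequential_names(fleet):
        findings.append("hostnames: sequential numbering from one prefix")
    return findings


if __name__ == "__main__":
    for name, fleet in (("cloned", CLONED_FLEET), ("varied", VARIED_FLEET)):
        print(name, audit(fleet) or ["no symmetry findings"])
```

Run it against a real decoy inventory export instead of the constructed fleets, and treat any finding as a reason to re-provision before the decoys go live, since the article's point is that an adversary who spots the pattern will either leave or turn destructive.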
Thom Langford, EMEA CTO of Rapid7, tells CSO that although his organization has succeeded in past deception operations, “it became apparent quite quickly that the more serious attackers, the more serious threat actors found out what was going on rather quickly. They realized they were dealing with deceptive technology. That immediately diminishes its value.”
Even worse, Handorf says, “Once the actor gets in and they start seeing that stuff, you could piss them off, you can make them angry, you can make them frustrated, and they may want to hurt you more.”
Desai says that threat actors caught in deception operations can, like most people, behave in various ways. “Some will exfiltrate data, remove all the traces, wipe out all the evidence, and get out of that environment. But then there are those who were unable to hit their mission objective and were like, ‘Okay, my cover is blown. Let me now destroy everything that I have access to and get out.’ So, you can end up with either.”
The desire of some threat actors to wreak havoc is why Desai recommends that organizations implement a zero-trust architecture first. “This is where you need to have the deception technology integrated with your zero-trust platform. As soon as someone gets trapped by your deception technology, you automatically isolate them from the real environment.”
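The "motion sensor" framing above and the zero-trust integration Desai describes come together in a small detection loop: because no legitimate workflow ever touches a decoy host, account or file, a single touch is a high-confidence alert, and the principal behind it can be handed straight to an isolation hook. The code below is an added example, not code from the article, Rapid7 or Zscaler; the decoy inventory, the key=value log lines and the `isolate` callback are constructed assumptions standing in for whatever inventory, SIEM and zero-trust platform an organization actually runs. It also keeps a per-principal tally of distinct decoys touched, which is the "poking around where the job does not take you" pattern Desai associates with insiders.

```python
"""Decoy-touch detector with an isolation hook.

Added example, not code from the CSO article or any vendor it quotes.
Everything below is constructed: the decoy inventory, the log format and
the `isolate` callback are hypothetical stand-ins for real systems.
"""
import re
from collections import defaultdict

# Constructed decoy inventory: nothing legitimate ever uses these.
DECOY_HOSTS = {"fin-backup-07", "hr-archive-02"}
DECOY_ACCOUNTS = {"svc_payroll_ro"}
DECOY_PATHS = {"/finance/board_minutes_2024.docx"}

# Constructed sample log in a simple key=value format (values have no spaces).
SAMPLE_LOG = """\
ts=2024-03-01T09:58:10Z src=10.0.12.5 user=jsmith event=auth host=wks-1042 result=ok
ts=2024-03-01T10:01:02Z src=10.0.12.5 user=jsmith event=file_open host=fs-01 path=/finance/quarterly.xlsx
ts=2024-03-01T10:04:41Z src=10.0.12.5 user=jsmith event=smb_connect host=fin-backup-07 result=ok
ts=2024-03-01T10:05:13Z src=10.0.12.5 user=jsmith event=file_open host=fin-backup-07 path=/finance/board_minutes_2024.docx
ts=2024-03-01T10:07:55Z src=10.0.44.9 user=svc_payroll_ro event=auth host=pay-app-01 result=fail
ts=2024-03-01T10:09:00Z src=10.0.31.2 user=alee event=file_open host=fs-01 path=/hr/handbook.pdf
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def decoy_reasons(event):
    """List the decoy artefacts this event touched (empty for normal traffic).
    A failed logon with a decoy account still counts: the credential exists
    only to be tried, so any use of it is a signal."""
    reasons = []
    if event.get("host") in DECOY_HOSTS:
        reasons.append("host:" + event["host"])
    if event.get("user") in DECOY_ACCOUNTS:
        reasons.append("account:" + event["user"])
    if event.get("path") in DECOY_PATHS:
        reasons.append("path:" + event["path"])
    return reasons


class DeceptionMonitor:
    """Alerts on every decoy touch and hands the principal to `isolate`.

    `isolate` is a hypothetical callback standing in for the zero-trust
    platform's quarantine action; by default it does nothing."""

    def __init__(self, isolate=None):
        self.alerts = []                 # (ts, principal, reasons)
        self.isolated = set()            # principals already cut off
        self.touches = defaultdict(set)  # principal -> distinct decoys touched
        self._isolate = isolate or (lambda principal: None)

    def feed(self, line):
        """Process one log line; returns the principal if it hit a decoy."""
        event = parse_line(line)
        reasons = decoy_reasons(event)
        if not reasons:
            return None
        principal = (event.get("user", "?"), event.get("src", "?"))
        self.alerts.append((event.get("ts"), principal, reasons))
        self.touches[principal].update(reasons)
        if principal not in self.isolated:   # isolate once, on first touch
            self.isolated.add(principal)
            self._isolate(principal)
        return principal

    def run(self, text):
        for line in text.splitlines():
            if line.strip():
                self.feed(line)
        return self.alerts


def summarize(monitor):
    """Principals ranked by how many distinct decoys they touched."""
    return sorted(((p, len(d)) for p, d in monitor.touches.items()),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    monitor = DeceptionMonitor(isolate=lambda p: print("ISOLATE", p))
    for ts, principal, reasons in monitor.run(SAMPLE_LOG):
        print(ts, principal, reasons)
    print(summarize(monitor))
```

The design choice worth noting is that the monitor has no allow-list and no scoring: the inventory does the work, and the only tuning knob is keeping the decoy set disjoint from anything production actually uses, which is the inventory and log-analysis groundwork Handorf says has to exist before a deception operation makes sense.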
Other benefits of deception operations
Aside from serving as a motion detector to alert admins of intrusions, deception operations can help gather intelligence on who the adversaries are, which is helpful information for subsequently notifying law enforcement. “The threat actor is now identified, and that can be passed on,” Handorf says. “And then their social networking, their means of communication will be illuminated at that point for future interdiction.”
Even as deception operations prove helpful to this intelligence-gathering on external adversaries, they can also help pinpoint insider threat actors. Desai says, “The more important and effective use case that I’m seeing with the large organizations I speak with is for insider threat, or these compromised assets use cases where a malicious insider is trying to poke around in your environment and getting to a destination that he doesn’t need to be to do his job.”
Moreover, establishing deception operations could fulfill some requirements under cyber insurance policies. Insurers might say, “Prove to us that you have got a handle on your environment, on your network, and the investment of a couple of thousand dollars a year to drop a couple of these boxes in is probably quite a sound investment in instances like that,” Rapid7’s Langford says.
How CISOs should approach deception technology
During his Shmoocon talk, Handorf offered his own real-world example of establishing deception technology on 40 acres of land he and his wife purchased. As it turned out, the land was overrun by squatters, illegal hunters, and other undesirable trespassers.
To tackle the problem, he created a company called the Rattlesnake Sanctuary, planted signs around his property containing QR codes for trespassers with cellphones to learn more about the sanctuary, erected a network of cameras and speakers, and studied his land to determine where and how to place these assets. His goal was to “ultimately collect as much information about the trespassers that are up there and then, when warranted, pass it on to law enforcement for them to do their job.”
However, this kind of elaborate operation, scaled up to a corporate setting, is reserved for only the biggest corporations, some of which go to extensive lengths in their deception techniques. “There are companies in the US that run deception operations really, really well,” Handorf says, suggesting that many of these are financial institutions with lots of international agreements.
“They create fake departments. They have fake division heads. You can fabricate a person’s face, but you don’t want to because that’s still easily discoverable. You can hire actors; you could hire other human beings if you need to go that far to play these particular roles, to come into a place, sit down and drink coffee, and follow a script of emails. A lot of this is what you would experience in a world where your adversary has a lot of deep pockets to want to get the crown jewels that you have.”
Some companies may need to outsource deception operations
But, for most organizations, this level of deception is unnecessary. “For what I would describe as mid-enterprise organizations, the majority of the time they’re trying to protect probably against ransomware as well as making sure their intellectual property doesn’t leave from one to two ways, either via an insider threat or an external adversary intentionally targeting. Infosec 101 covers the majority of that.”
“Setting up effectively fake fronts is probably for the realms of the few rather than the many,” Langford says. “It depends on what you are defending against, and it depends on what your threat profile is, what your threat surface is, and how important it is.” Langford recommends that most companies hire outside firms to run ordinary deception operations. “Most organizations probably can’t deal with it alone, and they’d have to call in folks from the outside,” he says.
Bringing in outside experts is particularly important given that ill-conceived deception operations can carry legal risks because they might accidentally cause threat actors to infiltrate other organizations or could induce employees to allege entrapment. “That is part of the problem,” Langford says. “The risk of not doing this is high. The risk of doing this is high.”
But, he says, “That’s why I say you need to build a plan, know your scope, know what you’re going to do, know why you’re going to do it, document why you’re going to do it, document the benefits, et cetera. It’s a far easier conversation with your legal department or your general counsel or external counsel as opposed to just rocking up and saying, ‘Hey, we are going to encourage attackers to come into our network.’”
Original Post url: https://www.csoonline.com/article/3808813/tricking-the-bad-guys-realism-and-robustness-are-crucial-to-deception-operations.html
Category & Tags: Hacking, Security, Security Practices, Threat and Vulnerability Management