The role of deception in cyber warfare

By Hen Lamay | 3 May 2018

Whether you’re the chief information security officer (CISO) of a large enterprise with offices across the globe or the IT manager of a small enterprise, if you had a big budget, you would spend it on building and maintaining a security operations centre (SOC) to monitor every risk your enterprise might face. You would hire the best security team to operate the SOC and you would purchase the best security systems from the biggest vendors in order to protect the enterprise against various threats.

But would it help? Would you have been able to properly respond to each alert and each potential attack? Today, CISOs, IT managers and their teams are overwhelmed by expensive and complex deployments of endpoint security systems, by detailed alerts about possible attacks given by those systems and by too many false positives (F/Ps). They are unable to respond properly and in a timely manner to every alert (assuming it wasn’t another F/P that distracted them). It usually takes them days or even weeks to understand what really happened during an attack, and to fix the damages caused by it. If that seems bad, it’s probably worse.

Not just because CISOs are understaffed today and have trouble setting up teams with proper qualifications, the shortage in cyber security personnel is estimated at 3.5 million unfilled jobs by 2021. With increasing numbers of cyber-attacks, breaches and stolen data, and with decreasing numbers of suitable talent in the market, as a CISO, it might seem like a difficult situation. But all is not lost, you just have to be prepared for the threats of the future.

Today, as a CISO, you have a large selection of security solutions that can fit your enterprise. Antivirus/antimalware solutions scan the computer all the time looking for known threats. If you’re a CISO in a regulatory environment, then it’s a must have. But they mostly rely on old methodologies and you have to find other solutions to complement them.

Next-gen antimalware solutions are based on machine learning (ML) & AI, the common buzzwords in recent years. When it comes to security some believe that they’re a must have because they’re used to detect abnormality or malicious activity without signatures. Having better chances than the traditional antivirus software (which is considered obsolete in today’s cyber warfare, even according to a top executive at Symantec) but still having problems and issues when misconfigured or fed incomplete or erroneous information. But ML & AI have been rejected by top experts who are concerned about the use of machine learning in security solutions. And while remote browsing solutions let you enjoy using the internet in an isolated environment, they help prevent possible attacks that are initiated using regular browsers. The list of solutions goes on and on, making it harder for you to decide which one is better and helpful. One technology that should be considered is deception. It’s advanced, reliable and effective against unknown and sophisticated threats.

The history of deception technology begins somewhere in the 1990s with the honeypot: a basic notion that one can put a decoy on a legitimate resource inside the corporate network and monitor it for any wrongful access or use it to divert from the real target information inside the organisation.

In recent years the idea of a honeypot was used in an automated way and with scale in mind. The idea that in large enterprises it’s hard to deploy and manage many honeypots, combining them with static information that can be detected over time (by malware authors of course), resulted in network deception solutions. Usually deployed on the corporate network and creating various pieces of false information for attackers to pursue - breadcrumbs (from fake credible credentials to corporate documents and network resources) – could trigger alarms with high fidelity. That helps the CISO distinguish an F/P to a real attack in real time, and provide the tools to actively engage the threat and eliminate it.

Over the course of a few years, a new form of deception was born, only at the endpoint rather than on the network. The major difference behind the idea of endpoint deception was to thwart the attackers completely before they even managed to attack the endpoint itself, or laterally moved inside the corporate network. Today most of the malware out there is using different evasion techniques (at least ten per sample, according to 2015 research by Lastline). They try to avoid security systems and researchers by identifying their presence in the environment before they attack. Endpoint deception solutions take advantage of this in order to create a hostile or unattractive environment for malware to attack, using its own defences against it. A common example is the anti-sandbox evasion technique: mimicking an environment will likely cause a malware to terminate itself or act benign by disabling or not downloading its malicious payload since it doesn’t want to be caught by automated sandbox environments used by enterprises to detect malware entering the corporate network. Using deception-based endpoint solutions can help get better detection rates of real threats (instead of more F/Ps) in real time with automated response. They are more lightweight and easier to manage than other products, which reduces the operational burden.

Gartner research firm identified deception as one of the top security technologies in 2017 and as part of the ​top strategic technology trends for 2018. Clearly, deception becomes more the technology of choice to thwarting threats in organizations.

Deception solutions were once part of an emerging market and today they’re in the frontline of cyber warfare. They help against advanced and unknown threats, and having one increases a firm’s ability to safeguard the enterprise. It might well become an important part of the organisation’s arsenal.

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development