{"id":1640,"date":"2025-01-24T06:00:00","date_gmt":"2025-01-24T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1640"},"modified":"2025-01-24T06:00:00","modified_gmt":"2025-01-24T06:00:00","slug":"tricking-the-bad-guys-realism-and-robustness-are-crucial-to-deception-operations","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1640","title":{"rendered":"Tricking the bad guys: realism and robustness are crucial to deception operations"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Longtime cybersecurity practitioners might recall the early guidance manuals published by the National Security Agency\u2019s National Computer Security Center (NCSC) in the 1980s and 1990s known as the \u201c<a href=\"https:\/\/irp.fas.org\/nsa\/rainbow.htm\">Rainbow Series<\/a>,\u201d so named because each book had a different-colored cover.<\/p>\n<p>Among these was <a href=\"https:\/\/irp.fas.org\/nsa\/rainbow\/tg030.htm\">the book<\/a> \u201cA Guide to Understanding Covert Channel Analysis of Trusted Systems\u201d (NCSC-TG-030, the \u201cLight Pink Book\u201d), published in 1993. It is one of the earliest documents in the digital era to treat hidden channels inside a system, paths through which information can move without the system\u2019s security controls noticing, as something to be systematically identified, measured, and controlled. That disciplined thinking about concealed activity on a trusted system is part of the lineage of what is now known as deception technology.<\/p>\n<p>But deception technology, or methods for luring bad actors into digital traps, has come a long way since then. 
Modern deception technology involves dedicating some computer assets to house fabricated yet realistic and complex digital records, which makes them attractive lures for cybercriminals and other malicious actors.<\/p>\n<p>For some major organizations, deception efforts could become real-world productions, complete with phony social media profiles, fake office sets, and even actors pretending to be employees, all to snooker the bad guys into a dead-end.<\/p>\n<p>\u201cDeception operations are useful to conduct, but you have to have a robust infrastructure,\u201d threat intel hacker and former FBI computer scientist Russell Handorf <a href=\"https:\/\/www.shmoocon.org\/schedule\/\">said<\/a> during a presentation at this year\u2019s Shmoocon conference.<\/p>\n<p>\u201cYou have to know the cadence. You have to have a lot of that other foundational stuff in play. If you do have that stuff in play and decide to run a deception operation, it is a strong signal that something hinky is going on in your infrastructure.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Deception requires more than creating honeypots<\/h2>\n<p>The goal of deception technology, also known as deception techniques, operations, or tools, is to create an environment that attracts and deceives adversaries to divert them from targeting the organization\u2019s crown jewels. 
Rapid7 <a href=\"https:\/\/www.rapid7.com\/fundamentals\/deception-technology\/\">defines<\/a> deception technology as \u201ca category of incident detection and response technology that helps security teams detect, analyze, and defend against advanced threats by enticing attackers to interact with false IT assets deployed within your network.\u201d<\/p>\n<p>Most cybersecurity professionals are familiar with the most common current application of deception technology, <a href=\"https:\/\/www.csoonline.com\/article\/567081\/what-is-a-honeypot-a-trap-for-catching-hackers-in-the-act.html\">honeypots<\/a>, decoy computer systems with no production purpose other than to attract malicious actors and record what they do; because no legitimate user has any reason to touch them, any interaction with a honeypot is suspicious by definition. But experts say honeypots are only decoys, one component of what should be a broader effort to get shrewd, and easily angered, adversaries to buy into an elaborate deception.<\/p>\n<p>Companies selling honeypots \u201cmay not be thinking about what it takes to develop, enact, and roll out an actual deception operation,\u201d Handorf said. \u201cAs I stressed, you have to know your infrastructure. You have to have a handle on your inventory, the log analysis in your case. But you also have to think that a deception operation is not a honeypot. It is more than a honeypot. It is a strategy that you have to think about and implement very decisively and with willful intent.\u201d<\/p>\n<p>Deepen Desai, CSO and head of security research at Zscaler, compares deception operations to motion detectors. \u201cIf I were to draw an analogy, you have locks, keys, and doors to protect your house from bad guys getting in. 
But when bad guys get in, whether they\u2019re pretending to be the good guys or they\u2019re already inside, it\u2019s the motion sensors that you tactically place at spots in the house that are not easily visible but raise the alarm when someone is at a place where you don\u2019t expect them to be.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Realism is critical to the success of deception<\/h2>\n<p>A critical component of deception technology is the creation of assets that criminals and other threat actors believe are real, at least for a while. If they see through the decoys quickly, they exit or avoid them altogether, which renders the deception operation useless. \u201cYou\u2019re not going to be able to do it perfectly because you\u2019re going to always leave some sort of weird footprint, a little flag,\u201d Handorf tells CSO.<\/p>\n<p>Getting the details right for highly elaborate deception operations is particularly important. Assets that appear fake, such as 1,000 computers all unrealistically built precisely the same way, \u201ctip off the adversary that it\u2019s not a real deception,\u201d Handorf says. \u201cSomething about the host isn\u2019t exactly right. It\u2019s too symmetrical. In movies, people walk in, and they are like, \u2018Wait, there\u2019s something about this room that just doesn\u2019t feel right. It\u2019s way too convenient,\u2019 and then, all the cops show up.\u201d<\/p>\n<p>Thom Langford, EMEA CTO of Rapid7, tells CSO that although his organization has succeeded in past deception operations, \u201cit became apparent quite quickly that the more serious attackers, the more serious threat actors found out what was going on rather quickly. They realized they were dealing with deceptive technology. 
That immediately diminishes its value.\u201d<\/p>\n<p>Even worse, Handorf says, \u201cOnce the actor gets in and they start seeing that stuff, you could piss them off, you can make them angry, you can make them frustrated, and they may want to hurt you more.\u201d<\/p>\n<p>Desai says that threat actors caught in deception operations can, like most people, behave in various ways. \u201cSome will exfiltrate data, remove all the traces, wipe out all the evidence, and get out of that environment. But then there are those who were unable to hit their mission objective and were like, \u2018Okay, my cover is blown. Let me now destroy everything that I have access to and get out.\u2019 So, you can end up with either.\u201d<\/p>\n<p>The desire of some threat actors to wreak havoc is why Desai recommends that organizations implement a zero-trust architecture first. \u201cThis is where you need to have the deception technology integrated with your zero-trust platform. As soon as someone gets trapped by your deception technology, you automatically isolate them from the real environment.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Other benefits of deception operations<\/h2>\n<p>Aside from serving as a motion detector to alert admins of intrusions, deception operations can help gather intelligence on who the adversaries are, which is helpful information for subsequently notifying law enforcement. \u201cThe threat actor is now identified, and that can be passed on,\u201d Handorf says. \u201cAnd then their social networking, their means of communication will be illuminated at that point for future interdiction.\u201d<\/p>\n<p>Even as deception operations prove helpful to this intelligence-gathering on external adversaries, they can also help pinpoint insider threat actors. 
Desai says, \u201cThe more important and effective use case that I\u2019m seeing with the large organizations I speak with is for insider threat, or these compromised assets use cases where a malicious insider is trying to poke around in your environment and getting to a destination that he doesn\u2019t need to be to do his job.\u201d<\/p>\n<p>Moreover, establishing deception operations could fulfill some requirements under cyber insurance policies. Insurers might say, \u201cProve to us that you have got a handle on your environment, on your network, and the investment of a couple of thousand dollars a year to drop a couple of these boxes in is probably quite a sound investment in instances like that,\u201d Rapid7\u2019s Langford says.<\/p>\n<h2 class=\"wp-block-heading\">How CISOs should approach deception technology<\/h2>\n<p>During his Shmoocon talk, Handorf offered his own real-world example of establishing deception technology on 40 acres of land he and his wife purchased. As it turned out, the land was overrun by squatters, illegal hunters, and other undesirable trespassers.<\/p>\n<p>To tackle the problem, he created a company called the Rattlesnake Sanctuary, planted signs around his property containing QR codes for trespassers with cellphones to learn more about the sanctuary, erected a network of cameras and speakers, and studied his land to determine where and how to place these assets. His goal was to \u201cultimately collect as much information about the trespassers that are up there and then, when warranted, pass it on to law enforcement for them to do their job.\u201d<\/p>\n<p>However, this kind of elaborate operation writ larger on a corporate scale is reserved only for the biggest corporations, some of which go to extensive lengths in their deception techniques. 
\u201cThere are companies in the US that run deception operations really, really well,\u201d Handorf says, suggesting that many of these are financial institutions with lots of international agreements.<\/p>\n<p>\u201cThey create fake departments. They have fake division heads. You can fabricate a person\u2019s face, but you don\u2019t want to because that\u2019s still easily discoverable. You can hire actors; you could hire other human beings if you need to go that far to play these particular roles, to come into a place, sit down and drink coffee, and follow a script of emails. A lot of this is what you would experience in a world where your adversary has a lot of deep pockets to want to get the crown jewels that you have.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Some companies may need to outsource deception operations<\/h2>\n<p>But, for most organizations, this level of deception is unnecessary. \u201cFor what I would describe as mid-enterprise organizations, the majority of the time they\u2019re trying to protect probably against ransomware as well as making sure their intellectual property doesn\u2019t leave from one to two ways, either via an insider threat or an external adversary intentionally targeting. Infosec 101 covers the majority of that.\u201d<\/p>\n<p>\u201cSetting up effectively fake fronts is probably for the realms of the few rather than the many,\u201d Langford says. \u201cIt depends on what you are defending against, and it depends on what your threat profile is, what your threat surface is, and how important it is.\u201d Langford recommends that most companies hire outside firms to run ordinary deception operations. 
\u201cMost organizations probably can\u2019t deal with it alone, and they\u2019d have to call in folks from the outside,\u201d he says.<\/p>\n<p>Bringing in outside experts matters all the more because an ill-conceived deception operation carries legal risk: a decoy that is not properly contained can become a springboard from which a threat actor reaches other organizations, and a decoy aimed at employees can prompt allegations of entrapment. \u201cThat is part of the problem,\u201d Langford says. \u201cThe risk of not doing this is high. The risk of doing this is high.\u201d<\/p>\n<p>But, he says, \u201cThat\u2019s why I say you need to build a plan, know your scope, know what you\u2019re going to do, know why you\u2019re going to do it, document why you\u2019re going to do it, document the benefits, et cetera. It\u2019s a far easier conversation with your legal department or your general counsel or external counsel as opposed to just rocking up and saying, \u2018Hey, we are going to encourage attackers to come into our network.\u2019\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Longtime cybersecurity practitioners might recall the early guidance manuals published by the National Security Agency\u2019s National Computer Security Center (NCSC) in the 1980s and 1990s known as the \u201cRainbow Series,\u201d so named because each book had a different-colored cover. Among these was the book \u201cA Guide to Understanding Covert Channel Analysis of Trusted Systems\u201d (NCSC-TG-030), published in 1993. 
It is one of [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1641,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1640","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1640"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1640"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1640\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1641"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1640"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1640"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1640"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}