Deception technology and breach anticipation strategies
Cybersecurity is undergoing a paradigm shift. Previously, defenses were built on the assumption of keeping adversaries out; now, strategies are formed with the idea that they might already be within the network. This modern approach has given rise to advanced methods prioritizing rapid detection, immediate response, and efficient recovery, introducing concepts like the “attacker mindset” and leveraging deception technology.
In this Help Net Security interview, Xavier Bellekens, CEO of Lupovis, explains how the implementation of deception-as-a-service offers an extra layer of defense, aiding both the CISO and their team with early warning indicators of potential breaches.
How does assuming that an adversary has already established a presence within a network influence the development of cybersecurity strategies?
Assuming an adversary is already within the network influences cybersecurity strategies to prioritize rapid detection, immediate response, and efficient recovery. This approach promotes continuous monitoring, anomaly detection, and incident readiness, but also requires efficiency.
Adopting an “attacker mindset” is the evolution of this approach. By emulating the tactics of adversaries, we can anticipate their strategies, challenge our defenses, and proactively address security gaps. This dual approach of breach anticipation and thinking like an attacker results in a more dynamic and robust strategy.
Deception technology further strengthens both paradigms. It uses decoys, traps, and misinformation to detect intruders efficiently with a very low false-positive rate and divert them, providing early warning of a breach and disrupting the adversary’s operations, but also learning about their mindset. Thus, deception becomes a powerful tool in this continuous cycle of anticipating, detecting, and responding to ever-evolving cyber threats.
What are some ways CISOs can use deception to protect an organization’s sensitive data and high-value intellectual property? How does this strategy aid in luring attackers away from valuable assets?
The main strategies aim at making the adversary believe they’re making progress while leading them further from real assets. Hence, deception strategies can be tailored according to different goals and adversaries, whether they aim to obtain Tactics, Techniques, and Procedures (TTPs), or to enable early, true-positive alerts for the Security Operations Center (SOC).
If the goal is to learn about the TTPs of the adversaries, the strategy will be to employ highly interactive decoys that can be used to lure attackers into spending more time interacting with the systems. This offers the SOC and the CTI team more opportunity to observe and understand the adversary’s methods.
On the other hand, if the goal is to enable early alert detection, breadcrumbs and low-hanging-fruit decoys might be deployed at choke points and lead to crown-jewel lures.
In both cases, their activation signifies abnormal activity, triggering immediate alerts in the SOC. The types of decoys and breadcrumbs deployed may differ, but the fundamental concept remains the same: deception is a psychological game aimed at luring and confusing the adversary and gaining the upper hand. The objective is to mislead attackers, waste their resources, and collect intelligence or create time for response.
Modern deception technology has evolved significantly and can be deployed rapidly, often within minutes. It provides an additional layer of defense that assists both the CISO and their team by offering early warning signs of a potential breach. This immediate alert capability allows for faster decision-making and response.
Depending on the maturity and goals of the organisation, different deception strategies will involve the deployment of deceptive services, lures, networks, fake environments, or even creating a digital twin architecture.
Long gone are the days where deception was a Fortune 500 solution. These days, any security team, small, medium or large, can use deception to their advantage.
Historically, financial services organizations have focused more on protecting against outsider threats. Since insider threats are also a significant concern, how can these organizations change their approach to cybersecurity?
The financial and other sectors have been akin to building castles, with robust walls built to fend off external threats. But as the adage goes, we’ve spent years building castle walls only to realize that insider threats have the keys to the vault room.
While traditionally the focus has been on external threats, insider threats have been on the rise. These threats, coming from trusted insiders with legitimate access, present a unique challenge.
This is where deception technology comes into play. Deception doesn’t distinguish between an insider threat or an outsider threat. Its key strength lies in the assumption that any interaction with the deception system is considered malicious, as it’s not meant to be accessed by legitimate users. Thus, it serves as an effective early warning system for any unauthorized access, irrespective of the source.
The advantage of modern deception technology such as deception-as-a-service is its adaptability and ease of deployment. It can be swiftly set up both inside and outside the network perimeter, adding a valuable layer of security without causing an increase in false positives. Furthermore, it can be easily integrated with zero-trust or defence-in-depth paradigms.
Any part of a financial system, from ATM networks to the SWIFT system, can be replicated with deception. This allows organizations to lure potential attackers, be they insiders or outsiders, away from real assets and into controlled, observable environments.
The versatility of deception makes it applicable in all sectors and across all networks, offering a dynamic solution to lure an evolving threat landscape. By integrating deception technology into their cybersecurity strategies, organizations can pivot from merely guarding the castle walls to vigilantly monitoring both the castle grounds and the vault room within.
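The alerting principle in the two answers above, that any interaction with a decoy is treated as malicious whether the source is an insider or an outsider, that breadcrumb and crown-jewel lures carry different weight, and that the false-positive rate stays low because decoys have no legitimate users, can be shown as a small detector over connection logs. This is an added example, not Lupovis code or any product's log format: the decoy inventory, the honeytoken account, the sanctioned-scanner allowlist, the key=value log line shape and the log lines themselves are all constructed for the illustration.

```python
"""Decoy-interaction detector (added example, constructed data throughout)."""
from dataclasses import dataclass, field
import ipaddress
import re

# Constructed decoy inventory: address -> (tier, description). Breadcrumb decoys
# sit at choke points; crown-jewel lures imitate what the breadcrumbs point at.
DECOY_HOSTS = {
    "10.20.5.77": ("breadcrumb", "decoy finance file share"),
    "10.20.9.12": ("crown-jewel", "decoy payment gateway"),
}
# Constructed honeytoken account: a planted credential nobody should ever use.
HONEY_ACCOUNTS = {"svc_backup_legacy": "crown-jewel"}
# Sources allowed to touch decoys (here: a sanctioned vulnerability scanner).
# Excluding them is what keeps the decoy alert stream near zero false positives.
SANCTIONED_SOURCES = {"10.20.1.5"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SEVERITY = {"breadcrumb": "high", "crown-jewel": "critical"}
RANK = {"high": 1, "critical": 2}

# Assumed key=value log shape (constructed, not any vendor's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S*) action=(?P<action>\S+)$"
)


@dataclass
class Alert:
    src: str
    origin: str            # "insider", "outsider" or "unknown"
    target: str            # decoy host address, or "account:<honeytoken>"
    severity: str
    first_seen: str
    count: int = 0
    reasons: list = field(default_factory=list)


def classify_origin(src: str) -> str:
    """Insider/outsider only labels the alert; it never suppresses it."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "unknown"
    return "insider" if any(ip in net for net in INTERNAL_NETS) else "outsider"


def detect(lines):
    """One Alert per (source, decoy) pair; repeat touches raise the count."""
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped, never alerted on
        src, dst, user, ts, action = m["src"], m["dst"], m["user"], m["ts"], m["action"]
        if src in SANCTIONED_SOURCES:
            continue
        touched = {}  # target -> (severity, reasons) for this one line
        if dst in DECOY_HOSTS:
            tier, desc = DECOY_HOSTS[dst]
            touched[dst] = (SEVERITY[tier], [f"{action} on {desc}"])
        if user in HONEY_ACCOUNTS:
            # Honeytoken use is an indicator even when the destination is a real host.
            target = dst if dst in DECOY_HOSTS else f"account:{user}"
            sev = SEVERITY[HONEY_ACCOUNTS[user]]
            prev_sev, reasons = touched.get(target, (sev, []))
            reasons.append(f"use of honeytoken account {user}")
            touched[target] = (max(prev_sev, sev, key=RANK.get), reasons)
        for target, (sev, reasons) in touched.items():
            a = alerts.get((src, target))
            if a is None:
                a = Alert(src, classify_origin(src), target, sev, ts)
                alerts[(src, target)] = a
            a.count += 1
            a.reasons.extend(r for r in reasons if r not in a.reasons)
            if RANK[sev] > RANK[a.severity]:
                a.severity = sev  # escalate: crown-jewel beats breadcrumb
    return sorted(alerts.values(), key=lambda a: a.first_seen)


# Constructed log lines: sanctioned scan, a real-asset access, two breadcrumb
# touches, crown-jewel logins from inside and outside, honeytoken use against a
# real host, and one malformed line.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z src=10.20.1.5 dst=10.20.5.77 user= action=connect",
    "2024-05-01T10:00:07Z src=10.20.3.44 dst=10.20.0.10 user=alice action=connect",
    "2024-05-01T10:01:15Z src=10.20.3.44 dst=10.20.5.77 user=alice action=smb_read",
    "2024-05-01T10:01:16Z src=10.20.3.44 dst=10.20.5.77 user=alice action=smb_read",
    "2024-05-01T10:02:40Z src=10.20.3.44 dst=10.20.9.12 user=svc_backup_legacy action=login",
    "2024-05-01T10:03:02Z src=203.0.113.9 dst=10.20.9.12 user=svc_backup_legacy action=login",
    "2024-05-01T10:04:10Z src=10.20.3.44 dst=10.20.0.10 user=svc_backup_legacy action=login",
    "garbage line without the expected fields",
]


def run_sample():
    return detect(SAMPLE_LOGS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] {a.origin} {a.src} -> {a.target} x{a.count}: {'; '.join(a.reasons)}")
```

Note how the decision never depends on who the source is: the only exclusion is the sanctioned scanner, and even a legitimate employee account reading the decoy share produces an alert, because nothing legitimate should ever reach it.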
How are security solutions evolving to address the growing threat landscape amid the digital transformation of manufacturing processes? How are these measures helping protect the sector from industrial espionage, state-sponsored attacks, and ransomware attacks?
In manufacturing, any disruption can have a costly impact. Fortunately, decoys can be deployed across the operational environments, including the internet DMZ, Enterprise Zone, and SCADA networks, following the Purdue model.
The beauty of deception technology is its versatility. Different adversaries have different skills and interests, and decoys can be tailored to various types of threats, from Advanced Persistent Threats (APTs) to industrial espionage and ransomware groups.
Decoys are designed to be attractive targets for adversaries and can take various forms, such as a fake patent database, confidential emails, or even physical decoys like mobile phones and laptops to tackle threats like the “evil maid” attack or PLCs.
Specifically, for ransomware, numerous decoys can be employed to detect and distract attackers, buying valuable time for response. This is particularly vital given the rising trend of double ransom attacks, where data is exfiltrated before deploying the ransomware. By utilizing deceptive traps, organizations can both protect their operations and make the adversaries’ tasks more challenging.
What role does “increasing the attacker’s cost” play in cybersecurity? How can security teams implement this effectively?
Deception technology is a key tool to increase an attacker’s cost. It creates decoy systems and data that lead attackers away from real assets, wasting their time and resources.
Another trend that’s boosting the strategy of “increasing the attacker’s cost” is the convergence of deception with Automated Moving Target Defense (AMTD). Within this approach deception constantly changes the attack surface, making it harder for adversaries to navigate the system or gain a foothold. With deception, any progress the attacker believes they’re making is actually leading them deeper into the trap.
In the past, deception was challenging to set up and deploy. However, with the emergence of Deception as a Service, this process has become significantly faster and easier. Now, security teams can implement deceptive environments at scale within minutes, and automate the AMTD aspect of deception, enhancing their defensive / offensive and active capabilities without draining resources.
By implementing deception-as-a-service, security teams can make attacking their systems costly and frustrating for any adversary and keep the upper hand.