Post by Moshe Ben-Simon and Nick Palmer
When we talk to customers about deception, increasingly they see it as a fresh approach that complements their existing security investments. Organizations have begun moving from a 9:1 ratio of prevention-to-detection investment toward the 6:4 ratio advocated by many security thought leaders. A deception infrastructure is an effective way to identify attackers' positions inside the network and to gain valuable information about their tactics, techniques, and procedures (TTPs).
Gathering specific telemetry about attackers requires you to "deceive at scale." This is a crucial point. Typically, cyber criminals' most lucrative targets have vast infrastructures: thousands of systems, hundreds of potentially vulnerable partner gateways, and thousands of staff who need constant education on attack vectors and digital hygiene in the face of increasingly aggressive adversaries.
Historically, deception solutions have not scaled well. Conventional deception mechanisms such as honeypots never really progressed past "science project" status, with challenges around licensing, maintenance, integration, and risk (a real, compromisable host on your network is itself an asset to protect). Although many organizations reported good results from limited deployments, the cost of ownership has been prohibitively high. At the other end of the spectrum, limited-capability devices deployed at scale to detect network scans and answer connection attempts have delivered little information, are prone to excessive false positives, and are easily avoided by sophisticated attackers.
Deception vendors have worked hard to address these challenges. Some have succeeded, while others have not. Exploring this point requires understanding the components of an enterprise-grade deception solution and what they mean both to the organization operating them and to the attackers we seek to deceive.
At the most basic level, lures or tokens are used to blanket the infrastructure. Deployed at scale, these tokens and lures permeate the network with fake assets that encourage attackers at the reconnaissance stage to move laterally toward them. Tokens are essentially a response to the observation that advanced attackers no longer perform noisy network scans. If they scan at all, they avoid detection by sending single-packet probes (a lone SYN) to well-known ports at an extremely slow rate.
Attackers are now far more likely to concentrate on information they gather from the endpoint itself: cached credentials, saved connections, mapped shares, browser and shell history. Once on an endpoint, they can escalate privileges and move to other systems silently. Tokens are an incredibly valuable part of the story, but they are only the beginning. Consider an attacker who does not follow the lures, or who knows that certain deception solutions use scheduled tasks to plant them. Scheduled tasks are one of the first places an attacker looks when establishing persistence, so an unfamiliar task that refreshes lures gives the game away, and the deception trail runs dry very quickly.
Endpoint lures can point to more conventional honeypot devices deployed at far lower scale, which deliver high-quality telemetry about attackers. Many solutions scale these higher-interaction traps across multiple networks by equipping them with dozens of network interfaces, which makes them very easy to fingerprint. If an attacker runs ipconfig on a machine that is supposed to be a Windows client (or ifconfig on a supposed Linux host) and sees 32 network interfaces, they will leave that system, often cleaning up after themselves on the way out. At that point the investment you made in this type of deception infrastructure is essentially wasted; sophisticated attackers know how to fingerprint decoys on exactly these conditions.
An additional layer is critical to deceiving at scale, offering a far broader attack surface and a much higher probability of engaging an attacker. This layer blankets the environment not with tokens but with emulations of actual systems. Designed to be indistinguishable from the real thing, an emulation-based component offers attackers an interactive experience, fake data, and a seamless hand-off to a very realistic, high-interaction system that records all attacker activity in real time. An emulation layer can present commodity IT assets as well as devices that represent newer attack vectors, including Internet-of-Things devices, medical devices, SCADA systems, and ATMs. Realistic traffic between traps adds credibility for attackers who rely on passive network observation.
Imagine you're a sophisticated attacker in the early stages of a campaign. You may have already gained access to a target network through existing backdoors, or you may have purchased information about locations, naming conventions, IP addressing conventions, and device profiles. You're well prepared, you're committed, and you've established persistence on a client machine through scheduled tasks. The first thing you notice is a scheduled task on that client machine that you don't recognize. Instead of relying on machine-resident data to pick lateral targets, you decide to run a low-and-slow network scan to look for potential next steps, or simply to listen to network traffic passively. At that point, an approach that relies on tokens pointing to a small number of high-interaction decoys has failed to detect you.
What works in this scenario is a dense layer of highly sensitive emulations residing on the network and capable of detecting even a single-packet interaction: a decoy has no legitimate clients, so the first packet it receives is itself the alert. Tokens alone offer at most one chance. Even if an attacker who has already established persistence on three or four endpoints does interact with a token, they will not touch it again once that interaction is detected. With this in mind, unless the deception solution you're evaluating offers a "full stack" of deception technology, you may wish to reconsider.
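To make the scenario above concrete, here is an added example (not TrapX code) that runs two detection rules over the same constructed connection log: a classic threshold scan rule, which needs many distinct targets inside a short window, and a decoy-layer rule, which alerts on the very first packet to a decoy address. The subnet, the file server at 10.0.5.10, the decoy addresses 10.0.5.50-52, and the (timestamp, src, dst, port) event shape are all assumptions made for the example.

```python
"""Decoy-layer detection versus a threshold scan detector.

Added example, not TrapX code. Everything here is constructed:
10.0.5.0/24 is a client subnet, 10.0.5.10 is a real file server,
10.0.5.50-52 are emulated decoys that no legitimate host ever contacts,
and connection events are (timestamp, src_ip, dst_ip, dst_port) tuples
as a network sensor or the decoys themselves would log them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DECOYS = {"10.0.5.50", "10.0.5.51", "10.0.5.52"}  # constructed decoy addresses


def threshold_scan_alerts(events, min_targets=10, window=timedelta(minutes=5)):
    """Classic port-scan rule: alert on a source that touches at least
    min_targets distinct (dst, port) pairs inside a sliding time window."""
    alerts = set()
    history = defaultdict(list)  # src -> [(ts, (dst, port)), ...]
    for ts, src, dst, port in sorted(events):
        hist = history[src]
        hist.append((ts, (dst, port)))
        while hist and ts - hist[0][0] > window:  # expire entries outside the window
            hist.pop(0)
        if len({target for _, target in hist}) >= min_targets:
            alerts.add(src)
    return alerts


def decoy_touch_alerts(events):
    """Deception rule: a decoy has no legitimate clients, so the very first
    packet to one is an alert. Returns {src: timestamp_of_first_touch}."""
    first_touch = {}
    for ts, src, dst, port in sorted(events):
        if dst in DECOYS and src not in first_touch:
            first_touch[src] = ts
    return first_touch


def build_sample_events():
    """Constructed traffic: normal clients, a noisy scanner and a low-and-slow one."""
    t0 = datetime(2024, 1, 1, 9, 0)
    events = []
    # Normal workstations talking to the file server (SMB) and directory (LDAP).
    for i in range(20):
        events.append((t0 + timedelta(minutes=i), "10.0.5.20", "10.0.5.10", 445))
        events.append((t0 + timedelta(minutes=i, seconds=30), "10.0.5.21", "10.0.5.10", 389))
    # Noisy scanner: 15 ports on the file server within 15 seconds.
    for p in range(1, 16):
        events.append((t0 + timedelta(hours=2, seconds=p), "10.0.5.34", "10.0.5.10", p))
    # Low-and-slow attacker: one SYN per host per hour, alternating 445/3389,
    # sweeping 10.0.5.40-59, a range that happens to include the decoys.
    for i, host in enumerate(range(40, 60)):
        port = 445 if i % 2 == 0 else 3389
        events.append((t0 + timedelta(hours=i), "10.0.5.33", f"10.0.5.{host}", port))
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    print("threshold detector:", threshold_scan_alerts(sample))  # only the noisy scanner
    print("decoy layer:", decoy_touch_alerts(sample))            # the slow scanner, at its first decoy hit
```

Run as-is, the threshold rule flags only 10.0.5.34; the slow scanner from 10.0.5.33 never accumulates ten targets in any five-minute window and is invisible to it. The decoy rule catches 10.0.5.33 on its first probe of 10.0.5.50, ten hours into the sweep, with zero false positives because the rule fires on destination, not on rate. The two rules are complementary: the noisy scanner stayed away from the decoys, so density of decoys across the address space is what turns "eventually" into "early".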
We call our full-stack architecture "Deception in Depth™." Our DeceptionGrid™ platform is built on the Deception in Depth architecture, whose goal is to match each step of a sophisticated attack with a corresponding layer of deception. TrapX Deception in Depth combines wide-ranging deception capabilities to bait, engage, and trap attackers with fake attack surfaces that closely match attacker activity. This multi-tier architecture creates a tempting environment for attackers, who face immediate identification at every turn. Bait such as cached credentials, database connections, and network shares lures attackers to medium-interaction Traps, which extend transparently through our smart-deception proxy to FullOS Traps for the deepest attacker engagement and diversion. Fake network traffic between the Traps completes the illusion.
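The bait described here and the endpoint tokens described earlier share one detection principle: a planted credential or share has no legitimate users, so any use of it, successful or failed, is an alert. The following added example (not TrapX code) applies that rule to Windows Security events exported as one JSON object per line. The honey account names, the bait share, the workstation names and the log lines are constructed for the example; the event IDs and field names (4624/4625 logon success/failure, 4768 Kerberos TGT request, 4776 NTLM validation, 5140 network share accessed, with TargetUserName, SubjectUserName, ShareName, IpAddress, WorkstationName) are the Security log's own, and the `\\*\share` form of ShareName is how event 5140 records it.

```python
"""Honeytoken detection over Windows Security events.

Added example, not TrapX code. The honey account names, the bait share and
the sample log lines are constructed; the event IDs and field names are the
Windows Security log's, assumed here to have been exported as JSON lines.
"""
import json

HONEY_ACCOUNTS = {"svc_backup_old", "sql_admin_ro"}   # constructed bait accounts
HONEY_SHARES = {r"\\*\finance_archive"}               # constructed bait share, in 5140 ShareName form
LOGON_EVENTS = {4624, 4625, 4768, 4776}               # success, failure, Kerberos TGT, NTLM


def normalize_user(name):
    """Reduce 'CORP\\svc_backup_old', 'svc_backup_old@corp.local' and mixed
    case to the bare account name. Without this, an attacker spelling the
    bait account differently from how it was planted would slip past."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def honeytoken_alerts(log_lines):
    """Return one alert per event that uses a bait credential or bait share.
    A failed logon counts: the bait has no legitimate users, so any attempt
    means the credential was read from wherever it was planted."""
    alerts = []
    honey_shares = {s.lower() for s in HONEY_SHARES}
    for line in log_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid in LOGON_EVENTS:
            user = normalize_user(ev.get("TargetUserName", ""))
            if user in HONEY_ACCOUNTS:
                alerts.append({"kind": "honey_credential", "account": user, "event": eid,
                               "source": ev.get("IpAddress", ""),
                               "workstation": ev.get("WorkstationName", "")})
        elif eid == 5140:
            share = ev.get("ShareName", "").lower()
            if share in honey_shares:
                alerts.append({"kind": "honey_share", "share": share, "event": eid,
                               "source": ev.get("IpAddress", ""),
                               "account": normalize_user(ev.get("SubjectUserName", ""))})
    return alerts


# Constructed sample: one normal logon, a failed logon with a bait account
# spelled DOMAIN\user, a TGT request for a bait account spelled as a UPN,
# one normal share access and one access to the bait share.
SAMPLE_LOG = r"""
{"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.5.20", "WorkstationName": "WS020"}
{"EventID": 4625, "TargetUserName": "CORP\\svc_backup_old", "IpAddress": "10.0.5.33", "WorkstationName": "WS033"}
{"EventID": 4768, "TargetUserName": "sql_admin_ro@corp.local", "IpAddress": "::ffff:10.0.5.33"}
{"EventID": 5140, "SubjectUserName": "jdoe", "ShareName": "\\\\*\\public", "IpAddress": "10.0.5.20"}
{"EventID": 5140, "SubjectUserName": "CORP\\jdoe", "ShareName": "\\\\*\\Finance_Archive", "IpAddress": "10.0.5.33"}
""".strip().splitlines()


if __name__ == "__main__":
    for alert in honeytoken_alerts(SAMPLE_LOG):
        print(alert)
```

On the sample, three of the five events raise alerts, and all three point at 10.0.5.33, which is the kind of pivot the scenario above wants surfaced before the attacker reaches a real target. The normalization step matters more than it looks: Kerberos, NTLM and interactive logons each write the account in a different form, and a rule that string-matches only the planted spelling will miss two of the three.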
This multi-tier approach to engagement maximizes the deception surface to bait attackers, allowing TrapX to identify them quickly, determine their intentions, and gather detailed forensics and evidence. This deep visibility into malicious activity within the network can minimize or even eliminate the risk to intellectual property, IT assets, critical infrastructure, and impact on business operations.
Advanced deception technology, including emulations, high-scale decoys, high-interaction traps, deceptive data, fake network traffic, and deception tokens, is proven effective at identifying attacks in progress quickly and stopping attackers in their tracks. Without it, your network is needlessly vulnerable.