Post by Nick Palmer, Sales Engineer.
I read with interest the recent Times article reporting that the United States had paid nearly half a billion dollars to a UK firm for fake Al-Qaeda propaganda. Apparently Bell Pottinger embedded code connected to Google Analytics to track the IP addresses of people watching the distributed content, with the intention of passing their details on to defence agencies. It made me think again about Deception as part of a legitimate cyber security strategy. Sun Tzu himself counselled to ‘appear weak when you are strong, and strong when you are weak’, and it is often said that in warfare the navy employs fake sonar signals, the air force fake radar and ground troops fake intelligence. Why are we not using it more comprehensively in cyber warfare? With criminals continuing to breach even the most heavily invested and tightly controlled infrastructures, and vulnerabilities appearing in products that only five years ago were considered impenetrable, clearly a different approach is required.
Cyber adversaries spend their careers seeking to misrepresent, confuse and deceive end users and organisations. What is a ransomware-laden spear-phish if not a complete lie? The APT that hits your firewall with a DDoS attack to distract the internal teams while customer data is quietly siphoned off through a back door? All deception. Indeed, the hackers and their backers are arguably already more conversant with deception than any army ever was, simply because it is in their DNA. Suspending moral judgements for a moment: when your sole goal is monetisable content and you are effectively running a campaign remotely, the more you can confuse your target, the better.

This is where Deception as a legitimate corporate strategy comes in. An attacker landing on your infrastructure will most likely have an end in mind, and will have gathered intelligence about your network from an array of existing sources. He may know your naming conventions, your IP ranges and even details of your standard desktop build. Once he establishes a foothold, privilege escalation and lateral movement will be his primary aims. What if the machine he landed on was liberally populated with fake information about the infrastructure: fake hosts file entries, network shares, ODBC connections, browser histories and SSH sessions? What if all of these led back to highly convincing but utterly fake IT assets that looked and felt like your desktop or server fleet, but which alerted as soon as they were touched, since no legitimate user or process has any reason to connect to them? What if they were populated with the sort of content you know attackers are interested in, but which had no value at all, save to slow down the attacker's campaign? And what if interacting with these fake assets triggered an agentless capture from the compromised machine he had landed on, revealing the Indicators of Compromise that let you close the gap he had exploited?
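To make the breadcrumb-to-decoy-to-alert chain described above concrete, here is a small Python sketch. It is an example added for this edit, not code from Nick Palmer or from any deception product: the decoy address 10.20.30.40, the hostname fs-backup01.corp.example, the SSH alias and service account, the OpenSSH-style banner and the payroll filename are all made-up values. The breadcrumbs are the planted artefacts (a hosts-file line, an SSH config stanza, some shell history); the decoy is a listener that no legitimate client ever has a reason to contact, so every connection it receives is an alert in its own right. The listener binds to localhost so the whole thing runs offline; shipping the alert to a SIEM and the follow-on capture from the compromised host are left out.

```python
# Added example (not the author's or any vendor's code): breadcrumbs planted on a
# compromised workstation point at a decoy; the decoy alerts on any touch.
# DECOY_IP, DECOY_NAME, the alias, the user and the banner are made-up values.
import socket
import threading
import time
from datetime import datetime, timezone

DECOY_IP = "10.20.30.40"                 # assumption: where the decoy would live
DECOY_NAME = "fs-backup01.corp.example"  # assumption: plausible internal name
BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"      # looks real, reveals nothing useful


# --- Breadcrumbs: artefacts left on a real machine, all leading to the decoy ---

def hosts_breadcrumb(ip: str = DECOY_IP, name: str = DECOY_NAME) -> str:
    """One line for /etc/hosts or the Windows hosts file."""
    return f"{ip}\t{name}"


def ssh_config_breadcrumb(ip: str = DECOY_IP, alias: str = "backup",
                          user: str = "svc_backup") -> str:
    """An ~/.ssh/config stanza so that `ssh backup` lands on the decoy."""
    return f"Host {alias}\n    HostName {ip}\n    User {user}\n    Port 22\n"


def history_breadcrumb(alias: str = "backup") -> list[str]:
    """Shell-history lines that make the alias look recently and usefully used."""
    return [f"ssh {alias}", f"scp quarterly-payroll.xlsx {alias}:/srv/backup/"]


# --- Decoy: a listener that nobody legitimate ever connects to ---

def make_alert(peer, decoy_port: int, first_bytes: bytes) -> dict:
    """Build the alert record. There is no benign baseline to filter out:
    a decoy has no real clients, so any connection at all is the signal."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "severity": "high",
        "reason": "decoy touched",
        "src_ip": peer[0],
        "src_port": peer[1],
        "decoy_port": decoy_port,
        "first_bytes": first_bytes[:64].decode("latin-1"),
    }


class DecoyListener:
    """Accepts TCP connections, sends a banner, records who talked and what they sent."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0, banner: bytes = BANNER):
        self.banner = banner
        self.alerts: list[dict] = []
        self._lock = threading.Lock()
        self._running = True
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))       # port 0: let the OS pick one
        self._sock.listen(5)
        self._sock.settimeout(0.2)          # lets the accept loop notice close()
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while self._running:
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(self.banner)
                first = conn.recv(256)      # capture the intruder's opening bytes
            except OSError:
                first = b""
            with self._lock:
                self.alerts.append(make_alert(peer, self.port, first))

    def wait_for_alerts(self, n: int, timeout: float = 5.0) -> bool:
        """Block until at least n alerts exist or the timeout passes."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.alerts) >= n:
                    return True
            time.sleep(0.05)
        return False

    def close(self):
        self._running = False
        self._sock.close()


def simulate_attacker(port: int, payload: bytes, host: str = "127.0.0.1") -> bytes:
    """Stand-in for an intruder who read the breadcrumb and followed it."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(128)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    decoy = DecoyListener()
    print(hosts_breadcrumb())
    print(ssh_config_breadcrumb())
    simulate_attacker(decoy.port, b"SSH-2.0-attacker-scanner\r\n")
    decoy.wait_for_alerts(1)
    print(decoy.alerts[0])
    decoy.close()
```

The design point worth noticing is in make_alert: a real service needs tuning to separate attackers from the legitimate traffic it also carries, whereas a decoy carries none, so the first connection is already a high-confidence event that names the compromised source host. In a deployment the listener would sit on the decoy address the breadcrumbs advertise rather than on localhost, and the alert would be forwarded to the SIEM or incident response tooling.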
A Deception-based approach to security relies on a measure of pragmatism, both from the business and from the technology teams. If the information on your network has value on the black market, then someone will be eyeing it with interest. With such rich publicly available sources of information on your employees (LinkedIn, Facebook, Instagram), it is only a matter of time before an attacker socially engineers one of your staff and establishes a foothold on your network. When that happens, a Deception infrastructure will significantly slow them down and, more importantly, give you the early warning necessary to respond and minimise the impact.