Cyber Matters: The Art of Deception

By Rob Sloan, cybersecurity research director, WSJ Pro

The prevailing view among cybersecurity professionals is that the compromise of network security is inevitable. The latest data from Mandiant, the incident response unit of FireEye Inc., suggests attackers have free rein on networks for an average of around six months before they are detected. This window of opportunity, the ‘dwell time’, is when the damage is done.

To mitigate damage, companies must seek to shorten the gap between compromise and detection. This is the space where companies specializing in deception technologies operate.

Deception technologies aim to slow the attacker’s progress and lure them into revealing their presence on the network. This can include the use of decoy devices that mimic file servers or email servers, for example. Because there is no legitimate reason for any activity on those devices, any interaction with them signals an attacker’s presence. These decoys can be adapted in real time to tie up attacker resources and to collect information about tools and techniques, giving defenders a better understanding of the adversary.

There are some prerequisites to deploying deception technology. It is essential that organizations have the basics covered and are able to deal with the majority of low-level attacks before they implement a new tool that aims primarily to defend against more sophisticated threat actors. In this respect, deception solutions are simply another layer of an organization’s defense-in-depth strategy.

“You don’t need to be breached if you have an effective strategy”

“Cybersecurity is not a technology problem, it’s a strategic problem,” said Bob Jamieson, chief information security officer at Mallinckrodt Pharmaceuticals LLC. “You don’t need to be breached if you have an effective strategy,” continued Mr. Jamieson, one of the minority who rejects the commonly held belief that compromise is inevitable.

“Organizations need a strategy that looks at what the attackers are seeking to achieve and then acts to deploy appropriate people, processes and technology to defend against that threat,” said Mr. Jamieson.

To that end, Mr. Jamieson has deployed deception technologies on the company’s network and has been impressed with the results, in particular the ability to move attackers away from the real environment and into the fake environment where they can be observed and are unable to do any damage.

“There are things you can do that allow you to get active in the prevention of attackers getting into your systems,” said Mr. Jamieson. “You can witness their behavior, harvest their IP addresses and make sure they are blacklisted, and build up your own intelligence function.”

To date, none of the attackers redirected to the fake environment have realized they were not interacting with real devices, he said. “Attackers never expect to get attacked back. They think of this as a free range,” said Mr. Jamieson.

The need for yet another layer of security has come about not because existing security solutions are unfit for purpose, but because networks and attackers have evolved. In particular, the marked increase in the amount of encrypted traffic inside networks means many of the traditional ‘packet sniffing’ security solutions that analyze the contents of internet traffic are no longer as effective as they once were.

Dealing with Information Overload

“Security and privacy have led us to encrypt more traffic, but also allows bad guys to hide,” said John McCormack, CEO of Fidelis Security Inc., whose company has developed a deception solution. Mr. McCormack describes the technology as “a tripwire inside your network that helps reduce the time between an adversary getting in and the time you discover them.”

Mr. McCormack argues deception solutions should not add to the workload of security teams: “Today they are faced with an overload of information and they can’t figure out what the real threats are from the false positives. Properly deployed deception technology can have zero false positives.” Acknowledging this is a bold statement, Mr. McCormack adds: “Nobody should ever touch the decoys. If somebody touches them, either it’s a misconfiguration or you’ve got something interesting to look at. Regardless, you need to investigate.”
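The detection principle behind the decoys described above (nobody has a legitimate reason to touch one, so every interaction is either a misconfiguration or something worth investigating) can be shown as a small log-analysis routine. The following is an added example, not code from the article or from any vendor named in it: it reads constructed flow-log lines, flags every flow whose destination is a registered decoy, separates hits from a hypothetical management host (likely misconfiguration) from everything else (suspicious), and groups hits by source so that one host sweeping several decoys appears as a single incident. The decoy inventory, addresses and log lines are all made up for illustration.

```python
"""Decoy-interaction detector (added example; decoys, IPs and logs are constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed decoy inventory: address -> what the decoy pretends to be.
# A real deception platform maintains this itself; these values are hypothetical.
DECOYS: Dict[str, str] = {
    "10.0.5.20": "file-server",
    "10.0.5.21": "email-server",
    "10.0.5.22": "database",
}

# Hypothetical hosts allowed to touch decoys (e.g. the platform's own health
# checker). Their hits are still reported, but labelled as probable misconfiguration.
MANAGEMENT_HOSTS = {"10.0.9.5"}


@dataclass
class Hit:
    ts: datetime
    src: str
    decoy: str
    decoy_type: str
    dport: int
    classification: str  # "suspicious" or "misconfiguration"


def parse_flow(line: str) -> dict:
    """Parse one constructed flow-log line:
    '<ISO timestamp> <src_ip>:<sport> -> <dst_ip>:<dport> <proto>'."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src_ip, "sport": int(sport),
            "dst": dst_ip, "dport": int(dport), "proto": proto}


def detect_decoy_hits(lines: List[str]) -> List[Hit]:
    """Return every flow that touched a decoy. Ordinary traffic is ignored
    entirely, which is why decoy alerts carry so few false positives."""
    hits: List[Hit] = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        decoy_type = DECOYS.get(flow["dst"])
        if decoy_type is None:
            continue  # destination is not a decoy
        cls = "misconfiguration" if flow["src"] in MANAGEMENT_HOSTS else "suspicious"
        hits.append(Hit(flow["ts"], flow["src"], flow["dst"], decoy_type, flow["dport"], cls))
    return hits


def summarize_by_source(hits: List[Hit]) -> Dict[str, dict]:
    """Group hits per source host: count, decoy types touched, classifications seen."""
    summary = defaultdict(lambda: {"count": 0, "decoy_types": set(), "classification": set()})
    for h in hits:
        entry = summary[h.src]
        entry["count"] += 1
        entry["decoy_types"].add(h.decoy_type)
        entry["classification"].add(h.classification)
    return dict(summary)


# Constructed sample log: one management health check, one host sweeping
# all three decoys, and two ordinary flows that never reach a decoy.
SAMPLE_LOG = """\
2018-06-01T09:00:01 10.0.1.15:51000 -> 10.0.2.8:443 tcp
2018-06-01T09:00:03 10.0.9.5:40000 -> 10.0.5.20:445 tcp
2018-06-01T09:01:10 10.0.1.77:52311 -> 10.0.5.20:445 tcp
2018-06-01T09:01:11 10.0.1.77:52312 -> 10.0.5.21:25 tcp
2018-06-01T09:01:12 10.0.1.77:52313 -> 10.0.5.22:1433 tcp
2018-06-01T09:02:00 10.0.1.15:51002 -> 10.0.2.9:80 tcp
""".splitlines()

if __name__ == "__main__":
    for src, info in summarize_by_source(detect_decoy_hits(SAMPLE_LOG)).items():
        print(src, info["count"], sorted(info["decoy_types"]), sorted(info["classification"]))
```

Run against the sample, the routine produces two entries: the management host with a single hit labelled misconfiguration, and 10.0.1.77 with three hits spanning all decoy types labelled suspicious. Both still need a human to look at them, which is exactly the point Mr. McCormack makes; the value is that nothing else on the network generates an alert at all.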

Deception solutions are not yet fully mature and will not be appropriate for all organizations. However, for organizations with good protections already in place, this is another option worth considering to harden defenses.

**********

Rob Sloan is cybersecurity research director at WSJ Pro. Previously, Rob has worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob started his career working for the U.K. government, looking at some of the earliest cyberattacks against the critical national infrastructure. Rob’s main interest is the requirements, motivations and technical capabilities of threat actors.

Oliver Keizers

AVP EMEA Central @ Semperis, Security & Recovery for Active Directory #gerneperdu

6 years

Laurie Mercer, you might find this blog post to be helpful: https://www.fidelissecurity.com/threatgeek/2018/05/honeypots-active-deception-defenses Pooh would love a High-interaction honeypot...

Ian Judson

CEO & Leadership Team Coach @ Judsons Coaching | Mid Market Business Growth Expert

6 years

I’ve been following your posting for a while Rob, and I always get valuable information on cybersecurity.

罗伟思

Penetration Tester at HackerOne | Peace of mind from security’s greatest minds

6 years

My inner Pooh is slightly disappointed that they dropped the term "honeypot" in favour of "deceptive solutions".

Jason Iacono

Senior Information Security Professional & Cyber Illusionist - Helping Organizations Halt Today's Advanced Cyber Threats

6 years

Rob, good write up on this emerging subfield. I'm extremely interested to see how deception matures in the future. What are your thoughts on deception service providers vs. building something in-house?
