It’s time to turn the tables on the threat actors and give them a taste of their own medicine. These defensive platforms use the bad guy’s favorite weapon against them: deception.
Some cyberattacks happen in a very short time. For example, someone receives a phishing email. They don’t recognize it as a cyberattack. They try to open the malicious attachment. The attachment contains a small downloader program that installs itself on their computer. Living up to its name, the downloader retrieves the actual malware from the threat actor’s server and installs it. The downloaded malware may be ransomware, adware, a cryptojacker, a remote access trojan (RAT), or any other malicious software that will benefit the threat actor at the victim’s expense.
By contrast, cyberattacks that involve infiltration are not quick, automated events. They’re multi-phased processes. The initial infection might be a RAT delivered by a phishing email, but that’s when the threat actors’ work actually begins. The RAT can be used by the threat actor to connect to a compromised network at their will, as many times as they like. It’s their own private backdoor.
At their leisure, they can navigate carefully through your network, observing events, monitoring activity, and figuring out things like where your backups are stored. The end game might still be a ransomware attack. But if the victim organization is sufficiently valuable, it pays for the threat actors to take the time to make sure their malware can access all parts of the network, including the backups. They want the maximum spread of infection.
Perhaps they are not planning a ransomware attack. But whatever their intention, when the threat actors access your network they are strangers in a strange land. They don’t know your network topology, segmentation, server names, backup software, and so on. To obtain that information they need to map out your network by snooping, observing, and doing the work to figure out what’s what. This is called moving laterally through the network. It is done to map the network, as part of privilege escalation, and to find high-value assets and targets.
Deception technologies make that lateral movement difficult, if not impossible. They detect when someone is trying to feel their way through your network, and send alerts to notify staff.
This is how deception technologies operate.
Decoys and Honeypots
A deception platform deploys fake network assets that look like real devices to the threat actor as they explore your network. They are convincing decoys that respond as though the threat actor were probing or investigating a real device. But because no one should be interacting with the decoy assets any activity on them is suspicious and likely to be malicious.
You can liken a deception platform to a sort of “motion detector” for your network. If someone is dabbling in an area they shouldn’t—whether a threat actor or a nosy, snooping employee—they’ll be caught in the act.
One of the advantages of deception platforms is that they detect activity. They don’t need to have a database of malware or other signatures updated, and they can’t be caught out by zero-day threats. They don’t suffer from false positives. If it detects activity on a deception asset, something is going on that you need to look at.
The deception assets may impersonate:
- File servers
- Point of sale (POS) equipment
- Automated teller machines (ATMs)
- Internet of Things (IoT) devices
- Industrial sensors and controllers
A deception system will allow you to choose what type of deception assets you want to install, but it is usually easier to allow the deception platform to examine your network and auto-populate it with phantom assets of the type commonly found on a network of your type. Some deception platform providers offer a service to create a deception asset to your specification, to mimic a particular type of device that you want to have deployed on your network. That means you can have decoy versions of every type of real device on your network.
Deception systems can create and monitor non-device decoys and honeypots too, such as configuration files, log files, and documents that would be of interest to a threat actor who was trying to understand your network. As soon as one of these decoys is viewed, deleted, or copied an alert is raised.
Subtle clues, known as breadcrumbs, can be left in the network to point to phantom high-value assets. This is done to lead threat actors away from real devices and to steer them towards what appear to be prime targets.
An intrusion detection system (IDS) tries to detect malicious activity by analyzing network traffic on your actual network. A deception platform tries to steer the malicious activity off your genuine network and into the phantom zone.
Phantom Devices, Phantom Traffic
Surprisingly, the deception assets don’t put any strain on your network, nor flood it with traffic. They’re not actually on your network like a real device until someone tries to interact with them. They’re virtual devices residing within a device farm or deception farm inside a virtualized environment that can be on-premise or in the cloud. The deception system fabricates evidence of the existence of the deception assets on the genuine network.
To make the deception assets look as real as possible, decoy network traffic is created and even fake user activity. As soon as anyone tries to interact with a deception asset it is brought to life in milliseconds—fully spun up in the deception farm—so that it presents real-world responses and actions to the threat actor while alerts are raised to the support staff.
As far as the infiltrator is aware, they are dealing with a genuine server, ATM, medical device, or some other bona fide networked device.
Deception assets can be created that actually contain a full operating system. These controlled environments are used to allow the threat actor to carry out their malicious actions while recording and monitoring those actions to better understand their intentions. This information can be used to better prevent their recurrence.
As well as raising alerts, the deception platform may invoke other responses. It can sandbox the deception asset so that any injected threats such as malware are contained. It can quarantine phantom servers, or it may expire the authentication credentials for the account that the threat actor is using.
Aimed At Enterprises
Deception platforms sit most comfortably in the enterprise-scale network. Enterprise networks are big enough to require careful mapping by the threat actor, and can most convincingly contain many—even thousands—of phantom devices. If a threat actor sees the network of a small business is disproportionally populated with networked devices they may suspect a deception platform is in play. Larger networks naturally camouflage the extra devices.
Threat actors are aware of deception platforms which is why the deception assets must be replicated so accurately and convincingly and must react with seemingly real-world responses.
Of course, you should still do all you can to prevent the threat attacker from gaining access to your network. But if they do manage to get inside, you need to have something that will detect their presence and contain their actions. And if it steers them away from genuine assets and onto phantom assets, so much the better.