In his timeless book “The Art of War,” Sun Tzu holds that “all warfare is based on deception.” As organizations grapple with the ever-growing threat of sophisticated cyberattacks, IT security executives are adding a new tool to their defense arsenal — cyber-deception. Cyber-deception is defined as the practice of enticing, engaging, misdirecting, and detecting attackers by distributing decoys and traps across enterprise systems to imitate legitimate assets. These decoys and traps could be anything from fake applications to misleading file storage.
When a cybercriminal attempts to compromise the trap or decoy, the attack vectors they use during the engagement will be monitored and logged. Cybersecurity teams may go as far as misdirecting the adversary’s actions and altering the data feeding into hackers’ automated tools.
Overall, the objective is to derail the onslaught and confuse the attacker. More specifically, cyber-deception has the following merits:
1. High value-to-cost ratio
With cybersecurity teams stretched thin as they struggle to separate real threats from the noise of multiple security tools, there is a need to maximize the return on human investment. When a cyber-deception lure triggers an intrusion alert, the security team can treat it with high confidence as a notable incident.
Decoys and traps serve no business function, so any interaction with them is unexpected by design. Authorized users and legitimate service accounts have no reason to log in with a bait credential or browse a decoy file share. Therefore, whenever there is activity involving the decoys, there is a high probability that it is either an attempted cyberattack or, in the most benign case, a policy violation by staff who ventured into areas outside their sphere of authorization. The one housekeeping task is to keep the decoys out of the path of the organization's own automation: vulnerability scanners, backup jobs and asset-inventory tools will touch a decoy host if they are not excluded from it, and those hits must be filtered before the alert reaches an analyst. With that done, the investment in cyber-deception has a high payoff.
2. Detect insider threats
Insider threats are among the hardest to detect and can cause some of the greatest damage. Since insiders hold authorized user accounts, their activity may not raise any suspicion in controls that look for unauthorized access. A deception strategy is one of the more effective means of detecting an insider attack, because it does not depend on the access being unauthorized, only on it being unexpected.
Except for the cybersecurity team, employees are not told that a cyber-deception strategy exists or what the traps and decoys look like. Therefore, any staff member accessing these elements has gone looking in areas they have no business reason to touch.
3. Faster detection
An alert is raised as soon as a deception asset is touched, which is typically while the attacker is still probing and before they have reached a production system. This gives security teams a window to react before any actual loss or damage occurs. Such rapid detection is especially valuable against ransomware: an attacker who opens a decoy share or uses a bait credential while moving laterally can be contained before the payload is deployed and enterprise systems are encrypted or wiped.
4. Entice attackers into exposing themselves
Whenever a major hacking incident makes the news, later investigation often reveals that the attack commenced months before it was eventually detected. Cybercriminals prefer to operate under the radar for as long as possible. This gives them adequate time to extract a large volume of information undetected.
Cyber-deception techniques trick hackers into disclosing their presence on the network. Such early exposure can substantially diminish the impact of the attack. Conventional protection tools would otherwise miss the intrusion or identify it when the damage has already been done.
5. Actionable alerts due to fewer false positives
One of the biggest challenges cybersecurity systems face is a flood of false positives. In their effort to ensure nothing falls through the cracks, security teams may configure control systems to flag a wide array of events. Unfortunately, a sizable proportion of the alerts could be false positives.
The deluge of false positives overwhelms security teams, slows decision-making, and delays the time it takes to respond to a legitimate threat. The nature of cyber-deception, however, means alerts are precise and actionable. Security teams can assume the alert was triggered by a significant incident and therefore dedicate time and resources to the necessary response.
6. Reduce dependence on signature-based controls
Signature-based controls match traffic, files and events against patterns of threats that have already been seen: file hashes, byte sequences, known-bad domains, rule strings. While these can be effective against known malware and hacking tools, they are severely constrained in tackling new, undiscovered threats for which no signature exists yet.
Cyber-deception reduces the organization's dependence on signature-based controls. It does not need to recognize the exploit or the malware at all; it detects the attacker by what they do after gaining a foothold, namely touching assets that no legitimate user would touch. That is why it can catch an intrusion that used a zero-day exploit well before damage has been done to your systems and data, and it is also why it complements, rather than replaces, the signature-based layer.
7. Intelligence gathering
A deception strategy may be applied in one of two ways. The first is as a warning system that alerts IT security teams of intrusion. Teams can act fast to close loopholes and ensure smooth operations.
The second is using deception as a means of adversary management. IT security teams observe how the attacker moves and the resources they appear to be most interested in. The indicators this yields, such as the source address, the tools and the credentials used, are fed into existing security tools and used to examine the rest of the network for similar activity with a view to neutralizing the intrusion.
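The two uses above, the high-fidelity alert from item 1 and the hunt across the rest of the network described here, come down to a small piece of detection logic. The following Python is an added example written for this article, not a product's code: it defines a hypothetical decoy inventory (two bait accounts and one decoy host, all assumed names), scans constructed key=value access-log lines for any interaction with a decoy regardless of outcome, and then pivots on the offending source address to list what else that source touched on non-decoy assets.

```python
"""Decoy-hit detection and source pivot over constructed log lines (added example)."""
import re
from dataclasses import dataclass

# Hypothetical decoy inventory (assumed for this example): honey accounts that exist in the
# directory only as bait, and a decoy host that serves no real workload.
DECOY_ACCOUNTS = {"svc_backup_old", "finance_admin"}
DECOY_HOSTS = {"fileshare-legacy"}

# Constructed key=value auth/access log lines; not from any real system.
SAMPLE_LOGS = [
    "2024-05-02T09:58:00Z host=db01 src=10.0.9.77 user=bob action=login result=success",
    "2024-05-02T10:01:03Z host=web01 src=10.0.4.22 user=alice action=login result=success",
    "2024-05-02T10:02:11Z host=fileshare-legacy src=10.0.9.77 user=bob action=smb_read "
    "path=finance/payroll.xlsx result=success",
    "2024-05-02T10:02:45Z host=dc01 src=10.0.9.77 user=finance_admin action=login result=failure",
    "2024-05-02T10:03:02Z host=web01 src=10.0.4.22 user=alice action=logout result=success",
    "2024-05-02T10:03:30Z host=db01 src=10.0.9.77 user=bob action=login result=success",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; return None for lines we cannot use."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(_KV.findall(rest))
    if not ts or "src" not in fields or "host" not in fields:
        return None
    fields["ts"] = ts
    return fields


@dataclass
class Alert:
    ts: str
    src: str
    user: str
    host: str
    reason: str


def decoy_reason(event):
    """Return why this event is a decoy hit, or None.

    The outcome field is deliberately ignored: a failed login with a bait credential is as
    telling as a successful one, since nobody legitimate should know the account exists.
    """
    if event.get("user") in DECOY_ACCOUNTS:
        return "decoy account"
    if event["host"] in DECOY_HOSTS:
        return "decoy host"
    return None


def detect(lines):
    """Return one Alert per decoy interaction, in log order."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        reason = decoy_reason(event)
        if reason:
            alerts.append(Alert(event["ts"], event["src"], event.get("user", "?"),
                                event["host"], reason))
    return alerts


def pivot(lines, alerts):
    """For every source that touched a decoy, list its activity against non-decoy assets.

    This is the 'feed it into the rest of the network' step: the decoy supplies a
    high-confidence indicator (the source address) and we hunt for what else it did.
    """
    suspects = {a.src for a in alerts}
    touched = {src: [] for src in suspects}
    for line in lines:
        event = parse_line(line)
        if event and event["src"] in suspects and decoy_reason(event) is None:
            touched[event["src"]].append(event)
    return touched


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT {a.ts} {a.reason}: src={a.src} user={a.user} host={a.host}")
    for src, events in pivot(SAMPLE_LOGS, found).items():
        print(f"pivot {src}: " + ", ".join(f"{e['ts']} {e['host']}/{e['action']}" for e in events))
```

On the sample data the decoy host read and the failed bait-credential login both come from 10.0.9.77, and the pivot shows that the same source also logged in to the real database host before and after the decoy hits, which is exactly the lead an analyst would chase next. In a real deployment the decoy inventory would be loaded from the deception platform rather than hard-coded, and the pivot would run as a query against the SIEM instead of over an in-memory list.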
8. Customized solution
To appear real to an attacker, the deception solution has to conform to your organization’s cloud and network environment. It should change to blend in with the systems and infrastructure within which it lies.
Such customization is difficult to realize with conventional security tools. Often a seasoned attacker will recognize the signs of a known cybersecurity system and adopt a different technique for intrusion.
Cyber-deception could be the new normal
The constantly evolving IT security threat landscape means the methods that may have been effective a decade ago may be woefully inadequate in safeguarding digital assets today. Militaries have long known the power of using deception to trap and defeat their foes.
A cyber-deception strategy gives organizations a new layer of defense and enhances their ability to respond to an attack in a timely fashion. With that, businesses can better protect their infrastructure against disruption, loss, and unauthorized access. A deception-based strategy can shield the organization from both established threats and those that have not been seen before.