In 1943, psychologist Abraham Maslow published his theory of human motivation, which became a widely accepted method for analyzing a person’s needs.
Maslow’s theory describes a closed, integrated system that can, in theory, bring people closer to the fulfilment they seek. This post borrows that shape: below is a five-step pyramid model that illustrates the building blocks of effective cyber deception. Each step is the foundation for the next, and together they help network defenders plan and implement deception tools and tactics successfully.
In order to fool your opponent you must first ‘know thyself’. At the base of the pyramid sits your organization as a whole: not just its networks, but also its general framework, business processes, markets, products, and competitors. You need this picture to understand which network elements matter most to you and therefore require protection at all costs. For a retailer, this could be the payment server or the customer database; for a tech company, perhaps its RCS.
Every company has its Achilles heel. After you’ve identified your most important assets, you can study the possible approach vectors that might be used by attackers: social engineering, tainted websites, software vulnerabilities, etc. This analysis will give you the basis for your cyber deception plan.
The next step is to ‘know thy enemy’. This includes an analysis of attack tools and the players who are most likely to use them against your network. Once you understand a probable attacker’s M.O. and malware, you will be able to decide which deception elements to deploy and where in your network these would be most effective.
Defense grid integration
This stage is all about the place cyber deception takes among your other defensive measures. Detecting an intruder is just the first step in mitigation; for your cyber deception plan to be effective, your deception elements need full SIEM integration, the ability to move captured malware to sandboxes, and the ability to forward attack data to IPS and IDS solutions.
The decoy is a key part of your deception story: the attacker must regard it as the thing they were looking for (i.e., something they believe will help their lateral movement, or that contains the coveted goods they came to steal or encrypt). To be relevant to the attacker, the decoy must be exploitable but not corruptible, so that your opponent cannot use it to escalate their attack. A poorly built decoy can itself be compromised and used to knock servers off the network or to give the attacker valuable information about your defense grid.
Above the decoy sits the service – the system procedure that makes the attacker believe they have found a real target. The cyber deception service must be as authentic as possible, and must send the same network responses as a real service. It also must fit the deception story you tell the attacker (for example, a decoy sysadmin machine can run several remote interaction services). If your emulation is incomplete, attackers will detect the ruse and circumvent your deception element.
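The service requirement in this section and the SIEM integration requirement under defense grid integration can be seen together in the following added example, which is not code from the original post. It is a small decoy HTTP service in Python: it answers with headers and status codes the way a web front end would, keeps the admin area permanently behind an authentication prompt that accepts nothing (exploitable-looking, not corruptible), and turns every contact into a JSON event that a SIEM forwarder would ship. The hostname, Apache banner string, routes and event fields are assumptions chosen for a sample deception story, and the print to stderr stands in for the forwarder.

```python
"""Decoy HTTP service that answers like a real web server and emits SIEM-ready events.

Added example, not from the original post. The hostname, banner string, routes
and event schema are constructed assumptions for a sample deception story.
"""
import json
import sys
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

DECOY_NAME = "intranet-admin-01"            # assumed decoy hostname in the story
SERVER_HEADER = "Apache/2.4.52 (Ubuntu)"    # banner chosen to fit the story, not taken from any real host
REALM = "Intranet Administration"

# Pages that exist in the story. Everything else gets a real-looking 404.
ROUTES = {
    "/": (200, "text/html",
          "<html><body><h1>Intranet portal</h1><a href=\"/admin/\">Administration</a></body></html>"),
    "/robots.txt": (200, "text/plain", "User-agent: *\nDisallow: /admin/\n"),
}


def build_response(method, path, headers):
    """Return (status, headers, body) the way an Apache front end would.

    /admin/ always demands Basic auth and never accepts a credential: the decoy
    looks exploitable (a login to attack) but is not corruptible (nothing behind it).
    """
    base = {"Server": SERVER_HEADER,
            "Date": time.strftime("%a, %d %b %Y %H:%M:%S GMT", time.gmtime())}
    if method not in ("GET", "HEAD"):
        return 405, {**base, "Allow": "GET, HEAD", "Content-Type": "text/html"}, "<h1>Method Not Allowed</h1>"
    if path.startswith("/admin"):
        return 401, {**base, "WWW-Authenticate": f'Basic realm="{REALM}"',
                     "Content-Type": "text/html"}, "<h1>Unauthorized</h1>"
    if path in ROUTES:
        status, ctype, body = ROUTES[path]
        return status, {**base, "Content-Type": ctype}, body
    return 404, {**base, "Content-Type": "text/html"}, "<h1>Not Found</h1>"


def make_event(peer_ip, method, path, headers):
    """Build the record forwarded to the SIEM. Any contact with a decoy is suspicious;
    presenting a credential or probing the admin area is rated higher."""
    credential = "Authorization" in headers
    severity = "high" if credential or path.startswith("/admin") else "medium"
    return {
        "ts": time.time(),
        "sensor": DECOY_NAME,
        "event_type": "decoy_contact",
        "severity": severity,
        "src_ip": peer_ip,
        "http": {"method": method, "path": path,
                 "user_agent": headers.get("User-Agent", "")},
        "credential_presented": credential,
    }


class DecoyHandler(BaseHTTPRequestHandler):
    def _handle(self):
        status, hdrs, body = build_response(self.command, self.path, self.headers)
        event = make_event(self.client_address[0], self.command, self.path, self.headers)
        # Stand-in for the SIEM forwarder: one JSON line per contact on stderr.
        print(json.dumps(event), file=sys.stderr, flush=True)
        payload = body.encode()
        self.send_response_only(status)          # status line only, so our Server/Date headers are the only ones sent
        for name, value in hdrs.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(payload)

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _handle

    def log_message(self, fmt, *args):           # silence stdlib's access log; the JSON event is the record
        pass


if __name__ == "__main__":
    ThreadingHTTPServer(("127.0.0.1", 8080), DecoyHandler).serve_forever()
```

Run it and request http://127.0.0.1:8080/admin/ with a browser or curl: the client sees an ordinary Basic-auth challenge with an Apache banner, while stderr receives a high-severity `decoy_contact` record carrying the source address, path and user agent. In a real deployment the print is replaced by the SIEM's ingestion API or a syslog/HTTP forwarder, and the emulated paths are extended until the decoy matches the story in every response an attacker is likely to check.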
The lure sits at the top of the pyramid, since it is the first part of your cyber deception plan that the attacker encounters. Without it, you won’t catch the cyber thief; without the rest of the pyramid, the lure won’t be effective or relevant. The lure (also called a breadcrumb) is a planted element that attracts the opponent by presenting them with a thread to pull, for example a password that appears usable for escalating privileges. Lures must point to your valuable assets so that your opponent won’t ignore them. If you have analyzed your probable attacker’s approach vectors and objectives, you will be able to place these breadcrumbs directly in their path. The result is an effective deception network, ready to catch attackers and distribute attack data to other security tools.
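The breadcrumb idea on the detection side, as an added example that is not part of the original post: a planted credential has no legitimate user, so any authentication attempt that names it is a high-fidelity signal, and a registry that records where each lure was planted and which decoy it points to turns the alert into a map of the path the attacker is following. The account names, hosts and sshd log lines below are constructed samples, and the registry layout is an assumption.

```python
"""Breadcrumb (lure) use detection over sshd auth log lines.

Added example, not from the original post. Account names, hosts, the registry
layout and the log lines are constructed samples.
"""
import re

# Registry of planted credentials (assumed layout). None of these accounts has a
# legitimate user, so any authentication attempt with the name is a signal. Each
# entry records where the breadcrumb was placed and which decoy it points at.
LURES = {
    "svc_backup": {"planted_in": "/etc/backup/agent.conf on fileserver-02",
                   "points_to": "decoy-db-01"},
    "deploy_admin": {"planted_in": "browser saved password on ws-finance-17",
                     "points_to": "intranet-admin-01"},
}

# Matches the sshd line shapes that carry a username and a source address:
#   "Accepted <method> for <user> from <ip>"
#   "Failed <method> for [invalid user] <user> from <ip>"
#   "Invalid user <user> from <ip>"
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?:(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+)"
    r"|Invalid user (?P<user2>\S+)) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_sshd(line):
    """Return a dict for an auth-relevant sshd line, or None for anything else."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"], "host": m["host"], "ip": m["ip"],
        "user": m["user"] or m["user2"],
        "outcome": m["outcome"] or "Invalid",
    }


def detect_lure_use(lines):
    """Fold every attempt that uses a planted credential into one alert per (source, lure)."""
    alerts = {}
    for line in lines:
        rec = parse_sshd(line)
        if rec is None or rec["user"] not in LURES:
            continue                      # unparsed lines and real accounts never fire
        key = (rec["ip"], rec["user"])
        if key not in alerts:
            lure = LURES[rec["user"]]
            alerts[key] = {
                "src_ip": rec["ip"], "user": rec["user"], "attempts": 0,
                "first_seen": rec["ts"], "targets": [],
                "planted_in": lure["planted_in"], "points_to": lure["points_to"],
                # An accepted login means the attacker is now inside whatever host
                # accepted it, which is worth flagging separately from failed guesses.
                "accepted": False,
            }
        alert = alerts[key]
        alert["attempts"] += 1
        alert["accepted"] = alert["accepted"] or rec["outcome"] == "Accepted"
        if rec["host"] not in alert["targets"]:
            alert["targets"].append(rec["host"])
    return list(alerts.values())


# Constructed sample: one legitimate login, two guesses against a lure account on the
# decoy it points at, one use of a second lure on another decoy, and an unrelated failure.
SAMPLE_LOG = """\
Mar  3 09:14:02 fileserver-02 sshd[2112]: Accepted publickey for alice from 10.0.1.20 port 50122 ssh2
Mar  3 09:15:40 decoy-db-01 sshd[419]: Failed password for svc_backup from 10.0.1.77 port 41002 ssh2
Mar  3 09:15:44 decoy-db-01 sshd[419]: Failed password for svc_backup from 10.0.1.77 port 41002 ssh2
Mar  3 09:16:01 intranet-admin-01 sshd[520]: Invalid user deploy_admin from 10.0.1.77 port 41010
Mar  3 09:20:10 fileserver-02 sshd[2130]: Failed password for bob from 10.0.1.20 port 50130 ssh2
"""

if __name__ == "__main__":
    for alert in detect_lure_use(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, only the two lure accounts produce alerts; alice's real login and bob's ordinary failure are ignored, which is what makes breadcrumb alerts cheap to triage. Both alerts share the source 10.0.1.77, and each one names the file or host where the breadcrumb was planted, so the responder immediately knows which system the attacker has already read and which decoy they are heading for.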
These five steps can help you build the deception network you need. Remember that, just like the steps in Maslow’s pyramid, they must be maintained, revisited, and evaluated from time to time, especially after an attack, a large-scale reorganization, or the discovery of dangerous new malware.