This article is the second in a five-part series being developed by Dr. Edward Amoroso in conjunction with the deception technology team from Attivo Networks. The article provides an overview of the central role that authenticity plays in the establishment of deception as a practical defense and cyber risk reduction measure.
Requirements for authenticity in deception
The over-arching goal for any cyber deception system is to create target computing and networking systems and infrastructure that will be indistinguishable by an adversary from actual assets – including both live production and test environments. While this would seem an obvious consideration, it turns out to be quite challenging technically to build such deception in practice. Vendors other than Attivo Networks typically attempt to achieve this through emulation.
The system attribute that best achieves this goal is authenticity, because once a human or automated malicious actor gains access to a planted deceptive system – whether purposefully or incidentally – no evidence should exist that a decoy or trap has been reached. It is also insufficient to suppress only obvious forms of evidence. Subtle indicators of inauthenticity often found in low-interaction, emulated environments are also unacceptable, especially in the presence of a capable adversary.
The primary functional computing requirements for achieving authenticity in deployed deception can be listed as follows:
- Interface – It goes without saying that a decoy must project an interface that every accessing entity would expect. A deceptive system, for example, should run the same operating systems, application software, and services as seen in production. It should also be able to match the network attributes seen in the environment.
- Performance – The temporal characteristics of a deceptive system must also be within the expected parameters of accessing entities. Unusually slow response times or an inability to authenticate with services like Active Directory, for example, might be a hint that a badly designed decoy has been put in place.
- Content – The accessible information for a decoy must match the expectations of the adversary. While this might include breadcrumb information, it will also include configuration and administrative data and data files that appear visible to the accessing entity.
- Access – The access parameters – including identification, authentication, and authorization – must match the expectations of the adversary. Readily accessible decoy systems that are lax in their access security or that expose vulnerabilities will be a hint that deception is in place.
- Behavior – The behavior exhibited during any interaction with a decoy must match the specific system expectations of the adversary, including the ability to be high-interaction and continue the engagement with the attacker as new commands or instructions are delivered.
Depending on the specifics of the deception being deployed, there might be additional authenticity-related functional requirements, especially in cases where a decoy is being put in place to mimic a domain-specific capability. This can include decoy systems that support a sector-specific capability (e.g., a banking service) or ones that are designed for some specialized capability (e.g., IoT).
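As an added illustration (not Attivo Networks code), the following audits a decoy's fingerprint against a production baseline along four of the five requirements above; behavior needs live interaction and is left out. Both profiles, their keys and their values are constructed assumptions standing in for data gathered by your own host fingerprinting.

```python
# Added example, not Attivo Networks code: audit a decoy's fingerprint against
# the production baseline along four of the five authenticity requirements.
# Both profiles are constructed dicts; keys and values are assumptions.
from statistics import median
PRODUCTION = {
    "os_banner": "Ubuntu 22.04.3 LTS",
    "services": {22: "OpenSSH_8.9p1", 445: "Samba 4.15.13"},
    "ttl": 64,                          # IP TTL as observed on the wire
    "login_ms": [38, 41, 40, 37, 42],   # AD bind latency samples, ms
    "auth_realm": "CORP.EXAMPLE",
    "home_dirs": {"svc_backup", "jdoe"},
    "accepts_blank_password": False,
}
DECOY_EMULATED = {                      # a low-interaction emulation, for contrast
    "os_banner": "Ubuntu 22.04.3 LTS",
    "services": {22: "OpenSSH_7.4", 445: "Samba 4.15.13"},
    "ttl": 128,
    "login_ms": [900, 950, 910, 940, 905],
    "auth_realm": "WORKGROUP",
    "home_dirs": set(),
    "accepts_blank_password": True,
}

def audit(base, decoy, latency_factor=3.0):
    """Map each requirement to its findings; all-empty means no indicator."""
    f = {"interface": [], "performance": [], "content": [], "access": []}
    # Interface: same OS, same service versions, same network attributes.
    if decoy["os_banner"] != base["os_banner"]:
        f["interface"].append("os banner differs")
    for port, ver in base["services"].items():
        got = decoy["services"].get(port)
        if got != ver:
            f["interface"].append(f"port {port}: expected {ver}, got {got}")
    if decoy["ttl"] != base["ttl"]:
        f["interface"].append("ip ttl differs")
    # Performance: response times must stay inside the production envelope.
    if median(decoy["login_ms"]) > latency_factor * median(base["login_ms"]):
        f["performance"].append("authentication latency out of range")
    # Content: configuration and administrative data an intruder expects.
    if decoy["auth_realm"] != base["auth_realm"]:
        f["content"].append("auth realm differs")
    if not decoy["home_dirs"]:
        f["content"].append("no user home directories")
    # Access: a decoy that is laxer than production gives itself away.
    if decoy["accepts_blank_password"] and not base["accepts_blank_password"]:
        f["access"].append("accepts blank password")
    return f
def is_authentic(base, decoy):
    return not any(audit(base, decoy).values())
```

Run against a mirrored decoy built from a production image, every list should come back empty; each non-empty list names a subtle indicator of the kind a capable adversary would notice.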
Since many enterprise, mid-market, and government agency networks are now being enhanced to include deception to reduce risk, understanding the underlying authenticity features will assist in establishing a basis for compliance and audit. One might expect to see authenticity, for instance, increasingly cited as a demand by security assessment teams, and even regulatory compliance bodies seeking ways to reduce cyber risk more aggressively.
Extending authentic deception to a range of targets
One of the most powerful techniques in the establishment of decoys involves mirroring the production assets of a variety of different devices, systems, and their applications. A typical computing environment will involve the usual assortment of PCs, routers, switches, and other endpoints; however, the applications and services are typically unique to each environment. Providing decoys identical to production assets creates a powerful way to obfuscate the attack surface while being able to place deceptive bait to lure and detect the presence of intruders.
The principle of authenticity remains paramount in the extension of deception to different target endpoints. This is especially true for network devices such as routers, switches, Industrial Control Systems, or SCADA, where a capable adversary can detect emulated decoys quickly. The Attivo Networks team focuses considerable effort in this area to ensure, for example, that a decoy router is highly authentic on a target LAN.
Extending deception across the modern enterprise includes not only targeting a range of different computing and networking devices, but also includes the deployment of decoys to various segments or regions of the typical hybrid enterprise. Excellent candidate regions for decoy integration include the following:
- Data Center – This includes the infrastructure, servers, and elements included in the typical modern physical or virtual data center.
- Local Area Network – The enterprise LAN includes the various types of servers and endpoints that are the most commonly targeted systems for deceptive decoys.
- Cloud Workloads – The modern enterprise has already adopted hybrid cloud, or might exist entirely in the cloud; this implies that cloud workloads are good candidates for deception.
- Remote/Branch Offices – An important component of the modern enterprise remains the remote or branch office, and decoys help to reduce cyber risk in these locations.
- Specialized Networks – This includes environments with specialized devices (IoT, medical IoT, ICS/SCADA, POS), which are often targeted to establish a foothold in a network, or compromised for financial gain, exploitation, or harm to human safety.
- Third-Party Networks – The inclusion of deception requirements or recommendations during contract negotiations with third parties is a great risk reduction measure.
Extending deception across the more specialized enterprise
Since cyber adversaries now exhibit increasingly high skills, the introduction of deception to computing and networking infrastructure requires considerable attention to lower-level technical and system details. To that end, the following design considerations – all part of the Attivo Networks design methodology for its offerings – must be used to extend authentic decoy functionality to various devices:
- Operating System Integration – Decoy systems built on conventional operating systems such as Linux or Windows provide the flexibility to create dynamically authentic functionality. Obviously, for specialized systems such as IoT, the operating system selected should be commensurate with that type of system.
- Application-Level Functionality – Application-level commands, utilities, and features must work seamlessly on the decoy system, especially for routers and switches. Intruders often visit network elements during an attack campaign, so this is a powerful technique.
- Vendor-Specific Functionality – The attributes and characteristics of an environment must be embedded in the decoy to ensure authenticity. Capable adversaries will easily pick up on details of a system configuration that might not match their expected experience.
These are powerful design considerations, because they introduce a target environment where any human or automated intruder can easily connect to a variety of decoys, likely unaware of the fact that the accessed device is deceptive. As this technology becomes more widely deployed, the notion that such deception might be present is likely to also serve as a powerful deterrent for many intruders.
One factor organizations generally consider when looking at deception is the ease of deployment and operations. It may seem daunting to deploy deception across the network, and then manage the patching and operations. The deception environment should not be difficult to deploy enterprise-wide, nor should it require excessive resources to manage and patch.
Attivo Networks manages to simplify deployment by utilizing machine learning to profile the environment and create endpoint and network decoys and credentials that match it, automatically deploying the deception at the push of a button after review and approval. By efficiently projecting the decoys across multiple VLANs, the organization has unlimited scalability to project them anywhere in the network. Scalability is achieved by adding virtual machines and appliances together, while a central manager can conveniently aggregate data across all devices including cloud operations.
Case study in deception use during breach
Decoy systems are commonly viewed by enterprise teams as being reactive because they are placed into a network in the hopes that a future attacker will be duped into engaging with the planted trap. With Attivo Networks deception, bait with breadcrumbs will also attract and lure an attacker into engaging in a high-interaction environment so that forensics can be gathered and attacks safely studied.
Such forward-looking risk reduction is attractive, not only because attack avoidance ensures that consequences are minimized in any threat environment, but also because the attack is safely contained in the decoy environment, where the organization can allow the attack to play out to gather the most intelligence value. The organization can then use this information to develop threat and adversarial intelligence that strengthens its defenses and informs its risk reduction strategies.
An interesting case study, however, is the confidence many enterprise teams now place in deception during an attack. The Attivo Networks team has reported, for example, specific cases where authentic decoys are put in place in the presence of an existing and on-going breach by an adversary.
The result is that deception can be effectively deployed during all phases of the familiar cyber security lifecycle – prevention, detection, and response. Certainly, the functional goal in each phase is the same – namely, to detect the presence of an intruder via a decoy system and quickly remediate the threat. But the usefulness and implications of the deception in each phase will vary slightly for enterprise defenders. Note that defenders may also extend the value of their existing security infrastructure through native integrations that simplify and accelerate incident response via attack information sharing and automated blocking, isolation, and threat hunting.
Deception in the Cyber Security Lifecycle
During the prevention phase, decoys are used to sway an intruder from live production assets toward deceptive systems, thus avoiding undesirable consequences and the work associated with cleaning up the aftermath of an attacker's foothold. During the detection phase, decoys are used to interrupt an on-going campaign with the early detection of lateral movement, reducing the dwell time an attacker needs to complete a successful attack and leave backdoors for future use. During the response phase, the goal is to collect TTPs, IOCs, and forensics for rapid remediation and for discovering intent and likely attribution. Collectively, deception technology equips organizations with valuable tools for early threat detection and accelerated incident response, but it must be authentic to successfully combat sophisticated adversaries.
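As an added example (not Attivo Networks code), the detection and response phases in miniature: any authentication attempt against a decoy host, or any use of a planted breadcrumb credential anywhere on the network, is treated as a high-fidelity lateral-movement alert, and the alerting source host is then scoped for isolation and hunting. Host names, accounts, the log format and the log lines are all constructed for illustration.

```python
# Added example, not Attivo Networks code. Decoy hosts receive no legitimate
# traffic and breadcrumb accounts exist only as bait, so a single hit on either
# is an alert, even a failed logon. All names and log lines are constructed.
import re
from collections import defaultdict

DECOY_HOSTS = {"fs-backup02", "sql-reporting"}      # constructed decoy names
BREADCRUMB_ACCOUNTS = {"svc_backup_old"}            # constructed lure credential

LINE_RE = re.compile(r"^(?P<ts>\S+) logon src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"user=(?P<user>\S+) result=(?P<result>\S+)$")

SAMPLE_LOG = """\
2024-03-01T09:00:01Z logon src=ws-114 dst=fs-prod01 user=jdoe result=success
2024-03-01T09:02:17Z logon src=ws-114 dst=fs-backup02 user=jdoe result=failure
2024-03-01T09:02:18Z logon src=ws-114 dst=fs-backup02 user=svc_backup_old result=success
2024-03-01T09:05:40Z logon src=ws-114 dst=dc01 user=svc_backup_old result=failure
2024-03-01T09:10:00Z logon src=ws-220 dst=fs-prod01 user=asmith result=success
""".splitlines()

def parse(line):
    """Return the logon record as a dict, or None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def detect(lines):
    """Detection phase: return (alerts, first_seen). Each alert carries the
    record plus the indicator that fired; first_seen maps a source host to the
    timestamp of its earliest alert, i.e. when lateral movement was caught."""
    alerts, first_seen = [], {}
    for rec in filter(None, map(parse, lines)):
        reasons = []
        if rec["dst"] in DECOY_HOSTS:
            reasons.append("decoy_touch")
        if rec["user"] in BREADCRUMB_ACCOUNTS:
            reasons.append("breadcrumb_use")
        for reason in reasons:
            alerts.append({**rec, "reason": reason})
            first_seen.setdefault(rec["src"], rec["ts"])
    return alerts, first_seen

def response_scope(lines, suspects):
    """Response phase: every destination a suspect source touched, including
    production hosts reached before the decoy fired, for isolation and hunting."""
    scope = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["src"] in suspects:
            scope[rec["src"]].add(rec["dst"])
    return dict(scope)
```

Note that the first alert fires on the failed logon to the decoy, before the breadcrumb credential is ever used successfully, which is the early lateral-movement detection the text describes.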