In cybersecurity, deception is redundant if it cannot fulfill its critical aim – to misdirect, confuse, and lure attackers into traps and dead-ends. It is the art of tricking attackers into overextending and exposing themselves. To deceive attackers, an organization’s security team must see things from the adversary’s perspective.
Several key components are required to carry this out: full visibility, establishing context, understanding the intent of attackers, and then engineering action to increase the cost and complexity of their attack. A key goal of deception is to alter the organization’s attack surface to confuse and mis-direct adversary campaign objectives.
The first step in doing this is to understand the organization’s cyber terrain, or corporate footprint. To do this, organizations should not only focus on protecting their most valuable assets with standard means (e.g. intrusion prevention/detection systems), but anything that is likely to be targeted, inclusive of switching and routing fabrics.
In order to understand what is likely to be targeted, security teams must know how the adversary is looking at the terrain. Adversary campaigns typically focus on the goal of building terrain maps in order to learn about network routes and how traffic moves within an organization.
Information is gleaned using time as a key asset. Enterprises that appear static, i.e. very little diversity in how they appear in the adversary’s eyes, offer the advantage and gift of time to determine weaknesses, vulnerabilities, and iterative improved understanding of the vulnerable terrain (i.e. attack surface).
Tracking enemy movements
Understanding how the adversary sees the enterprise fabric is fundamental to defending it. Excluding instances of insider threats, attackers will often begin their advance by initiating a reconnaissance attack from internet ‘grey space’ – or unattributable areas of cyberspace – and then attempt to enter through a weaker ingress point like a poorly monitored border.
As the adversary moves into the border, they will begin a search for essential information, considering open ports, protocols, IP space, DNS, and other exploitable vulnerabilities. This is part of building their terrain map that will be constantly referenced, updated, and refined as more information of the enterprise becomes clear.
As attackers approach their intended target – whether that be endpoints, ERP, or financial systems – they will typically devise an avenue of approach to get to an asset. This could be an exploitation plan for hosts that are one or two hops from their intended victim in hopes of obfuscating their movements.
Adversary sophistication is often marked by the ability to avoid detection at all costs. “Low and slow” movement becomes a trademark of more sophisticated actors to reduce detection of their lateral movement. Their movements will often be camouflaged within the common traffic profiles that they have learned by watching the enterprise over time. Cyber hunt teams work to know how an adversary is moving laterally, north or south. These movements can then be projected against the current terrain constraints and topography.
Probable attack activity, such as command-and-control servers (C2) or points of ingress and egress , are more likely to be realized in certain parts of the network. Understanding the communication paths through hosts and enterprise resources is critical to understanding an adversary’s potential movement. A probability of compromise based on the placement of these assets within the network can be attributed based on both the understanding of terrain and communications paths. This understanding informs and influences current and future cyber posture, through recommending sensor placement to improve and enhance visibility.
One of the most effective approaches in a network defense strategy is to harmonize data at rest, such as securing endpoints, and data in transit, such as the network sensor. This allows for deeper and wider visibility across an enterprise, further supporting additional protections in the form of the deployment of decoys in key locations. Efforts such as these can introduce complications into hacking campaigns, thereby shifting the costs of an attack back to the adversary.
As information is gathered relating to these paths of communication, to include unknown protocols and user behaviors, terrain-based analysis uses this data to act as a force multiplier. As a result, security teams can gain multiple different perspectives that ask many questions. For example, can the security team construct a view where it can look at what needs to be seen from a visibility standpoint? What assets are vulnerable, where do they lie and do potential paths for exfil, ingress, and C2 exist in proximity to these assets?
With complete visibility of the corporate footprint, including the content, organizations can construct a complete picture (including the cyber terrain), as well as intelligence that grants the ability to discern indicators of compromise (IoC) and what a known, or unknown, tactic-technique-procedure (TTP) could be.
Deception denies attackers a static target
To defend the cyber terrain, this relies on a simple concept called moving target defense (MTD). This is the belief that it’s more difficult to hit a moving target than a static one. Attackers become suspicious when they encounter abnormal terrain that is dynamic and not static. If nothing is done to change the perception of an organization’s terrain across different dimensions – such as time or topology – the attacker is essentially provided with a static target.
If the target remains static, attackers can leverage the advantage of time to study and learn about communication paths and optimal techniques for exploitation and compromise. An effective approach to defensible architecture centers on the ability to move or hide the target by changing the perception of the attack surface from the adversarial perspective.
With deception-based cybersecurity, it reduces the overall percentage of exploitable terrain, or in other words, the attack surface available to an attacker. Decreasing the amount of exploitable terrain is the obvious way to do this, however it is far more effective for organizations that work with a static environment than those that work in a non-static environment. Further, reduction of exploitable terrain may be a non-starter in the face of support of legacy applications that cannot be patched.
Another way to deceive attackers is to increase the amount of unexploitable terrain. Deploying decoys that are similar to what is already on the network will increase the volume of unexploitable terrain, thereby lowering the overall percentage of exploitable terrain. As a result, the attacker looks for unexploitable terrain in the form of candidate ‘crown jewel’ devices – such as ERP, server, finance, database, HR, un-patchable custom hosts, and other resources – and will run into decoys mimicking their targets. This can frustrate the attacker and introduce anxiety, advantageously manipulating their perspective.
Breadcrumbs can be placed on these decoys to create a deepening allure, or what is called decoy affinity, enticing adversaries to connect to them.
Ensuring good cybersecurity can be achieved through gaining full visibility of the corporate footprint, which allows a security team to establish context and understand the intent and strategy of attackers, subsequently engineering action to increase the cost and complexity of their attack as a deterrent. Through this understanding of how the adversary sees the corporate environment (also called the ‘Red’ picture), their movements can be tracked across existing knowledge of cyber terrain to predict attacks and better prepare against them.
This understanding grants the ability to move or hide the attacker’s target by changing the attack surface from the adversarial perspective and they will continue run into decoys mimicking their targets. Ultimately, a comprehensive knowledge and understanding of the corporate footprint can be utilized as an effective form of defense against malicious actors and attackers.