Using deception as a counter-tactic against cyber-criminals has so far met with success in our cyberwarfare against those who mean us harm. By building a house of a billion mirrors, cyber-criminals are forced to slow down their attack cycle because they have no idea which of the devices and systems that they can see are legitimate.
Something as basic as probing the wrong device can trigger a tripwire that immediately alerts the network to their presence, thereby slowing them down and exposing their tactics.
Deception helps address the two primary barriers to breach protection: (1) most security deployments aren’t really designed to address threats that have already breached perimeter defenses, and (2) there’s a growing cybersecurity skills gap that hampers the effectiveness of IT security teams. Deception does so by redirecting attackers away from actual valuable data, while exposing their presence to cyber defenders – often without the attackers ever knowing they have been spotted.
One of the most effective strategies for combatting stealth attacks is generating a multiplicity of target options, most of which are landmines, and then combining them with active surveillance. This allows security professionals to engage in real-time forensic analysis by closely monitoring an attacker’s patterns, activities, and techniques to discover breached devices and exploited vulnerabilities, while also documenting their behavior for things like threat playbooks and counterintelligence.
Inside and Out
While deception is a powerful weapon against attacks from cyber-criminals and other malicious outsiders, it can also be used as a powerful set of tools for discovering insider threats. Many of today’s most damaging security threats are not the result of malicious outsiders breaching a network to deliver malware, but due to malicious or incompetent insiders – individuals known to the organization – who have access to sensitive data and systems.
In fact, about 60% of cyber incidents inside an organization are caused inadvertently through some form of human error. The rest, however, are malicious. In a report by Ponemon, about 38% of those malicious attacks can be traced back to an employee or contractor.
The National Counterintelligence and Security Center has declared September as the “National Insider Threat Awareness Month” to highlight how serious it considers the problem to be.
The challenge is that it can be difficult to detect when rogue employees start poking around a network for information they are not authorized to access. Deception technology is one of the most effective ways to catch them.
Next-generation deception differs from detection-based honeypots because it also includes tools such as threat analytics, as well as integration with security controls, to proactively block attacks before any real damage can be inflicted.
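The tripwire idea from the opening paragraphs (any contact with a decoy is suspicious because no legitimate workflow touches it) and the integration with security controls described above can be shown in a few dozen lines. The following is an added example written for this page, not code from the original article or from any vendor product: it assumes a small decoy inventory and a handful of constructed firewall-style connection log lines, flags every source that touches a decoy, and escalates a source that probes several distinct decoys from "alert" to a "block" recommendation for an enforcement point. The asset names, addresses, log format and threshold are all invented for the illustration.

```python
"""Decoy tripwire detection over connection logs (added example, not from the page)."""
from collections import defaultdict

# Constructed decoy inventory: addresses that no legitimate user or service ever
# contacts. Any traffic to them is, by construction, worth a look.
DECOY_ASSETS = {
    "10.0.5.77": "decoy-fileserver",
    "10.0.5.78": "decoy-db",
    "10.0.9.12": "decoy-admin-console",
}

# Constructed sample log lines in a hypothetical format:
#   <timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>
# 10.0.2.15 sweeps three decoys in quick succession; 10.0.3.41 touches one.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.2.15 -> 10.0.5.10:445 allow
2024-03-01T10:00:04Z 10.0.2.15 -> 10.0.5.77:445 allow
2024-03-01T10:00:05Z 10.0.2.15 -> 10.0.5.78:1433 allow
2024-03-01T10:00:09Z 10.0.2.15 -> 10.0.9.12:443 allow
2024-03-01T10:02:30Z 10.0.3.40 -> 10.0.5.10:445 allow
2024-03-01T10:03:00Z 10.0.3.41 -> 10.0.5.77:22 allow
"""


def parse_line(line):
    """Split one log line of the constructed format into its fields."""
    ts, src, _arrow, dst_and_port, action = line.split()
    dst, port = dst_and_port.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "action": action}


def find_decoy_touches(log_text, decoys=DECOY_ASSETS):
    """Return {src_ip: [(timestamp, decoy_name, dst_port), ...]} for every decoy contact.

    Traffic to real assets is ignored entirely; only decoy contacts are kept,
    which is what makes the signal high-fidelity compared with generic IDS rules.
    """
    touches = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        name = decoys.get(rec["dst"])
        if name is not None:
            touches[rec["src"]].append((rec["ts"], name, rec["port"]))
    return dict(touches)


def triage(touches, block_threshold=2):
    """Map each flagged source to a response for the security controls.

    A single decoy contact raises an alert for analyst review; probing two or
    more distinct decoys looks like enumeration and is escalated to 'block'.
    The threshold is an assumption of this example, not a recommended value.
    """
    decisions = {}
    for src, events in touches.items():
        distinct_decoys = {name for _, name, _ in events}
        decisions[src] = "block" if len(distinct_decoys) >= block_threshold else "alert"
    return decisions


def firewall_rules(decisions):
    """Render 'block' decisions as constructed rule strings for an enforcement point."""
    return [f"deny from {src} to any" for src, action in sorted(decisions.items())
            if action == "block"]


if __name__ == "__main__":
    hits = find_decoy_touches(SAMPLE_LOG)
    verdicts = triage(hits)
    for src, events in hits.items():
        print(f"{src}: {verdicts[src]} ({len(events)} decoy contact(s))")
    for rule in firewall_rules(verdicts):
        print("push:", rule)
```

The design choice worth noting is that the detection never inspects payloads or signatures: the decoy inventory alone decides what is suspicious, which is why a misrouted legitimate connection is the main false-positive source and why the example keeps a single contact at "alert" rather than blocking outright.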
Countering the Counterattacks
To defeat deception and stay in business, malicious actors will need to take their tactics up a notch. One of the most important resources in the world of espionage is counterintelligence, and this will become more important than ever when attacking or defending an environment where moves are being carefully monitored.
Initially, defenders will have a distinct advantage, since they have access to levels of threat intelligence that cyber-criminals generally do not. Combining deception with threat intelligence – provided by security vendors, research-based threat feeds, and distributed learning nodes augmented with machine learning and AI – gives network defenders a clear view of the battlefield.
However, it is possible that the black hats will be able to mount a counter-offensive. Similar to how virtualization and sandboxing led to the development of sophisticated evasion techniques, attackers will need to learn to differentiate between legitimate and deceptive traffic without getting caught simply for spying on traffic patterns.
Organizations will be able to effectively counter this strategy (a form of counter-counterintelligence), though, by adding playbooks and AI to their deception strategies. Playbooks include specific details about cyber-criminals, malware, and attack patterns so they can identify an attack in its early stages and even anticipate and block the next move an attacker makes.
Actively monitoring live attacks caught in a deception trap will help refine the accuracy of these playbooks. They will not only help better detect criminals looking to identify legitimate traffic but also improve the effectiveness of deceptive traffic, making it more difficult to differentiate it from legitimate transactions.
Adding AI to the mix strengthens the position of defenders even further. AI will not only allow organizations to better automate tasks, but it can also enable an automated system to actively hunt for, discover, and counter attacks, not only during and after the fact, but even before they occur.
Combining machine learning with statistical analysis will allow organizations to develop customized action planning tied to AI to enhance threat detection and response. These threat playbooks could uncover underlying patterns that enable the AI system to predict an attacker's next move, forecast where the next attack is likely to occur, and even determine which threat actors are the most likely culprits.
By adding this information into an AI learning system, remote learning nodes will be able to provide advanced and proactive protection close to where a cyber event occurs, not only detecting a threat, but also proactively intervening and coordinating with other nodes to simultaneously shut down all avenues of attack without having to wait for a response from the central AI system.
Consequently, organizations ought to be able to respond to any counterintelligence efforts before they even happen, enabling them to maintain a position of superior control for the foreseeable future.
A Winning Combination
Cyber adversaries have capitalized on the security gaps caused by digital transformation, and have been evolving their methods by integrating the precursors of AI technology. This same strategy, augmented by the financial and technological advantages of an active white hat cybersecurity community, can also be used to defend those networks.
However, this will require a unified approach that is broad, integrated, and automated to enable protection and visibility across network segments as well as emerging edge environments and devices, from IoT to the cloud.
By combining integration, advanced AI, and actionable threat intelligence, organizations have a real opportunity to deploy advanced tools like deception to proactively protect against modern attacks and finally gain the upper hand against their cyber adversaries.