This document discusses 6 ways that organizations can use deception techniques to deter cyber attackers. It describes how distributed decoy systems can be used to distribute fake endpoint systems and reduce false positives. It also explains how intrusion prevention systems, next-generation firewalls, and web application firewalls can incorporate deception. Specific deception tactics covered include concealing valuable data, making infrastructure a moving target, providing false information, creating fake resources, using defensive feints, and gathering threat intelligence. The goal of these techniques is to waste attackers' time, shake their confidence, and make continued attacks difficult and time-consuming so they are abandoned.
www.forsythe.com
Forsythe is a leading enterprise IT company,
providing advisory services, security, hosting
and technology solutions for Fortune 1000
organizations. Forsythe helps clients optimize,
modernize and innovate their IT to become
agile, secure, digital businesses.
Sponsored by
Source: Ponemon Institute Cost of Malware Containment Report, 2015
alerts a week are received by the average organization through security controls
of these alerts are deemed reliable
We are gathering unprecedented amounts of data about threats. This helps with security, but also adds to the problem of false positives. They distract companies from dealing with legitimate security alerts.
False positives waste time, manpower and money we can't afford to lose.
Source: Enterprise Management Associates “Data-Driven Security Reloaded”, 2015
More than half of 200 IT and security administrators recently surveyed said too many false positives are keeping them from being confident in breach detection.
It takes an average of just 82 seconds before a phishing campaign gets its first click.
70-90 percent of malware samples are unique to a single organization.
In 60 percent of breaches, hackers are getting in within minutes.
Source: Verizon 2015 Data Breach Investigations Report
Source: Gartner, Emerging Technology Analysis: Deception Techniques & Technologies Create Security Technology Business Opportunities, July 16, 2015
By 2018, 10 percent of large enterprises will use deception tools and tactics, and actively participate in deception operations against attackers.
Distributed Decoy Systems
These solutions distribute fake decoy endpoint systems throughout the enterprise, and offer enhanced detection compared to more traditional solutions. Because legitimate users have no reason to interact with decoys, attacks can be rapidly identified and false positives greatly reduced.
Endpoint Protection Platforms
These systems can leverage deception to thwart malware installation by making attackers believe the endpoint is in a virtual environment in order to throw off malware profiling processes, or by emulating the processes of disparate anti-virus products to induce dormancy.
Intrusion Prevention Systems
IPS appliances can invoke deception within TCP at the network protocol layer. Basic deception techniques such as TCP tarpits can be used, and/or integration with more advanced deception technology such as decoy systems can be leveraged.
Next-Generation Firewalls
Firewalls with next-generation capabilities can enhance deception in protected network zones. Actions in specific policies can be set to "deceive", and deception responses can be generated either by the firewall itself, or through integration with other deception solutions.
WAFs and Application Deception Solutions
Web application firewalls (WAFs) and application deception solutions can help to disrupt attackers' automation with Web and Web application deceptions, Web browser and HTTP countermeasures, as well as the obfuscation of HTML content and application inputs to reduce attack surfaces.
Conceal valuable data in innocuous-looking files, and set up honeypots and facades that divert attackers from real assets, lead them to false intellectual property, or cause them to trip alarms. These techniques waste the attackers' time, shake their confidence, and increase their anxiety over being caught and exposed.
Obscure your infrastructure by making it a moving target, changing addresses, infrastructure topologies, and available resources daily. Virtualization makes it possible to build up and tear down resources at will. Software-defined networking (SDN) technology can virtualize the deception process while helping to build security management and control features into the network fabric. In short, take steps to prevent attackers from seeing the same infrastructure twice.
Divert or confuse attackers with false information. As highlighted under "concealment," you can supply the hacker with fake successes, responses, files, and assets to exploit. Lie about the most basic things that matter to an attacker: the presence of files, and the ability to open and use them. Your system could issue false error messages when asked to do something suspicious, or could claim that it can't download or open a suspicious file when it really can. However, it is important to remember that any false information given must not be easily disprovable.
Create counterfeit resources for the attacker to find, such as a fake website that looks like a Web portal to a large directory with a list of typical-sounding files and subdirectories (all fake). The attacker can click on subdirectory and file names to see what appear to be encrypted files, but the 'encryption' is just a random number generator. A variety of unauthorized or error messages will persuade the intruder to think they've stumbled upon valuable information, thereby wasting their time and drawing them away from the information they seek.
Screenshot, ENDPOINT4 details: IP 193.168.20.130; Host Type: Workstation; Domain name: Dom-RU; OU: OU-489; OS Name: Windows 7; OS Version: 6.1 (7601); Subnets: 193.168.20.0; Connection Types: Windows User; 6 Connections | 5 Deceptions. Legend: Decoy User Credentials, Decoy Admin Credentials, Real User Credentials.
In this zoomed view, we see a machine that had only 1 real user credential and now has 5 deception user credentials added, of which 2 are admin (crown).
Use defensive feints to pretend to succumb to one form of attack in order to conceal a second, less-obvious defense (this is called a nested deception). For instance, you could deny buffer-overflow attacks on most ports (access points) of a computer system with a warning message, but pretend to allow them on a few for which the effects of the attack are simulated.
Gain actionable insights and intelligence by gathering threat intelligence feeds and adversary indicators that define and describe trends, tendencies, methods, and actions taken by attackers. This will help you maintain an awareness of existing and emerging threats and achieve insight into attackers' plans, so your deception strategy can be adjusted before those plans turn into action. There are a variety of threat intelligence services your organization can subscribe to in order to aggregate data and help to determine which information is actionable.
Attackers don't waste time on attacks that won't result in high-value information. The use of deception techniques can uniquely position your organization to detect and disrupt an attacker's lateral movement, and make it so difficult and time-consuming for them to continue that they are likely to abandon the effort.
Authors:
Ben Holder
Master Consultant
Forsythe Security Solutions
Shlomo Touboul
CEO
Illusive Networks