As software supply chain attacks increase, cybersecurity talent wanes, and alert fatigue leads to burnout, an always-on, defense-first mentality will no longer suffice. While many defense strategies aim for zero incidents across an entire network, it’s time to reevaluate that thinking. Take a page out of the bad actors’ book by implementing new strategies that ensure fast detection and intelligence collection.
Enter cyber deception. Cyber deception is a proactive cyber defense methodology that, when executed well, puts the defender in the driver’s seat. It enables defenders to lead the attacker and gather intelligence about the adversary’s tools, methods, and behaviors via a system of honeypots, lures, tripwires, and much more. It is a strategy that cyber professionals deploy to gain the upper hand in operations against attackers, decreasing dwell time, obtaining valuable cyber threat intel, and mitigating data loss.
However, people oftentimes have a hard time grasping how cyber deception is going to assist them. The word “deception” has a negative connotation, leaving cyber professionals unclear about how effective it can really be. But organizations must accept that cyber defense is quickly shifting toward proactive operations. Playing catch-up is no longer an option.
Understanding who benefits most from cyber deception, knowing the skill sets and technologies that must be applied throughout, and learning how organizations can successfully deploy this defense mechanism are crucial steps to getting started.
Who Benefits Most
The most frequently asked question is who will benefit from cyber deception — and who won’t. When it comes to knowing whether your organization is up for the task, first consider your environment. If you have existing cybersecurity solutions, such as endpoint detection and response (EDR) and security operations centers (SOCs), systems that require high-fidelity alerting, or robust threat intelligence capabilities that can conduct analysis, produce reports, and shape public security postures, you’re a good candidate.
However, deception will never be an effective solution for a team that does not have the resources to address alerts in a timely manner. It is meant to give the defenders an opening by producing high-fidelity alerts on top of existing solutions; without the proper staffing, these alerts become useless. Cyber deception would be inappropriate for even a large enterprise environment if it doesn’t have a dedicated team to help manage the deception.
What Skill Sets and Technologies Are Required
Staffing a highly skilled and experienced team, with a breadth of experience working in blue team/red team scenarios, is key. Adequate training helps these teams deploy high-interaction decoys, lures, and services that will truly entice threat actors. For an even stronger approach, having logging/alerting solutions that help them respond to these “tripwires” in a timely manner will make all the difference.
On the technology front, honeypots, breadcrumbs, lures, and canary tokens are all crucial tools for tripping high-fidelity alerts that identify threat actors. These deception tactics work by simulating critical infrastructure, services, and configurations so that attackers interact with false IT assets instead of real ones. This effectively increases the cost of an attack.
However, these techniques present logistical deployment issues and challenges. They are difficult to distribute widely and require significant resources to implement and maintain, so security teams can usually deploy only a limited number of them. As a result, there are times when a team lacks the tools and resources to use deception effectively as a moving-target defense for detecting cyber threats.
How to Deploy Cyber Deception Successfully
To deploy cyber deception using a commercially available product, it is important to start with a plan that considers what comes with the product. From there, you should:
- Take time to fully understand the product in place, establishing what it can and cannot do. After an initial pilot, prioritize a strategy around your high-value assets first if your organization is ill-prepared for an enterprise deployment.
- Ensure that your staff is fully trained on the platform well in advance of the actual product deployment. They must be prepared to fuse this actionable data into routine SOC operations.
- Identify and understand where within your environment stakeholders are comfortable using these deception products. If your CISO is not comfortable with a robust deception strategy, consider at least seeding false administrative credentials to defend against that common threat vector.
And if you don’t want to use a commercially available product? The deployment plan would include preparation similar to the items outlined above, replacing the product with in-house experience and tools. These steps should include, but are not limited to:
- Develop the servers, services, and shares in a manner that is enticing to an attacker while also being able to alert immediately when they are interrogated.
- Deploy and manage multiple sensors to feed back to an operations center.
- Train and enable network defenders to be able to respond to these threats in a timely manner.
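One way to implement the alerting side of the steps above, together with the seeded false administrative credentials mentioned in the previous section, as an added example that is not part of the original article: a small Python monitor that scans authentication and share-access events for any reference to a decoy account. Because no legitimate user or process should ever touch a seeded credential, every hit is a high-fidelity alert, whether the logon succeeded or failed. The account names, source addresses, and key=value log format are all constructed for this illustration and do not correspond to any vendor's real log format or to the article's environment.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Decoy ("honey") account names seeded into the environment.
# Constructed, hypothetical names for this example.
DECOY_ACCOUNTS = {"svc_backup_admin", "da_legacy"}

# Constructed sample events in a simplified key=value format.
# This is not any vendor's real log format; a real deployment would parse
# Windows security events, auth.log, or an EDR/SIEM feed instead.
SAMPLE_LOGS = [
    "ts=2024-05-01T10:02:11Z event=logon result=success user=alice src=10.1.4.23 host=ws-alice",
    "ts=2024-05-01T10:05:42Z event=logon result=failure user=svc_backup_admin src=10.1.9.77 host=fs01",
    "ts=2024-05-01T10:05:44Z event=logon result=failure user=svc_backup_admin src=10.1.9.77 host=fs01",
    "ts=2024-05-01T10:06:01Z event=share_access user=bob src=10.1.4.31 host=fs01 share=finance",
    "ts=2024-05-01T10:07:19Z event=logon result=success user=da_legacy src=10.1.9.77 host=dc01",
    "ts=2024-05-01T10:08:03Z event=logon result=success user=carol src=10.1.4.40 host=ws-carol",
    "this line is malformed and carries no fields",
]

# One key=value pair: word characters, '=', then a run of non-whitespace.
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    """A single decoy-credential hit, shaped for hand-off to a SOC queue."""
    ts: str
    user: str
    src: str
    host: str
    event: str
    severity: str


def parse_line(line: str) -> dict:
    """Parse one key=value event line into a dict.

    Malformed or free-text lines simply yield an empty dict, so a noisy
    feed does not break the monitor; they are skipped, not alerted on.
    """
    return dict(KV_RE.findall(line))


def detect_decoy_use(lines, decoys=DECOY_ACCOUNTS):
    """Return one Alert for every event that references a decoy account.

    Both successful and failed use are reported: a failed logon against a
    seeded credential still means someone found and tried the lure. A
    success is rated higher because the attacker now holds a session.
    """
    wanted = {d.lower() for d in decoys}
    alerts = []
    for line in lines:
        fields = parse_line(line)
        user = fields.get("user")
        if user is None or user.lower() not in wanted:
            continue
        severity = "critical" if fields.get("result") == "success" else "high"
        alerts.append(Alert(
            ts=fields.get("ts", "?"),
            user=user,
            src=fields.get("src", "?"),
            host=fields.get("host", "?"),
            event=fields.get("event", "?"),
            severity=severity,
        ))
    return alerts


def summarize(alerts):
    """Group alerts by (source address, decoy account).

    The SOC then sees one row per attacker/decoy pair with a hit count,
    rather than one ticket per log line, which is what keeps the signal
    actionable when a lure is hammered repeatedly.
    """
    return Counter((a.src, a.user) for a in alerts)


if __name__ == "__main__":
    hits = detect_decoy_use(SAMPLE_LOGS)
    for a in hits:
        print(f"[{a.severity.upper()}] {a.ts} {a.event} user={a.user} "
              f"src={a.src} host={a.host}")
    for (src, user), n in summarize(hits).items():
        print(f"{src} touched decoy {user} {n} time(s)")
```

The important design choice is that the decision rule needs no thresholds or baselining: the decoy account set is the whole detection logic, which is why deception alerts are high-fidelity compared with anomaly-based rules. Feeding `detect_decoy_use` from each sensor and aggregating with `summarize` at the operations center mirrors the sensor-to-SOC flow the steps above call for.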
Without a framework, threat actors can easily work their way around a cyber deception plan, likely giving them the upper hand in such a time-sensitive environment.
Cyber deception tactics, techniques, and procedures (TTPs) have been around for quite some time, but they have recently gained mainstream attention because they can assist in credential compromise detection in zero-trust approaches. Deception technology will likely become more commonplace as an effective tool to complement existing defenses and tactics; however, the proper education, skill sets, and training are needed to make it a formidable defense mechanism for cyber generations to come.