Professional Documents
Culture Documents
FA22230103403 Reference Material I 10-08-2022 Lect 7 1
FA22230103403 Reference Material I 10-08-2022 Lect 7 1
https://www.helpnetsecurity.com/2018/12/06/introduction-
deception-technology/
This issue of human versus automated control is equally relevant to both the offensive
malicious actor and the defensive team employing the deception. In both cases, the functional
goal of enacting a misleading environment to trick the adversary is the same. Both use
diversionary measures to redirect normal activity from real assets toward a set of deceptive or
fake assets that are put in place for defense. Both cases also address how an organization can
significantly improve their overall security posture via deception.
The schema for any deceptive system is straightforward. Benign and malicious users each
access a common interface, although schemes do exist where the deceptive interface is
hidden from typical employee workflows, which highlights anyone really looking for an
entry point. The common interface then includes functionality that redirects access to the
deceptive system through use of deceptive lures and decoys. This is a powerful concept that
changes the nature of cyber security risk management.
One challenge in any deception-based scheme is that an adversary might be capable, and not
easily fooled by a phony entry point, interface, or service. Similarly, an automated attack
such as from a botnet will not be swayed by any human or subjective hints or traps that might
trick a human. This does not, however, remove the possibility that deception can prevent
automated attacks, but rather – it changes the required strategy.
Many enterprise teams have been considering use of deception for years, but these factors of
inevitability and context will hopefully convince security teams that this time is right now for
an effective deployment of deception to the enterprise.
High value to cost ratio – The cost of using deception in any adversarial situation is
generally low, as compared with the cost of introducing more active functional
controls into live systems. A non-computing example from the Second World War is
the use of mocked up military vehicles and equipment, including inflatable tanks,
which looked like an entire army to aerial reconnaissance, tricking the enemy about
both the objective of an upcoming attack and the strength involved. Obviously,
inflatable tanks were much less expensive than real ones.
Supports strategic analysis – Any deceptive sting operation provides the opportunity
for analysts to observe, review, interact with, and learn from an active offensive actor.
The insights gained allow for safe engagement with an adversary under controlled
conditions that prevent live assets from being destroyed or compromised.
Ease of deployment and use – For most applications, the deployment of deception is
relatively simple – perhaps for the same reason that building a Hollywood façade row
of buildings is easier than building an actual city. Clearly, the amount of work that
goes into deployment will be directly related to the authenticity and believability of
the deceptive trap and content.
For these reasons, applying deception to computing is a natural progression of modern cyber
risk management. In fact, one might view the introduction of deceptive technology, as
exemplified by the Attivo Networks solution offerings, as one of the more impressive and
exciting aspects of the cyber security industry. I am encouraged to see the company’s current
momentum and the traction they are achieving with critical infrastructure applications and
medical IOT device threat detection.
The original conception of honey in a deceptive system often involved a human defender
interacting in real-time with a human attacker. The resulting back-and-forth would follow a
human-time cadence where the strategy would unfold like in a chess match. Bill Cheswick
wrote back in the 1990’s of his experiences at Bell Labs trapping a live hacker by using
crafted and enticing information provided specifically for such purpose. He wrote this:
“On 7 January 1991, a cracker, believing he had discovered the famous sendmail DEBUG
hole in our Internet gateway machine, attempted to obtain a copy of our password file. I sent
him one. [1]”
The manual creation of a honey pot requires great skill and insight on the part of the
defensive team. They must understand the interest tendencies of a human actor as well as the
functional tendencies of an automated one. This requires that the process for creating,
maintaining, and supporting a honey pot must follow a well-developed lifecycle process to
ensure that meaningful and effective deceptive content is in place. (Luckily, commercial
platforms such as from Attivo Networks ease this task considerably by introducing practical
deceptive traps that are less dependent on manual creation of honey pot content.)
Traditional honey pot lifecycle
The lifecycle for honey pot content starts with researching the attributes of an adversary. This
can include human tendencies for honey pots designed to entice a person or group to some
deceptive content. The second step involves creation of the honey content, in a manner
consistent with the consumption model of the target. If a botnet is being targeted by the
honey pot, then the content must be consistent with what a botnet might be programmed to
find.
The third step involves realistically deploying the honey pot in a manner that will not offer
clear evidence to the adversary of the deception. Working with a competent vendor such as
Attivo Network will help you assess whether this type of approach can work in your
environment. Finally, the lifecycle continues with monitoring of the honey pot usage to
influence adjustments or to round out the research understanding of what works to entice the
target.
The primary requirement for a honey pot is that it must establish persistence of a potential
adversary to a deceptive system. Common examples include files of interest (such as the
password file provided by Cheswick to his cracker), bogus machines, links to bogus systems,
and even fake networks or documents. This must work for both humans expressing interest,
as well as automated attacks that are programmed to seek specific types of content.
It’s important to recognize that legal considerations exist in most countries to protect
innocent citizens and groups from being lured by an overly aggressive defender. Most
vendors such as Attivo Networks provide solutions that are well-within the boundaries of
reasonable network controls in every conceivable setting. Furthermore, once an adversary is
already inside an enterprise, it is generally considered fine to employ means to protect assets.
Basic schema for deception in computing
The basic high-level architecture for deception in a typical enterprise or network includes
several components. First, there are the deceptive traps placed strategically into a target
system of interest. Second, these traps require a secure communication path to a deception
collection and analysis system. And finally, set-up, support, and content require an
administration system for day-to-day support. Native integration of the deception into the
target environment simplifies all of these tasks considerably.
Obviously, this deception schema is high-level and is intended to provide a basic, notional
view of how most enterprise networks would deploy a commercial deception tool. Security
technology companies such as Attivo Networks continue to refine their offerings to ensure
optimal integration into the evolving enterprise – which everyone can agree is moving toward
more extensive use of public cloud and mobile networks.
In addition, it is worth mentioning that deception solutions were rarely integrated into
production designs. Instead, in the early days of cyber security, target systems were in
operation before deception was added to the defensive architecture. As such, most modern
deception deployments, including commercial solutions from Attivo Networks, will usually
involve an architectural overlay onto existing networks, systems, applications, and databases.
Good news is that machine learning and related advanced heuristics are beginning to simplify
this process considerably. Present and future deployments of deception will increasingly rely
on such heuristic processing to automate the generation, deployment, and on-going
operations of deception campaigns and their authenticity.