By Nahim Fazal, BAL – Cyber Threat Intelligence, CounterCraft
World War II. Intense tank battles are taking place in North Africa and Allied forces are pitched against the might of Rommel and his formidable German tank divisions. It is a battle that is being lost due to the superior equipment the Germans possessed, and Allied command needed to introduce a new tactic to help them even up the battlefield. They turned to deception. The Allied powers started to make extensive use of agents to encourage the Germans to believe that attacks would take place at certain times and places. They never did. This tactic proved extremely useful in exposing chinks in the Germans’ armor, as well as their techniques for deploying tank formations. It didn’t end there. The most extensive phase of the deception program came in 1942, when the Allies managed to deceive the Germans about troop movement and location. The deception was multi-layered, involving radio signals, agents, and the deployment of fake infrastructure. This was done to combat German aerial reconnaissance. The deception campaign convinced Rommel that the Allies were going to concentrate their attacks in the north, when in fact the attack came in the south.
What the battle demonstrated is the capacity and complexity of a successful deception campaign. However, some tend to reduce deception to nothing more than a simple honeypot. Deception is not to be dismissed, and to be truly effective it needs to be multifaceted and multi-layered, just as it was against Rommel and his forces. The battle of El Alamein demonstrates just how powerful deception can be in manipulating an adversary into revealing his tools, techniques, and procedures, ultimately delivering intelligence that can be acted upon to frustrate and defeat a threat. The concept of deception and how it can be used to strengthen defenses and identify internal and external threat actors is relatively new. In this article, I will demonstrate how CISOs and their security teams can use it to significantly increase their ability to identify and deflect potential attackers. This is not just about security; organizations spanning every sector are currently embarking on ambitious digital transformation programs. In the first instance, the foundations for successful transformation require consumers to trust organizations with their data, and robust frameworks are being introduced to enforce this. You don’t need reminding of the recent entry into force of the EU GDPR (General Data Protection Regulation). But let us take a step back and examine where we are today when it comes to network intrusion and detection.
There is no escaping the fact that the frequency and impact of newsworthy data breaches are on the up. Reflecting on some of the big breaches reported so far in 2018, the list is littered with well-known brands such as Verizon, Uber, Deloitte, Equifax and Dun & Bradstreet. In each case, it was customer information that the threat actors sought, found and extracted, affecting millions of end users. What this demonstrates is that the current technology sets deployed to prevent data breaches are simply not able to do so. This is unsurprising when we factor in the ever-evolving threat landscape, the diversity of the threats, and the budgetary and resource constraints that most organizations face. The costs associated with data breaches are staggering. Aside from any liability that may have existed under GDPR had it been in force, the cost alone should be a compelling reason for organizations to examine alternative and more advanced technology to help minimize the risk of incurring the financial loss and reputational damage that comes with a data breach.
So, the first key problem that CISOs face is how to effectively defend their network perimeters, which in 2018 are probably a complex mix of multiple different technology stacks, and likely distributed across the globe. This scenario alone makes the job of a SOC team infinitely more complex. Factor in the number of existing security tools that are firing off alerts on a regular basis and the task of identifying real APT or zero-day threats becomes almost impossible. These types of sophisticated attacks have the ability to silently slip under the radar of existing network security measures and go undetected. And external threats represent just one aspect of the challenge; we must consider the additional risk of insider threats too. There will be employees with detailed knowledge of the corporate network and where critical data assets are located within it. Their behavior wouldn’t trigger any legacy security toolsets because it would fall within the normal range of expected behavior. The 2017 Verizon Data Breach Investigations Report identified a 75:25 split between breaches carried out by external perpetrators and internal threat actors, for those included in the study.
Some organizations have resorted to using threat intelligence in an attempt to become better informed and better equipped to identify the vast array of threats out there. The problem with this, however, is the poor quality and generic nature of the threat intelligence collected, which together render it very difficult to act upon. This is where distributed cyber deception platforms offer value.
To summarize, the key pain points for CISOs are:
- The inability to detect corporate network breaches in a timely manner
- Effectively detecting the insider threat
- The inability to detect advanced attack techniques that leverage APT and zero-day threats
- Too many false positives associated with current technology
- Regulatory demands for effective breach detection and investigation
- Targeted, client-specific threat intelligence
- Equipping the SOC team with the tools they need to be more efficient
- Missed alerts
With each pain point identified above, there is an associated cost and the potential for a data breach running into hundreds of millions of dollars. These issues simply can’t be ignored. At board level, leadership teams increasingly expect to see a cohesive strategy that details how the risk of regulatory fines and costs associated with data breaches will be managed effectively.
It must be said that not all deception technology is equal. There are many different approaches to the steps required to identify threat actors and, through the use of deception, prevent a breach by moving them out of the production environment and into the deception platform. CISOs should look for some, if not all, of the following characteristics (please note this is a starting point rather than an exhaustive list).
Event management & alerting
The deception platform should produce zero false positives; therefore, the event alerting should be concise, clear and feature-rich. This means detailed intelligence on what triggered the alert, who triggered the alert, and the ability to track the source of the alert right through all of the deployed deception assets. Attack graphs are particularly useful to SOC analysts here, as they help to address missed alerts and the volume of false positives generated.
Automated complex defense responses
To effectively reduce the workload for the SOC team, the deception technology should include automated functionality. Automation allows the deception environment to be manipulated in response to the attacker’s actions. This targeted intelligence informs incident response processes with the level of sophistication needed to save time, money and resources. Consequently, the SOC team is empowered to operate more efficiently, their time freed up to focus on real threats targeting the wider network.
Complex range of deception hosts
In order to effectively identify threat actors within your network and keep them engaged in the deception environment, the deception platform must be capable of deploying a diverse and rich range of deception hosts. Fully functional operating systems covering both Windows and Linux should be a baseline requirement to support this. In addition, routers, Wi-Fi access points, and even mobile devices should all be considered for use as deception assets.
Remember that the richer and more complex the deception environment, the more likely you are to root out not only external threats but those that lie inside your network too. But it should not stop there. One of the final key points identified earlier was the lack of client-specific intelligence. You need to know who is attacking, how they are attacking, and what data sets they are after – if that is in fact what they want. This means any deception technology should be able to deploy external deception campaigns in order to collect detailed information on the threat actors targeting your organization. You cannot create a cohesive security strategy unless you can answer some basic questions: am I being targeted by low-level threat actors relying on third-party tools and automation, or am I, in fact, being attacked by APTs using bespoke toolkits and crafted malware?
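The alerting and attack-graph characteristics above, and the triage question that closes this section, can be shown concretely. The following is an added example written for this article, not code from CounterCraft’s platform: it takes constructed event records from three decoy assets (any touch on a decoy is suspect, since decoys have no legitimate users), builds each source’s path across the deployed deception assets, and applies a simple, assumed heuristic to separate rapid automated scanning from slower interactive activity so an analyst knows which alert to open first.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events from three decoy assets (not real data).
# Decoys have no legitimate users, so every interaction is worth an alert.
EVENTS = [
    {"ts": "2018-06-01T10:00:00", "src": "10.0.5.23", "asset": "decoy-fileserver-01", "action": "smb_auth_fail"},
    {"ts": "2018-06-01T10:00:01", "src": "10.0.5.23", "asset": "decoy-router-01", "action": "ssh_auth_fail"},
    {"ts": "2018-06-01T10:00:02", "src": "10.0.5.23", "asset": "decoy-win-01", "action": "rdp_auth_fail"},
    {"ts": "2018-06-01T11:15:00", "src": "10.0.7.41", "asset": "decoy-fileserver-01", "action": "smb_login_ok"},
    {"ts": "2018-06-01T11:19:30", "src": "10.0.7.41", "asset": "decoy-fileserver-01", "action": "file_read:payroll.xlsx"},
    {"ts": "2018-06-01T11:26:10", "src": "10.0.7.41", "asset": "decoy-win-01", "action": "rdp_login_ok"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def build_attack_graph(events):
    """Group decoy events per source and return, for each source, the ordered
    path of deception assets it touched and the edges between consecutive assets.
    This is the per-source trail an analyst follows across the deployed decoys."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_src[e["src"]].append(e)
    graph = {}
    for src, evs in by_src.items():
        path = []
        for e in evs:
            if not path or path[-1] != e["asset"]:   # collapse repeated touches
                path.append(e["asset"])
        graph[src] = {"path": path, "edges": list(zip(path, path[1:])), "events": evs}
    return graph

def triage(entry):
    """Assumed heuristic for this example: many decoys touched within seconds with
    only failed logins reads as automated scanning; slower, successful activity that
    reaches decoy data reads as interactive and goes to the top of the queue."""
    evs = entry["events"]
    span = (parse_ts(evs[-1]["ts"]) - parse_ts(evs[0]["ts"])).total_seconds()
    fails = sum(1 for e in evs if e["action"].endswith("auth_fail"))
    touched_data = any(e["action"].startswith("file_read") for e in evs)
    if len(entry["path"]) >= 3 and span <= 10 and fails == len(evs):
        return "automated-scan"
    if touched_data or (span > 60 and fails == 0):
        return "interactive-likely"
    return "review"

if __name__ == "__main__":
    for src, entry in build_attack_graph(EVENTS).items():
        print(src, triage(entry), " -> ".join(entry["path"]))
```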
CISOs should be actively researching deception technology during the course of 2018. The rationale behind this is a powerful mix of regulatory guidelines and the increasing probability of attackers breaching your network.
There are significant business benefits to be leveraged through the use of such technology, including, but not limited to:
- Faster detection of threats at a lower cost
- Enhanced detection of advanced threats
- Collecting specific threat intelligence on if and how you are being targeted
- Developing a cohesive security strategy based on objective data sets
- Reducing false positives and not missing alerts
- Reducing the overall cost of detection
- Potential to reduce your overall security spend
- Delivering rigorous management information on how effectively the cyber risks are addressed
Ultimately, for a CISO, a deception platform will vastly reduce the probability of your organization suffering a data breach, regardless of the source. It will provide you with informed data analytics that quantify and qualify your risk exposure to threat actors, and provide you with detailed intelligence on which attack surfaces and tools might be used to target your organization. These data sets will not only inform where you should be focusing your limited security resources, but also demonstrate to the board how effectively you are managing cyber risk, and what you’re doing to improve your organization’s overall security posture.
About the Author
Nahim Fazal is the Business Area Lead – Cyber Threat Intelligence at CounterCraft. He has over 12 years’ experience developing and delivering innovative cyber threat solutions, having honed his cyber threat intelligence skillset within multinational financial services organizations including RBS and HBOS. At CounterCraft, he is responsible for aligning the cyber deception platform with the unique needs of a broad range of industry verticals across the globe. Nahim can be reached online on LinkedIn and at our company website https://www.countercraft.eu/