The Potential of Deception Technologies

All warfare is based on deception

Sun Tzu

Author: Pablo Canseco

Abstract

Sun Tzu wrote: “All warfare is based on deception.” This adage is finding new maturity in a digital age where families of security controls must be reinforced with a diversity of other cyber defenses, such as deception technologies.

In 2018, the need to “defend forward” became part of a new strategic frontier adopted by U.S. Cyber Command, which seeks to take a more active role against the aggressive behavior of nation states that leverage asymmetric, non-kinetic means to destabilize the United States, such as active-measures campaigns of disinformation or influence. (U.S. Department of Defense, 2018) In that spirit, we are witnessing an increase in novel developments in technologies that are part of concerted efforts to thwart threat actors in cyberspace.

With the advent of new, daily, and rapidly evolving cyber threats, the need to collect intelligence, and the new demands of cyber conflict, deception technologies can offer significant advantages not only in identifying the threat, but in gathering vast amounts of information, with important consequences for threat identification and operational threat intelligence that can better prepare, aid, and support any organization’s security goals.

Threat Intelligence and Deception Technologies

“Intelligence is about reducing uncertainty by obtaining information that the opponent in a conflict wishes to deny you.”—Robert M. Clark, author of Intelligence Analysis: A Target-Centric Approach

Cyber risk in today’s digital age is varied and not the same for every company or industry. While there are cybercrime trends, threat intelligence can become an important component of an organization’s cybersecurity strategy; yet, according to a recent survey by the SANS Institute, only 60% of companies surveyed incorporate threat intelligence into their strategic cyber defense plans. (CrowdStrike, n.d.)

CrowdStrike delineates three important categories of Cyber Threat Intelligence, or CTI. Tactical intelligence focuses on what the threat is and its composition, and is primarily made up of Indicators of Compromise. These can take the form of file hashes, known malicious IP addresses, malicious email senders, compromised URLs or domains, and so on.

A second category is Operational Intelligence, which seeks to answer the questions of who the threat actor is, why they pose a risk to the organization, and how they seek to compromise it. In other words, Operational Threat Intelligence looks not only at the motivational aspect of an adversary, but also delves into how skillful an attacker might be in achieving their intent, and what their focus might be. This category of intelligence gathering relates to the collection and analysis of an adversary’s TTPs, or tactics, techniques, and procedures.

Operational Intelligence gathering is the collection of adversary information most relevant to this paper, as it can be correlated with the implementation of deception technologies, also known as Cyber Deception Systems, or CDS.

A third Threat Intelligence category is concerned with the long-term movement of geopolitical situations; this intelligence is one of the most difficult to gather, as it requires human collection and analysis that demand an understanding of global events, foreign policies, and the undertakings of large organizations or nation states.

Another point to consider when contemplating cyber threat intelligence and the threat landscape is that, according to a 2017 study, around 80 percent of threats are commodity threats, which are carried out with widely known tools. (Stout & Urias, 2017) This means that threat identification can be improved by focusing on TTPs, especially with the use of deception technologies.

The Psychology of Deception

“When we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near,” wrote Sun Tzu.

If an organization can appear to have been successfully infiltrated by an adversary through the use of a deception technology, the organization can seem vulnerable to the attacker, whose thinking and intent will be reflected in their actions. The appearance of vulnerability can draw the attacker into believing that they are near to achieving their mischief when they are actually far from it; it can also affect the attacker’s decisions and make it easier to disclose the attacker’s capabilities and objectives. (Ferguson-Walter et al., 2018)

Deception is a form of adversary engagement. (Stout & Urias, 2017) In the context of one of the most pernicious and persistent threats the U.S. has faced recently in cyberspace, active measures through disinformation campaigns are seen by Russia as part of its constant asymmetric warfare in lieu of kinetic, or more traditional, means of conflict against those Russia perceives as superior in the conventional military sense. In Russian military thought, asymmetric operations are considered an aggregate of overall operations, and can even be used as a reflexive control tool, i.e., making an adversary do to themselves what an opponent would do to them by means of deception. (MITRE, Military Thought, p. 5-3)

While it would be hotly contested to say that threat actors are technically superior to, or more intelligent than, their adversaries, I believe we can argue that if an attacker has set foot past an organization’s defense perimeter, they have a vantage point. This is where asymmetric thought and ‘defend forward’ concepts can be married to create strategic, technical information about a threat, including those that have penetrated an organization’s secure domain.

In one of the largest studies in a controlled environment, named the Tularosa Study, individual red teamers were asked to run penetration tests in a capture-the-flag-style format on systems that some of them knew contained deception decoys, though no real flags were present, to avoid skewing the experiment. The experiment concentrated largely on the participants’ behavior and psychological state of mind while conducting reconnaissance and exploitation of systems that included decoys, but its conclusions were demonstrably absent. The experiment limited the use of tools, had observers in the room, encouraged participants to vocalize their thoughts, kept notes, and studied logs, but it raised many more questions than it answered. (Ferguson-Walter et al., 2018)

Lures, Breadcrumbs, Decoys

Though they appear to have a relatively short history, deception technologies have been most associated with honeypots: systems that can lure attackers to attractive targets but have no consequential value. In their infancy, honeypots were real systems, but they have increasingly relied on virtualization technology to falsify files, content, metadata, database records, RAM data, and registry records, among others, in what is referred to as host-based techniques. (Stout & Urias, 2017) The chase after decoys can lead the attacker to waste time, effort, and money pursuing digital baits explicitly left for that purpose.

Honeypots and, more broadly, honeynets have not just evolved in capabilities, but are also seen as predecessors to a new generation of cyber deception systems that build on the premise of broader intrusion visibility, early detection, and fewer false positive alerts. (Bushby & Fidelis Cybersecurity, 2019)

Honeycomb Family of Security and Privacy Controls

Managing risk takes a careful and methodical balance between controls. Recently, NIST Special Publication 800-53 revision 5 was released with twenty security and privacy control families, expanded from eighteen families in revision 4. (National Institute of Standards and Technology, 2020)

There are some notable mentions in SP 800-53 rev. 5 that allude to deception, its use, and its relation to other control families. The System and Communications Protection control SC-26, in support of critical business functions and mission, recommends the deployment of decoys for the purpose of detecting, deflecting, and analyzing malicious activity, though it cautions that any malicious payload should be isolated from other segments of the network or systems as it is being deflected. (National Institute of Standards and Technology, 2020)

As an enhancement to the recommendations in Incident Response control IR-4, behavioral analysis of a threat in a deception environment is recommended, by analyzing the timing of the event along with the threat’s attack patterns and gaining insight into the attacker’s tactics, techniques, and procedures. (National Institute of Standards and Technology, 2020)

In any risk mitigation effort, it is commendable to reduce an organization’s attack surface as much as possible. Concealment and misdirection can close windows of opportunity for attackers, as well as shrink an organization’s attack surface. SC-30 reinforces the idea of concealment through the use of virtualized environments to effectively disguise systems while minimizing costs. A related control is found in SC-44, which advocates for a controlled detonation chamber, with the idea of executing or opening high-risk applications and attachments in an isolated sandbox environment, though NIST recommends that detonation chambers not be a long-term solution. (National Institute of Standards and Technology, 2020) A detonation chamber can be effective in deflecting phishing attacks lured by fake email accounts that have been explicitly set up for monitoring and studying such attacks.

Other elements to deceive an adversary, continuing from SC-30, include the use of randomness, which can increase uncertainty that affects the threat actor’s decisions, makes them invest more time and resources, all while closing the window of opportunity, and prods the attacker to make mistakes or step on decoys, increasing their likelihood of getting caught. (National Institute of Standards and Technology, 2020) In dynamic networking, adding a layer of NAT to constantly change the outward-facing identity of systems through their IP addresses or TCP/UDP ports has proven useful in detecting intrusions. (Stout & Urias, 2017)

The Insider Threat

The act of deceiving an adversary takes away their time from attacking the real prize; however, one of the main advantages of deception technologies is their ability to aid in the quick identification of a threat, so that incident handlers can respond quickly with containment and eradication.

In 2017, Ponemon Institute Research found, in a sample of 419 companies, that the mean time to identify a data breach was 191 days. Further, Ponemon found the average cost of a data breach for those companies that identified the threat within 100 days to be $2.80 million. The average cost of a data breach identified beyond 100 days was $3.83 million. (Ponemon Institute Research, 2017)

In 2020, the average data breach cost in the United States jumped to $3.86 million. (IBM Security, 2020) As we have highlighted in this paper, the overall average cost of a breach increases with the time taken to identify the threat, which places a heavier emphasis on an organization’s ability to employ technologies that can accelerate threat identification.

Furthermore, many enterprises rely heavily on sensor data at the ingress and egress perimeter, which includes network flow, packet capture, proxies, IDPS, or other network blocking systems. (MITRE, Finding Cyber Threats, 2017, p. 17) This perimeter-based approach means that once an intruder has made it through the door, the likelihood of detection decreases unless it is countered through Network Security Monitoring, threat hunting, deception technologies, and other means.

Ransomware

Destructive attacks are those that seek to destroy or wipe data; among destructive attacks is ransomware. Their destructive effect makes them distinguishable from a data breach, and they are reportedly costlier, at an average of $4.52 million. (IBM Security, 2020)

A hallmark of ransomware behavior is to encrypt data files. A key indicator of ransomware like WannaCry, for example, is that it appends a .WCRY extension to the encrypted data files. (Berry, et al., 2017) If a ransomware worm has infiltrated your infrastructure and is encrypting an organization’s files in real time, every second is pivotal. But how do we leverage deception technology against a threat such as ransomware?

Cyber threat intelligence has provided us with insight into host- and network-based signatures, indicators of compromise, etc., but we also know that malware code can be recycled, and to that effect well-known signatures may also change. However, we also have observable knowledge of how many malware samples behave. In our example of WannaCry, we know that a key behavior and indicator is the renaming of files.

Imperva, named a leader in Gartner’s 2020 Magic Quadrant for Web Application Firewalls, advocates for keeping an audit trail of files and related access across the organization, while monitoring for patterns of anomalous behavior. (Gartner Research, 2020) Imperva’s SecureSphere File Security strategically plants hidden files, which are constantly monitored and trigger alerts if they are subjected to operations such as overwriting and renaming. (Imperva, n.d.) If decoy files, or honeytokens, show early signs of a true positive intrusion, they can also alert incident handlers to which endpoints and end-users are affected, which can inform the containment phase. Honeytokens refers to fake data that may not necessarily be visible to users but can trigger warnings if tampered with. (MITRE, 2019)
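To make the decoy-file idea concrete, here is an added example (written for this article, not Imperva’s or any vendor’s code) of a minimal decoy monitor: it plants files, baselines their hashes, and raises alerts when a decoy is overwritten or renamed, or when a file carrying a WannaCry-style .WCRY suffix appears among the decoys. The file names and the suffixes beyond .WCRY are constructed placeholders.

```python
"""Decoy-file monitor, an added example of the file-honeytoken approach
described above. Illustrative code for this article, not Imperva's
SecureSphere or any vendor product.

Decoys are planted with random content and a SHA-256 baseline recorded.
Each sweep reports RENAMED_OR_DELETED (decoy gone from its path),
OVERWRITTEN (content hash changed) and NEW_SUSPECT_EXTENSION (a new file
in the decoy folder with a ransomware-style suffix; .WCRY is from the
text, the other suffixes are constructed placeholders).
"""
import getpass
import hashlib
import os
import socket
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

SUSPECT_SUFFIXES = {".wcry", ".locked", ".encrypted"}


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_decoys(root: Path, names: List[str]) -> Dict[str, str]:
    """Create decoy files and return the baseline {path: sha256}."""
    root.mkdir(parents=True, exist_ok=True)
    baseline: Dict[str, str] = {}
    for name in names:
        p = root / name
        p.write_bytes(os.urandom(4096))  # unique hash, looks like real data
        baseline[str(p)] = _sha256(p)
    return baseline


def sweep(root: Path, baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare the decoy folder with the baseline; return (kind, path) alerts."""
    alerts: List[Tuple[str, str]] = []
    for path_str, expected in baseline.items():
        p = Path(path_str)
        if not p.exists():
            alerts.append(("RENAMED_OR_DELETED", path_str))
        elif _sha256(p) != expected:
            alerts.append(("OVERWRITTEN", path_str))
    for p in sorted(root.iterdir()):
        if str(p) not in baseline and p.suffix.lower() in SUSPECT_SUFFIXES:
            alerts.append(("NEW_SUSPECT_EXTENSION", str(p)))
    return alerts


def format_alert(kind: str, path: str) -> str:
    """Tag the alert with endpoint and user so handlers know where to contain."""
    try:
        user = getpass.getuser()
    except Exception:  # no passwd entry / env in some sandboxes
        user = "unknown"
    return f"DECOY_TRIGGER host={socket.gethostname()} user={user} kind={kind} path={path}"


if __name__ == "__main__":
    root = Path(tempfile.mkdtemp()) / "decoys"
    base = plant_decoys(root, ["budget_2020.xlsx", "passwords.txt"])
    # Reproduce, in our own temp folder, the trace the text describes for
    # WannaCry: a file rewritten in place and renamed with a .WCRY suffix.
    victim = root / "budget_2020.xlsx"
    victim.write_bytes(os.urandom(4096))
    victim.rename(root / "budget_2020.xlsx.WCRY")
    for kind, path in sweep(root, base):
        print(format_alert(kind, path))
```

A production deployment would run the sweep on a timer or from a file-system event hook and forward the alert line to the SIEM; the baseline itself must be stored off the monitored host so an intruder cannot simply read the list of decoys.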

A Deceptive Timeline

Since the advent of deception technologies over the last couple of decades, with honeypots as the most common type of deception system, the market for what is becoming more commonly referred to as Cyber Deception Systems has seen an uptick in growth, though it is still largely dwarfed by the massive commercialization of signature-based technologies such as anti-virus software.

In its Market Segment Report, Cyber Source Data Wellington Research notes that Cyber Deception Systems have entered a growth phase that may last another decade, until 2031, during which new leaders and innovators will enter the commercialization of CDSs until the next phase of consolidation. According to the same report’s analysis, CDS product and services market growth in 2021 is projected to reach 225 million. (Cyber Source Data Wellington Research, 2019)

A multi-layered approach to defense, or defense in depth, comprises the idea of enabling deterrents, defenses, and protection with diverse solutions that watch for the adversary from different perspectives, and that can equally or better overcome the challenges posed by threat actors through a diverse set of solutions. To that end, endpoint security protection applications such as those offered by Symantec already offer the option to turn on deception with high-interaction baits to improve detection. (Symantec, 2019) In an earlier example, we examined Imperva’s family of application security solutions in the early detection of ransomware with file implants. These solutions speak to the constant evolution of traditional defenses and their integration into security capabilities that go beyond definitions and build upon what is tried and true in the realm of endpoint protection.

A drawback of deception technologies can be a lack of diversity, which an attacker can infer when the deception does not match their expectations. As with the earlier Symantec and Imperva examples, a sustainable approach to deception is to integrate it with operational technologies such as authentication systems, API management, processes, alerting tools, and others. (Stout & Urias, 2017)

Beyond Server-side Honeypots

Among topics not covered in SANS’s Implementer’s Guide to Deception Technologies paper is the subject of client-side honeypots. Until this point, previous references to honeypots have all been to server-side honeypots, where a vulnerable system, service, or decoy seeks to deceive an intruding attacker.

Servers offer services to client applications, and often expose themselves to malicious activity. These vulnerable services on the server side are mimicked by honeypots as decoys. In contrast, client-side honeypots are designed to proactively connect to malicious servers for the purpose of exploring and identifying servers that can effect client-side changes to the registry, configuration settings, or any other modification without the knowledge of the user. (The Honeynet Project, n.d.)

The purpose of honeyclients is to collect intelligence by crawling over networks, engaging web servers, and classifying any malicious findings; that intelligence could produce feeds for blocklists that could be shared across the spectrum, as well as aid in correlating other events, or even attribution. Clients that purposely connect to malicious servers and are compromised could also gain valuable knowledge of the vulnerabilities that were exploited and disclose those vulnerabilities, along with compiling and applying a list of recommended patches.

Market Trends

Technavio, a research firm, estimated that the global deception technology market would grow at a compound annual growth rate of 9 percent to $1.33 billion by 2020. (NTT Security, 2018) In 2019, that figure was reported to be at $1.19 billion, according to Mordor Intelligence’s report “Global Deception Technology Market (2020-2025),” which indicates growth beyond the previous estimate, but the question is how COVID-19 affected that market in 2020. That brings us to our next segment.

The Shape of Clouds

As more companies continue to migrate to cloud solutions, new challenges arise. There are two particular areas of security concern: in the cloud and on the cloud. Issues pertaining to security in the cloud, that is, controls and transmissions managed by the client, are the prevalent ones. Amongst companies surveyed in 2019, 48.9 percent of attacks involved account and credential hijacking, and 42.2 percent of attacks reportedly involved misconfiguration of cloud services, such as overexposed resources, including APIs. (SANS Institute, Shackelford, 2019)

A key element of cloud security that is missing is visibility, and here is where deception technologies may be able to shine some light. Of those companies surveyed by the SANS Institute in 2019, up to 31 percent reported attacks in which unauthorized entry was discovered to have been involved. (SANS Institute, Shackelford, 2019) As we discussed in this paper, honeytokens or decoys can complement other security measures to identify potential security breaches in their early stages.
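As an added example of a cloud honeytoken aimed at the credential-hijacking problem above (this is illustrative code written for this article, not from any of the cited sources), the block below plants a decoy access key id and flags any audit-log record signed with it; the records are constructed in AWS CloudTrail style, and the key ids, IP addresses, user names and planted-location string are all assumed placeholders.

```python
"""Credential-honeytoken detection over cloud audit logs, an added example of
the point above that decoys can restore visibility in the cloud. Illustrative
code for this article; key ids, IPs and records are constructed placeholders
in the style of AWS CloudTrail, not real credentials or logs.

A decoy key is planted where an intruder would find it and never used
legitimately, so any API call signed with it is a true positive.
"""
import json
from typing import Dict, List, Optional

# Constructed: decoy key id -> where it was planted (tells handlers which
# location the intruder must have reached).
DECOY_KEYS = {"AKIAEXAMPLEDECOY0001": "legacy-config.yml on the build server"}


def _rec(time: str, name: str, ip: str, key: str, user: str) -> str:
    """Build one CloudTrail-style JSON record (constructed sample data)."""
    return json.dumps({"eventTime": time, "eventName": name,
                       "sourceIPAddress": ip,
                       "userIdentity": {"accessKeyId": key, "userName": user}})


SAMPLE_LOG = [
    _rec("2020-11-29T10:01:02Z", "GetCallerIdentity", "198.51.100.23",
         "AKIAEXAMPLEDECOY0001", "svc-legacy"),
    _rec("2020-11-29T10:01:09Z", "ListBuckets", "198.51.100.23",
         "AKIAEXAMPLEDECOY0001", "svc-legacy"),
    _rec("2020-11-29T10:02:00Z", "DescribeInstances", "203.0.113.5",
         "AKIAEXAMPLENORMAL0002", "alice"),
    "garbage line that is not JSON",
]


def parse_record(line: str) -> Optional[Dict]:
    """Return the parsed record, or None if the line is not a JSON object."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def detect_decoy_use(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per API call signed with a planted key."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key = rec.get("userIdentity", {}).get("accessKeyId", "")
        if key in DECOY_KEYS:
            alerts.append({"time": rec.get("eventTime", ""),
                           "event": rec.get("eventName", ""),
                           "source_ip": rec.get("sourceIPAddress", ""),
                           "key": key, "planted_at": DECOY_KEYS[key]})
    return alerts


def summarize(alerts: List[Dict[str, str]]) -> Dict[str, Dict]:
    """Group alerts per decoy key: first use, call count, distinct source IPs."""
    summary: Dict[str, Dict] = {}
    for a in alerts:
        s = summary.setdefault(a["key"], {"first_seen": a["time"], "calls": 0,
                                          "source_ips": set(),
                                          "planted_at": a["planted_at"]})
        s["calls"] += 1
        s["source_ips"].add(a["source_ip"])
        s["first_seen"] = min(s["first_seen"], a["time"])
    return summary


if __name__ == "__main__":
    for key, s in summarize(detect_decoy_use(SAMPLE_LOG)).items():
        print(f"DECOY KEY USED key={key} first_seen={s['first_seen']} "
              f"calls={s['calls']} ips={sorted(s['source_ips'])} "
              f"planted_at={s['planted_at']!r}")
```

The decoy key should be a real but permission-less credential so that the provider logs its use; the detection then needs no tuning, because the key has no legitimate caller.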

The Promise of Deception: A Summary

In the age of disinformation warfare, SANS’s Implementer’s Guide to Deception Technologies takes on a topic that is very much on the minds of frequent Internet users today: deception, what is real and what is not, and how can anyone tell? Though there are obvious differences between the implementation and purpose of Cyber Deception Systems and disinformation campaigns conducted through social media, the end goal is the same: to deceive an adversary in such a way as to affect their thoughts and therefore their actions, or inactions.

My first-hand knowledge of deception technologies came through an understanding of honeypots and my experience with HoneyDrive with Kippo, but as I investigated further, I realized the potential of deception technologies to be yet another integrated and consolidated layer of cyber defense that is more active than passive.

Often, we think of information security in terms of how to keep intruders out, yet we are frequently reminded that intruders may have already found a way in and are going undetected for an average of 191 days, which is a substantial, not to say unsettling, amount of time. Deception technologies are newcomers in many ways as far as their method of implementation and ubiquity, and they can come into play in the later stages of an intrusion. It was quite refreshing to learn that, on top of file audits and monitoring, deception features are being built into endpoint security applications as a means to identify an intruder after they have gained a foothold in a system, but early enough to mitigate the greater risk of data exfiltration, infection, exploitation, or other harm.

In the course of my research on the subject of Cyber Deception, I have grown to believe that deception can be the next frontier in Cyber Threat Intelligence collection, resilience, mitigation, digital forensics and incident response, and more, because it is an active control to counter a cyber foray and can be turned against an adversary. With that in mind, I believe we are only witnessing a beginning in the adaptation and integration of deception technologies with capabilities to further our knowledge and intelligence gathering of threat actors, their skills, methods, and even how they think.

References

Acalvio. (2018, June). Acalvio Deception and the NIST Cybersecurity Framework 1.1. https://techresearchonline.com/wp-content/uploads/white-papers/Acalvio_Deception_NIST_CSF_.pdf

Bushby, A. & Fidelis Cybersecurity. (2019, January 1). How deception can change cyber security defences. ScienceDirect. https://www.sciencedirect.com/science/article/abs/pii/S1361372319300089?via%3Dihub

CrowdStrike. (n.d.). Threat Intelligence. Retrieved November 27, 2020, from https://go.crowdstrike.com/rs/281-OBQ-266/images/WhitepaperThreatIntelligence.pdf

CrowdStrike. (2020, April 7). Cybersecurity’s Best Kept Secret | Whitepaper | CrowdStrike. Crowdstrike.Com. https://www.crowdstrike.com/resources/white-papers/threat-intelligence-cybersecuritys-best-kept-secret/

Cyber Source Data Wellington Research. (2019, June). Cyber Deception Systems (No. 2019). https://go.attivonetworks.com/CDS-Market-Segment-Report2019.html

Ferguson-Walter, K., Shade, T., Rogers, A., Trumbo, M. C. S., Nauer, K. S., Divis, K. M., Jones, A., Combs, A., Abbott, R. G., & Niedbala, E. (2018, September 1). The Tularosa Study: An Experimental Design and Implementation to Quantify the Effectiveness of Cyber Deception. Office Of Scientific And Technical Information. https://www.osti.gov/biblio/1569330

FireEye. (2017, May 23). WannaCry Malware Profile. https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html

Gartner Research. (2020, October). Gartner Magic Quadrant for Web Application Firewalls (No. 2020). https://www.gartner.com/en/documents/3991674/magic-quadrant-for-web-application-firewalls

IBM Security & Ponemon Institute. (2020). Cost of a Data Breach Report (No. 2020). IBM Security. https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/pdf

Imperva. (n.d.). Imperva SecureSphere File Security. Retrieved November 29, 2020, from https://www.imperva.com/resources/datasheets/DS_File_Security-2.pdf

Mitchell, R., McBride, M., & Jarocki, J. C. (2017, March 1). Linkography Abstraction Refinement and Cyber Security. Office of Scientific and Technical Information. https://www.osti.gov/biblio/1456409

MITRE. (2019, August). Russian Military Thought: Concepts and Elements. https://www.mitre.org/sites/default/files/publications/pr-19-1004-russian-military-thought-concepts-elements.pdf

MITRE. (2020, January). The Cyberspace Advantage: Inviting Them In! MITRE. https://www.mitre.org/sites/default/files/publications/pr-19-3726-cyberspace-advantage-ctns.pdf

MITRE, Whitley, S., Wampler, C., Miller, D., & Battaglia, J. (2017, June). Finding Cyber Threats with ATT&CK™-Based Analytics. MITRE. https://www.mitre.org/sites/default/files/publications/16-3713-finding-cyber-threats%20with%20att%26ck-based-analytics.pdf

National Institute of Standards and Technology. (2020, September). SP 800-53 rev.5 – Security and Privacy Controls for Information Systems and Organizations. NIST. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

NTT Security. (2018). The rapid evolution of deception technologies. https://www.nttsecurity.com/docs/librariesprovider3/resources/gbl_thought_leadership_deception_technologies

Ponemon Institute & IBM Security. (2017, June). 2017 Cost of Data Breach Study. Ponemon Institute. https://www.ibm.com/downloads/cas/ZYKLN2E3

SANS Institute. (2019, May). SANS 2019 Cloud Security Survey. SANS. https://www.sans.org/reading-room/whitepapers/cloud/2019-cloud-security-survey-38940

SANS Institute. (2020, January). Implementer’s Guide to Deception Technologies. https://www.sans.org/media/analyst-program/implementers-guide-deception-technologies-39390.pdf

Stout, W. M. S., & Urias, V. (2017, August 1). Technologies to Enable Cyber Deception. U.S. Department of Energy Office of Scientific and Technical Information. https://www.osti.gov/biblio/1468722

Symantec. (2019, October 15). A Look at Deception. Broadcom. https://docs.broadcom.com/doc/a-look-at-deception-how-to-start-playing-offense-en

The Honeynet Project. (n.d.). Know Your Enemy: Malicious Web Servers – The Honeynet Project. Retrieved November 29, 2020, from https://www.honeynet.org/papers/kye-kyt/know-your-enemy-malicious-web-servers/

U.S. Department of Defense. (2018). Summary Department of Defense Cyber Strategy 2018. https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF

U.S. Department of Energy Office of Scientific and Technical Information, Shade, T., Rogers, A., Trumbo, M. C. S., Nauer, K. S., Divis, K. M., Jones, A., Combs, A., & Abbott, R. G. (2018, May 1). The Tularosa Study: An Experimental Design and Implementation to Quantify the Effectiveness of Cyber Deception. OSTI.Gov. https://www.osti.gov/biblio/1524844