It’s time to reverse the roles of the threat actors and let them taste their own medicine. These defense platforms use the villain
Some cyber attacks happen in a very short time. For example, someone receives a phishing email and doesn’t recognize it as an attack. They open the malicious attachment, which contains a small downloader that installs itself on their computer. The downloader lives up to its name: it fetches the actual malware from the threat actor’s server and installs it. That payload can be ransomware, adware, a cryptojacker, a remote access trojan (RAT), or any other malicious software that benefits the threat actor at the victim’s expense.
In contrast, other cyber attacks are not fast, automated events. They are multiphase operations. The initial infection might still be a RAT delivered by a phishing email, but that is where the threat actors’ real work begins. The RAT lets them connect to the compromised network whenever they choose, as often as they want. It is their private back door.
At their leisure, they can carefully navigate your network, observe events, track activity and work out things like where your backups are stored. The end game may still be ransomware. But if the victim organization is valuable enough, it pays the threat actors to take the time to make sure their malware can reach every part of the network, including the backups. They want the maximum spread of infection before they pull the trigger.
They may not be planning a ransomware attack at all. But whatever their intent, when threat actors gain access to your network they are strangers in a foreign country. They don’t know your network topology, segmentation, server names, backup software, and so on. To get that information they have to map your network by snooping, observing and probing to find out what’s what. This is called lateral movement. It serves to map the network, to escalate privileges, and to locate valuable assets and targets.
Deception technologies make that lateral movement risky for the attacker and hard to carry out unnoticed. They detect when someone is feeling their way around your network and alert your staff.
This is how deception technologies work.
Decoys and Honeypots
A deception platform plants fake network assets that look like real devices to a threat actor exploring your network. They are convincing decoys that respond as if the threat actor were probing a real device. But since no legitimate user has any reason to interact with the decoys, any activity on them is suspicious and likely malicious.
You can think of a deception platform as a kind of “motion detector” for your network. If someone is poking around in an area they shouldn’t be, whether a threat actor or a nosy, snooping employee, they are caught red-handed.
One advantage of deception platforms is that they detect activity rather than matching known patterns. They don’t depend on an up-to-date database of malware signatures, so they are not blind to zero-day threats. Their false-positive rate is very low: the only things that should ever touch a decoy are your own authorized scanners and inventory tools, which you can allowlist. If anything else interacts with a decoy, something is going on that you should look at.
Decoy assets can mimic:
- File servers
- Point of Sale (POS) equipment
- Automated teller machines (ATMs)
- Internet of Things (IoT) devices
- Industrial sensors and controllers
A deception system lets you choose which types of decoy to deploy, but it is usually easier to have the platform examine your network and automatically populate it with phantom assets of the kinds commonly found on a network like yours. Some vendors also offer a service to build a custom decoy to your specification that mimics a particular device you run in production. That means you can have a decoy twin of practically any real device on your network.
Deception systems can also create and monitor non-device decoys, often called honeytokens: configuration files, log files and documents that would interest a threat actor trying to understand your network. As soon as one of these decoys is opened, copied or deleted, an alert is raised.
Subtle clues, called breadcrumbs, can be scattered across real systems to point at the phantom high-value assets: a saved credential, a stale connection entry, a script with a hardcoded hostname. They divert threat actors away from real devices toward what appear to be prime targets.
An intrusion detection system (IDS) tries to spot malicious activity by analyzing traffic on your real network. A deception platform tries to steer malicious activity off your real network and into the decoy environment, where every packet is by definition suspect.
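As an added illustration of honeytokens and breadcrumbs (not code from the original article or from any particular deception product), the Python below mints a unique fake backup credential, renders a breadcrumb config fragment that can be left on a real host, and scans sshd-style authentication log lines for any attempt to use that account, successful or not. The hostnames, the account prefix and the log lines are constructed for the example; the regex follows the standard OpenSSH password-auth message but is deliberately narrow.

```python
"""Honeytoken breadcrumb: plant a fake credential, alert the moment anyone uses it.
Added example; not from the original article or any particular deception product.
The hostnames, account prefix and log lines below are constructed for the demo."""
import re
import secrets
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Honeytoken:
    username: str
    password: str
    decoy_host: str  # the phantom asset this breadcrumb points to


def mint_honeytoken(decoy_host: str, prefix: str = "svc_backup") -> Honeytoken:
    """Create a unique fake account. The random suffix makes a hit unambiguous and
    lets you trace it back to the specific host where this breadcrumb was planted."""
    return Honeytoken(
        username=f"{prefix}_{secrets.token_hex(3)}",
        password=secrets.token_urlsafe(12),
        decoy_host=decoy_host,
    )


def render_breadcrumb(token: Honeytoken) -> str:
    """A plausible config fragment to leave on a real host (e.g. in an admin's scripts folder)."""
    return (
        "# backup agent settings\n"
        f"BACKUP_HOST={token.decoy_host}\n"
        f"BACKUP_USER={token.username}\n"
        f"BACKUP_PASS={token.password}\n"
    )


# Matches the standard OpenSSH password-auth log line. Both outcomes matter:
# even a failed attempt proves that someone harvested the breadcrumb.
AUTH_LOG_RE = re.compile(
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port"
)


def detect_honeytoken_use(log_lines: Iterable[str], tokens: Iterable[Honeytoken]) -> List[dict]:
    """Return one alert per log line in which a planted account name appears."""
    planted = {t.username: t for t in tokens}
    alerts = []
    for line in log_lines:
        m = AUTH_LOG_RE.search(line)
        if m and m.group("user") in planted:
            alerts.append({
                "user": m.group("user"),
                "src": m.group("src"),
                "result": m.group("result"),
                "decoy": planted[m.group("user")].decoy_host,
                "raw": line,
            })
    return alerts


# Constructed sshd log lines: one normal login on a real file server, one attempt
# against the decoy backup host using the planted account.
SAMPLE_TOKEN = Honeytoken("svc_backup_ab12cd", "not-a-real-secret", "backup01.corp.example")
SAMPLE_LOG = [
    "Jan 10 03:14:07 fs01 sshd[2211]: Accepted password for jdoe from 10.1.4.22 port 51022 ssh2",
    "Jan 10 03:15:41 backup01 sshd[2290]: Failed password for invalid user svc_backup_ab12cd "
    "from 10.1.9.77 port 40212 ssh2",
]


def demo() -> List[dict]:
    """Run the detector over the constructed sample log with the sample token."""
    return detect_honeytoken_use(SAMPLE_LOG, [SAMPLE_TOKEN])


if __name__ == "__main__":
    print(render_breadcrumb(mint_honeytoken("backup01.corp.example")))
    for alert in demo():
        print("ALERT: honeytoken", alert["user"], "used from", alert["src"], "->", alert["decoy"])
```

The useful design point is that the account name itself is the signal: there is no behavioural threshold to tune, and because each planted token is unique you learn not only that someone is moving laterally but which host they harvested the breadcrumb from.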
Phantom Devices, Phantom Traffic
Perhaps surprisingly, the decoys don’t burden your network or flood it with traffic. They are not present on the network as running devices until someone tries to communicate with them. They are virtual appliances hosted in a device farm, or deception farm, in a virtualized environment that can be on premises or in the cloud. The deception platform merely projects evidence of the decoys’ existence onto the real network.
To make the decoys look as real as possible, the platform generates bait network traffic and even fake user activity for them. As soon as someone tries to interact with a decoy, it is brought to life in milliseconds, fully spun up in the deception farm, so that it gives the threat actor realistic responses and behaviour while alerting the security staff.
As far as the intruder can tell, they are dealing with a real server, ATM, medical device or other bona fide network device.
Decoys can also be built that contain a full operating system. These controlled environments let the threat actor carry out their malicious actions while everything they do is recorded and monitored, to better understand their intentions. That intelligence can then be used to prevent a recurrence.
Beyond raising alerts, the deception platform can trigger other responses. It can sandbox the decoy so that anything the attacker drops, such as malware, stays contained. It can quarantine phantom servers, or it can expire the authentication credentials of the account the threat actor is using.
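To make the “any touch is an alert” idea concrete, here is an added example of a minimal low-interaction decoy in Python (not from the original article or from any vendor’s platform). It listens on a TCP port, greets every connection with a banner that mimics a corporate file server, records an alert for every connection that does not come from an allowlisted scanner address, and replies with a plausible login failure so the intruder keeps believing the service is real. The banner text, hostname and scanner address are assumptions for the demo; a production decoy would forward the alert to a SIEM instead of keeping it in a list.

```python
"""Minimal low-interaction TCP decoy. Added example; not from any vendor product.
The banner, hostname and allowlisted scanner address below are constructed."""
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed banner that makes the decoy look like a corporate FTP file server.
BANNER = b"220 files01.corp.example FTP server ready\r\n"
# Hypothetical address of the organisation's authorized vulnerability scanner:
# the one thing allowed to touch the decoy without raising an alert.
SCANNER_ALLOWLIST = {"10.0.0.250"}


def classify_connection(src_ip: str, first_bytes: bytes) -> Optional[dict]:
    """Return an alert record for a connection, or None if it came from an allowlisted scanner."""
    if src_ip in SCANNER_ALLOWLIST:
        return None
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "src": src_ip,
        "severity": "high",  # nobody legitimate has a reason to connect here
        "sample": first_bytes[:64].decode("latin-1", "replace").strip(),
    }


class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        sock = self.request
        sock.settimeout(2.0)
        try:
            sock.sendall(BANNER)
            data = sock.recv(256)  # capture what the intruder tries first, e.g. "USER admin"
        except (socket.timeout, OSError):
            data = b""
        alert = classify_connection(self.client_address[0], data)
        if alert is not None:
            self.server.alerts.append(alert)
        try:
            # A believable failure keeps the intruder engaged instead of tipping them off.
            sock.sendall(b"530 Login incorrect.\r\n")
        except OSError:
            pass


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, DecoyHandler)
        self.alerts = []  # in a real deployment this would be shipped to the SIEM


def run_decoy(host: str = "127.0.0.1", port: int = 0) -> DecoyServer:
    """Start the decoy in a background thread; port 0 lets the OS pick a free port."""
    server = DecoyServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host: str, port: int, payload: bytes, timeout: float = 2.0) -> Tuple[bytes, bytes]:
    """Play the intruder: connect, read the banner, send one command, read the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(256)
        s.sendall(payload)
        try:
            reply = s.recv(256)
        except socket.timeout:
            reply = b""
    return banner, reply


def wait_for_alerts(server: DecoyServer, count: int, timeout: float = 3.0) -> list:
    """Poll until the server has recorded `count` alerts or the timeout expires."""
    deadline = time.monotonic() + timeout
    while len(server.alerts) < count and time.monotonic() < deadline:
        time.sleep(0.02)
    return list(server.alerts)


if __name__ == "__main__":
    srv = run_decoy()
    port = srv.server_address[1]
    print(probe("127.0.0.1", port, b"USER admin\r\n"))
    for a in wait_for_alerts(srv, 1):
        print("ALERT", a)
    srv.shutdown()
    srv.server_close()
```

Note that the alert fires on the connection itself, before any credential is checked: the decoy has no signature to match, only the fact that something other than the allowlisted scanner spoke to a service that no real user should know about.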
Enterprise Focus
Deception platforms fit most comfortably into enterprise-scale networks. Corporate networks are large enough that a threat actor has to map them carefully, and they can convincingly absorb many phantom devices, even thousands. If a threat actor sees that a small business’s network is disproportionately crowded with devices, they may suspect a deception platform is in play. Larger networks naturally camouflage the extra devices.
Threat actors know that deception platforms exist, so decoys must be replicated with great accuracy and must respond with realistic, consistent behaviour, or an experienced intruder will simply avoid them.
Of course, you still need to do everything you can to keep attackers out of your network in the first place. But if they do get in, you need something that detects their presence and limits their actions. And if it lures them away from real assets and into phantom ones, so much the better.