
Using Deception and Automation to Reduce Attacker Dwell Time

In the treatise, “The Prince,” Niccolo Machiavelli, a 16th-century political theorist, muses about using deception to gain advantage over political opponents with the following:

“Everyone admits how praiseworthy it is in a prince to keep his word, and to behave with integrity rather than cunning. Nevertheless our experience has been that those princes who have done great things have considered keeping their word of little account, and have known how to beguile men’s minds by shrewdness and cunning. In the end these princes have overcome those who have relied on keeping their word.”

Let me be clear: I’m not condoning Machiavelli’s suggestion of being dishonest in any facet of your personal life. But when it comes to protecting digital assets, you want your network to lie through its teeth.

Deceit is a useful weapon when defending your organization because it shifts the balance of power in the security analyst’s favor and away from the attacker. By taking the art of defense into a more psychological realm, the defender can gain an advantage.

When using deception, you’re essentially using decoys to bait, entice and lure your foes, as well as to “alert” on the presence of adversaries within your network. These decoys can include deliberately created credentials, networks, files, systems, etc.

With deception you’re not focused on attack types or signatures but on the presence of malicious activity interacting with a decoy that shouldn’t have been touched. You don’t need to know all attacks – no one does – but when a decoy is being abused, it’s a good sign to start the investigation process.

To be successful, decoys need to look and feel like the resources they’re protecting. This authenticity will force adversaries to interact with the decoys and confuse and deter them from moving further through your network, giving you time to react.

The placement of decoys should start around sensitive resources and branch laterally from there. Just as attackers want to pivot through networks, you need to be able to cover their movements. Once they’re detected, you’ll be able to push out more decoys, adjusting your plan as adversaries are altering theirs.

By understanding the tactics, techniques, and procedures (TTPs) of adversary behavior, you avoid having to understand every attack vector and can focus on what is happening in the present. Besides, sophisticated attackers usually are “living off the land” and could go unseen by other security-based tools.

This is why it’s important for analysts to start forensic investigations right away to gain visibility into the early stages of attack or reconnaissance by attackers. If an attacker is evading detection due to zero-day exploits, poorly configured systems or white noise within logs, the events generated from deception decoys should be considered high risk. And feeding these alerts into an automated process allows for quicker response and lower attacker dwell time.

There will always be a period of fine-tuning and false positives, but the fidelity of these alerts should make them something of automatic interest for an analyst to start an investigation. We need to lie to the attackers to give our analysts the best chance to be successful. Adding a layer of deception into automation tools allows for a lower mean time to detect (MTTD) and a better understanding of your adversaries.
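To make the triage logic concrete, the following Python example is added here and is not code from the original post. It assumes a hypothetical decoy inventory, a tuning allowlist and constructed JSON log events; every name and address in it is invented for illustration.

```python
import json

# Constructed decoy inventory (hypothetical names). Nothing legitimate should touch these.
DECOYS = {
    "account": {"svc_backup_adm"},
    "host": {"fin-db-07"},
    "file": {"payroll/2024_bonus_plan.xlsx"},
}
# Tuning list: sources known to touch decoys benignly, e.g. an internal vulnerability scanner.
ALLOWLIST = {"10.0.9.15"}

# Constructed sample events, one JSON object per line, as a log pipeline might deliver them.
SAMPLE_EVENTS = """
{"ts": "2024-05-01T02:14:07", "src": "10.0.4.23", "type": "account", "target": "jsmith"}
{"ts": "2024-05-01T02:15:40", "src": "10.0.9.15", "type": "host", "target": "fin-db-07"}
{"ts": "2024-05-01T02:31:12", "src": "10.0.4.23", "type": "account", "target": "SVC_BACKUP_ADM"}
{"ts": "2024-05-01T02:33:55", "src": "10.0.4.23", "type": "host", "target": "fin-db-07"}
{"ts": "2024-05-01T02:40:03", "src": "10.0.7.88", "type": "file", "target": "payroll/2024_bonus_plan.xlsx"}
"""

def triage(raw_events):
    """Group decoy touches by source and assign a severity for the automation layer."""
    cases = {}
    for line in raw_events.strip().splitlines():
        ev = json.loads(line)
        target = ev["target"].lower()
        if target not in DECOYS.get(ev["type"], set()):
            continue  # ordinary activity: no signature matching, deception ignores it
        if ev["src"] in ALLOWLIST:
            continue  # known-benign source, suppressed during tuning
        case = cases.setdefault(ev["src"], {"first_seen": ev["ts"], "decoys": []})
        case["first_seen"] = min(case["first_seen"], ev["ts"])  # ISO 8601 sorts as text
        if target not in case["decoys"]:
            case["decoys"].append(target)
    for case in cases.values():
        # One decoy touched is already high risk; several suggests lateral movement.
        case["severity"] = "critical" if len(case["decoys"]) > 1 else "high"
    return cases

if __name__ == "__main__":
    for src, case in triage(SAMPLE_EVENTS).items():
        print(src, case["severity"], case["first_seen"], case["decoys"])
```

The `first_seen` value per source is the timestamp an automated playbook would use as the start of the investigation window when measuring time to detect.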

Matthew Pascucci is an infosec industry veteran whose experience includes roles as a senior security engineer, security architect and cybersecurity practice manager.