- Blackshield Awards
- Job Fair
- CXO Track
- Deception Technology: The art of staying ahead of the bad guys
Deception Technology: The art of staying ahead of the bad guys
What are the chances you can detect a targeted attack using deception technology? Pretty high, say experts in the technology.
For those who are new to the concept, deception technology and decoys are a form of active defence - turning the tables on the bad guys by making the network hostile to attack, says Sahir Hidayatullah, chief executive at Smokescreen Technology, a cybersecurity company that specializes in deception technology.
Decoys are the natural response that an offensive security professional would take towards defending a network.
For example, in a physical robbery, a robber will generally enter through a broken window or a back-door entrance that is less likely to be a guarded. Deception technology is an art form where you lure the robber to a well-guarded backdoor while giving an impression that the backdoor is a weak-link.
However, it is not always that easy in case of an online attack, says Sahir. "The guys who 'break in' know that the principles (decoys) work, the hard part has been scaling them out and managing thousands of decoy systems."
This problem has been solved by advances in virtualization, data-science and networking technologies in the last few years. Sahir says the deception system offered by Smokescreen has been evolved to blanket a cross-continent enterprise with decoys in a few minutes.
While the concept of honeypot to catch online attackers seems appealing, there’s a lot beneath the surface that companies in the business need to tackle with. For starters, deception technology only works if you stay a step ahead of the bad guys.
"In order to keep up to speed, we run a well-reputed red team that looks at new offensive techniques and then flips them on their head to figure out how we can create an appropriate deceptive asset," says Sahir. "We also are regularly sought after for incident response work, so we have a handle on what's going on in the wild."
Being on top of ongoing new attacks is equally important. Sahir says the team’s network of honeypots across the globe at specific, strategic organizations gives them a telemetry of new attacks. These honeypots provide structured data on targeted attacks against specific verticals and geographies.
Nuances of the technology
On the technology front, it’s a fast moving field, says Sahir. In the last couple of years Smokescreen has built decoys for everything from SCADA (Supervisory control and data acquisition) or ICS (Industrial control systems) systems to IoT devices, banking transaction processing systems and so on.
Deception is a great ‘link up’ technology - it goes very well with stuff like SDN (software defined networks), UEBA (user behaviour analytics), EDR (endpoint detection and response), and SIEM (security information and event management). Over the next few years the technology is likely to evolve substantially as customers bring in more use cases and as attackers modify their thinking to deal with these systems.
Sahir points out that within the internal network, Active Directory* security is a higher priority than patching.
"In our red-team assessments over the last few years, we’ve always leveraged Active Directory attacks to breach the environment. I can’t remember the last time we needed an exploit once on the internal network.
"Another thing that is becoming more prevalent is malware-less attacks - compromise via phished credentials, and then privilege escalation and lateral movement using tools built into the operating system (such as WinRM / PowerShell / WMI)."
This 'live of the land' approach makes antivirus / sand boxing and other anti-malware driven approaches much less effective. There are APT groups like FIN-4 that specialize in these sort of attacks, he adds.
Deception technology market
The deception technology market size is estimated to grow from USD 1.04 Billion in 2016 to USD 2.10 Billion by 2021, at the Compound Annual Growth Rate (CAGR) of 15.1%, according to a research by Market Insights Reports.
The sector has seen significant momentum in the past years - thanks to the growing number of attacks globally.
California and Bengaluru based Attivo Networks, a startup that specializes in deception technology raised $21 million in a series C round of funding this month. The round was led by Trident Capital Cybersecurity. Israel’s Illusive Networks has also raised at least $30 million in funding.
Apart from banking and finance, multiple industry verticals are now finding it increasingly essential to use deception technology. Telecom is a large market, as is healthcare, IT and ITeS, says Sahir. “We’ve also had good response from law firms. Essentially anyone who meets the at least 2 out of the 3 V’s - Visible, Valuable, Vulnerable, is a prime candidate for Smokescreen's deception technology.”
The least you could do is stay vigilant
There are always things at basic level you can do as an individual and as an organization to protect yourself from online attacks. Sahir shares a list of tips that could make the bad guy’s job a little more difficult:
At enterprise level
- Secure Active Directory
- Manage credentials securely
- Segment the network
- Start threat-hunting (in house if you’re large, outsourced if you're small)
- Deploy deception (I'm biased, but this could be anything from open-source honeypots to commercial deception systems. The principles work, and some deception is better than none)
- Focus on rapid detection and well-planned response instead of trying to lock the door 24/7.
- Use a password manager, don't reuse passwords
- Enable two-factor authentication for all your accounts, preferable TOTP app based (like Google Authenticator or Duo) rather than SMS based (which is vulnerable to social engineering attacks against your telecom company)
- Use Google Chrome, keep it patched.
- Exercise general common sense around what you sign-up for and download. A little bit of paranoia is healthy.
*Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software.