Choose Your Deception
Active Cyber Defense can enable a large variety of specific deception tactics that can delay, confuse, scare away, or tie up an attacker depending on the circumstances and the methods. The following examples highlight this variety of tactics.
- Enabling specific abuse detection points in web application code using a library of vulnerability deception modules, and responding to application abuse with session-specific deceptive responses, warnings, and blocks.
Deceptively vulnerable web sites can be employed to identify an attack while minimizing the impact on legitimate users. By embedding seemingly vulnerable abuse points in the web site script and configuration, attackers may be deceived into launching attacks that can be quickly detected. A variety of response actions can then be employed including warnings, throttling the session connection, requiring additional login information, and blocking the attack. Through careful sequencing of the responses, an attacker’s TTPs can also be revealed and captured for analysis.
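As an added illustration of the abuse points and sequenced responses described above (example code, not from the original post), the following Python sketch flags requests that touch decoy parameters or paths a legitimate UI never uses, escalates the response per session from warning to block, and records the order in which decoys were probed for later TTP analysis. Decoy names and the escalation order are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed decoy abuse points (hypothetical names). Nothing in the real
# UI ever sends these, so a request touching one is a probe, not a user typo.
HONEY_PARAMS = {"debug", "is_admin", "role"}        # fake privilege toggles
HONEY_PATHS = {"/admin_old", "/backup_2014.zip"}    # fake sensitive paths

# Response sequence, least to most disruptive, mirroring the text.
ESCALATION = ["warn", "throttle", "step_up_auth", "block"]


@dataclass
class Request:
    session_id: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class SessionState:
    hits: int = 0
    ttps: List[str] = field(default_factory=list)  # decoys touched, in order


class DeceptionGuard:
    """Per-session abuse detection with sequenced deceptive responses."""

    def __init__(self) -> None:
        self.sessions: Dict[str, SessionState] = {}

    @staticmethod
    def classify(req: Request) -> Optional[str]:
        """Label the decoy a request touched, or None for a clean request."""
        if req.path in HONEY_PATHS:
            return f"path:{req.path}"
        touched = sorted(set(req.params) & HONEY_PARAMS)
        return "param:" + ",".join(touched) if touched else None

    def handle(self, req: Request) -> str:
        """Return 'allow' or the ESCALATION step for this request.

        A blocked session stays blocked; each new hit advances one step and
        the label is appended to SessionState.ttps for analysis.
        """
        state = self.sessions.setdefault(req.session_id, SessionState())
        if state.hits >= len(ESCALATION):
            return "block"
        label = self.classify(req)
        if label is None:
            return "allow"
        state.hits += 1
        state.ttps.append(label)
        return ESCALATION[state.hits - 1]
```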
- Employing persistent tracking mechanisms, such as canvas fingerprinting, evercookie, supercookies, and zombie cookies, to create a “long-term fingerprint” of the attacker and use that fingerprint to recognize an attacker on return visits.
Fingerprinting web site users may raise privacy concerns; however, these techniques offer a means to identify and track web site abusers when the tracking mechanisms can be linked to web site abuse. Once a user is identified as an abuser, the fingerprint could be shared through a threat intelligence service to block, blacklist, or closely monitor that user’s behavior at sites that subscribe to the intelligence service.
- Employing honeynets and honey files to capture attackers’ TTPs and malware profiles, while also providing disinformation to the attacker.
- Using deception with malware analysis tools to detect and block attacks.
Malware sandboxing often includes deception techniques that are designed to trick malware into exposing how it operates and what it would do on a system if deployed. Attackers recognize that detection methods are becoming more advanced and have raised their game accordingly. Since malware often comes with anti-VM or anti-sandbox techniques along with dormant code, the deception and hiding techniques provided by malware analysis tools are becoming more sophisticated. For example, newer tools leverage micro-virtualization at the processor level. This hardware isolation method emulates a complete system, thereby removing many of the indicators that malware uses to detect that it is running in a virtual sandbox.
These techniques must be balanced against the costs of development, deployment, and maintenance: good deceptions can be expensive to set up, they go stale over time, and their consistency must be maintained.
In the next post we continue a review of deception, delay and detection techniques that may help to generate a poor ROI for attackers. In particular, we examine a deception approach called cyber maneuver.