Active cyber defense offers deception, delay and persistent detection approaches to disrupt cyber attacks while also increasing the work factor for the attacker. By camouflaging defenses, deception can provide real-time insight into a threat actor’s TTPs while delaying the attacker’s ability to launch a successful attack. Adaptive and persistent detective capabilities can expose stealthy malware operation, while profiling the attacker’s device(s) to enable an early indicator and warning (I&W) capability.
Good Deceptions Rely on Adaptive Defenses
Deception has been a part of the arsenal of cyberwar for the last 20+ years. Over this period, the variety and sophistication of deception tactics for both the attackers and the defenders have significantly increased. However, the three basic requirements for deceptions to be successful have remained constant:
- creating credible deception “stories” that will elicit actions by the attacker;
- being able to detect quickly when the bait has been taken; and
- responding without human intervention.
Good deception stories require good cyber intelligence – cyber intelligence informs deception tactics by identifying what an attacker may find valuable and how attackers operate. Automated responses require a mature security orchestration capability to manage predefined courses of action (COAs) that maintain the deception and elicit the attacker’s TTPs and targets.
Concealment versus Simulation – Which Deception Tactic is Best Suited for Your Adaptive Defenses?
In general, there are two main types of defense deception tactics – concealment and simulation. Concealments are masking techniques that inhibit observations by attackers while simulations enhance observations. When used in combination they provide the means for redirecting attackers away from real targets.
Some examples of concealment include:
- altering the environment by creating noise or false traffic in the targeted environment,
- diminishing the attacker’s recon capabilities by reducing the attacker’s opportunity to observe the targeted environment, such as configuring servers to not answer pings, configuring firewalls to prevent traffic flows between certain origins and destinations, and using network address translation (NAT).
Firewalls often use deceptive replies in response to disallowed packets to conceal targets and delay attackers. For example, firewalls can simply not reply to disallowed packets. This can delay attackers in their recon phase in two ways:
- serial scanners can be slowed down if they wait a long time for a reply, and
- attackers may interpret the non-response as a dropped packet and retransmit the probe, perhaps multiple times.
Another deception used by firewalls is sending false negative replies to attack probes. For example, the firewall can send an ICMP host-unreachable message in response to a TCP ping.
More sophisticated concealments can be created at the protocol level by using predefined sets of redirection responses to disallowed packets, driven by a rule set similar to router rules. Such a redirection capability could route packets through different interfaces so that the same attacker’s IP address goes to different networks depending on measurable parameters in the rule set. Mirroring is also an effective tactic for confusing even highly skilled attackers.
Ultimately, the goal of concealment is to suppress signals emanating from the target environment, so that the attacker fails to find a real target.
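The firewall behaviours above (silence for some probes, a false negative ICMP reply for others, and a router-style rule set that redirects a source to a different network once a measured parameter crosses a threshold) can be combined into one decision function. The following is an added example written for this page, not code from the article or from any particular firewall product; the `Probe`, `Rule`, `Decision` and `ConcealmentPolicy` names, the interface name `honeynet0`, the probe rate threshold and the sample probe sequence are all constructed for illustration. The only measured parameter it uses is the number of disallowed probes per source inside a sliding window, which is what distinguishes a scanner from a single stray packet.

```python
"""Added example (not from the article): a first-match rule set that chooses a
deceptive reply for each disallowed probe. Names (Probe, Rule, Decision,
ConcealmentPolicy), the interface name "honeynet0" and the sample probes are
constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional


@dataclass(frozen=True)
class Probe:
    src: str        # source address of the probe
    proto: str      # "tcp" or "udp"
    dst_port: int   # destination port
    ts: float       # arrival time, seconds


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Probe, int], bool]   # (probe, disallowed probes per window) -> bool
    action: str                           # "silent-drop" | "host-unreachable" | "redirect"
    target: Optional[str] = None          # interface to redirect to, for "redirect"


@dataclass(frozen=True)
class Decision:
    action: str
    rule: str
    target: Optional[str] = None


class ConcealmentPolicy:
    """Router-style rule set: allowed traffic passes untouched; everything else
    is evaluated against the rules in order and the first match wins."""

    def __init__(self, allowed: Callable[[Probe], bool], rules: List[Rule], window: float = 10.0):
        self.allowed = allowed
        self.rules = rules
        self.window = window
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)

    def _rate(self, probe: Probe) -> int:
        """Count disallowed probes from this source inside the sliding window."""
        q = self._recent[probe.src]
        q.append(probe.ts)
        while q and probe.ts - q[0] > self.window:   # expire entries older than the window
            q.popleft()
        return len(q)

    def decide(self, probe: Probe) -> Decision:
        if self.allowed(probe):
            return Decision("accept", "allowlist")
        rate = self._rate(probe)
        for rule in self.rules:
            if rule.match(probe, rate):
                return Decision(rule.action, rule.name, rule.target)
        return Decision("silent-drop", "default")       # say nothing when no rule matches


def build_policy() -> ConcealmentPolicy:
    def allowed(p: Probe) -> bool:
        return p.proto == "tcp" and p.dst_port == 443   # the one real service

    rules = [
        # A source with 5+ disallowed probes in the window behaves like a scanner:
        # steer it to the honeynet interface instead of answering from the real network.
        Rule("scanner-redirect", lambda p, r: r >= 5, "redirect", "honeynet0"),
        # A lone TCP probe gets a false negative: ICMP host-unreachable says "nothing here".
        Rule("tcp-false-negative", lambda p, r: p.proto == "tcp", "host-unreachable"),
        # UDP probes get silence, which makes a serial scanner sit out its full timeout.
        Rule("udp-silent", lambda p, r: p.proto == "udp", "silent-drop"),
    ]
    return ConcealmentPolicy(allowed, rules)


def run(policy: ConcealmentPolicy, probes: List[Probe]) -> List[str]:
    """Return the action chosen for each probe, in order."""
    return [policy.decide(p).action for p in probes]


# Constructed probe sequence from one external source (198.51.100.7 is a documentation address).
SAMPLE_PROBES = [
    Probe("198.51.100.7", "tcp", 22, 0.0),
    Probe("198.51.100.7", "udp", 161, 1.0),
    Probe("198.51.100.7", "tcp", 443, 2.0),    # legitimate service, not counted as a probe
    Probe("198.51.100.7", "tcp", 23, 3.0),
    Probe("198.51.100.7", "tcp", 25, 4.0),
    Probe("198.51.100.7", "tcp", 110, 5.0),    # fifth disallowed probe in 10 s -> redirect
    Probe("198.51.100.7", "tcp", 22, 20.0),    # window expired -> back to the false negative
]

if __name__ == "__main__":
    for probe, action in zip(SAMPLE_PROBES, run(build_policy(), SAMPLE_PROBES)):
        print(f"{probe.proto}/{probe.dst_port} at t={probe.ts:>4}: {action}")
```

The rule order matters in the same way it does in a router ACL: the scanner rule sits first so that, once a source has been measured as scanning, every later probe from it is redirected regardless of protocol. Allowed traffic is checked before the rate counter is updated so that a legitimate client hammering the real service is never mistaken for a scanner.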
The goal of simulations is to create the illusion for the attacker that the attack is progressing as expected, using techniques ranging from fake error messages to redirecting the interaction with the attacking computer process to a virtual sandbox.
Some examples of simulations include:
- honeynets, which impersonate the real environment to lure the attacker into revealing their tactics. Honeynet simulations leverage unused IP addresses to create fake targets. Thousands of fake computers can be simulated (e.g., by using 10.0.0.0), so there are often many more fake computers than real ones.
- honey tokens, which are files set up as attractive targets and contain “canaries”: triggers that generate an alert if an attacker opens or manipulates the file.
- execution wrappers, which create operating-system-level deceptions that are invoked whenever a program is executed. The decision on whether or not to employ a deception is based on system state, process lineage, and the respective system call. This type of deception has been shown to be capable of successfully deceiving system administrators who tried to exceed their mandate and access content they were not authorized to see.
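The honey token bullet above and the three requirements listed earlier (a credible story, quick detection when the bait is taken, and a response without human intervention) fit naturally in one piece of detection logic. The following is an added example written for this page, not code from the article: a small registry of planted tokens, a detector that scans log lines for any use of them, and a table of predefined COAs chosen automatically. The `Honeytoken`, `Alert` and `HoneytokenMonitor` names, the `COA_TABLE` entries, the token values, decoy paths and every log line are constructed for illustration; the log format is an invented `key=value` style, and the source addresses are documentation or private ranges.

```python
"""Added example (not from the article): a honeytoken registry, a log-line
detector and predefined courses of action applied without a human in the loop.
All names, tokens, paths and log lines are constructed for illustration."""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Source address field of the constructed log format, e.g. "src=10.0.4.22".
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass(frozen=True)
class Honeytoken:
    value: str       # the string whose appearance in any log line is the trigger
    kind: str        # "document" or "credential"
    decoy: str       # where the bait was planted


@dataclass(frozen=True)
class Alert:
    token: Honeytoken
    src: str
    line_no: int
    repeat: bool     # the same source already tripped this token
    coa: str


# Predefined COAs keyed by (token kind, repeat sighting). Each one keeps the
# deception story intact: the attacker sees an ordinary document or an "expired"
# key, never an alarm, while the defender captures TTPs from the source.
COA_TABLE: Dict[Tuple[str, bool], str] = {
    ("document", False): "keep serving the decoy; enable full session capture for src",
    ("document", True): "keep serving the decoy; steer src to the honeynet",
    ("credential", False): "answer 'key expired' to keep the story plausible; tag src",
    ("credential", True): "answer 'key expired'; isolate src at the network edge",
}


def mint_credential_token() -> str:
    """A fresh, random key that was never issued: it has no legitimate use, so
    any appearance of it in a log is a hit with no false positives."""
    return "hk_" + secrets.token_hex(8)


class HoneytokenMonitor:
    def __init__(self, tokens: List[Honeytoken]):
        self.tokens = tokens
        self._tripped: Set[Tuple[str, str]] = set()   # (token value, src) already seen

    def scan(self, lines: List[str]) -> List[Alert]:
        """Return one Alert per token sighting, with the COA already selected."""
        alerts: List[Alert] = []
        for n, line in enumerate(lines, 1):
            for tok in self.tokens:
                if tok.value not in line:
                    continue
                m = SRC_RE.search(line)
                src = m.group(1) if m else "unknown"
                key = (tok.value, src)
                repeat = key in self._tripped
                self._tripped.add(key)
                alerts.append(Alert(tok, src, n, repeat, COA_TABLE[(tok.kind, repeat)]))
        return alerts


# Constructed tokens: a decoy document on a file share and a decoy API key left
# in a backup directory. The key value is fixed here so the example is repeatable;
# in practice it would come from mint_credential_token().
TOKENS = [
    Honeytoken("board-minutes-2024.docx", "document", "/srv/finance/board-minutes-2024.docx"),
    Honeytoken("hk_7f3a91c2d4e5b608", "credential", "/srv/backup/.env"),
]

# Constructed log lines: a file-share audit log and an API gateway log.
SAMPLE_LOG = [
    "2024-05-02T10:14:03Z fileaudit src=10.0.4.22 user=jdoe op=open path=/srv/finance/board-minutes-2024.docx",
    "2024-05-02T10:14:09Z fileaudit src=10.0.4.22 user=jdoe op=open path=/srv/finance/roadmap.pptx",
    "2024-05-02T10:15:41Z api src=203.0.113.9 auth key=hk_7f3a91c2d4e5b608 result=denied",
    "2024-05-02T10:16:02Z api src=203.0.113.9 auth key=hk_7f3a91c2d4e5b608 result=denied",
]

if __name__ == "__main__":
    for a in HoneytokenMonitor(TOKENS).scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.token.kind} token from {a.src} "
              f"({'repeat' if a.repeat else 'first'}): {a.coa}")
```

Only the first and third lines are first sightings; the fourth line is the same source reusing the decoy key, so the monitor escalates to the repeat COA on its own. The important design point is the one the article makes: the tokens are never used legitimately, so detection needs no tuning, and the COAs are written to extend the deception rather than end it.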
A good simulation leads to an attack graph that creates additional alternatives for the attacker. Specifically, simulations induce the attacker to find false targets. Successful simulations consume attacker resources, and in some cases cause the erroneous belief that the false targets are real. When simulations succeed, the attacker goes further through the attack tree in the examination of false targets, which allows the defender to develop greater cyber intelligence on the attacker’s TTPs and exploitation goals. An additional side effect is that real targets may be misidentified as false targets, causing attackers to believe that real systems are in fact simulations or impersonations.
Creating Good Deceptions Requires Investment
A significant effort is necessary to create a good deception. First, significant planning is needed to develop objectives and a deception strategy. Second, additional computing resources are needed to create the deception environment. Third, false content can be very difficult to create and expensive to maintain. Finally, a poor deception is worse than no deception at all since it will consume a defender’s resources while not aiding in detection or mitigation of an attack. Despite these additional costs, cyber deception provides an adaptive line of defense against today’s sophisticated attacks while also helping to capture cyber intelligence about threats.
Thanks for reading and keep detecting.