The concept of deception and how it can be used to strengthen defenses and identify internal and external threat actors is relatively new. In this article, we will demonstrate how CISOs and their security teams can use it to significantly increase their ability to identify and deflect potential attackers. This is not just about security; organisations spanning every sector are currently embarking on ambitious digital transformation programs. In the first instance, the foundations for successful transformation require consumers to trust organisations with their data, and in order to ensure this, robust frameworks are being introduced to enforce this. You don’t need reminding the recent entry into force of EU GDPR (General Data Protection Regulation). But let us take a step back and examine where we are today when it comes to network intrusion and detection.
There is no escaping the fact that the frequency and impact of newsworthy data breaches is on the up. Reflecting on some of the big breaches reported so far in 2018, the list is littered with well-known brands such as Verizon, Uber, Deloitte, Equifax or Dun & Bradstreet. In each case, it was customer information that the threat actors sought, found and extracted, affecting millions of end users. What this demonstrates is that the current technology sets deployed to prevent data breaches are simply not able to do so. Unsurprising, when we factor in the ever-evolving threat landscape, the diversity of the threats, and the budgetary and resource constraints that most organisations face. The costs associated with data breaches are staggering. Aside from any liability that may have existed under GDPR had it been in force, this figure alone should be a compelling reason for organisations to examine alternative and more advanced technology to help minimise the risk of incurring the financial loss and reputational damage that come with a data breach.
So, the first key problem that CISOs face is how to effectively defend their network parameters, that in 2018, are probably a complex mix of multiple different technology stacks, and likely distributed across the globe. This scenario alone makes the job of a SOC team infinitely more complex. Factor in the number of existing security tools that are firing of alerts on a regular basis, and the task of identifying real APT or zero-day threats becomes almost impossible. These types of sophisticated attacks have the ability to silently slip under the radar of existing network security measures and go undetected. And external threats represent just one aspect of the challenge; we must consider the additional risk of insider threats too. There will be employees with detailed knowledge of the corporate network and where critical data assets are located within this network. Their behaviour wouldn’t trigger any legacy security tool sets because it would fall within the normal range of expected behavior. The 2017 Verizon Data Breach Investigations Report identified a 75:25 split between breaches carried out by external perpetrators and internal threat actors, for those included in the study.
Some organisations have resorted to using threat intelligence in an attempt to become better informed and better equipped to identify the vast array of threats out there. The problem with this, however, is the poor quality and generic nature of the threat intelligence collected, that together render it very difficult to act upon. This is where distributed cyber deception platforms offer value.
To summarise, the key pain points for CISOs are:
1. The inability to detect corporate network breaches in a timely manner
2. Effectively detecting the insider threat
3. The inability to detect advanced attack techniques that leverage APT and zero-day threats
4. Too many false positives associated with current technology
5. Regulatory demands for effective breach detection and investigation
6. Targeted, client-specific threat intelligence
7. Equipping the SOC team with the tools they need to be more efficient
8. Missed alerts
With each pain point identified above, there is an associated cost and the potential for a data breach running into hundreds of millions of dollars. These issues simply can’t be ignored. At board level, leadership teams increasingly expect to see a cohesive strategy that details how the risk of regulatory fines and costs associated with data breaches will be managed effectively.
It must be said that not all deception technology is equal. There are many different approaches to the steps required to identify threat actors, and through the use of deception, prevent a breach by moving them out of the production environment and into the deception platform. CISOs should look for some, if not all of the following characteristics (please note this is a starting point rather than an exhaustive list).
Event Management & Alerting
The deception platform should produce zero false positives; therefore, the event alerting should be concise, clear and feature-rich. This means detailed intelligence on what triggered the alert, who triggered the alert, and the ability to track the source of the alert right through all of the deployed deception assets. Attack graphs are particularly useful to SOC analysts in this instance, that help to address missed alerts and the volume of false positives generated.
Automated Complex Defense Responses
To effectively reduce the workload for the SOC team, the deception technology should include automated functionality. Automation allows the deception environment to be manipulated in response to the attacker’s actions. This targeted intelligence informs incident response processes with the level of sophistication needed to save time, money and resource. Consequently, the SOC team is empowered to operate more efficiently, their time freed up to focus on real threats targeting the wider network.
Complex Range of Deception Hosts
In order to effectively identify threat attackers within your network and keep them engaged in the deception environment, the deception platform must be capable of deploying a diverse and rich range of deception hosts. Fully functional operating systems covering both Windows and Linux should be a baseline requirement to support this. In addition, routers, Wi-Fi access points and even mobile devices should all be considered for use as deception assets. Remember that the richer and more complex the deception environment, the more likely you are to root out not only external threats, but those that lay inside your network too. But it should not stop there. One of the final key points identified earlier was the lack of client-specific intelligence. You need to know who is attacking, how are they attacking, and what data sets are they after - if that is in fact what they want. This means any deception technology should be able to deploy external deception campaigns in order to collect detailed information on what comprises the threat actors targeting your organisation. You cannot create a cohesive security strategy unless you can answer some basic questions; am I being targeted by low level threat actors relying on third party tools and automation, or am I in fact being attacked by APTs using bespoke toolkits and crafted malware?
CISOs should be actively researching deception technology during the course of 2018. The rationale behind this a powerful mix of regulatory guidelines and the increasing probability of attackers breaching your network. There are significant business benefits to be leveraged through the use of such technology, including, but not limited to;
1. Faster detection of threats at a lower cost
2. Enhanced detection of advanced threats
3. Collecting specific threat intelligence on if and how you are being targeted
4. Developing a cohesive security strategy based on objective data sets
5. Reducing false positives and not missing alerts
6. Reducing the overall the cost of detection
7. Potential to reduce your overall security spend
8. Delivering rigorous management information on how effectively the cyber risks are addressed
Ultimately for a CISO, a deception platform will vastly reduce the probability of your organisation suffering a data breach, regardless of the source. It will provide you with informed data analytics that quantify and qualify your risk exposure to threat actors, and provide you with detailed intelligence on which attack surfaces and tools might be used to target your organisation. These data sets will not only inform where you should be focusing your limited security resources, but also demonstrate to the board how effectively managing cyber risk, and what you’re doing to improve your organisation’s overall security posture.
Author: Nahim Fazal, BAL - Cyber Threat Intelligence at CounterCraft