Over the past three years, I have been in regular conversations with UK businesses from various industries and at different stages of their cybersecurity maturity path.
Despite the differences at a business level, from a cybersecurity perspective, there are two main worries that keep them awake at night. Those pain points can be summarized as:
– the gaps in detection left by other technologies
– the lack of visibility of what is really happening in their infrastructure that would allow them to make decisions, prioritize and report to the board.
These two worries are the major reasons I have seen UK businesses inquire into how cyber deception can help them.
In this blog post, I will try to go deeper into those two concerns, as well as why cyber deception helps businesses strengthen their cybersecurity position independently of where they are in their cybersecurity maturity path.
Challenge #1: Gaps in Detection
At this stage, I believe we all know that perfect cybersecurity is an impossible utopia—unless you can operate your business in a bunker without letting anyone or anything come in or out, which is not very practical. And we are also aware that as attackers get more and more sophisticated, their ability to trespass cybersecurity controls without being noticed increases.
The three most common worries we hear from businesses under the umbrella of detection are:
– How do I know if an attacker has passed undetected?
– How do I know if I am facing insider threats?
– How can I protect systems that are too old or too complex for traditional security controls?
Let’s have a deeper look…
How do I know if an attacker has got through my security controls undetected?
A common question we receive from UK businesses is how to know if an attacker has silently circumnavigated our security controls unnoticed.
One of the most reliable ways to find out is with the use of deception environments.
Some of our clients have used our cyber deception technology during red team exercises. A common result of the exercise is that the only security tool that detected the red team activity was the deception environment. The red team were caught out by the deception environment. They didn’t realise that it wasn’t the infrastructure they were trying to compromise. (You can read more about one of our most recent cases here).
Cyber deception environments look and feel like our clients’ real infrastructure with the added component of making it an attractive target for the attacker. The underlying motives of the attacker are exploited by our system. For example, if the attacker is looking to gain deeper access and control over a network, they find the deception environments irresistible targets. When they take the bait, you will be alerted.
If an attacker has been savvy enough to pass your first line of security controls, having an attractive and well-crafted cyber deception environment will give you the chance to catch them, deflect the attack away from your real infrastructure and allow you to reconfigure your other security controls to mitigate its potential damage across the rest of your IT systems.
A common follow-up question we get is: Does that mean that cyber deception is an alternative to End-Point Detection and Response systems (EDR)?
No, it’s not an alternative, it’s a compliment to EDR. All of the major recent hacks feature companies with EDR systems that have been circumvented by motivated hackers. Deception techniques will mitigate the risk of any gaps left by your EDR and other cybersecurity controls.
How do I know if I am facing insider threats?
It doesn’t come as a surprise that one of the main worries of businesses is insider threats. It is a common worry, mainly for those companies that manage sensitive data and information in industries such as insurance or even manufacturing.
The trouble with insider threats is that their activity looks genuine to your security controls, making it very difficult to discover.
Cyber deception deals with insider threats by creating a credible attractive environment that no legitimate actor would have a reason to step into. If “curious” employees or third parties with access mess around with it, the alarm goes off. The deception environment can also have different levels of “engagement” to filter anyone that has arrived there by mistake.
Mitigating the risks of insider threats is one of the most common use cases among our clients and one that is difficult to solve with other types of technologies.
To know more about cyber deception and insider threats, this blog post about the importance of tracking insider threats proactively is a must read.
How can I protect systems that can’t be protected by traditional security controls?
This is the number one question we get from organizations in Military, Critical Infrastructure, Manufacturing, Energy, Oil and Gas and Transport verticals. These industries still operate with legacy systems that can’t follow the updates that have been made to traditional security controls and/or have a complex Operational Technology infrastructure that makes the use of traditional security controls very difficult or expensive to deploy.
The beauty of CounterCraft’s cyber deception solution is that it can adapt and camouflage to match your systems to mitigate the risk of attackers reaching the real infrastructure. It doesn’t give full coverage, but it is designed to trick the attacker into the deception environment and away from the real infrastructure, alerting and providing intelligence about what the attacker is trying to do against your infrastructure.
If this case relates to your business, I recommend reading this article about boosting OT security with cyber deception by one of our experts, which explains how cyber deception works in those environments in different attack scenarios.
Challenge #2: Lack of Visibility
Blocking cyber attacks is essential and needed, and the reality is that it is what most businesses care about when it comes to cybersecurity.
But I have observed in the past years that there are questions - usually from the board of directors - that demand answers which require further visibility into what is really happening. Traditional threat intelligence leaves these answers at an unsatisfactorily generic level of detail.
Having the answers to those questions would give businesses a stronger cybersecurity position, as well as making better use of already limited resources - people, time and money.
Where do we start?
One of the most common questions we receive is where to start. There is so much to do and everything is important, but how do I know what is the most important action for my particular business?
Cyber deception is often linked to being used by very mature companies only, but it is a great tool to gain visibility to plan and prioritize your cybersecurity path even when you are at the beginning of the curve.
As mentioned before, cyber deception can be deployed outside the perimeter of your infrastructure, ready to inform you when and how you are being targeted before attackers get anywhere close to you. Having this real and specific threat intelligence will allow you to prioritize your actions to mitigate the attack.
Clients with this question also run multiple deception environments in parallel to cover different use cases where they suspect attacks are coming from. Their goal is to test their hypothesis and gather the data to support their decisions or budget spending. For example, they might run a campaign to see if they should be worried about insider threats and, in parallel, a pre-breach campaign to gain visibility into what external threat actors might be trying to do.
What would be the impact of an attack being successful?
A difficult question that boards usually ask our users is what would happen to the business if an attack were successful. “How ready, or not, are we to minimise impact?" The question is not a generic “what is that attack trying to do”, but instead, with our current security controls in place, what damage would an attack do to the business.
For example, spear phishing is a typical use case that we receive when clients are trying to answer this question. Eventually, someone will fall into the phishing trap, so what would the damage be? Blocking spear phishing is very important but it does not provide us with all the answers. (To know more about how cyber deception can block targeted spear phishing campaigns, have a look at this post) that takes spear phishing intel gathering to another level).
Cyber deception gives our clients a secure space away from their real production infrastructure to see what the attacker does. Also, CounterCraft’s platform allows a multilayered environment to see how far the attacker would be willing to go and what tools and procedures they are using against us.
As a result, you have the hard data to answer the question, giving you the support to build the business case for further resources, if needed, to mitigate the risk.
Can we find out when an attacker is targeting us before they get anywhere close to breaching our system?
I admit this question only comes from the more proactive minds, and it is not as widely spread as I would like it to be. But let’s talk about it, because I believe it gives you an advantage that was not possible before.
Why wait until the attacker is already in your perimeter? Why not find out if you are being targeted as an organization before the breach happens? This threat intelligence specific to your organization gives you the opportunity to get your cyber defenses ready to mitigate the attack. It is about moving the kill chain to the left, towards the reconnaissance and pre-breach activities of the attacker.
What is also great about this use case of cyber deception is that it is deployed externally to your organization, which means that it doesn’t touch your infrastructure. As a result, it has zero friction for deployment, and needs very little technical input from your side, and can be deployed very quickly.
These are some of the questions your peers are asking the most. Have you asked them yourself?
I’m sure you can relate to some of their concerns. I hope you use this overview of what others are trying to achieve with deception to strengthen your own cybersecurity posture.
If you have any questions about if we could help you with your particular case, do not hesitate to reach out to one of our experts in cyber deception and they will be able to guide you.
Author: Marta Fernandez, UK Channel Manager