It’s pretty common to think about security as a whole, as one uniform process in which all information needs to be safeguarded. It’s true that you have to protect all your infrastructure and data, but it’s also true that not all your information is equally sensitive.

There are probably some assets that require extra attention, some that pose a bigger risk if they are compromised. It makes sense, then, to put more effort into protecting what can do the biggest damage.

“Assume Breach” and “Zero Trust Security” approaches can help detect movement from the endpoints in your network that are easier to compromise toward your high-value assets. But is this enough? Why not use the knowledge about your assets and network, information your adversaries don’t have, to build a more resilient security architecture?

Each organisation is different, and adversaries don’t know what they are going to face when compromising a victim. You, however, know what you have, which information matters most, and how one would pivot to it from anywhere else in the company.

Let’s think about this with an actual example. You have probably heard about APT groups targeting companies working on COVID-19 vaccine development. The mitigation recommendations of the NCSC (the UK National Cyber Security Centre) call for preventing and detecting lateral movement, and its Guidance for Preventing Lateral Movement in Enterprise Networks says that the use of honeypots should be considered.

Let’s see how this applies with a simple example.

Cyber Deception for New Defensive Measures

Let’s design a small laboratory environment. It will consist of two Windows workstations used by your two employees and one file server where data is stored. In this setup, will it be difficult to raise the level of security protection? No, it will be really easy. Cyber deception will help in this situation, giving us the tools to add new defensive measures based on what we know.

So what would our deception environment consist of? Let’s separate the most common deception assets into three categories and give some simple examples of each.

1. Deploying Decoy Systems

Decoy systems can be deployed with the same OS and the same configuration as the workstations used by the employees. A decoy can also be an additional file server. Take into account that attackers don’t know how things should look: everything will appear legitimate, but as soon as they interact with a deception host, alerts will pop up. It’s up to you to decide what the next steps will be, from shutting down the servers to analyzing the attackers’ modus operandi.

2. Planting Fake Files

In this case, the strategic objective of the attacker is to steal data. How can this be used to our advantage? By planting fake files. Any access to these files can raise an alarm, and any misleading information we place inside them can confuse the attackers once they read it.

Fake files can also contain information that is uniquely identifiable and which, if accessed by attackers, can serve as proof that the information was stolen. Even a simple action such as opening a specially crafted file could send back information about the attackers, the kind of information they are keen to conceal.

3. Planting Fake Information

The last category is about planting information in the systems. This information can relate to the infrastructure and can be modified and extended based on your needs. Examples include creating fake accounts, creating real accounts on servers that should not have them, or giving users access to additional deception services. As we said before, we have the advantage of being the only ones who know what is real in the production environment and what is not.
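The three categories above share one operating principle: deception assets have no legitimate users, so any interaction with them is a high-fidelity signal. The following script, added here as an illustration and not CounterCraft’s tooling, shows how that principle turns into detection logic for the two-workstation lab. It evaluates Windows Security events (4624 logon, 4625 failed logon, 4663 object access, 5156 Windows Filtering Platform permitted connection, which are the standard event IDs) against an inventory of decoy hosts (category 1), canary files (category 2) and honey accounts (category 3), and also shows how an HMAC-derived marker placed in a planted file lets a leaked copy be traced back to the exact file. The host names, IP addresses, file paths, account names, secret and sample events are all constructed for the example; in a real deployment 4663 events for the canary files only appear if object-access auditing is enabled and a SACL audit rule is set on those files.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# --- Deception inventory (constructed for this example; not real assets) ---
DECOY_HOSTS = {"10.0.0.50": "WS-DECOY01", "10.0.0.60": "FS-DECOY01"}   # category 1
CANARY_FILES = {                                                          # category 2
    r"\\FS01\Finance\budget_2021_draft.xlsx",
    r"\\FS01\RnD\trial_results_internal.docx",
}
HONEY_ACCOUNTS = {"svc_backup_old", "share_admin"}                        # category 3
CANARY_SECRET = b"constructed-secret-rotate-in-production"                # hypothetical key


def canary_token(path: str, secret: bytes = CANARY_SECRET) -> str:
    """Unique per-file marker to embed in a planted document (e.g. in its metadata).
    HMAC makes the marker unforgeable and lets a marker seen in a leak be mapped
    back to exactly one file without keeping a lookup table on the file server."""
    return hmac.new(secret, path.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def identify_leaked_file(token: str, secret: bytes = CANARY_SECRET) -> Optional[str]:
    """Given a token observed outside the network, name the canary file it came from."""
    for path in CANARY_FILES:
        if hmac.compare_digest(canary_token(path, secret), token):
            return path
    return None


@dataclass(frozen=True)
class Alert:
    category: str   # "decoy_system", "fake_file" or "fake_account"
    source: str     # where the interaction came from; this is the pivot point to investigate
    detail: str


def evaluate_event(ev: dict) -> Optional[Alert]:
    """Map one Windows Security event (dict of its fields) to a deception alert, or None."""
    eid = ev.get("EventID")
    user = ev.get("TargetUserName", ev.get("SubjectUserName", ""))
    src_ip = ev.get("IpAddress") or ev.get("SourceAddress") or "?"

    # Category 3: honey accounts are never used legitimately, so any logon
    # attempt, successful or failed, is hostile.
    if eid in (4624, 4625) and user.lower() in HONEY_ACCOUNTS:
        kind = "logon" if eid == 4624 else "failed logon"
        return Alert("fake_account", src_ip, f"{kind} as honey account {user}")

    # Category 2: canary files have no business readers; the SACL audit rule
    # makes every open visible as a 4663 event.
    if eid == 4663 and ev.get("ObjectName", "") in CANARY_FILES:
        who = f"{ev.get('Computer', '?')}/{user}"
        return Alert("fake_file", who, f"canary {ev['ObjectName']} opened by {ev.get('ProcessName', '?')}")

    # Category 1: nobody should talk to a decoy host; a logon on it or a
    # connection into it is an alert on its own.
    if eid == 4624 and ev.get("Computer") in DECOY_HOSTS.values():
        return Alert("decoy_system", src_ip, f"logon to decoy {ev['Computer']} as {user}")
    if eid == 5156 and ev.get("DestAddress") in DECOY_HOSTS:
        name = DECOY_HOSTS[ev["DestAddress"]]
        return Alert("decoy_system", src_ip, f"connection to decoy {name} port {ev.get('DestPort', '?')}")
    return None


def triage(events):
    """Run every event through the deception rules and keep the hits."""
    return [a for a in (evaluate_event(e) for e in events) if a]


def pivot_points(alerts):
    """Distinct sources that touched deception assets: the endpoints to contain first."""
    return {a.source for a in alerts}


# Constructed sample telemetry: normal activity from alice, plus an intruder on
# workstation 10.0.0.12 probing the decoy server, trying a honey account and
# opening a canary document from bob's session.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "alice", "IpAddress": "10.0.0.11", "LogonType": 3},
    {"EventID": 4663, "Computer": "FS01", "SubjectUserName": "alice",
     "ObjectName": r"\\FS01\Finance\budget_2021.xlsx", "ProcessName": "EXCEL.EXE"},
    {"EventID": 5156, "Computer": "FS-DECOY01", "SourceAddress": "10.0.0.12", "DestAddress": "10.0.0.60", "DestPort": 445},
    {"EventID": 4625, "Computer": "FS01", "TargetUserName": "svc_backup_old", "IpAddress": "10.0.0.12"},
    {"EventID": 4663, "Computer": "FS01", "SubjectUserName": "bob",
     "ObjectName": r"\\FS01\RnD\trial_results_internal.docx", "ProcessName": "powershell.exe"},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for a in hits:
        print(f"[{a.category}] from {a.source}: {a.detail}")
    print("investigate first:", sorted(pivot_points(hits)))
```

Of the five sample events, the two from alice produce nothing, while the three from the intruder each fire a different category of alert; `pivot_points` then points at the workstation (and the account) the intruder is operating from, which is exactly the lateral-movement signal the NCSC guidance is after.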

Turn the Tables on your Adversaries Using your Knowledge About your Assets

In the real world we will come across more complex networked environments, but that doesn’t mean that implementing cyber deception will be more complicated. We should always take advantage of this complexity: we are aware of it and the adversary is not, so we will be able to identify the right places to deploy our decoy assets.

It’s the same situation as a burglar who breaks into a house and has to choose between two identical doors. Behind one the cops may be waiting; the other may lead to a corridor with more doors to choose from. When the burglar isn’t even sure what could possibly be behind the doors, it is not easy to choose the correct path.

In summary, don’t just install traditional security controls that try to stop everything in a generic manner. Use your knowledge about your assets to your benefit. Create a well-mined battlefield that the attacker won’t be able to blindly bypass. You decide where to put the mines, which path the attacker is most likely to follow, and where you want to divert him to.

If you’re ready to take control of your cybersecurity, CounterCraft can help you customize your defenses based on your needs and knowledge.

Author: Mikel Gastesi, Senior Threat Analyst