Today information security (infosec) and cybersecurity are quickly becoming a top priority for organizations. As it should—there are an estimated 200 Advanced Persistent Threat (APT) groups globally, with new ones popping up every day. From script kiddies to sophisticated technical experts, backed by foreign nations looking to disrupt our way of life for political gain or cybercriminals attacking organizations for monetary gains. In fact, per Accenture, in 2019 the average cost of cybercrime for organizations was $13 million.
Recently, the National Institute of Standards and Technology (NIST) has highlighted deception in several documents as an important part of cybersecurity.
The last year has shown us that as a whole we are still very vulnerable to cybersecurity attacks and breaches. Several notable attacks occurred, the most impactful in the US being the following:
- SolarWinds Attack
- Colonial Pipeline
- JBS, the world’s largest meatpacking company
These attacks and many others, both disclosed and undisclosed to the public, prompted the industry and the federal government to take action. Now we see a push to incorporate the Zero Trust methodology across the board in all organizations, a cry for widespread multifactor authentication, new standards created like the Cybersecurity Maturity Model Certification (CMMC), and Executive Orders on Improving the Nation’s Cybersecurity.
NIST sketches out the purpose and benefits of deploying deception technology and taking a proactive cybersecurity stance in the following Special Publications:
- NIST Special Publication 800-172 – Enhanced Security Requirements for Protecting Controlled Unclassified Information
- NIST Special Publication 800-160 Volume 2 – Developing Cyber Resilient Systems: A Systems Security Engineering Approach
All of these measures are a step in the right direction. In 2010, Gartner released the CARTA Framework as part of their Adaptive Security Architecture. This Framework covers five main principles:
- PREDICT
- PREVENT
- REACT
- DETECT
- VISIBILITY
Most organizations have made significant investments in best-of-breed, Tier 1 solutions addressing REACT and DETECT. However, when it comes to PREDICT and PREVENT there are clear gaps. This is because most organizations concentrate on reacting to cybersecurity threats, instead of being proactive in their defense against breaches.
Let’s take a look at what has been outlined in the NIST Special Publications for some insight into how deception can help.
Excerpts from the above NIST Special Publications about deception technology state that deception:
“wastes” adversary’s time and resources:
- “Active deception can divert adversary activities, causing the adversary to waste resources and reveal TTPs, intent, and targeting.”
lowers the adversary’s efficacy and own ability to gather intel:
- “Deception and unpredictability are intended to increase the adversaries’ uncertainty about the system’s structure and behavior, what effects an adversary might be able to achieve, and what actions cyber defenders might take in response to suspected malicious cyber-related activities.”
stop the adversary in the middle of the cyber kill chain, buying a defender time to react:
- “Deception is used to confuse and mislead adversaries regarding the information that the adversaries use for decision-making, the value, and authenticity of the information that the adversaries attempt to exfiltrate, or the environment in which the adversaries desire or need to operate. Such actions can impede the adversary’s ability to conduct meaningful reconnaissance of the targeted organization, delay or degrade an adversary’s ability to move laterally through a system or from one system to another system, divert the adversary away from systems or system components containing CUI, and increase observability of the adversary to the defender—revealing the presence of the adversary along with its TTPs. Misdirection can be achieved through deception environments (e.g., deception nets), which provide virtual sandboxes into which malicious code can be diverted and adversary TTP can be safely examined.”
It’s a known fact that once a bad actor/adversary penetrates an organization’s network they typically go unnoticed for ~90+ days before the often overwhelmed cybersecurity team is aware of their presence.
This means the adversary was able to successfully go through each stage of the kill chain: Gather Intelligence>Initial Compromise>Lateral Movement>Action on the Objective>Complete Mission.
Not only do organizations have to contend with external threats — internal threats both malicious and unintentional can have devastating effects. So, what’s the answer? How can organizations shore up their defenses and protect themselves from the multitude of cybersecurity threats they face daily?
While there is no magic bullet when it comes to cybersecurity, organizations must change their mindset from reacting to threats to one of being proactive.
This is where deception technology comes into play. Simply put, deception technology is a proactive cybersecurity approach. It is designed to lure bad actors and adversaries (whether they be internal or external to your organization) away from your valuable production assets over to a confined environment that essentially mirrors your production environment. In this deception environment, your cybersecurity team can safely monitor and track their activities, and, more importantly, gather valuable telemetry such as TTPs and IOCs (actionable threat intelligence). With this valuable intel, informed decisions can be made on how to remediate the threat as well as shore up production defenses.
Again, there is no magic bullet when it comes to cybersecurity. A mature cybersecurity approach involves best-of-breed cybersecurity tools, training, integration, established SOPs + SLAs, and collaboration. It also involves taking a proactive stance instead of being reactive.
By deploying deception technology an organization now becomes the hunter instead of the hunted. They can proactively defend against various cybersecurity threats and understand:
- Who is the adversary?
- What do they want?
- What have they been able to do?
- What are they going to do next?
This allows organizations to achieve the end goal, which is to prevent damage to production systems by being better informed and prepared.
Shunta Sharod Sanders, the Lead Senior Solutions Architect at CounterCraft, specializes in offensive and defensive cybersecurity technologies and is a recognized Data Storage Technology Subject Matter Expert by SNIA and CompTIA. Shunta currently leads all technical Presales activities in North America at CounterCraft. Where he works to help organizations eliminate data breaches from insider threats and external hacking attacks by taking a proactive cybersecurity stance utilizing Deception Technology. You can find Shunta here on LinkedIn.