You don’t know what you don’t know…but what if you could?
When I joined CounterCraft a few years ago now, a good colleague of mine helped me to understand the value of cyber deception by using a very simple analogy about a chicken farm. Today, I would like to share it with you to give you a new perspective into how cyber deception could be useful for you in your goal to build a more resilient cyber security for your organization. So, sit back, it’s time to bring a bit of storytelling to the cybersecurity world!
The Chicken Farm
We can compare the infrastructure we have to protect to a chicken farm where the goal is to keep the chickens safe from threats, from foxes to vengeful neighbors. To achieve that goal, the farmer has set up different mechanisms of defense, such as a fence to stop the fox from getting inside the chicken pen.
But despite his efforts to protect the chickens, the farmer has noticed that, every now and then, a few chickens disappear. How can that be if there is no apparent damage to the fence or any other mechanisms?
The first possible solution for our farmer is setting up more sophisticated techniques that other farmers seem to have adopted in the nearby farms. But that would result in spending quite a lot of time and money when he doesn’t know if it will solve the problem. He needs to see what is really going on to target the problem effectively with minimum resources.
So the farmer decides to implement deception techniques, creating a chicken pen that looks and feels like the real chicken pen (he doesn’t want to put the real chickens at risk or modify the current infrastructure).
The “fake” chicken pen will have a detection piece that will alert the farmer if triggered and monitoring tools to have visibility into what is happening.
When the threat triggered the detection alarm, the farmer of our story could see that it was, effectively, a fox that was stealing as many chickens as it could carry at night. But the most interesting thing that the farmer discovered was that the way the fox was getting inside the chicken pen was by jumping on a barrel left by employees near the fence. So the solution was cheap! He just had to move that barrel somewhere else. No need for more sophisticated fences.
Next, he’ll try the same technique to understand why there is chicken food missing. Is it the same fox? Or someone working inside? We don’t know yet…
The Moral of Our Story
Like the farmer of our story, you might have cybersecurity mechanisms in place to protect your organization, but we all know that 100% security doesn’t exist. There is always going to be a threat actor – a fox – that might manage to trespass the perimeter and harm your organization.
Like the farmer, you might have suspicions about where potential attacks are coming from or what areas of your organization are more vulnerable and need that extra layer of security. But, as for all of us, resources are limited and spending based on a theory might not be the most effective way to tackle the problem. So let’s use deception to gather quantitative and qualitative intelligence to support your theory and business case to solve the problem.
In the story, the outcome is ideal—that the problem is easy to solve and the solution is low cost. Interestingly, though, that is something we have actually found to be true with many of our clients. The visibility that deception gives you on how the attacker is operating gives you a much shorter route to the solution in many cases.
And finally, as with the protagonist of our story, deception can be used in parallel in multiple environments inside and outside your organization. It is not biased towards the type of attack, and it can be used in infrastructures where traditional security solutions don’t work, often the most effective way to protect them.
So, Why Deception?
- Use deception to gain time and deflect your attackers away from your real infrastructure.
- Use deception to gather actionable threat intelligence to mitigate the risk of threat actors being successful.
- Use deception to gather the data and proof points you need to build your business case to present to the board.
- Use deception to protect environments that can’t be protected with traditional security solutions.