Distributed Deception Platforms are a hot topic today. Most CISOs are thinking of implementing deception technology or road-mapping it into their evaluations and budgets. The promises sound great:
- Full kill-chain coverage with low false positives
- Deep visibility across endpoints and VLANs
- Lateral movement / privilege escalation detection of humans and malware
Unfortunately, due to the unique secretive nature of deception (after all, you may not want people to know about it), there’s precious little information on how a security team can implement deception technology successfully and make it useful.
If you’re being pushed to power-up a sleek appliance and kiss your cybersecurity woes goodbye, don’t believe the marketing hype — that’s not going to happen.
After implementing deception technology campaigns for the better part of a decade, we’ve compiled a list of the 7 deadly sins that will guarantee that your deception investment will disappoint you. Here we go:
1. You’re Not Sure What You’re Protecting
It’s quite obvious that for a deception technology deployment to be successful, you need an objective and a strategy. At a minimum, make sure you know what assets you’re trying to protect (they’re not all equal to the hacker). The best deception campaigns are extremely goal-oriented (e.g.: “Catch targeted attacks against my SWIFT servers, especially focused on breaches from third-party networks.”).
The Fix: Make a list of your top 3 nightmare scenarios, and identify the assets (endpoints / servers / people / credentials / network zones) that are a part of those nightmares.
2. You Don’t Know Your Enemy
There’s a reason some of the best deception specialists moonlight as threat hunters or red-teamers. Deception is an ‘active defence’ capability — where deep knowledge of the attacker’s modus operandi is crucial. Knowing the critical paths an attacker will follow will massively boost the effectiveness of your deception capabilities.
The Fix: Have your in-house / external red-team build attack trees to the assets you’ve identified at risk. Train your blue-team on how to think adversarially.
3. You’re Not Prepared for Deception Alerts
One of the best things about deception technology is that the alerts are low false positive and real-time. That’s great, but when the metaphorical (or literal) phone rings, do you have a plan for how to respond? The attacker is very likely still ‘live and squirming’ on your infrastructure. This leads to interesting new opportunities and questions:
- Should you watch what they’re doing and learn more, or do you want to immediately contain?
- How are you handling forensics? Live or dead?
- Can you use the IOCs immediately to dimension the scope of the breach?
- Is there an opportunity for useful attacker attribution with more targeted deception?
The Fix: Have a specific set of incident response play-books for responding to deception alerts. War-game the scenarios end-to-end, ideally without your DFIR / blue-team being aware. Start basic and build a roadmap to advanced deception use cases.
4. You Haven’t Tested Your Deception Strategy
Confident and experienced deception specialists will encourage (even insist) that you test the deception realism in your environment after you implement it. Not only does this validate that the deception is ‘working’ to meet your business objectives, but it will give you useful metrics like time-to-deceive, deception engagement time, coverage, and kill-chain hit ratios.
The Fix: Blind test the strategy underlying your deception technology deployment. See how ‘real’ your simulated adversary believes the decoys are. Did you miss something? This is worth doing regularly.
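The scorecard below is an added example (not Smokescreen’s code or any product feature) of how the metrics named above can be computed from a blind test. It assumes you have the red team’s own action log (timestamp, kill-chain stage, asset touched) and the decoy telemetry from the same window; the sample data, the decoy inventory and the metric definitions (one reasonable reading of the post’s terms) are constructed for illustration. The useful output is not the ratios themselves but the list of decoy interactions that produced no telemetry, which is exactly the “did you miss something?” question.

```python
"""Deception blind-test scorecard (added example; not the post's or vendor's code).

Assumed inputs: the red team's action log and the decoy telemetry for the
exercise. Metric definitions are assumptions made here, not the vendor's.
"""
from datetime import datetime, timedelta

# Constructed sample: red-team actions (timestamp, kill-chain stage, asset).
RED_TEAM_ACTIONS = [
    ("2024-03-01T09:00:00", "recon", "srv-files-01"),
    ("2024-03-01T09:25:00", "recon", "srv-dc-01"),
    ("2024-03-01T09:40:00", "lateral", "ws-finance-12"),
    ("2024-03-01T10:05:00", "lateral", "srv-swift-decoy"),
    ("2024-03-01T10:30:00", "privesc", "srv-swift-decoy"),
    ("2024-03-01T11:10:00", "collection", "srv-files-01"),
    ("2024-03-01T11:30:00", "collection", "ws-hr-decoy"),   # decoy touched, no alert below
    ("2024-03-01T12:00:00", "exfil", "srv-files-01"),
]

# Constructed decoy telemetry: (timestamp, decoy, source IP, event type).
DECOY_EVENTS = [
    ("2024-03-01T10:05:30", "srv-swift-decoy", "10.20.30.40", "smb_auth"),
    ("2024-03-01T10:31:10", "srv-swift-decoy", "10.20.30.40", "cred_use"),
]

DECOYS = {"srv-swift-decoy", "ws-hr-decoy"}   # constructed decoy inventory
ALERT_WINDOW = timedelta(minutes=2)           # how close telemetry must be to the action


def _ts(s):
    return datetime.fromisoformat(s)


def scorecard(actions, events, decoys, window=ALERT_WINDOW):
    """Compute time-to-deceive, engagement time, coverage and hit ratio, and
    list decoy interactions that fired no telemetry (blind spots)."""
    start = min(_ts(t) for t, _, _ in actions)
    stages_exercised = {stage for _, stage, _ in actions}
    decoy_actions = [(_ts(t), stage, asset) for t, stage, asset in actions if asset in decoys]
    stages_hit = {stage for _, stage, _ in decoy_actions}

    # Match every decoy interaction to a telemetry event on that decoy within the window.
    missed = []
    for when, stage, asset in decoy_actions:
        fired = any(d == asset and abs(_ts(t) - when) <= window for t, d, _, _ in events)
        if not fired:
            missed.append((when.isoformat(), stage, asset))

    ev_times = sorted(_ts(t) for t, *_ in events)
    return {
        # minutes from exercise start until the first decoy fired
        "time_to_deceive_min": (ev_times[0] - start).total_seconds() / 60 if ev_times else None,
        # minutes between first and last decoy telemetry event
        "engagement_time_min": (ev_times[-1] - ev_times[0]).total_seconds() / 60 if ev_times else 0.0,
        # share of exercised kill-chain stages in which a decoy was touched
        "stage_coverage": len(stages_hit) / len(stages_exercised),
        # share of all red-team actions that landed on a decoy
        "kill_chain_hit_ratio": len(decoy_actions) / len(actions),
        # share of decoy interactions that actually produced telemetry
        "alerted_ratio": (len(decoy_actions) - len(missed)) / len(decoy_actions) if decoy_actions else None,
        "missed_interactions": missed,
    }


if __name__ == "__main__":
    for k, v in scorecard(RED_TEAM_ACTIONS, DECOY_EVENTS, DECOYS).items():
        print(f"{k}: {v}")
```

Run it after each blind test and track the numbers over time; a decoy that the red team touched without an alert (here the constructed `ws-hr-decoy`) is the finding to chase before anything else.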
5. Your Deception is Not Customised
The best way to increase deception engagement time is to customise the decoys to your environment. There are a number of nifty tricks here (our MirageMaker feature does a lot of this for you), but never underestimate the power of human ingenuity.
The Fix: Find the most devious folks in your infosec team and brainstorm how you can deceive, degrade, deny, disrupt, and dazzle an attacker even better. You want your deception to maximise the economic burden to the attacker in terms of time, effort, and cognitive load.
6. You Don’t Know the ‘Deception Trifecta’
Well-planned deception systems unify three perspectives to quickly arrive at the root cause of an incident:
- What is happening? (decoy telemetry)
- How is it happening? (endpoint forensics)
- Where else is it happening? (estate integrations / correlation)
We call this the ‘deception trifecta’, and your entire strategy must be built around it.
The Fix: Study the deception trifecta and determine how weak or strong you are on each side. Improve visibility, collection, and analysis speed for each perspective. Ensure supporting systems can flesh out context when deception systems alert you (e.g. do you have an updated asset inventory?).
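As an added example (not Smokescreen’s code or a product feature), here is what the trifecta looks like when a decoy alert is actually triaged: the alert is enriched with decoy telemetry (what), endpoint events from the source host (how) and estate auth logs plus the asset inventory (where else). The three feeds, their field names and the sample events are all constructed; the point is the shape of the join and the explicit gap reported when the inventory cannot resolve the source IP.

```python
"""Deception-trifecta triage (added example; not the post's or vendor's code).

Assumes three feeds with hypothetical field names: decoy telemetry,
EDR-style endpoint events and estate auth logs, plus an asset inventory
keyed by IP. All sample data below is constructed.
"""
from datetime import datetime, timedelta


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed asset inventory: IP -> host metadata.
ASSET_INVENTORY = {
    "10.20.30.40": {"host": "ws-finance-12", "owner": "j.doe", "zone": "corp-users"},
    "10.20.31.7": {"host": "srv-files-01", "owner": "it-ops", "zone": "servers"},
}

# WHAT: constructed decoy telemetry.
DECOY_TELEMETRY = [
    {"ts": "2024-03-01T10:05:30", "decoy": "srv-swift-decoy", "src": "10.20.30.40", "event": "smb_auth", "user": "svc-backup"},
    {"ts": "2024-03-01T10:31:10", "decoy": "srv-swift-decoy", "src": "10.20.30.40", "event": "cred_use", "user": "svc-backup"},
    {"ts": "2024-03-01T10:40:00", "decoy": "ws-hr-decoy", "src": "10.20.30.40", "event": "rdp_attempt", "user": "svc-backup"},
]

# HOW: constructed endpoint (EDR-style) network events per host.
ENDPOINT_EVENTS = [
    {"ts": "2024-03-01T10:05:28", "host": "ws-finance-12", "pid": 4412, "image": "powershell.exe",
     "parent": "winword.exe", "user": "j.doe", "dst": "10.20.40.5", "dport": 445},
    {"ts": "2024-03-01T09:15:00", "host": "ws-finance-12", "pid": 3100, "image": "outlook.exe",
     "parent": "explorer.exe", "user": "j.doe", "dst": "10.20.1.2", "dport": 443},
]

# WHERE ELSE: constructed estate auth logs (real systems, not decoys).
AUTH_LOGS = [
    {"ts": "2024-03-01T10:12:00", "host": "srv-files-01", "src": "10.20.30.40", "user": "svc-backup", "result": "success"},
    {"ts": "2024-03-01T10:14:00", "host": "srv-dc-01", "src": "10.20.30.40", "user": "svc-backup", "result": "failure"},
    {"ts": "2024-03-01T08:00:00", "host": "srv-files-01", "src": "10.20.31.7", "user": "it-ops", "result": "success"},
]


def triage(alert, window=timedelta(minutes=30)):
    """Build the three trifecta views around one decoy alert."""
    when = _ts(alert["ts"])
    lo, hi = when - window, when + window

    def in_window(e):
        return lo <= _ts(e["ts"]) <= hi

    src = alert["src"]
    asset = ASSET_INVENTORY.get(src)

    # WHAT: everything this source did to any decoy in the window.
    what = sorted((e for e in DECOY_TELEMETRY if e["src"] == src and in_window(e)), key=lambda e: e["ts"])

    # HOW: processes on the source host with network activity in the window
    # (only possible if the inventory resolves the IP to a host).
    how = []
    if asset:
        how = sorted((e for e in ENDPOINT_EVENTS if e["host"] == asset["host"] and in_window(e)),
                     key=lambda e: e["ts"])

    # WHERE ELSE: real systems reached by the same source IP or the same credential.
    users = {e["user"] for e in what}
    where_else = sorted({e["host"] for e in AUTH_LOGS
                         if in_window(e) and (e["src"] == src or e["user"] in users)})

    return {
        "source_asset": asset,
        "what": what,
        "how": how,
        "where_else": where_else,
        "other_decoys_hit": sorted({e["decoy"] for e in what if e["decoy"] != alert["decoy"]}),
        "gaps": [] if asset else ["source IP not in asset inventory"],
    }


if __name__ == "__main__":
    ctx = triage(DECOY_TELEMETRY[0])
    print("source:", ctx["source_asset"])
    print("how:", [(e["image"], e["parent"], e["user"]) for e in ctx["how"]])
    print("where else:", ctx["where_else"], "gaps:", ctx["gaps"])
```

The window is deliberately a parameter: a short window answers “which process made this connection”, a longer one answers “which other decoys and real hosts did this credential touch”, and the `gaps` field makes a stale inventory show up as a triage failure rather than silently producing an empty “how” view.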
7. Your Deception Provider Doesn’t ‘Get’ Strategy
Remember IDS? DLP? NAC? cough SIEM cough?
The success of cybersecurity technologies is pretty binary: Either they’re well implemented by people who knew how to do it right, or far more often, they’re a mess of false promises and mismatched expectations. If you’re just being sold a box, AMC, and product training, there’s a lot missing. Sure, you might make it work, but the onus should be on the vendor to ensure you operationalise deception capabilities and see success for stuff that matters to you (we do this for every customer, big or small).
The Fix: Talk to your provider to understand the depth of their knowledge on deception technology deployments, adversarial thinking, and most importantly, how they’ll make it all work for you. Get into specifics. Speak to their people. Hint: if their title says ‘Sales’… well… caveat emptor 🙂
In Summary – How To Get It Right
- Identify what will hurt you, and where those assets reside
- Know how your enemy will likely traverse your environment
- Create a tactical plan for handling deception alerts
- Blind test your deception strategy regularly
- Customise your deception environment ‘by hand’
- Know the ‘Deception Trifecta’ and improve how you use it
- Choose a provider who will build a capability, not sell a box
Deception technology is more than just a new way to detect lateral movement, privilege escalation, ransomware, data-theft or solve any other current cybersecurity woes. It’s a fundamentally different way of thinking about how you defend your organisation, irrespective of shiny boxes (ours or anybody else’s)!
Avoid the mistakes above, and your security team will really see the benefits behind the hype. We have customers that now use deception as their ‘concertmaster’ — the single most important pillar in their security stack, with everything else supporting it.
At Smokescreen, we believe we’ve solved these problems through our technology, support, and experience. If you’d like to learn more about how we think it should be done, get in touch for a chat with our specialists!
If you’re in the process of evaluating deception technology vendors, read our blog post on 10 questions you need to ask them or download our guide that dives deep into capabilities that make for a great deception solution.