Intelligent CISO Issue 13 - Page 68

Decrypting myths

Carolyn Crandall, Chief Deception Officer at Attivo Networks

prevent attackers from leaving backdoors and facilitating an easy return.

Threat actors start with the upper hand, since they control when to plan and launch their attacks. Victims must then respond instantly to defend themselves, often with minimal knowledge of what they are reacting to. However, by taking a page out of the cybercriminal's handbook, organisations do not have to be stuck in the role of passive target. Many of the same techniques routinely used in cyberattacks can be turned around to trick adversaries into not only revealing their presence, but also giving away their secrets.

Fighting deception with deception

Much like the deceptive manoeuvres and decoy targets used throughout military history, organisations can create a deception fabric to confuse attackers and fool them into making mistakes. When decoys are well constructed, the adversary faces an extremely difficult and time-consuming job telling real from fake. This not only diverts them away from the real target, but also forces them to play their hand, revealing clues about their intent and identity.

A number of key factors determine a decoy network's ability to reliably trick and disrupt adversaries. The first is to make it an attractive target that gives every sign of being genuine. It needs to mirror the production environment, running the same operating systems and services and exhibiting the same network characteristics. It also needs to cover every attack surface: user networks, endpoints, cloud, infrastructure, IoT and ICS-SCADA, among others. Alongside this, the deception solution must be easy for the organisation to deploy and operate, with a high degree of automation. Value is also found in high-fidelity, engagement-based alerts that security teams can respond to efficiently: a decoy has no legitimate users, so any interaction with it is suspicious by construction.
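To make the high-fidelity, engagement-based alerting concrete, here is an added example of the detection logic a security team might run over authentication and connection events. It is not code from the article or from Attivo Networks. It assumes a defender-maintained inventory of decoy accounts and decoy host addresses (the names and addresses below are placeholders), a constructed log format, and the constructed sample lines embedded in the block. Because no legitimate workflow uses a decoy credential or connects to a decoy host, any such event is an alert regardless of whether the login succeeded, and the source address in the alert reveals the attacker's foothold. The example goes a little beyond the text by contrasting this with a conventional failed-login rule, which also fires on a genuine user's typo, to show why the decoy alerts are high fidelity.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed inventory of lures (placeholder names and addresses):
# decoy accounts seeded into endpoint credential stores, and decoy hosts
# that mirror production services but serve no legitimate user.
DECOY_ACCOUNTS = {"svc_backup_admin", "sql_ro_legacy"}
DECOY_HOSTS = {"10.20.30.77", "10.20.30.78"}

# Constructed log format (an assumption of this example): one auth or
# connect event per line, whitespace-separated key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth|connect) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"result=(?P<result>ok|fail)$"
)

# Constructed sample events. Line 2 is alice mistyping her own password;
# lines 3 and 4 are an intruder on alice's workstation trying a planted
# credential and then browsing to a decoy server.
SAMPLE_LOG = [
    "2024-03-01T09:00:01Z auth user=alice src=10.1.1.15 dst=10.20.30.5 result=ok",
    "2024-03-01T09:01:00Z auth user=alice src=10.1.1.15 dst=10.20.30.5 result=fail",
    "2024-03-01T09:02:44Z auth user=svc_backup_admin src=10.1.1.15 dst=10.20.30.5 result=fail",
    "2024-03-01T09:03:10Z connect user=alice src=10.1.1.15 dst=10.20.30.77 result=ok",
    "2024-03-01T09:05:00Z auth user=bob src=10.1.2.9 dst=10.20.30.6 result=ok",
    "malformed line that should be ignored",
]


@dataclass(frozen=True)
class Alert:
    ts: str
    reason: str   # which lure was touched
    user: str
    src: str      # where the attacker is operating from
    dst: str


def parse_event(line):
    """Parse one log line into a dict of fields, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(line):
    """Return an Alert if the event touches a decoy, else None.

    The result field is deliberately ignored: a decoy password is never
    valid anywhere real, so even a failed attempt proves that someone
    harvested it from the endpoint where it was planted.
    """
    e = parse_event(line)
    if e is None:
        return None
    if e["user"] in DECOY_ACCOUNTS:
        return Alert(e["ts"], "decoy credential used", e["user"], e["src"], e["dst"])
    if e["dst"] in DECOY_HOSTS:
        return Alert(e["ts"], "decoy host touched", e["user"], e["src"], e["dst"])
    return None


def engagement_alerts(lines):
    """Engagement-based alerts: every decoy interaction, and nothing else."""
    return [a for a in map(classify, lines) if a is not None]


def failed_auth_events(lines):
    """Conventional noisy rule, for contrast: every failed login, typos included."""
    events = (parse_event(line) for line in lines)
    return [e for e in events if e is not None and e["result"] == "fail"]


def implicated_sources(alerts):
    """Count alerts per source address: the attacker's likely foothold."""
    return dict(Counter(a.src for a in alerts))


if __name__ == "__main__":
    alerts = engagement_alerts(SAMPLE_LOG)
    for a in alerts:
        print(f"{a.ts} ALERT {a.reason}: user={a.user} src={a.src} dst={a.dst}")
    print("implicated sources:", implicated_sources(alerts))
    print("failed-login rule would have fired",
          len(failed_auth_events(SAMPLE_LOG)), "times, including alice's own typo")
```

On the sample data the engagement rule produces exactly two alerts, both pointing at 10.1.1.15 as the compromised workstation, while the failed-login rule fires twice and cannot distinguish alice's typo from the intruder's attempt. In a real deployment the inventory would be fed from whatever system plants the lures, so that a newly seeded credential is detectable the moment it is planted.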
Collectively, these capabilities keep operational overhead to a minimum, even at scale.

The principle of decoy networks has previously been seen in the form of honeypots. However, given their operational complexity, their use has primarily been for research. They are typically placed outside the real network to discover who is targeting the organisation and to gather intelligence on attacker techniques. Honeypots were not designed for detecting sophisticated attackers or for scalability, which dramatically limited their deployment and usefulness. Modern, commercial-grade deception technology emphasises scalability, authenticity and a high degree of automation, enabling it to be deployed and operated across everything from user networks to cloud data centres to specialised operational technology environments.

Falling into the trap

Older honeypots do not hold up to close inspection and are generally only effective at gathering intelligence on low-level attackers, particularly those using automated bots to scan for potential targets. Newer deception platforms take deception further by incorporating deceptive credentials, mapped drives and other lures placed on endpoint devices to entice the attacker into taking the bait and revealing themselves. The combination of decoy networks and endpoint lures makes it far more difficult for an attacker to navigate the network, as they are unable to tell the difference between real assets and elaborate fakes. Even the simplest error can land them in a decoy network and force them to restart their attack. This provides an extremely effective additional layer of defence against intruders who have already infiltrated the network.

Every second counts during a cyberattack, and the maze of traps and