
Our Adversaries Have No Trust Issues: A Case for Cyber Deception

Our industry constantly stresses the need to adopt zero trust architectures, yet cyber deception, a natural tool of that architecture, is rarely mentioned. The industry needs to see deception as a defense-in-depth detection tool and not only as a threat intelligence collector.

Among the 14 techniques for withstanding and recovering from cyberattacks listed in Developing Cyber-Resilient Systems: A Systems Security Engineering Approach (NIST SP 800-160, Vol. 2), deception and unpredictability stand out as “specific to adversarial threats”. Cyber resilience is not only about prevention; it’s also about withstanding and adapting to cyberattacks. 

Advanced persistent threat (APT) actors, or nation-state adversaries, fight us in cyberspace with every tactic they have, including deception. For hundreds of years, deception has been an element of warfare across land, air and maritime domains. The U.S. Department of Defense has recognized cyberspace as an operational domain since 2004, but deception has not been broadly adopted in cyberspace. 

If cyber defenders do not engage in deception themselves, we enable our cyber adversaries to operate with velocity and stealth. An interview in a 2019 Forbes article speculated that China baited the NSA with decoy machines that detected the NSA's presence and captured powerful NSA tools, which in turn were used against the U.S. Being able to stay in a fight is all about resiliency. With defensive cyber deception, cyber warriors have resiliency built into the cyber terrain.

History of Cyber Deception

Despite the availability of the alternative term "decoy," the term "honeypot" is still used to describe cyber deception efforts, and honeypots have been used for research and attribution purposes since the 1980s. For the first 30 years, building honeypots was a labor- and time-intensive process for defenders and researchers, primarily because giving the threat actors a new decoy environment meant rebuilding the honeypot. Even though they yielded information through safe observation, building a new "playground" for the APT actors was arduous and took time from other responsibilities.

The 2010s brought commercially developed defensive cyber deception platforms that made honeypots easy to maintain and distribute, and that added the concept of honeytokens (also known as breadcrumbs or lures) placed on production devices. Deception has since evolved beyond honeytokens to include honey documents and living-off-the-land (LOTL) deception: false responses to system, identity and network reconnaissance. The increased sophistication of deceptive cyber technology helps defenders frustrate and deter APT actors.

Advantage to the Defenders

Unless APT actors are lucky enough to gain initial access to their exact target with a 0-day exploit or a phishing e-mail, their next step must be reconnaissance from "patient zero," the initially compromised system or user. Through system, identity or network reconnaissance, APT actors need to gather information on the cyberspace terrain they have landed in to progress their attack. The latest cyber threat reports from the industry show that attackers are not relying on malicious programs, but rather on hands-on-keyboard or LOTL tactics to progress their attacks in stealth.

The advancements made in modern cyber deception platforms bring confusion, distrust and, more importantly, pain to our adversaries. Through the pain of detection, they are forced to modify their tools and their tactics, techniques and procedures (TTPs). I have been lucky and proud as a defender to see the moment APT actors realized that their network reconnaissance or Active Directory reconnaissance had given away their presence. At that point the APT actors faced a decision: withdraw, because the environment is too hard to maneuver in, or stay but slow their efforts because they no longer trust the cyber terrain.

For the cyber defender, deception reduces the "fog of war" because deception platforms do not flood security information and event management (SIEM) dashboards with events that need to be triaged. No legitimate user or process has a reason to touch a decoy, so a deception event is immediately actionable.

It's a Balancing Act

As cyber defenders, we are taught that defending our networks is not just about technology, but about people, process and technology. An out-of-sync set of people, processes and technology makes the job of defending immeasurably harder.

Some organizations react to major breaches by sending even more logs. This approach might not overwhelm the existing technology or the budget for the technology; however, it will certainly overwhelm the human analyst. As defenders we need to ask ourselves: Did the extra logs increase detection capabilities or the fog of war? 

Recent bulletins from the Five Eyes point out that APT actors are well aware that defenders rely on untuned endpoint detection and response (EDR), which may or may not alert on LOTL activity. EDR does capture actions from an endpoint, and the telemetry captured can be used for threat hunting or incident response. However, telemetry is not an alert. As with SIEMs, tuning EDR to raise an alert requires writing a near-perfect correlation rule, on the assumption that the APT actors will reuse the exact same TTPs.

Defensive cyber deception does not burden defenders with writing the perfect correlation rule for a constantly evolving threat. 
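The contrast drawn above (and in the earlier passages on honeytokens and reconnaissance) is easy to see in code. The following is an added example, not Leidos code or any product's logic: it runs a brittle correlation rule and a decoy-based rule over the same constructed log lines. The decoy account, host and share names, the log format and the recon command strings are all hypothetical.

```python
"""Decoy-based detection versus a signature-style correlation rule.

Added example (not from the article or Leidos). Log lines are constructed
JSON records in a simplified shape; decoy names are hypothetical.
"""
import json
import re
from dataclasses import dataclass

# Constructed decoy inventory planted by the defender. Nothing legitimate
# ever logs on as, connects to, or opens these, so any touch is an alert.
DECOY_ACCOUNTS = {"svc_backup_old"}
DECOY_HOSTS = {"10.20.0.250"}
DECOY_SHARES = {r"\\fs01\finance_archive"}

# A brittle correlation rule of the kind the text describes: it fires only
# when this exact pair of recon commands is seen, in order, from one user.
RECON_SEQUENCE = [
    re.compile(r"nltest\s+/dclist", re.IGNORECASE),
    re.compile(r'net\s+group\s+"Domain Admins"', re.IGNORECASE),
]

# Constructed sample telemetry: one benign user, then activity that touches
# decoys and ends with a recon variant the correlation rule does not know.
SAMPLE_LOGS = [
    '{"ts": "2025-01-01T09:00:01Z", "event": "logon", "user": "jsmith", "src": "10.20.0.15", "dst": "10.20.0.10"}',
    '{"ts": "2025-01-01T09:00:05Z", "event": "process", "user": "jsmith", "src": "10.20.0.15", "cmd": "whoami"}',
    '{"ts": "2025-01-01T09:12:40Z", "event": "logon", "user": "svc_backup_old", "src": "10.20.0.15", "dst": "10.20.0.10"}',
    '{"ts": "2025-01-01T09:13:02Z", "event": "net_connect", "user": "jsmith", "src": "10.20.0.15", "dst": "10.20.0.250", "dport": 445}',
    r'{"ts": "2025-01-01T09:13:30Z", "event": "share_access", "user": "jsmith", "src": "10.20.0.15", "share": "\\\\fs01\\finance_archive"}',
    '{"ts": "2025-01-01T09:14:00Z", "event": "process", "user": "jsmith", "src": "10.20.0.15", "cmd": "nltest /dclist:corp"}',
    r'{"ts": "2025-01-01T09:14:20Z", "event": "process", "user": "jsmith", "src": "10.20.0.15", "cmd": "dsquery group -name \"Domain Admins\""}',
]


@dataclass
class Alert:
    source: str  # "deception" or "correlation"
    user: str
    src: str
    reason: str


def parse_logs(lines):
    """Parse JSON log lines into event dicts."""
    return [json.loads(line) for line in lines]


def correlation_rule(events):
    """Alert only when the exact RECON_SEQUENCE is completed by one user."""
    alerts = []
    progress = {}  # user -> index of the next pattern that must match
    for ev in events:
        if ev.get("event") != "process":
            continue
        user = ev["user"]
        idx = progress.get(user, 0)
        if RECON_SEQUENCE[idx].search(ev["cmd"]):
            idx += 1
            if idx == len(RECON_SEQUENCE):
                alerts.append(Alert("correlation", user, ev["src"], "AD recon sequence matched"))
                idx = 0
        progress[user] = idx
    return alerts


def deception_rule(events):
    """Alert on any interaction with a decoy; no TTP knowledge required."""
    alerts = []
    for ev in events:
        user, src = ev.get("user", ""), ev.get("src", "")
        if user in DECOY_ACCOUNTS:
            alerts.append(Alert("deception", user, src, f"decoy account {user} used"))
        if ev.get("dst") in DECOY_HOSTS:
            alerts.append(Alert("deception", user, src, f"decoy host {ev['dst']} contacted"))
        if ev.get("share") in DECOY_SHARES:
            alerts.append(Alert("deception", user, src, f"decoy share {ev['share']} opened"))
    return alerts


def run(lines):
    """Run both detections over the same telemetry and return their alerts."""
    events = parse_logs(lines)
    return {"correlation": correlation_rule(events), "deception": deception_rule(events)}


if __name__ == "__main__":
    for source, alerts in run(SAMPLE_LOGS).items():
        print(f"{source}: {len(alerts)} alert(s)")
        for a in alerts:
            print(f"  {a.user}@{a.src}: {a.reason}")
```

On the sample telemetry the correlation rule produces nothing, because the attacker's second command is a variant it was never written for, while the decoy rule raises three alerts from the same lines. The decoy rule stays high-fidelity only as long as the decoy inventory is genuinely unused by real workflows; a decoy that an administrator or a backup job touches legitimately turns into ordinary noise.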

Forward with Leidos

For those familiar with land and maritime operations, the use of defensive cyber deception is like a fake minefield. APT actors may not immediately step on a “mine,” but thinking they might will slow their advance because they do not trust the terrain. 

The Leidos approach to defensive cyber deception enhances cyber resilience through the detection of adversarial LOTL techniques without the need for signature or correlation rules. Leidos is a force multiplier, providing SOC analysts with high-fidelity and actionable events, allowing them to focus their talents where they matter and accelerating their response, with the goal of withstanding and adapting to the constant attacks against their environments.  

Defending against APT actors requires resilience. With targeted defensive cyber deception with Leidos, defenders can take a stand against the APT actors.  


Author: Kevin Hiltpold, Technical Solution Engineering Lead, Leidos Defensive Cyber Practice

Kevin Hiltpold is the technical solution engineering lead for the Leidos defensive cyber practice. He combines his years of experience in cyber operations, consulting, and solution engineering to create highly effective solutions for defenders. A passionate advocate for the adoption of defensive cyber deception, he is dedicated to advancing innovative approaches that empower defenders. His expertise lies in integrating people, process and technology to outmaneuver adversaries and ensure resilient cybersecurity solutions. 

Posted March 31, 2025
