Fidelis Security
Deception Technology
What is Deception Technology?
Deception technology is the practice of creating false digital indicators to mislead others about one’s true intentions or capabilities. It has gained increasing recognition as a critical component of the cyber defender’s toolkit. Deception can be used to redirect an adversary’s attention, mislead them about your own operations, or provoke them into making mistakes that reveal their presence or reduce their effectiveness. Deception techniques and tools have been used by the military for centuries, both on the battlefield and behind enemy lines. The word ‘deceive’ means intentionally misleading someone into believing something that is not true. Deception is also known as trickery, guile, cunning, ruses and feints, all of which are methods of concealing one’s intentions while gaining an advantage over an opponent.
Cyber deception is a way of creating the impression that one is doing something other than what one is actually doing. It can be used to mislead an adversary, including hackers, into believing that you are in one place when you are in another, or that your defences are stronger than they actually are. Deception is about tricking your adversaries and misleading them about your operations and intentions. For example, if you were betting on a football game and wanted to create the impression that you were not confident in a team’s ability, you might create fake social media posts showing a lack of confidence in the team. You could also use deception to make it seem as though your operations were more widespread than they really were. Defending against deceptive strategies requires determining what information may have been manipulated, identifying potential sources of deception through intelligence, analysing indicators of deception, maintaining situational awareness and understanding how deceptive actions may increase vulnerabilities.
Deception is an essential component of the cyber defender’s toolkit. In the digital realm, a defender’s objective is to make an attacker believe that their environment is vulnerable when it is not, or that they have obtained data when they have actually obtained nothing more than false information. Attackers are always searching for vulnerabilities in systems and networks to exploit. They use tools and techniques to identify computers with open ports, unprotected services, and susceptible users. When attackers find a vulnerability, they may launch an attack to gain access to the system and install malware that can steal data or remain undetected for long periods of time. Deception technologies give defenders the opportunity to divert attackers from their objectives by making them believe that their efforts have succeeded in compromising systems or accessing data. By using deception technologies as part of their security strategy, organisations can reduce the odds of being compromised by feeding attackers false indicators of success.
The practice of deception is not limited to the military; it is equally useful to cyber defenders. Deception technology is the practice of creating false digital indicators to mislead others about one’s true intentions or capabilities, and there are many ways in which it is used. The military has used this technique for centuries, both on the battlefield and behind enemy lines, for example by deploying fake targets. Strategies that achieve operational objectives without revealing one’s presence, and that reduce an adversary’s effectiveness so they cannot accomplish their own objectives, are known as ‘operational deception’. Military personnel create deceptive indicators to avoid being detected and/or killed before achieving their objective.
Security has emerged in recent years as the number one priority for IT leaders around the world. What was traditionally seen as a simple component of an organisation’s infrastructure – throwing a firewall and antivirus solution down to ensure that the compliance box is ticked – has evolved into something that keeps CSOs, CIOs and even CEOs awake at night. It has also triggered the creation of a huge industry – Cyber Security Solutions – as hordes of vendors compete to be seen as possessing the most competent solutions in the fight against hackers and cybercriminals. But no matter how much these companies profess to offer the latest ‘next-generation’ security products, the rate of cyber casualties shows no sign of slowing – if anything, the opposite is true.
There is a constant arms race in which attackers look to circumvent the security solutions that companies put in place, and the vendors of those solutions look to improve them. The worrying reality is that the high-profile victims of cyber-attacks are indeed adopting the very solutions the industry seems to scaremonger them into buying. So, are the vendors losing this battle? ‘It’s becoming more apparent and widely accepted that point or stand-alone security solutions, next-generation or otherwise, simply aren’t enough to protect against the sophisticated multi-vector attacks faced.’
However, the problem in many cases is not the technology itself but how that technology is applied, installed, and managed. In many cases, the breaches were due to poor management of the security technology, such as missing software and security patches, misconfigured security software, weak passwords, or security systems not being monitored to detect attacks.
True cyber security visibility covers not just inbound traffic but also outbound traffic and lateral movement. Lateral movement refers to the techniques a cyber-attacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets. After entering the network, the attacker maintains ongoing access by moving through the compromised environment and obtaining increased privileges using various tools.
Lateral movement is a key tactic that distinguishes today’s advanced persistent threats (APTs) from simplistic cyberattacks of the past.
Lateral movement allows a threat actor to avoid detection and retain access, even if discovered on the machine that was first infected. And with a protracted dwell time, data theft might not occur until weeks or even months after the original breach. After gaining initial access to an endpoint, such as through a phishing attack or malware infection, the attacker impersonates a legitimate user and moves through multiple systems in the network until the end goal is reached. Attaining that objective involves gathering information about multiple systems and accounts, obtaining credentials, escalating privileges, and ultimately gaining access to the identified payload.
There are three main stages of lateral movement: reconnaissance, credential/privilege gathering, and gaining access to other computers in the network.
During reconnaissance, the attacker observes, explores, and maps the network, its users, and devices. This map allows the intruder to understand host naming conventions and network hierarchies, identify operating systems, locate potential payloads, and acquire intelligence to make informed moves.
Here are some of the built-in tools that can be used during reconnaissance:
- Netstat shows the machine’s current network connections. This can be used for identifying critical assets or for gaining knowledge about the network.
- ipconfig/ifconfig provides access to the network configuration and location information.
- The ARP cache maps IP addresses to physical (MAC) addresses. This information can be used to target individual machines inside the network.
- The Local Routing table displays current communication paths for the connected host.
- PowerShell, a powerful command line and scripting tool, allows quick identification of network systems to which the current user has local admin access.
The above tools are just a few functions that attackers can use in the reconnaissance phase.
To move through a network, an attacker needs valid login credentials. One way to obtain these credentials is to trick users into sharing them using social engineering tactics such as typo-squatting and phishing attacks. Here are some of the techniques used:
- Pass the Hash is a method of authenticating without having access to the user’s password. This technique bypasses the standard authentication steps by capturing valid password hashes which, once presented for authentication, allow the attacker to perform actions on local or remote systems.
- Pass the Ticket is a way of authenticating using Kerberos tickets. An intruder that has compromised a domain controller can generate a Kerberos “golden ticket” offline that remains valid indefinitely and can be used to impersonate any account, even after a password reset.
- Tools like Mimikatz are used to steal cached plaintext passwords or authentication certificates from the memory of a compromised machine. They can then be used to authenticate to other machines.
- Keylogging tools allow the attacker to capture passwords directly when an unsuspecting user enters them via the keyboard.
The last phase is gaining access: the cycle of internal reconnaissance followed by bypassing security controls to compromise successive hosts is repeated until the target data has been found and exfiltrated.
The above actions can be seen if the company is monitoring its internal network for this type of lateral movement. Please let us introduce you to the missing piece of the puzzle that completes true network visibility.
Deception Technology is a category of cyber security defence. Deception Technology products can detect, analyse, and defend against zero-day and advanced attacks, often in real-time. They are automated, accurate, and provide insight into malicious activity within internal networks which may be unseen by other types of cyber defence. Deception technology enables a more proactive security posture by seeking to deceive the attackers, detect them and then defeat them, allowing the enterprise to return to normal operations.
Existing defence-in-depth cyber technologies have struggled against the increasing wave of sophisticated and persistent human attackers. These technologies seek primarily to defend a perimeter, but neither firewalls nor endpoint security can defend a perimeter with 100% certainty. Cyber-attackers can penetrate these networks and move unimpeded for months, stealing data and intellectual property. Heuristics may find an attacker within the network, but often generate so many alerts that critical alerts are missed. Since 2014, attacks have accelerated and there is evidence that cyber-attackers are penetrating traditional defences at a rapidly increasing rate.
Deception Technology considers the human attacker’s point of view and their method of exploiting and navigating networks to identify and exfiltrate data. It integrates with existing technologies to provide new visibility into internal networks and to share high-probability alerts and threat intelligence with the existing infrastructure.
Upon penetrating the network, attackers seek to establish a backdoor and then use it to identify and exfiltrate data and intellectual property. They begin moving laterally through the internal VLANs and almost immediately will “look at” one of the interactive decoys and breadcrumbs. Interacting with one of these decoys triggers an alert. These alerts are high-probability and almost always coincide with an ongoing attack. The deception is designed to lure the attacker in: the attacker may consider the decoy a worthy asset and continue by injecting malware. Deception technology allows automated static and dynamic analysis of this injected malware and delivers the resulting reports to security operations personnel through automation.
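As an added illustration (not Fidelis code and not from the original page) of why a decoy alert is a high-probability signal: any authentication event that touches a decoy host or uses a planted breadcrumb credential is raised, whether or not the logon succeeded, and the source hosts are ranked for incident response. The decoy addresses, account names and log lines are constructed for the example.

```python
"""Decoy and breadcrumb alerting over constructed authentication events."""
from collections import Counter
from typing import Dict, List

# Decoy inventory (constructed): decoy hosts and breadcrumb accounts that
# exist only to be found by an intruder during lateral movement.
DECOY_HOSTS = {"10.0.5.20", "10.0.5.21"}
BREADCRUMB_ACCOUNTS = {"svc-backup-ro", "fileadmin-old"}

# Constructed sample events: "<time> <src_ip> <dst_ip> <account> <result>"
SAMPLE_EVENTS = [
    "09:00:01 10.0.1.15 10.0.2.10 alice SUCCESS",          # normal logon
    "09:00:07 10.0.1.15 10.0.5.20 alice FAILURE",          # probe of a decoy host
    "09:00:09 10.0.1.15 10.0.5.21 svc-backup-ro SUCCESS",  # breadcrumb used on a decoy
    "09:01:30 10.0.1.22 10.0.2.10 bob SUCCESS",            # normal logon
    "09:02:44 10.0.1.15 10.0.2.30 fileadmin-old FAILURE",  # breadcrumb tried on a real host
]

def decoy_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per event touching a decoy host or a breadcrumb account.

    Failed logons count too: nothing legitimate references a decoy, so even a
    refused attempt is a high-probability sign of an intruder mapping the network.
    """
    alerts = []
    for line in lines:
        ts, src, dst, account, result = line.split()
        reasons = []
        if dst in DECOY_HOSTS:
            reasons.append("decoy_host")
        if account in BREADCRUMB_ACCOUNTS:
            reasons.append("breadcrumb_credential")
        if reasons:
            alerts.append({"ts": ts, "src": src, "dst": dst, "account": account,
                           "result": result, "reason": "+".join(reasons)})
    return alerts

def likely_compromised_hosts(alerts: List[Dict[str, str]]) -> List[str]:
    """Source hosts that touched decoys, most active first: the pivot point(s)
    an incident responder should isolate and examine first."""
    return [src for src, _ in Counter(a["src"] for a in alerts).most_common()]

if __name__ == "__main__":
    found = decoy_alerts(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("investigate first:", likely_compromised_hosts(found))
```

Over the sample, the two normal logons produce nothing while the three decoy touches all come from one workstation, which is where the investigation starts.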
To learn more about this technology, please either download this whitepaper or speak to a member of the Wise Sales Team. We don’t sell direct, but we can give you the manufacturer’s retail price and put you in touch with the reseller partners we work with, who can provide a formal quote.