Traps and tripwires

Denis Makrushin, Kaspersky

How best to protect your organisation? Here are some pointers.

A cyberattacker determined to breach your IT defences will do whatever they can to succeed. They’ll come at you with sophisticated malware and a detailed knowledge of your business, trying to bypass your security measures by sneaking in via an infected email attachment, malicious web-link, compromised web-site or USB stick opened by an unsuspecting employee. They may lie dormant in your systems for months, but one day they will strike, unleashing cyber-espionage tools designed to seek out and steal your most precious and confidential information. Whether any of this effort gets them anywhere is another question.
Companies now realise that securing every endpoint, network and system is still critical but is unlikely to be enough on its own, certainly not against an advanced targeted attacker. Welcome to the brave new world of anti-targeted attack solutions and threat deception. Anti-targeted attack solutions are embedded deep in your IT operations and can monitor and detect even the slightest anomaly in daily workflow. Such solutions sit at the heart of a new approach to cyber-defence, one that regards security as a continuous process. Threat deception complements this approach, adding a new strategy to the fight against targeted attacks.
Threat deception involves adapting your internal IT in such a way that attackers are never quite sure whether what they are looking at is real. It includes the use of decoys (credentials, documents, servers, networks, for example), placed at strategic points in the network, and carrying false information to confuse and trap attackers. The main purpose is to distract the attacker from the genuine information.
These decoys have a tripwire that triggers the security alarm as soon as they are accessed, so that attackers can be contained and neutralised, or sent off on a fruitless journey through the network. With every step they reveal valuable intelligence about their intentions and, together with your other security solutions, the compromised points in your business processes.
Gartner estimates that one in ten businesses will have adopted threat deception techniques by 2018, with numbers set to rise further into the next decade as business awareness improves and the technology evolves.
False flags

The approach of deceiving opponents into thinking you’re something or somewhere you’re not is one of the oldest military tricks in the book. Lures and decoys have been used in conflicts throughout history to distract, delay or confuse the enemy, often with great success. Cyberattackers have embraced the opportunities – for example, by planting ‘false flags’ in their malware code to muddy the waters of attribution.

The most basic implementation of cyber deception is the classic ‘honeypot’, which in most cases is an isolated trap, often placed outside the main infrastructure that holds the sensitive data. Honeypots have been used in cybersecurity since about 1990. However, attackers have learned how to spot – and avoid – such traps, and even how to use them as a way to break into the network. The emerging approach of threat deception is taking defensive subterfuge to a whole new level.

Organisations sometimes don’t realise that they, or their partners and contractors, have been compromised until days or even months after it has happened, unaware that attackers are inside their network helping themselves to their intellectual property, financial records, confidential communications, encrypted information and contacts.

Decoy document

A threat deception strategy can be implemented at many levels, with false or misleading components installed in networks, on endpoints, in applications and documents, or even as records in databases. None of them should get in the way of day-to-day operational needs.
The following scenario is an example of how it might work: upon breaching the perimeter, cyberattackers tend to deploy their malware tools on an endpoint – such as a computer – to harvest credentials from an active operating-system session. Through threat deception they could receive fake credentials instead. Then, when they try to use these credentials on other network resources, the organisation can monitor their appearance and movement in the network, and contain and mitigate the attack.
Or, if the attackers make it as far as the data – either without detection or detected-but-contained, and under surveillance – they could find themselves capturing a tagged decoy document where they expect the confidential goodies to be, such as on a computer belonging to the CEO. They have no way of telling the difference.
The key is to understand your network, and the systems or data of greatest potential interest to an attacker. Then set your traps in these areas. As soon as the attacker strikes, the alarm is triggered and their cover is blown. They can then be contained or, using other deceptive techniques, sent off on a wild goose chase where they can do no harm, but their actions can be tracked and analysed. In the meantime, the company can isolate the targeted areas and learn more about what kind of data the attackers were after, the malicious tools they used and the weaknesses they have exposed. This kind of intelligence will help the victim to close any gaps and better understand who might want to target them, why and how.
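As an added illustration of the tripwire side of this scenario (example code written for this article, not Kaspersky's or any product's own), the following Python monitor scans constructed authentication and file-access log lines for any use of planted decoy credentials or a decoy document, and reports which host touched them. The decoy names, the log format and the sample log are all assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Decoys planted on endpoints and a file share. All values are constructed for
# this example; a real deployment would choose names that blend in.
DECOY_ACCOUNTS = {"svc_backup_admin", "ceo_archive"}
DECOY_DOCUMENTS = {r"\\fs01\finance\board_minutes_2017.docx".lower()}

@dataclass(frozen=True)
class Alert:
    kind: str       # "credential" or "document"
    decoy: str      # which decoy was touched
    source: str     # host the access came from
    timestamp: str

# Constructed log formats (not any real product's output):
#   <ts> auth user=<name> src=<host> result=<ok|fail>
#   <ts> file path=<unc-path> src=<host> user=<name>
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=\S+$")
FILE_RE = re.compile(r"^(?P<ts>\S+) file path=(?P<path>\S+) src=(?P<src>\S+) user=\S+$")

def check_line(line: str):
    """Return an Alert if the line shows a decoy being used, else None.
    A decoy has no legitimate user, so even a failed logon with it is a hit."""
    m = AUTH_RE.match(line)
    if m and m["user"].lower() in DECOY_ACCOUNTS:
        return Alert("credential", m["user"], m["src"], m["ts"])
    m = FILE_RE.match(line)
    if m and m["path"].lower() in DECOY_DOCUMENTS:
        return Alert("document", m["path"], m["src"], m["ts"])
    return None

def scan(lines):
    """Run every line through the tripwire and collect the hits."""
    return [a for a in map(check_line, lines) if a is not None]

def hosts_touching_decoys(alerts):
    """Map each source host to the decoy kinds it touched: the hosts to isolate."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.source, set()).add(a.kind)
    return by_host

# Constructed sample log: one normal session, then two tripwire hits from ws-0142.
SAMPLE_LOG = [
    "2017-09-12T08:01:10Z auth user=jsmith src=ws-0142 result=ok",
    r"2017-09-12T08:02:33Z file path=\\fs01\finance\q3_forecast.xlsx src=ws-0142 user=jsmith",
    "2017-09-12T08:07:41Z auth user=svc_backup_admin src=ws-0142 result=fail",
    r"2017-09-12T08:08:02Z file path=\\fs01\finance\board_minutes_2017.docx src=ws-0142 user=jsmith",
]
```

Because a decoy account is never used legitimately, the monitor alerts on the failed logon attempt as well as on the document read, and `hosts_touching_decoys` gives the list of endpoints to isolate while the intrusion is analysed.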

Denis Makrushin is a security researcher at Kaspersky Lab
