Illusive Blog

Deception Increasingly Seen By Analysts as Indispensable

By Jason Silberman

Cybersecurity continues to rise to the top of the list of concerns for organizations of all sizes, and in particular large enterprises such as banking and financial services companies, healthcare providers, and technology firms. Recently, a senior security leader at a national bank and a customer of Illusive told us that after surviving the 2008 financial crisis, he is confident the bank can withstand another financial crisis, but worries that the risk of a major cyberattack poses an existential threat.


In the past several weeks, we’ve seen increasing praise and often direct recommendations of deception for in-network defense by several independent security analysts, regulatory bodies, government agencies and observers. We wrote in November about many of these positive reports in 2019, including by leading analyst firm Gartner. Even more support has rolled out early in 2020.

Increasingly, organizations are looking beyond perimeter security and analytical ‘big data’ cyber defenses. The rapid increase in sideways attacks, a particularly dangerous hacking method used by malicious insiders and nation-state attackers, is overwhelming these more traditional cybersecurity approaches. In a sideways attack, the hacker bypasses traditional firewall defenses, lurks in the shadows for weeks or months undetected by AI analytics tools, unleashes their attack at a specific time to inflict maximum damage, and then disappears, leaving no trace.

Deception technology—whose objective is to paralyze attackers already within a network—notifies the security team of the attacker’s specific location and actions, and speeds triage and response efficiently and effectively. Where traditional approaches can take months to stand up, and require extensive fine-tuning and management, Deception can be rolled out in hours, provides immediate and actionable insight, and requires virtually no ongoing effort from security teams.

Let’s look at some of these new endorsements of deception:

MITRE strongly recommends deception

In January, Deborah L. Schuh of The MITRE Corporation published a report by its Center for Technology & National Security, entitled The Cyberspace Advantage: Inviting Them In! – How Cyber Deception Enables Better Resilience.

In the report, written for the Department of Defense and other federal security agencies, MITRE notes that “[c]yber deception products and expertise are more available and affordable than ever before.”

“An often-overlooked approach to cybersecurity that can yield both short- and long-term benefits, is cyber deception. Incorporating deception into cyber defenses can be used to detect malicious actions, manage adversaries once they are inside and collect intelligence about their tactics and techniques. Strategically employing cyber deception, and sharing the cyber intelligence derived from deception, can better inform defense and resilience.”

MITRE notes several benefits for deception, including improved and accelerated incident response (IR) through high-fidelity alerts and real-time attacker observation capabilities that “create a clearer view and understanding of what is happening in the environment.” It also specifically mentions using deception to thwart malicious insider attackers. The report also endorses the deployment of deception across the DoD enterprise, an idea we wholeheartedly agree with!

NOTE: The MITRE Corporation is also the publisher of the MITRE ATT&CK™ Framework, which is based on community knowledge and analysis of known threat actors and which enumerates specific threat actor behaviors across the later stages of the Lockheed Martin Cyber Kill Chain®. Illusive helps defenders preempt, detect, and respond to attackers in four of the MITRE ATT&CK Enterprise matrix categories—ones essential to the overall lateral movement process executed in most attacks and without which it cannot be carried out, as the attackers remain paralyzed on a single machine. You can read more in our Decision Point Brief.

Deception to fight data loss via the FBI

While MITRE has endorsed deception for the defense industry, a recent report by Ars Technica explains the FBI—the principal federal law enforcement agency in the US—is already an advocate: Not so IDLE hands: FBI program offers companies data protection via deception – Sean Gallagher, Ars Technica (December 2019).

“An FBI flyer shown to Ars by a source broadly outlined a new program aimed at helping companies fight data theft “caused by an insider with illicit access (or systems administrator), or by a remote cyber actor.” The program, called IDLE (Illicit Data Loss Exploitation), does this by creating “decoy data that is used to confuse illicit… collection and end use of stolen data.” It’s a form of defensive deception—or as officials would prefer to refer to it, obfuscation—that the FBI hopes will derail all types of attackers, particularly advanced threats from outside and inside the network.”

Of particular note to those who advocate a distributed deception framework, as opposed to traditional and less effective detection by honeypots, is that the IDLE “obfuscation” approach is “like putting bogus pieces in a jigsaw puzzle. The goal is to confuse attackers about how everything fits together.”

We believe that distributed deceptive data on each endpoint across the environment could be a game-changer for the FBI and other law enforcement agencies. Deception flips cyber asymmetry and forces attackers to quickly reveal themselves to defenders, preventing them from moving laterally toward critical assets.

While we don’t know the details of the IDLE program, we would add that authenticity in deception is of crucial importance. Attackers rely on the belief that what is seen is real and the data that’s collected is reliable. If security teams are going to disrupt cyber attackers at their own game, deceptions cannot leave traces that expose them as the slightest bit fake. If inauthentic deceptions are detected, this cybersecurity tactic is rendered useless.

Leveraging existing network infrastructure for early detection

Meanwhile, Steve King, Director of Cybersecurity Advisory Services at Information Security Media Group, recently wrote How Deception Technologies Enable Proactive Cyber Defense.

“The objective of moving toward a proactive defense strategy is to assume an attack will occur and instead of focusing on prevention and response. The application of deception technologies allows organizations to leverage the existing network infrastructure to detect intruders early, thus reducing the attack surface and enabling the collection of adversarial threat intelligence along the way…Deception technologies enable the sort of proactive defense strategy that the industry can easily adopt to help to reduce data breaches.”

We couldn’t agree more with Steve. Proactively detecting an attack at its earliest stages through deception provides more useful threat intelligence and mitigation than the data more reactive solutions tend to collect when an attack is attempting to collect its payload.

Risk of cyberattacks on banks

Finally, a Federal Reserve Bank of New York Staff Report, Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis, was published in recent weeks, and while it isn’t focused on deception directly, it does explain a key challenge deception is able to address: reducing attacker dwell time within a network.

“A cyber event may remain hidden for a considerable time before being detected. This increases the potential for damage while undetected and the problems of recovery, especially for integrity events. Even when detected by one bank, other banks may remain uncertain about whether they are affected as well. Again, this characteristic interacts with intent since an attacker may have an incentive to remain hidden as long as possible.”

Obviously, early detection of an attacker inside a network is critical. Deception aims to confuse the attacker, causing him to immediately interact with false data, files or applications, and therefore reducing dwell time to a minimum. Read how Illusive’s Attack Detection System can help.

To get up to speed on this burgeoning tech, set up a demo with our security experts today.