Deception 101: An effective way to understand deception and choose an appropriate vendor


Guest Contributor: Chris Roberts

This is the essence of deception correctly implemented. It is the simple principle that if deception is done correctly it blends into the background, and as an end user or as an attacker you can’t tell the difference between a real system and a deceptive device. With the example to our left (the row of doors in the original illustration) we could take the viewpoint that 50% of the doors are real and allow you to enter the home, whereas the other 50% are deceptive doors and the simple act of turning the handle or putting the key in the lock (let alone standing on the trapdoor welcome mat) will set off all sorts of alarms…

Let’s take a brief step back and work out what the components of a well thought out deception technology are:

First: Will your deception technology become the next point of compromise? How secure is the very technology you are bringing into your environment? How well architected was the security of the design: integrated from inception, or thought of just before it was delivered to you?

Second: How much equipment are you going to have to find a home for in your office or data center? Does the deception technology come with its own delivery truck or can it be shipped out via FedEx? If it’s coming by truck or shipping container then there’s got to be some serious environmental considerations.

Third: Deceptions have to be as dynamic as your environment. How well do they morph, learn and adapt over time…just as you do? Is the new tech just like the old tech? Does it sit in your environment like a shining beacon in the night ignoring change, OR does it morph, adapt and simply take lessons from Mother Nature’s chameleons?

Fourth: How much time are you going to have to invest in this? Is this yet another security solution where you now have to hire more staff or take your eyes off other critical systems in your enterprise OR can you take a minimal amount of time to set it up and then work with the military philosophy of “fire and forget”? Given the shortage of available resources in today’s enterprises, any solution coming in has to allow you more time back NOT scavenge whatever time you had left…

Fifth: Who’s behind the curtains? What’s the philosophy of the company driving the solution? Is it someone who’s been around the block a few times and suddenly realizes their A/V or Firewall solution’s not getting as many subscribers? Is it someone who’s casting out to bring you in and sell you all their other tools in the hope that ONE of them stands a chance of finding an attacker OR is it a dedicated organization that’s spent time, money, effort on understanding the problem and evaluated their solution against some of the best architectures, enterprises and attackers out there to gain the necessary understanding on how to best protect their clients and ultimately “you”?

Now that we’ve laid the groundwork for what to consider when understanding and evaluating deceptive technologies, let’s dig under the hood a little and see what makes them tick:

What services are being emulated?

Decoys should speak basic protocols like HTTP, SSH, and FTP that are heavily attacked. If your deception solution doesn’t do this, look elsewhere. Also if your deception can’t speak custom protocols you need to seriously consider HOW effective it will be across your enterprise…

Does it come with an alerting system OR feed into one?

Deception systems should be able to alert the security team in near real-time when something is tripped. If the implementation cannot give you these types of alerts, you won’t catch attackers when it matters. Does the system integrate with any of the other alerting tools, log aggregators or SIEM tools out there?

How often is it updated?

Attackers are not static. A well-designed deception solution should learn its environment, modulate as necessary AND receive updates from the vendor. Check out what their development roadmap looks like.

Dealing with false positives:

If the solution generates more alerts than you can monitor, then it’s going to fail: you will never rely on it and you’ll have wasted your time and money. Make sure the solutions you are evaluating have a well-architected, tunable alerting solution (one that also feeds into a 3rd party collaborative alerting platform).

Active directory and your domains:

How well does the solution integrate with an Active Directory environment? How many of the solutions will use the inherently valuable intelligence that is inside Active Directory as a way to lure attackers to their doom through the well-deployed use of deceptive technology (while taking a leaf from the Sirens in Greek mythology…)? How well does the deceptive technology actively encourage movement from the initial point of compromise into the dangerous waters that you now have thanks to a well-built deceptive solution?

Are your decoys a shining beacon in the darkness?

As you evaluate the solutions you have to consider the decoy uniqueness factors. Some of the solutions on the market run simple scenarios with a handful of options and deploy en masse simple, easy-to-detect facsimile copies of themselves…that fools nobody. We all know that an enterprise is complex and the machines are typically unique (despite how much we want uniformity). The attackers know this and they won’t be fooled. How well does the solution you are evaluating deal with this?

More than just a one trick pony:

The simple fact of the matter is a decoy is only as good as what’s around it…if the decoy is sitting there camouflaged correctly it still has to have someone trip over it. The challenge is how do you get someone TO do that? The solutions you are evaluating should be able to deploy other signposts, breadcrumbs, messages, static and active tracking solutions, data on the wire, data in the registry and all the other places that the attacker is going to be looking for intelligence. That way you are certain to drive traffic to your minefield.

You are only as good as your data:

The challenge is how do you fill the deceptions, decoys, lures, and breadcrumbs with realistic content? Many of the solutions have minimal customization or make you fill the myriad of deployed deceptions with your own data, which is either risky (if you have not sanitized correctly) or time-consuming. The solutions you evaluate should be able to deploy your well-adjusted deceptions with customized, randomized AND relevant intelligence that leads attackers to a safe, secured architecture away from the production systems and also rings all the necessary alarm bells.

From a simple response to Alice in Wonderland:

The ability to detain an attacker who’s both analyzing their attack landscape as well as providing them with the virtual Alice in Wonderland experience all from a single interaction is key and critical in any deceptive technology that you are looking to deploy. This ties into the concept that deception should not be another rack of equipment in your datacenter YET should be able to contain anything from a simple scan to a full-on invasive attack all from the core vendor supplied environment. As you evaluate your choices look for solutions that are dynamic enough to scale from a simple TCP response all the way up to mimicking your entire enterprise. Both on-premise and cloud deployment options should be available given some companies are comfortable with security in the cloud, yet others are still wary and would always like to maintain their own control…again another vendor selection criteria.

Your deception vendor and THEIR security:

As we discussed right at the start of this paper, the deception technology has to be secure by design, with the idea that this IS going to be the attack point. This is going to hold the attackers at bay and is going to be the front line of defense in the enterprise (given that all endpoints, firewalls, other technologies and humans can readily be compromised), so this HAS to stay safe and NOT fail. You have to evaluate how security is viewed by the vendor: what is their track record, who’s doing the R&D, who’s managing the development and how well do they protect themselves? Quite simply, the company selling you the product HAS to be better than you.

Hopefully, this has helped with some evaluation criteria as you look at the exploding market that deception technologies have become. Hopefully, the plain speaking, the simple way of putting the basics together and the quick evaluation criteria help to demystify the marketing and propaganda that many of the companies put out there.

This article was originally posted at Peerlyst.