Deception is a breach detection tactic that utilizes decoys and misinformation to divert and delay an adversary. As part of your overall cybersecurity strategy, this tactic gives the SOC / IR teams sufficient time to perform remediation before an adversary can complete their mission. Deception is not generally used to detect intrusion attempts or even breach attempts but will let you know when your perimeter protection fails. It is best used for detection of actual breaches, not breach attempts – there are other solutions for detecting breach attempts. It is a great prevention failure detection solution because it focuses detection capabilities on adversaries and malware that have already successfully bypassed your prevention capabilities.
We wanted to learn more about Enterprise Deception Solutions, so we spoke with John Bradshaw of Acalvio. Acalvio provides Advanced Threat Defense (ATD) solutions to detect, engage, and respond to malicious activity inside the perimeter.
In a recent white paper, John said, “I first heard the term “Prevention Failure Detection” from a friend of mine, Tim Crothers, Vice-President of Cyber Security for Target Corporation. PFD refocuses your detection capabilities away from trying to detect everything happening in your environment and instead focus your detection efforts on where your prevention capabilities are most likely to fail. It also focuses your alerting, visualizations and SOC displays not on everything that has been seen, but only what your PFD workflows say is important. You don’t need pie charts and bar graphs telling you how many times your AV quarantined a file or your firewall blocked an access attempt – those distract your team away from the alerts that matter. You want to establish clear hunting grounds for your SOC and Incident Response (IR) teams to focus their efforts.”
Deception objects are not known to normal end-users and are white-listed against allowed vulnerability and IT asset discovery scanning systems in the organization – so no one should ever touch a deception decoy. When someone does touch a decoy you know you’ve got an issue that needs to be dealt with.
John told us that one of the market differentiators for Acalvio was that they “only run one single instance of each decoy type – Windows server, Windows workstation, Linux, etc.” This means that their customers “pay only one OS and application license per type.”
He explained that “there are, in general, three types of decoy interaction models.”
Low interaction is basically a dumb port listener. It says “I don’t speak the language or the protocol for the application but I can listen on that service port and if you try to connect to me I know that somebody has probed me from a system on an application that shouldn’t even know I exist. So we still get that very high-fidelity early detection alert. These require no customization. You are really not holding the adversary at bay for any length of time. You are just getting a notification that the adversary is there in your environment and making that lateral move. This is great for customers that want to detect only.”
Medium interaction takes it a little bit further. “Here we are actually presenting the attacker with a web page or a login banner to an application. We are not allowing any authenticated login past that point but we can learn additional things such as what credentials they are using. That might tell us about other accounts that may be compromised. Also, because we use breadcrumb linkage, or fake data that we put on legitimate systems to divert the adversary away from their intended target to one of the decoys, if they use a credential that was part of this breadcrumb data that will indicate what other systems may have been compromised” he explained.
High interaction decoys are the full boat. “That is where we are utilizing custom content such as fake databases. We might even proxy an actual physical device through the deception service and present it as a decoy. It is designed to hold the attacker in this decoy for as long as possible so that you can focus on reconnaissance and attribution.”
“In the licensing model,” he said, “they get it all. They can deploy as much as they want from any of these three levels. Most customers start with the low-to-medium interaction with their initial deployment and then they start to look at the higher customizations in a later phase,”
It is not enough for organizations to keep pumping all types of security events into SIEMs and hoping they get correlated and prioritized appropriately for the Level I Analyst. The triage process needs to focus on prevention failure detection utilizing high-fidelity alerts combined with use case focused correlations that answer the key questions accurately and efficiently. Knowing the user session involved in the breach, processes responsible for communications, and other network communications involving a breached system are critical to rapidly isolating and remediating the compromise. Utilizing Deception-based alerts with endpoint logs, SIEM can deliver on its capability to correlate alerts that matter.
Acalvio solutions are anchored on patented innovations in Deception and Data Science. This enables a DevOps approach to ATD, enabling ease of deployment, monitoring, and management. Acalvio enriches its threat intelligence through data obtained from internal and partner ecosystems, enabling customers to benefit from defense in depth, reduce false positives, and derive actionable intelligence for remediation.
Not every organization is interested in reconnaissance or attribution. It may be that the criticality of your assets are such that your only concern is to get the adversary out of your system as soon as possible. In that case, deception tactics can, at least, provide you with a notification of a prevention failure. If, on the other hand, you want to learn as much as you can about how the adversary got past your defenses, the high interaction model will help you achieve that goal.
By: Steven Bowcut, CPP, PSP – Brilliance Security Magazine Editor-in-Chief