promote webinar 160x1200

promote webinar 160x1200

promote webinar 600x108 2

Tuesday, 11 August 2020 07:59

Remote control: how an attacker’s actions are manipulated by deception

Jim Cook, Attivo Networks Jim Cook, Attivo Networks

To what degree can you hope to control the actions of an attacker, says Jim Cook, ANZ Regional Director, Attivo Networks

When we hear about cybersecurity incidents, it is mostly because an attacker is in the box seat and in control. Perhaps they have breached a company and exfiltrated data, or unleashed ransomware or some other type of malware payload.

By contrast, we often do not hear about attacks that have organisations have successfully repelled.

Within information security, there have been long-running efforts and investment to ‘turn the tables’ and put the balance of power back into the hands of defenders.

It leads to the question: to what extent can defenders guide - or even attempt to control - an attacker’s movements completely?

hit counter

To answer this, one must first understand how an attacker approaches a target.

The MITRE ATT&CK framework is one way of understanding attack tactics and techniques. Its matrices offer a way to determine what steps a particular attack might follow and outcomes it might commonly lead to as a result.

Increasingly, attacks such as ransomware are targeted and surgical.

Attackers are less interested in extracting a small ransom, and more in knowing exactly where your best stuff is. They’ll take their time and go ‘low and slow’ through the network. They may set a foothold, and leave and return a few times to gain more information. And they’ll only detonate when they are ready.

It is against the backdrop that Deception has evolved into an effective counter.

In the context of the MITRE ATT&CK framework, full fabric deception can derail an attacker’s efforts in up to 11 of the 12 steps of an initiated and escalated attack.

Decoy talk

At this point, it is worthwhile establishing a baseline for what we mean by deception because there are many types.

Deception is not just a fancy honeypot. Security researchers first introduced honeypots in the ’80s and served as a useful function for understanding who was attacking an organisation from outside the network.

Commercial deception technology has come a very long way and encompasses several potential lures, decoys, and breadcrumbs.

Organisations may place data deceptions such as canary files amongst real documents. These fake files act like canaries once did in coal mines, providing an early warning system for gas build-up underground. Similarly, interaction with a canary file might offer enough warning to a company to check for unauthorised data access.

Another form of deception occurs on an endpoint; that is, at the periphery of the network. Such deceptions trick attackers trying to harvest credentials to advance an attack into revealing their existence. They also serve to ‘breadcrumb’ the attacker back to a central server, which can then rais an alert.

A third type of deception occurs inside the network and aims to detect attacks that bypass other security controls. This form of deception typically uses decoys designed to attract attackers during reconnaissance and lateral movement.

A fourth type of deception addresses risks to specific applications, such as Active Directory. This method involves taking an unauthorised Active Directory query and misdirecting it into a deception environment. While attack is a bit outside of what is traditionally classified as deception, it’s still about getting an attacker to do something that you want them to do, hence its inclusion here.

Deception technologies may address one or more of these areas. Full fabric deception platforms allow organisations to engage an attacker fully, gather intelligence, and then take that information and automate the incident response actions behind it.

In control

Newer deception technologies offer organisations a greater degree of control over an attacker’s movements.

The manageability and operational burden of a modern deception platform is night and day compared to the honeypots of the ‘80s.

Honeypots required skilled workers to configure and rebuild them after an attack and to make sure attackers could not use them as a pivot point. Honeypots required significant effort to make and then keep them and attractive.

On newer platforms, machine learning profiles the environment to make the initial deception deployments less burdensome and the decoys more authentic. This capability makes it significantly less demanding for security teams to deploy and maintain the ruse. The heightened authenticity makes the decoys more believable, which allows them to blend in with the environment better, as being an obvious target can tip the attackers off that it is a decoy. The ability to dynamically deploy decoys in response to initial attacker activity on an unmonitored subnet or to make every endpoint act as a decoy to redirect attackers to the deception environment are further features that can influence attacker activity.

Deception can also now apply to on-premises as well as cloud-based environments. The architecture of deception has changed to adjust to the different attack surfaces. This development has also had a hand in making it more believable - and therefore inviting defenders to guide and control an attacker’s actions to a greater degree.

Subscribe to ITWIRE UPDATE Newsletter here


The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


Staff Writer

ITWire has a variety of guest journalists and contributors posting on a regular basis. They are used as overflow for big news days and big news weeks.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News