Tuesday, 11 August 2020 07:59

Remote control: how an attacker’s actions are manipulated by deception

By Jim Cook Attivo Networks
Jim Cook, Attivo Networks Jim Cook, Attivo Networks

To what degree can you hope to control the actions of an attacker, says Jim Cook, ANZ Regional Director, Attivo Networks

When we hear about cybersecurity incidents, it is mostly because an attacker is in the box seat and in control. Perhaps they have breached a company and exfiltrated data, or unleashed ransomware or some other type of malware payload.

By contrast, we often do not hear about attacks that have organisations have successfully repelled.

Within information security, there have been long-running efforts and investment to ‘turn the tables’ and put the balance of power back into the hands of defenders.

It leads to the question: to what extent can defenders guide - or even attempt to control - an attacker’s movements completely?

To answer this, one must first understand how an attacker approaches a target.

The MITRE ATT&CK framework is one way of understanding attack tactics and techniques. Its matrices offer a way to determine what steps a particular attack might follow and outcomes it might commonly lead to as a result.

Increasingly, attacks such as ransomware are targeted and surgical.

Attackers are less interested in extracting a small ransom, and more in knowing exactly where your best stuff is. They’ll take their time and go ‘low and slow’ through the network. They may set a foothold, and leave and return a few times to gain more information. And they’ll only detonate when they are ready.

It is against the backdrop that Deception has evolved into an effective counter.

In the context of the MITRE ATT&CK framework, full fabric deception can derail an attacker’s efforts in up to 11 of the 12 steps of an initiated and escalated attack.

Decoy talk

At this point, it is worthwhile establishing a baseline for what we mean by deception because there are many types.

Deception is not just a fancy honeypot. Security researchers first introduced honeypots in the ’80s and served as a useful function for understanding who was attacking an organisation from outside the network.

Commercial deception technology has come a very long way and encompasses several potential lures, decoys, and breadcrumbs.

Organisations may place data deceptions such as canary files amongst real documents. These fake files act like canaries once did in coal mines, providing an early warning system for gas build-up underground. Similarly, interaction with a canary file might offer enough warning to a company to check for unauthorised data access.

Another form of deception occurs on an endpoint; that is, at the periphery of the network. Such deceptions trick attackers trying to harvest credentials to advance an attack into revealing their existence. They also serve to ‘breadcrumb’ the attacker back to a central server, which can then rais an alert.

A third type of deception occurs inside the network and aims to detect attacks that bypass other security controls. This form of deception typically uses decoys designed to attract attackers during reconnaissance and lateral movement.

A fourth type of deception addresses risks to specific applications, such as Active Directory. This method involves taking an unauthorised Active Directory query and misdirecting it into a deception environment. While attack is a bit outside of what is traditionally classified as deception, it’s still about getting an attacker to do something that you want them to do, hence its inclusion here.

Deception technologies may address one or more of these areas. Full fabric deception platforms allow organisations to engage an attacker fully, gather intelligence, and then take that information and automate the incident response actions behind it.

In control

Newer deception technologies offer organisations a greater degree of control over an attacker’s movements.

The manageability and operational burden of a modern deception platform is night and day compared to the honeypots of the ‘80s.

Honeypots required skilled workers to configure and rebuild them after an attack and to make sure attackers could not use them as a pivot point. Honeypots required significant effort to make and then keep them and attractive.

On newer platforms, machine learning profiles the environment to make the initial deception deployments less burdensome and the decoys more authentic. This capability makes it significantly less demanding for security teams to deploy and maintain the ruse. The heightened authenticity makes the decoys more believable, which allows them to blend in with the environment better, as being an obvious target can tip the attackers off that it is a decoy. The ability to dynamically deploy decoys in response to initial attacker activity on an unmonitored subnet or to make every endpoint act as a decoy to redirect attackers to the deception environment are further features that can influence attacker activity.

Deception can also now apply to on-premises as well as cloud-based environments. The architecture of deception has changed to adjust to the different attack surfaces. This development has also had a hand in making it more believable - and therefore inviting defenders to guide and control an attacker’s actions to a greater degree.

Subscribe to ITWIRE UPDATE Newsletter here

Active Vs. Passive DWDM Solutions

An active approach to your growing optical transport network & connectivity needs.

Building dark fibre network infrastructure using WDM technology used to be considered a complex challenge that only carriers have the means to implement.

This has led many enterprises to build passive networks, which are inferior in quality and ultimately limit their future growth.

Why are passive solutions considered inferior? And what makes active solutions great?

Read more about these two solutions, and how PacketLight fits into all this.


WEBINAR INVITE 8th & 10th September: 5G Performing At The Edge

Don't miss the only 5G and edge performance-focused event in the industry!

Edge computing will play a critical part within digital transformation initiatives across every industry sector. It promises operational speed and efficiency, improved customer service, and reduced operational costs.

This coupled with the new capabilities 5G brings opens up huge opportunities for both network operators and enterprise organisations.

But these technologies will only reach their full potential with assured delivery and performance – with a trust model in place.

With this in mind, we are pleased to announce a two-part digital event, sponsored by Accedian, on the 8th & 10th of September titled 5G: Performing at the Edge.


Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News