A good friend of mine recently asked for advice on employing deception in an active defense strategy. The goal here is to turn the tables on your adversary by observing and influencing their actions. Since the current trend is for organizations to consider deception techniques in their broader security strategy, I want to provide some insight and direction on this important topic.
Deception is an Art (and a Science)
In deception strategy and operations, creativity is very important. You're in the business of making something that is fake appear legitimate. You are trying to deceive an enemy, and that enemy is human. They must be convinced by your deception story and infrastructure and believe that they have either reached their intended target or are on a path that allows them to achieve their goals.
Your deception operations must also be scientific, with monitoring and control operations. What good is a great story when you can't collect information quickly or implement changes to redirect an attacker at a critical time? This is an intelligence operation and you must be ready. If you use controls to restrict an attacker, you must also ensure you have the right infrastructure to support these activities. You must execute that control in such a way that it does not tip off the adversary, so that you may continue to influence their moves.
Start with a Strategy
When developing a deception strategy, you need to consider your goals for this program with an understanding of your enemies and yourself. This program is not for organizations whose security program is still immature, as it requires significant thought and preparation to be successful. It requires buy-in from senior management and, many times, significant resource commitments. It requires that you understand your operating environment and larger business strategy -- your business risks, high-value assets, infrastructure, controls, and operations.
Employing deception successfully requires an understanding of your adversaries. Deceiving a nation state is very different from deceiving a loosely organized social hacking group. And both are very different from a rogue insider. Their techniques, resources, speed, communication channels, access, targets, operational security (OPSEC), goals and level of persistence can all be very different and change what tactics you use to influence their actions.
You must identify the objectives of your enemies and make them feel as if they're successful in reaching their target, or at least heading in that direction. The use of CARVER (Criticality, Accessibility, Recognizability, Vulnerability, Effect, Recoverability) is very helpful here. While CARVER was developed for offensive operations to determine which targets provide the most value to an attacker, it can be used for active defense purposes to determine which assets are most likely to be targeted. This helps guide you to which types of assets in your organization may require additional protections, including deception operations.
Make sure to consider your desired outcomes and intelligence requirements. For example, detection, intelligence extraction and analysis, disruption, and disinformation targeted at specific adversaries may be requirements for this program. To deliver value, you need a strategy with a clear scope and outcomes.
Strategy Guides Your Story
What do you want your adversary to believe? This is your story. Your strategy drives the depth and aligns the people, process, and technology required to implement your story. Listed below are several program possibilities you'll want to consider:
- Provide disinformation to confuse and slow your adversary
- Cause them to take actions beneficial to you
- Be directed to a deception environment where you can monitor their actions
- Disrupt their available avenues so that they expose additional tools and techniques
- Disclose what information they are targeting
Your story can be as simple as deploying a fake internal website vulnerable to an attack that appears to have customer data. This approach could be used to better understand techniques used to attack your internal sites and when an adversary has breached other security controls. However, your story can grow significantly in complexity based on your strategy. You might create or deploy:
- Entirely fake environments to mirror those of your production assets and normal operations
- Fake manufacturing facilities, control networks or stores
- Fake internal or third-party entities that hold seemingly sensitive information ripe for attack
- Custom honey tokens to monitor who touches these files and understand their movement in your environment
This goes on and on, but what you need to remember is this: Your story should follow your strategy and allow you to meet the goals you've defined. No more, no less.
Also, keep in mind that your story must be believable to your adversaries. In many cases, your story must be active. One common objective is to engage your enemy and keep them engaged. There are actors who conduct continuous in-depth research of their targets and you don't want your effort wasted because you overlooked the details. Stale environments without activity are often not believable. Expect certain adversaries to examine network and user traffic to see if the environment appears legitimate. Expect the logging policy (if visible) to be accessed to determine if specific files or accounts are monitored. Expect the adversary to notice if there are significant differences between production and deception infrastructure. These program details are incredibly important and, as such, insufficient details can lead to wasted effort.
A final note here: This program is not to show the attacker how cool you are. If you are successful, the attacker will never know they were caught in your deception operation.
It's More Than Technology
The people and process can be easily overlooked and result in overall failure of the program, as is so common in security. While deception technologies can provide value, they often are not the complete solution and could be more useful as tools in a toolbox for specific deception operations. For example, you may have a need to deploy large encrypted honey tokens with custom file names and content on a file server mixed with legitimate files. Then you might need to regularly update these files to show activity. This is part of the story and this is where people and process are incredibly important.
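To make the honey-token part of the story concrete, here is an added example (not code from the original post or from Respond Software): it flags any access to a planted decoy by an account that is not part of the scripted story, lists decoys that have gone stale, and regenerates opaque decoy content so a refresh changes more than a timestamp. The paths, account names, dates and audit lines are constructed placeholders.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed inventory of planted decoys: path -> (label, last content refresh).
# Paths and dates are hypothetical placeholders, not from any real deployment.
HONEY_TOKENS = {
    "/srv/share/finance/Q3_customer_export.xlsx.gpg":
        ("finance-export", datetime(2024, 5, 1, tzinfo=timezone.utc)),
    "/srv/share/hr/payroll_2024.zip":
        ("payroll", datetime(2024, 6, 20, tzinfo=timezone.utc)),
}
# Accounts that touch decoys by design (refresh job, backup): part of the story, never an alert.
STORY_ACCOUNTS = {"svc_refresh", "svc_backup"}
# Constructed "current time" used by the staleness check below.
AS_OF = datetime(2024, 6, 25, tzinfo=timezone.utc)

# Constructed file-server audit lines in the form timestamp|account|action|path.
SAMPLE_LOG = """\
2024-06-25T09:12:03Z|svc_backup|READ|/srv/share/finance/Q3_customer_export.xlsx.gpg
2024-06-25T09:40:11Z|jsmith|READ|/srv/share/finance/budget_2024.xlsx
2024-06-25T11:02:45Z|jsmith|READ|/srv/share/finance/Q3_customer_export.xlsx.gpg
2024-06-25T11:03:02Z|jsmith|COPY|/srv/share/hr/payroll_2024.zip
garbage line that should be ignored
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<user>[^|]+)\|(?P<action>[A-Z]+)\|(?P<path>.+)$")

def detect_token_touches(log_text, tokens=HONEY_TOKENS, story_accounts=STORY_ACCOUNTS):
    """One alert per decoy access by an account that is not part of the story."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"] not in tokens:
            continue            # malformed line, or a legitimate (non-decoy) file
        if m["user"] in story_accounts:
            continue            # scripted activity that keeps the decoy looking alive
        alerts.append({"ts": m["ts"], "user": m["user"], "action": m["action"],
                       "label": tokens[m["path"]][0]})
    return alerts

def stale_tokens(now, max_age_days=30, tokens=HONEY_TOKENS):
    """Labels of decoys not refreshed within max_age_days: stale files undermine the story."""
    limit = timedelta(days=max_age_days)
    return sorted(label for label, refreshed in tokens.values() if now - refreshed > limit)

def refresh_payload(label, epoch, nbytes=256):
    """Regenerate opaque 'encrypted-looking' decoy bytes; each epoch yields new content."""
    out, block = b"", f"{label}:{epoch}".encode()
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()   # hash chain: deterministic but opaque
        out += block
    return out[:nbytes]
```

In practice the audit lines would come from the file server's object-access logging and the refresh job would write `refresh_payload` output to the decoy path on a schedule.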
There are several components that are important to the success of the program:
- Creativity and detail in design and implementation
- A background in formal intelligence and deception operations (helpful, but not required)
- Expertise in telemetry, intelligence analysis, and monitoring
- System, network and user behavior experience
- Processes for continued story development, intelligence collection and analysis, control implementation, OPSEC (discussed below), and integration within the business
Operational security cannot be overlooked with this program. If you are defending against sophisticated organized crime or nation state actors, you may even go so far as keeping deception designs and processes out of your standard corporate email and storage systems. This is especially true in an active breach response situation. If you are interacting with IRC or similar channels, or if you must interact with attacker infrastructure, you will also want to anonymize yourself. Security of the systems and networks used for managing deception stories and infrastructure is critical.
I would be doing you a disservice by not telling you that this program can be difficult to develop and manage. You need to understand how far you're willing to go. You need to periodically make sure you feel this program is providing value and adjust when it is not. The truth is, as an industry we face a significant shortage of talent already (a problem we’re solving at Respond Software). Convincing decision-makers within organizations to dedicate resources for a deception operation could be challenging. Showing return on investment might be difficult as well. However, if your company has been breached, contains sensitive data or secrets, has been targeted, or provides critical infrastructure, this is likely an easier sell.
We've successfully deployed this type of program in organizations and this has resulted in significant value realized from intelligence analysis and successful disruption of sophisticated adversaries. My advice is to pay careful attention to the details and allow your defensive strategy to guide your stories and your investments in people, process, and technology for this program.
By Mitchell Webb, Director Technical Account Management, Respond Software