During World War II, a ghost army fooled Adolf Hitler. A travelling roadshow of inflatable tanks, cannons and aeroplanes, largely manned by actors and artists, impersonated the Allied Army near the front line. Doing this drew attention away from the US troops, spreading the German forces thin and giving the Allies a tactical advantage.
History is full of such military deceptions: from Genghis Khan’s trick formation against the Romans to King Harald Hardrada hiding inside a coffin to gain entry to an enemy castle.
In the present day, scores of cybercriminals use deception every day to steal, disrupt and damage.
According to the FBI’s internet crime division, deceptive email-based social engineering attacks are the most prominent form of cybercrime.
They have even claimed the Trojan Horse – the most famous example of military deception that probably never happened – as their own to describe malware that fools you into giving access to crooks.
But increasingly, the art of deception is being deployed against them, redressing the balance on the cyber battleground.
“Deception has worked in physical battles for many millennia for militaries,” says Tony Cole, CTO at Attivo Networks, a US cybersecurity firm offering deceptive technologies to lure cybercriminals.
“Some of the most successful battles were won through the use of deception. Sports teams use deception on a daily basis to try and win games.”
“We are doing the exact same thing. We are creating many of these alluring pieces inside of the [company’s digital] environment so that it looks interesting to an adversary.”
The evolution of honeypots
Being ex-army, Cole is particularly drawn to using strategic, deceptive ploys against cybercriminals. But for many years, nobody was playing the deceivers at their own game, he says.
That’s despite honeypots – a simple form of deception in which an organisation lures attackers with an unprotected IT asset – being around for decades.
However, early versions faced several challenges. They included a lack of automation to enable deployment at scale, functionality and overall efficacy.
But with the last decade’s rapid developments in AI, vendors now have the technological capabilities to meet the demands of the market, taking the honeypot concept to another level.
And with it, there has been an explosion – if perhaps a small one – of new deceptive technology vendors.
Before 2010, there were just a handful of cybersecurity firms offering deception products, such as Rapid7, LogRhythm and ForeScout.
Since 2011, at least a dozen deception technology vendors have launched, such as Allure Security Technology, Smokescreen Technologies and Minverva Labs.
And among them is Attivo Networks, which formed in 2015 and offers a variety of deceptive tools it says can give organisations the upper hand.
Cat and mouse
As with most deceptive technology vendors, Attivo creates a fake digital platform that layers across the production environment of an organisation’s IT network.
To the adversary, the environment looks authentic. But there is no danger to the company – it exists in its own bubble.
On this mirror platform, Attivo places the bait: false credentials, fabricated configuration files, deceptive breadcrumbs.
Just like the Allies’ ghost army, attention to detail is crucial to ensure the fiction is believed.
“What we’ve done is we’ve changed up that environment, so when they [the threat] come in they don’t know if they are accomplishing their goals,” explains Cole, who also sits on the NASA Advisory Council.
“They don’t know if they are on a real system, they don’t know if that’s a real user, they don’t know if that’s a real domain.
“That’s because we change it up so well in the environment, allowing them to be just as confused as a defender used to be in trying to actually defend the environment.”
So believable is the deception, says Cole, Attivo is able to fool red teams that are aware a deception is in place.
And if the adversary does become aware of the ruse, the environment is “respawned”, kicking them out, changing IP addresses and some of the running applications.
“Then the adversary comes back and they’re gonna get caught again.”
Taking the bait
Once the adversary has gained access to the deceptive platform and taken the bait, they attempt to use the false data to compromise the entire network. For example, the adversary might scrape memory on the system and find active directory credentials.
But these are also decoys. When the cybercriminal uses them to gain further access they are instead led to another authentic environment that is away from the production side.
The adversary thinks they have the keys to the entire castle, but the door only leads to the dungeon.
And now, they are trapped.
“If they try and take active directory credentials, the deceptive ones we’ve left in there, and they had already done some reconnaissance and went to the real active directory server […] now, suddenly the security teams is going to get an alert that somebody has tried to use deceptive credentials on the active directory server,” says Cole.
“It’s all hands on deck, that system’s compromised.”
The defenders can now monitor and collect intelligence on the threat, as well as distracting them from allocating time and resources on a real breach.
“It’s the same as someone kicking down your front door and you’ve got an alarm set up. You’re not home and the alarm goes off and they run away – no harm no foul, right? Maybe you realise you need a stronger front door and door jam, but nevertheless, your alarm has done its job.”
In one ransomware attack, the cybersecurity team slowly shrunk the pipe that the adversary was trying to exfiltrate data through. Then, when the cyber crook attempted to encrypt the data, the team kept increasing the size of PST file remotely, never allowing them to finish the encryption.
And moments like that have their perks, says Cole.
“We literally turn the deceptive environment into a playground for the defenders to mess with the adversaries coming in – and that’s what makes it fun.”
Giving home-field advantage back to the defender
Attivo works with customers ranging from Fortune 500 companies to mid-sized organisations.
“It’s a good fit for the mature and the immature security operations teams,” says Cole.
And the architecture of Attivo’s deception tools means it can integrate with existing security structures. For example, companies can send any data they gather on threats to other security solutions, such as Palo Alto, Cisco, Checkpoint and McAfee to then run a deeper analysis.
Through these partnerships, both sides are able to take advantage of intelligence and so turn the tide of the deception battle.
But the battle is never over; the landscape is forever changing.
Consequently, the deception technology market is booming. In 2016 it was worth $1.04bn, according to RnR Market Research. By several estimates, that figure is expected to double by 2021.
The continued rise of advanced persistent threats and zero-day attacks is likely to fuel this growth.
Ultimately, deception in the cyber realm is a means to stay proactive, rather than reactive. Or as Cole puts it, it’s to “give home-field advantage back to the defenders”.
Perhaps the Chinese general and military strategist Sun Tzu said it best: “All warfare is based on deception.”
Be it inflatable tanks, a Trojan horse or in cyberspace.
This article is sourced from our sister cybersecurity magazine Verdict Encrypt.