Deception: An Underrated Tool in the Fight Against Cyberattacks

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology and government. He is currently the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys

Everyone is familiar with the concept of deception. In its most basic form, in terms of human interaction, it’s simply lying. Generally, it’s considered a terrible thing, but perhaps not anymore in cybersecurity, where lying might be the key to keeping assets and agencies safe.

As a tool, deception has a long history in warfare, with several huge successes like Operation Fortitude during World War II that convinced the Germans to ignore the ongoing landings in Normandy on D-Day for fear that much larger force—which consisted mostly of balloon tanks—would soon be attacking farther up the coast. In nature, deception has been in play even longer. The peacock is not an overly formidable bird, but its beautiful plumage suggests otherwise to would-be predators.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

In cybersecurity, however, it’s a relatively new concept, but one that shows a lot of promise as a defensive tool that could protect federal agencies. Over the past few months, I have been tasked with setting up and testing deception technology from some of the major companies developing those new tools, the results of which were published in a review for CSO Magazine.

Deception networks began life many years ago as standalone honeypots. Named as an homage to the object that always trapped Winnie the Pooh’s paws or head, they were standalone systems that acted as bait for attackers. I used to deploy them for the lab I worked in, and they were always attacked within 24-hours of spinning up. However, the idea of the honeypot was flawed for several reasons.

First, they generally had no interaction with the actual network, so a good attacker could easily identify them as a fake or unimportant asset. Secondly, other than delaying an attacker for a few minutes downloading fake credit card numbers, they did little to improve the overall security posture of the organization. Finally, they generally had to be maintained just like any other asset, especially because they were under constant attack.

Modern deception platforms take this concept and expand it, making the fake assets look as real as possible to an attacker, and then responding, sometimes automatically, to shore up the defenses whenever a fake asset is attacked or even touched by a hacker.

Deception platforms work because authorized users interacting with actual resources within a network leave a large trail of activity behind in areas like browser histories and log files. Smart attackers know how to find and follow those trails back to actual assets. That's also why those old lone honeypots don’t work anymore: They leave no trail to follow.

I looked at deception platforms from four companies, and they all were a little different, but all had a few things in common. They are generally deployed as an appliance, or sometimes through the cloud, where the brains of the operation reside, as well as the user console and interface. They then sample the real network, and create identical, deceptive assets that match them in function and even naming scheme.

Essentially, the fake devices blend in with everything else when looking at a network topography. Some companies create deception computers and devices merely facades with limited functionality, while some spin up virtual machines nearly full versions of the machine types they are imitating.

And then, things get really clever. Deception platforms seed a network with indicators that make it look like all those deceptive assets are in use. With agents implanted on client machines, they can create indicators called breadcrumbs or lures to make it look like a user on that machine is interacting with the deception systems.

Should that endpoint become compromised, an attacker would have no way of telling which indicators are real, and which ones point to all the fake servers, clients, communication devices or services. Deception clients can even be configured to look like devices within specific industries, like medical scanners within health care.

The real beauty of a deception platform is that it does not touch valid users at all. Real users don’t scan directories looking for clues about which network drive, database or email client to use. They simply do their jobs however they have been told to, using whatever shortcuts and services their IT department provided. Attackers aren’t so lucky. Sneaking through a network and trying to avoid detection renders them essentially blind, so they must search for clues and indicators—which a valid user would never see—about where to go next. Because of that, valid users never even know about deception clients. Whenever anybody touches one, it’s almost a 100-percent certainty that an attack is underway.

Once an attacker has been tricked by the deceptive indicators into interacting with a fake asset, a deception platform can take several actions. It can capture forensic data from the attacker, alert a SIEM, or try keep the attackers engaged with the fake asset as long as possible. It might even immediately boot them, though that would probably unmask the deceptive asset too quickly to collect any useful threat intelligence.

I don’t know of any federal agencies using deception to trick attackers, but the technology has proven itself elsewhere. At the very end of the French election cycle, there was a massive cyberattack made against then-candidate Emmanuel Macron. But because a deception platform was in place, not only were the attackers thwarted, defenses were created to prevent them from using their tools and techniques against future elections.

Most of us were raised to believe it’s always best to tell the truth. But there is no reason why we shouldn’t lie to those who attack our networks. Rerouting attackers to fake assets where they waste their time, and where defenders can collect a lot of forensic data about their adversaries, makes a lot of sense now that the technology is up to speed. Especially as there is no impact for valid users, deploying deception becomes like that famous quote from the "Bonfire of the Vanities" novel, “If the truth won’t set you free, then lie.”