7 Deadly Sins – How To Fail At Implementing Deception Technology
Deception technology or ‘distributed deception platforms’ are a hot topic today, with most CISOs road-mapping the technology into their evaluations and budgets. The promises sound great:
- Full kill-chain coverage with low false positives
- Deep visibility across endpoints and VLANs
- Lateral movement / privilege escalation detection of humans and malware
Unfortunately, due to the unique secretive nature of deception (you may not want people to know about it, after all), there’s precious little information on how a security team can make distributed deception implementations useful and successful.
If you’re being pushed to power-up a sleek appliance and kiss your cybersecurity woes goodbye, don’t believe the marketing hype — that’s not going to happen.
After planning, implementing, and managing deception technology campaigns for the better part of a decade, we’ve compiled a list of the 7 deadly sins that will guarantee that your deception investment will disappoint you. Here we go:
1. You’re Not Sure What You’re Protecting
It’s pretty obvious that for deception to be successful, you need an objective and a strategy. At a minimum, make sure you know what assets you’re trying to protect (they’re not all equal to the hacker). The best deception campaigns are tightly goal-oriented (e.g.: “Catch targeted attacks against my SWIFT servers, especially focused on breaches from third-party networks.”).
The Fix: Make a list of your top 3 nightmare scenarios, and identify the assets (endpoints / servers / people / credentials / network zones) that are a part of those nightmares.
2. You Don’t Know Your Enemy
There’s a reason some of the best deception specialists moonlight as threat hunters or red-teamers. Deception is an ‘active defence’ capability — where deep knowledge of the attacker’s modus operandi is crucial. Knowing the critical paths an attacker will follow will massively boost the effectiveness of your deception capabilities.
The Fix: Have your in-house / external red-team build attack trees to the assets you’ve identified at risk. Train your blue-team on how to think adversarially.
3. You’re Not Prepared for Deception Alerts
One of the best things about deception technology is that the alerts have a low false-positive rate and arrive in real time. That’s great, but when the metaphorical (or literal) phone rings, do you have a plan for how to respond? The attacker is very likely still ‘live and squirming’ on your infrastructure. This leads to interesting new opportunities and questions:
- Should you watch what they’re doing and learn more, or do you want to immediately contain?
- How are you handling forensics? Live or dead?
- Can you use the IOCs immediately to dimension the scope of the breach?
- Is there an opportunity for useful attacker attribution with more targeted deception?
The Fix: Have a specific set of incident response play-books for responding to deception alerts. War-game the scenarios end-to-end, ideally without your DFIR / blue-team being aware. Start basic and build a roadmap to advanced deception use cases.
4. You Haven’t Tested Your Deception Strategy
Confident and experienced deception specialists will encourage (even insist) that you test the deception realism in your environment after you implement it. Not only does this validate that the deception is ‘working’ to meet your business objectives, but it will give you useful metrics like time-to-deceive, deception engagement time, coverage, and kill-chain hit ratios.
The Fix: Blind test the strategy underlying your deployment. See how ‘real’ your simulated adversary believes the decoys are. Did you miss something? This is worth doing regularly.
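As an added illustration (not code from the original post or from any product), this is how the four metrics named above could be computed from the decoy telemetry of a blind test. The event list, zone names and the convention that the first event is the red team’s recorded start time are all constructed assumptions.

```python
from datetime import datetime

# Constructed telemetry from a hypothetical blind test (example data, not from the page).
# Each event: (timestamp, source host, decoy touched or None, kill-chain stage).
# The first event is the red team's recorded start of the exercise (an assumption).
EVENTS = [
    ("2024-03-01T09:00:00", "ws-042", None, "initial_access"),
    ("2024-03-01T09:17:00", "ws-042", "decoy-fileshare-01", "discovery"),
    ("2024-03-01T09:25:00", "ws-042", "decoy-cred-svc", "credential_access"),
    ("2024-03-01T10:10:00", "ws-042", "decoy-swift-db", "lateral_movement"),
    ("2024-03-01T10:40:00", "ws-042", "decoy-swift-db", "exfiltration"),
]
# Stages the deployment is meant to catch, and the zones holding the nightmare-list assets.
KILL_CHAIN = ["initial_access", "discovery", "credential_access",
              "lateral_movement", "exfiltration"]
PROTECTED_ZONES = {"swift", "vpn", "payments", "hr"}
DECOY_ZONES = {"swift", "vpn"}  # zones where decoys are actually deployed


def _ts(s):
    return datetime.fromisoformat(s)


def time_to_deceive(events):
    """Minutes from exercise start until the adversary first touches a decoy."""
    start = _ts(events[0][0])
    first = next(_ts(t) for t, _, decoy, _ in events if decoy)
    return (first - start).total_seconds() / 60


def engagement_time(events):
    """Minutes between the first and the last decoy interaction."""
    touches = [_ts(t) for t, _, decoy, _ in events if decoy]
    return (max(touches) - min(touches)).total_seconds() / 60


def coverage(protected=PROTECTED_ZONES, decoyed=DECOY_ZONES):
    """Fraction of protected zones that contain at least one decoy."""
    return len(protected & decoyed) / len(protected)


def kill_chain_hit_ratio(events, chain=KILL_CHAIN):
    """Fraction of kill-chain stages at which a decoy was engaged."""
    hit = {stage for _, _, decoy, stage in events if decoy}
    return len(hit & set(chain)) / len(chain)


if __name__ == "__main__":
    print(f"time-to-deceive: {time_to_deceive(EVENTS):.0f} min")
    print(f"engagement time: {engagement_time(EVENTS):.0f} min")
    print(f"coverage: {coverage():.0%}")
    print(f"kill-chain hit ratio: {kill_chain_hit_ratio(EVENTS):.0%}")
```

Tracking these numbers test over test shows whether decoy changes actually make the adversary engage sooner and for longer.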
5. Your Deception is Not Customised
The best way to increase deception engagement time is to customise the decoys to your environment. There are a number of nifty tricks here (our MirageMaker feature does a lot of this for you), but never underestimate the power of human ingenuity.
The Fix: Find the most devious folks in your infosec team and brainstorm how you can deceive, degrade, deny, disrupt, and dazzle an attacker even better. You want your deception to maximise the economic burden to the attacker in terms of time, effort, and cognitive load.
6. You Don’t Know the ‘Deception Trifecta’
Well-planned deception systems unify three perspectives to quickly arrive at the root cause of an incident:
- What is happening? (decoy telemetry)
- How is it happening? (endpoint forensics)
- Where else is it happening? (estate integrations / correlation)
We call this the ‘deception trifecta’, and your entire strategy must be built around it.
The Fix: Study the deception trifecta and determine how weak or strong you are on each side. Improve visibility, collection, and analysis speed for each perspective. Ensure supporting systems can flesh out context when deception systems alert you (e.g. do you have an updated asset inventory?).
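As an added example (not from the original post or any vendor’s product), here is a minimal correlator that joins the three trifecta perspectives for a single decoy alert: the decoy telemetry (what), recent process activity on the source endpoint (how), and estate-wide authentication plus the asset inventory (where else). The honey credential used as the lure, the log formats and all sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (example only, not from the page or any product).
# "What": the decoy alert. A honey credential planted on the decoy is the assumed lure.
DECOY_ALERT = {"time": "2024-03-01T10:10:00", "src": "ws-042",
               "decoy": "decoy-swift-db", "lure_cred": "svc_backup_dec"}
# "How": EDR-style process events from endpoints.
ENDPOINT_EVENTS = [
    {"time": "2024-03-01T08:00:00", "host": "ws-042", "proc": "outlook.exe", "parent": "explorer.exe"},
    {"time": "2024-03-01T10:08:30", "host": "ws-042", "proc": "powershell.exe", "parent": "winword.exe"},
    {"time": "2024-03-01T10:09:50", "host": "ws-042", "proc": "sqlcmd.exe", "parent": "powershell.exe"},
]
# "Where else": estate-wide authentication log and the asset inventory.
AUTH_LOG = [
    {"time": "2024-03-01T10:05:00", "host": "ws-042", "user": "svc_backup_dec"},
    {"time": "2024-03-01T10:30:00", "host": "srv-017", "user": "svc_backup_dec"},
    {"time": "2024-03-01T10:31:00", "host": "srv-020", "user": "jdoe"},
]
ASSET_INVENTORY = {
    "ws-042": {"owner": "finance", "zone": "user-lan"},
    "srv-017": {"owner": "payments", "zone": "swift"},
}


def _ts(s):
    return datetime.fromisoformat(s)


def enrich(alert, endpoint_events=ENDPOINT_EVENTS, auth_log=AUTH_LOG,
           inventory=ASSET_INVENTORY, window_minutes=5):
    """Join the three trifecta perspectives for one decoy alert."""
    t = _ts(alert["time"])
    window = timedelta(minutes=window_minutes)
    # How: process activity on the source host in the minutes before the decoy touch.
    how = [e for e in endpoint_events
           if e["host"] == alert["src"] and t - window <= _ts(e["time"]) <= t]
    # Where else: every other host on which the honey credential was used.
    spread = sorted({a["host"] for a in auth_log
                     if a["user"] == alert["lure_cred"] and a["host"] != alert["src"]})
    unknown = {"owner": "unknown", "zone": "unknown"}  # flags a gap in the inventory
    where_else = [{"host": h, **inventory.get(h, unknown)} for h in spread]
    return {"what": f'{alert["src"]} touched {alert["decoy"]}',
            "how": how, "where_else": where_else}


if __name__ == "__main__":
    import json
    print(json.dumps(enrich(DECOY_ALERT), indent=2))
```

A host that comes back with owner and zone “unknown” is exactly the inventory gap the fix above warns about, surfaced at the moment you need the context.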
7. Your Deception Provider Doesn’t ‘Get’ Strategy
Remember IDS? DLP? NAC? cough SIEM cough?
The success of cybersecurity technologies is pretty binary: Either they’re well implemented by people who knew how to do it right, or far more often, they’re a mess of false promises and mismatched expectations. If you’re just being sold a box, AMC, and product training, there’s a lot missing. Sure, you might make it work, but the onus should be on the vendor to ensure you operationalise deception capabilities and see success for stuff that matters to you (we do this for every customer, big or small).
The Fix: Talk to your provider to understand the depth of their knowledge on deception deployments, adversarial thinking, and most importantly, how they’ll make it all work for you. Get into specifics. Speak to their people. Hint: if their title says ‘Sales’… well… caveat emptor 🙂
In Summary – How To Get It Right
- Identify what will hurt you, and where those assets reside
- Know how your enemy will likely traverse your environment
- Create a tactical plan for handling deception alerts
- Blind test your deception strategy regularly
- Customise your deception environment ‘by hand’
- Know the ‘Deception Trifecta’ and improve how you use it
- Choose a provider who will build a capability, not sell a box
Deception is more than just a new way to detect lateral movement, privilege escalation, ransomware, data-theft or solve any other current cybersecurity woes. It’s a fundamentally different way of thinking about how you defend your organisation, irrespective of shiny boxes (ours or anybody else’s)!
Avoid the mistakes above, and your security team will really see the benefits behind the hype. We have customers that now use deception as their ‘concertmaster’ — the single most important pillar in their security stack, with everything else supporting it.