This presentation will explore adding deception as a component of a security-in-depth strategy to increase cyber resilience (in case the garlic, crosses, and wooden stakes are not effective). We will discuss whether you should invite attackers into your network. Much like with vampires, inviting attackers in can have serious repercussions. However, unlike vampires, cyber attackers do not need an invitation. Fortunately, deception within our networks can aid in identifying, delaying, and evicting unwanted guests, including insider threats (or vampires already amongst us). We will explore several deception use cases that can dramatically increase cyber resilience without attracting more attackers.
So, yeah, my name is Donny Went. I am a principal security researcher with Mastercard, where I've been working since 2004. I'm also an adjunct professor at Yuka University, and I'm really honored to speak at this conference again. I spoke here last year, but with that, we'll go ahead and get started. When I talk about deception, I like to point out that the key of deception is not deceiving the enemy. What you're really trying to do is make the enemy deceive himself. History is full of examples of deception, especially in warfare, and I'll talk briefly about a couple of the most effective ones. Typically, the reason they succeeded was that they presented the enemy with something he expected to see and something he really wanted to believe.
In the US, where I'm at, we have a saying that George Washington could never tell a lie. In actuality, he was a true master at telling lies. Early in the Revolutionary War, in 1775, Washington's forces were so terribly short of gunpowder that they only had enough for eight or nine shots per man. So to hide that fact from the British, Washington ordered a bunch of fake gunpowder casks be filled with sand and shipped to depots where they would be seen by British spies. As a matter of fact, throughout the war Washington would create inflated reports of troop strengths. He often penned fake documents that were specifically designed to fall into the hands of traitors and spies, always trying to mislead the British. The Allied forces used many deceptions to hide their assault on Normandy during World War II. This was probably one of the most well-known uses of deception in the 20th century, perhaps the most famous of which was their creation of a fake invasion force, right?
It was made up of inflatable tanks and cardboard aircraft positioned in Britain, and that fictional First United States Army Group was placed under General Patton's command, one of the leading generals. In addition to the fake tanks and planes, this ghost unit also created fake radio traffic to emulate a real army group. The placement of those fake forces and that radio traffic reinforced Germany's belief at the time that the Allied invasion would occur at Pas-de-Calais instead of Normandy. And then the final one I wanted to talk about was this example from the US war in Vietnam. The US had gathered from radio traffic that the North Vietnamese Army, or NVA, was looking for a significant US outpost that they could attack and overwhelm, because they needed a propaganda victory. So the US decided to build one that would attract the NVA, what we would now call a honeypot, right? The US quickly built this base northwest of Saigon, near the Cambodian border, and the lure worked great. Hidden in the forest around the makeshift base were many motion detectors and artillery. After shelling that base for two or three days, the NVA decided to attack. The attack failed, costing the NVA many men. So we can see how each of these uses of deception was taking advantage of the opponent's biases, what the opponent wanted to see.
Now, when we talk about the cyber realm, this is where deception can truly thrive, because cyberspace makes the creation of those fake realities, the imaginary assets, the false personas, all of that, quite simple. We can build up and tear down cyber terrain with ease. In cyberspace we use deception for many purposes. Some of the uses have become so ubiquitous that we often do not even think of them as deception, even though they are. In some cases these deceptive activities mimic longstanding deceptive activities in the physical world; it's just much easier and quicker to do so. And sure, deception is used by attackers and defenders, and I'll get to that real quickly, but it's also used for such things as ensuring privacy, right? Criminal investigations and criminal activity both use cyber deception, as do intel and counter-intel operations and research.
And quite often ordinary people will use it because they want to boost their social media profile or they want to provide fake contact info on websites. Another growing area of deception is actually in entertainment; virtual reality is about deceiving the user. When we talk about threat actors, though, understand that deception has been a powerful weapon in their arsenals for years. Cyber threat actors use deception to take the initiative and gain first-mover advantage. Quite often, for example, threat actors use deceptive emails for their phishing attacks, now leveraging things like natural language processing and AI to create more convincing emails. They also spoof legitimate domains or impersonate trusted contacts. These threat actors use these deceptive practices to bypass our defenses and establish a foothold from which to operate. So to counter the threat actor, defenders can create a deceptive environment populated with the fake assets the attacker expects to see, causing the attacker to deceive himself. Creating what we call a hall of mirrors with fake assets and misdirections forces the attacker to waste his time and resources while alerting our defenders to his presence.
So building systems that are highly resilient to cyber threats means we have to employ techniques and technologies that our adversaries do not anticipate, cannot navigate, and cannot successfully attack. One such technique, of course, to increase this resiliency is cyber deception. It is a proactive defensive strategy that attempts to avoid some of the traditional wait-and-watch game. So what are we really talking about when we refer to the practical application of deception for cyber defense? I'd like to start by looking at some of the components of a typical deception platform. First, we have our lures, which are also sometimes referred to as breadcrumbs. These lures consist of data placed on legitimate assets. Quite often they're designed to entice and lead the attacker to a decoy and away from legitimate assets. The idea of the lure is to attract attackers and then hopefully lead them to a decoy system or environment, typically to collect intelligence or possibly to engage with that attacker.
One important thing is that lures can be within or outside of the defender's network, and they can direct the attacker to decoys that are either within or outside the network, so these can cross those boundaries. A decoy is a physical, virtual, or emulated system that's configured to perform like a similar system found in the environment. These decoys can act as honeypots designed to be compromised, or they can trigger alerts based on any interaction at all. Instead of deploying physical or virtual decoys, some of the deception platforms use an appliance to create emulated decoys on the network. These decoys may imitate servers, workstations, network devices, and IoT devices; they can emulate industrial control systems and supervisory control and data acquisition, or SCADA, systems. So really, anything we could see on our network, we could create decoys to emulate, as shown in this diagram.
In addition to individual decoys, we can create an entire decoy network that emulates a real one. And then finally, a token is data that we've placed on legitimate assets. These can be files containing fake sensitive data, fake accounts in Active Directory, fake credentials, fake records in databases, et cetera. Let your mind wander; anything there. These tokens can then be monitored with traditional monitoring tools. For example, file integrity monitoring could monitor honey token files for any access. Any interaction with the token then indicates the presence of a possible attacker or insider threat, because in the normal course of business no user or traffic should access it. Now, with a deception platform there's typically also a central management console, which is used to develop, deploy, and manage these decoys, lures, and tokens. And of course, underlying all this, a robust monitoring system must be in place to alert on interactions with the fake assets.
Now, state-of-the-art deception platforms enable rapid creation of deception environments within your existing infrastructure, connected to existing cyber defense mechanisms. I'll say, if you are investigating the implementation of a deception platform, there are some important characteristics you should look for. First, make sure it provides resilient concealment of the identity of your critical assets. Two, make sure it can increase the detectability of an attack, and the way it does that is by significantly increasing the potential for mistakes by the attacker. Third, it should act as a deterrent by increasing the attacker's efforts to achieve his goals, making him go somewhere else because it's too difficult here. Four, it should provide automated configuration that is largely transparent to the users. And then five, it has to be scalable to many services and hosts, especially all those that are within your production networks. So if you have IoT devices and ICS devices and the like, make sure it can emulate those as well.
Now you might be wondering, well, what about the vampires? I promised some vampires here. Well, I do have to say, before we go any further, I am a big fan of vampire literature and have been for years, so there'll be a few analogies here. So please pardon those as we go through. What I have found is that when I start discussing deception for cybersecurity, especially with other cybersecurity professionals, people seem to just jump right to this idea of honeypots and honeynets, in which implementations, you know, people envision that we're enticing the attacker in, perhaps through external lures or by making the honeynet externally visible. I've had vendors try to present products to me in which they would do just that: they would have external lures that would bring the attacker into my network. Such deceptive practices, in my mind, are designed to lure those attackers in and keep them in, to slow the attack and observe their behavior, possibly even engaging the attacker.
The idea is that the defender could then gain knowledge of the attacker's tactics, techniques, and procedures and collect original intelligence by engaging that attacker early and maintaining the deception, which allows the defender to collect and record very good detail about the attacker's attempts. The purpose, of course, of such an approach could be to collect intelligence to improve our defenses or to pursue the attacker, such as in a law enforcement situation. However, I would say inviting the attackers into your network can have very serious repercussions, much like inviting vampires into your homes, right? Furthermore, engaging them or watching them move about can be quite risky. In most cases, I recommend that companies leave this type of engagement, this type of use of deception, to professional external security vendors and researchers, or, in the case of vampires, you know, let Buffy handle them. That's Buffy the Vampire Slayer on there. Or, if you prefer, you could contact Van Helsing, Abraham Lincoln, or needle blank, all of whom are very renowned vampire slayers. But often the best approach, you know, when you encounter that vampire, is to drive that wooden stake through its heart as soon as possible. Similarly, in most situations, for most organizations, once a suspected attacker is identified, they want to evict and block that attacker quickly and effectively.
So, of course, unfortunately, unlike vampires, the attackers that target our organizations enter without an invitation, so we have to have some way to deal with them. And that's where deception can really help, because deception can be used to identify that attacker within your environment. Deception tactics are not limited to those external-facing honeypots and honeynets. You do not actually have to invite that vampire into your home or that attacker into your network. In fact, you probably should not, unless you are quite sure of your abilities at wielding the wooden stake. So when your perimeter defenses, such as firewalls, intrusion detection systems, garlic, crosses, and what have you, do not work, you can leverage deception to kind of shine that light on the attackers, to detect those attackers. The use of deception within your environment can act as an early warning system of possible intrusions, much like using mirrors to detect vampires, right?
Then once you are alerted to their presence, you can banish them by shining sunlight on them. So when we look at what we are actually talking about when we talk about practical deception: defenders can create a wide range of decoys and tokens, including servers, network devices, files, database entries, and passwords, which only a malicious attacker should access. Right? And then some of the practical use cases for deception include things like alerting, which is the proverbial canary in a coal mine, where fake assets or tokens are distributed throughout the environment and any interaction with those assets triggers an alert and immediate response. You can also deploy decoys that resemble common reconnaissance targets, those things that the attackers are looking for, and then alert on any interaction with those assets. Another good use case is strategically deploying lures that direct the attackers to decoys of various systems, which can aid in detecting attempts at lateral movement or attempts to exploit systems. Interaction with these could trigger alerting or observation, right?
To discover tactics or targets, to see where they're actually trying to get to. You can also place tokens that resemble sensitive data, such as intellectual property, cardholder data, and personal information, in strategic locations. These can be files, entries in databases, or really any fake assets. Any interaction with those assets could signify an attack, so immediate alerting and response are necessary. You can also use deception as an active defense, which is part of what I looked at in my doctoral research, where we actually use deception to slow the attacker, typically involving deploying lures and decoys to confuse and misdirect that attacker and make him expend his resources. Many of these same use cases that we've talked about above, the good thing about them is they can also assist with identifying insider threats or policy violations, whether intentional or not. An insider triggering any of the alerts could signal an insider threat, or it could be an attacker using compromised credentials. Of course, an effective and robust monitoring and alerting system is a prerequisite for using deception for any of those use cases; defensive systems have to monitor those decoys and tokens and alert on interactions.
Several of these methods are actually quite simple to implement and require no new technology. Of course, like with any approach in cybersecurity, there are challenges, right? So false alarms, or false positives, may occur from employees interacting, but that could also be a trigger of insider threat as well, so there's kind of a trade-off there. The biggest challenge is probably in creating and maintaining those decoys and tokens, because they have to continue to look convincing to be effective. And that's where a deception platform could assist, right? Especially when you start talking about upgrades to operating systems that change some of those key files, you have to change some of those fake assets as well to continue to look realistic.
So how do we make sure we're successful? The successful implementation and operation of a deception program, like most other programs, starts with a clear strategy. That strategy is going to have to define the goals and objectives of that deception program. One approach to defining the strategy is to first define and prioritize the critical exposed assets that need to be protected. Then, for these critical assets, define the goal for using the deception, maybe creating a bunch of fake assets surrounding that critical asset to try to deflect activity. Then clear objectives and goals are going to assist us in prioritizing those many use cases that we talked about. To give you an example of what some high-level objectives could include: it could be to alert on reconnaissance efforts and probable attacks with minimal false positives, so the attackers can be blocked and evicted. It could be to slow or deter the attacker with fake assets.
In which case deception can be used to frustrate that attacker. Or it could be to discover policy violations and inadvertent insider threats to avoid accidental incidents or disclosure events, or it could be to discover the attacker's TTPs and gather intelligence to improve defenses. Now, which objective you choose or create will drastically impact how deception is implemented. For example, let's look at the concept of secrecy in regard to those objectives I discussed. If the objective is to collect intelligence, then maintaining secrecy of that deception throughout the engagement is paramount; that's the only way you're going to be able to do it. Similarly, if you are trying to uncover policy violations by insiders, secrecy has to be maintained as well. However, if the objective is deterrence, then maintaining secrecy of the deception is far less important: once you detect them, get them out.
Similarly, if the goal is just to alert on any interaction, then maintaining secrecy after that initial interaction is of very limited use. So it will change how you'd implement it. The objectives and goals then should drive the prioritization and implementation of those use cases. An objective focused on detecting and evicting an attacker is going to require very different use cases than one focused on collecting threat intel. The objectives and use cases should consider how the attacker should react to the deception, right? We have to consider, in this planning stage, how we want the attacker to react when he encounters this deception. That's when we also consider what biases the attacker might have that we can exploit, much like we saw in the uses in warfare, right? What drives them? What can we exploit? Prioritizing those use cases is then going to assist in defining the requirements that we'll use to evaluate possible deception platforms, right?
So when assessing the deception platforms, in addition to a functional evaluation of use cases, you also have to evaluate how the tool would integrate with your current environment and the long-term operational support and maintenance, right? Including personnel and licensing costs. Also, that program must define the roles and responsibilities required to implement and support the deception strategy. Despite what you may hear from various vendors, it does require ongoing support and maintenance, and people to continue to develop, deploy, and maintain those deceptive assets and to respond to generated alerts. Now, after all that, if you still have your heart set on being a vampire slayer, you can purchase one of those really neat vampire slayer kits. I found this one on the internet. There's all kinds of them out there; you can find some really cool ones if you want. So, you know, you can always go that route too. And I believe that was it for the presentation. Yep, that's the end. Thank you very much.
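The honey token alerting the talk describes (tokens on legitimate assets, any interaction alerts, with the maintenance false-positive trade-off), as an added worked example that is not the speaker's or Mastercard's code: a monitor that runs audit events past a token inventory. Every path, account name, database row and the `deception-svc` / `token-refresh` allowlist entry is constructed for illustration.

```python
import json
from dataclasses import dataclass

# Fake assets registered in the deception inventory. All values are constructed.
HONEY_FILES = {"/srv/finance/cardholder_export_2023.csv", "/home/admin/.ssh/backup_id_rsa"}
HONEY_ACCOUNTS = {"svc_backup_legacy", "dba_readonly"}          # fake AD accounts
HONEY_DB_ROWS = {("customers", 999991), ("customers", 999992)}   # fake DB records

# The platform's own refresh job may rewrite tokens (e.g. after an OS upgrade)
# without raising an alarm; everything else that touches a token is suspect.
MAINTENANCE_ALLOWLIST = {("deception-svc", "token-refresh")}

@dataclass(frozen=True)
class Alert:
    severity: str
    token_kind: str
    target: str
    actor: str
    reason: str

def match_token(event):
    """Return (kind, target) if the event touches a registered honeytoken, else None."""
    kind = event.get("kind")
    if kind == "file" and event.get("path") in HONEY_FILES:
        return "file", event["path"]
    if kind == "auth" and event.get("account") in HONEY_ACCOUNTS:
        return "account", event["account"]
    if kind == "db" and (event.get("table"), event.get("row_id")) in HONEY_DB_ROWS:
        return "db_row", f"{event['table']}:{event['row_id']}"
    return None

def evaluate(event, known_insiders):
    """Any interaction with a token is an alert; only the maintenance job is exempt."""
    hit = match_token(event)
    if hit is None:
        return None
    kind, target = hit
    actor = event.get("user", "?")
    if (actor, event.get("process", "")) in MAINTENANCE_ALLOWLIST:
        return None
    if kind == "account":
        # No legitimate login ever uses a honey credential: treat as an active attack.
        return Alert("critical", kind, target, actor, f"honey credential used from {event.get('src', '?')}")
    if actor in known_insiders:
        # A real employee account: insider activity or stolen credentials, triage either way.
        return Alert("high", kind, target, actor, "insider or compromised credentials")
    return Alert("critical", kind, target, actor, "unknown actor touched honeytoken")

def scan(lines, known_insiders):
    """Run each JSON-lines audit event through evaluate() and keep the alerts."""
    return [a for a in (evaluate(json.loads(ln), known_insiders) for ln in lines if ln.strip()) if a]

# Constructed audit feed: one benign read, one maintenance write, three token hits.
SAMPLE_EVENTS = """
{"kind": "file", "path": "/etc/hosts", "user": "jdoe", "process": "cat"}
{"kind": "file", "path": "/srv/finance/cardholder_export_2023.csv", "user": "jdoe", "process": "python3"}
{"kind": "file", "path": "/srv/finance/cardholder_export_2023.csv", "user": "deception-svc", "process": "token-refresh"}
{"kind": "auth", "account": "svc_backup_legacy", "user": "svc_backup_legacy", "src": "10.0.5.77"}
{"kind": "db", "table": "customers", "row_id": 999991, "user": "reporting_app"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines(), {"jdoe", "asmith"}):
        print(alert)
```

In a real deployment the event source would be the file integrity monitor, the directory service's authentication log and the database audit log the talk mentions, and the allowlist must be kept as small as the platform's own refresh job.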