Cyber Deception Has Use Cases You Aren't Thinking Of
Discussions of cyber capabilities are often driven by fairly simple applications that can be neatly packaged and shipped to overworked corporate security teams. Thus, when deception is discussed, the benefits touted are usually “better detection” and “another threat intelligence stream”. Both are core to cyber deception technology, but stopping there leaves a good chunk of money on the table.
This blog post explores alternative value propositions.
If you’d like to read a primer on deception, we explored the basics of deception technology in an earlier blog post, which you can read here.
1. Modifying the Visible Attack Surface to Reduce Residual Risk
Many organizations are in situations where they cannot patch, either in time or at all. What other options are there in this situation?
An organization’s attack surface comprises all points where an unauthorized user could potentially enter, exploit, or extract data. A larger, more complex attack surface naturally increases vulnerability exposure. The industry is probably ready to admit that plugging every hole is not possible - an admission that is partially baked into propositions like zero trust. You might say “segmentation”, but that is very costly and usually a longer-term project. Deception can offer quick rewards here.
Contrary to popular belief, attackers very often go for low-hanging fruit. Thus, giving them visibility of interesting, juicy-looking targets can pull them towards a decoy rather than another route. As an example, consider two vulnerabilities: one fairly fresh and rather difficult to exploit, the other known for a while and with numerous known exploits - which one offers the attacker a more probable payoff?
There are two forces at play here, diversion and concealment, both effective yet easy-to-deploy mechanisms of risk reduction. Adding a third mechanism, recurring updates and changes to your decoy assets, further reduces the likelihood of a successful breach.
2. Saving Effort in Detection Engineering
Unless you are a Fortune 250 company, chances are you are not in the luxury position of doing your own daily research to create, update, and fine-tune detection rules and signatures for identifying malicious activity. Most teams grapple with vast amounts of data, false positives, and other detection impurities, which result not only in obvious inefficiencies but also in burnout.
Good cyber deception elements (decoys) can be thought of here as neatly packaged bundles of detection engineering.
As decoys are not intended for legitimate use, any interaction with them is inherently suspicious, which reduces signal noise. Users therefore receive higher-fidelity data, since an interaction with a decoy indicates potential malicious intent. From a detection engineering standpoint, the point is that instead of having to develop, test, and deploy complex detection rules across all assets, you can skip directly to planting decoys across your infrastructure, with the development and testing already packaged into the decoy.
We would also invite the reader to consider whether deception should be part of the threat hunter’s toolkit. Hunters use traps to capture prey; could a similar analogy work in cyberspace?
3. Providing High-Fidelity, Granular Data for Automation and Artificial Intelligence Operations
Automation and AI operations rely heavily on the quality of the data fed into them. Poor data quality can lead to ineffective automation, misclassification, overlooked threats, automations triggered on false premises, and so forth. Following from the previous point, a big chunk of uncertainty is already removed from deception-derived alerts. Moreover:
Interactions with decoys provide clear indicators of attacker tactics, techniques, and procedures (TTPs) - that is, if the decoys are built right.
High-fidelity data from decoys can be used to train artificial intelligence models more effectively, improving threat detection and prediction capabilities.
Detailed alerts from decoy interactions make for much less stressful security automation operations, as far less analysis and validation is needed to build them.
Deception-based alerts are, in a sense, a finely refined data source, making them very usable at scale out of the box.
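To make the argument of sections 2 and 3 concrete, here is an added example (not code from the original post or its vendor) that runs two detection rules over a handful of constructed log lines. The first is a conventional threshold rule (N failed logons by one user), which needs tuning and still fires on a benign typo burst. The second is a decoy rule that fires only when an asset with no legitimate use is touched, and attaches a tactic label chosen when the decoy was planted, so downstream automation receives an alert that already carries context. All hostnames, account names, share paths, tactic labels and log lines are constructed for this example.

```python
"""Decoy-interaction detection over constructed log lines (added example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed decoy inventory: none of these names exist outside this example.
DECOY_HOSTS = {"fs-backup-02", "sql-legacy-01"}
DECOY_ACCOUNTS = {"svc_backup_admin"}
DECOY_SHARES = {r"\\fs-backup-02\finance_archive"}

# Assumed tactic labels attached per decoy class at planting time; an operator
# picks these, and downstream automation can key off them without further analysis.
DECOY_TACTIC = {
    "account": "Credential Access",
    "host": "Lateral Movement",
    "share": "Collection",
}

# Constructed log lines in a simplified key=value format.
SAMPLE_LOGS = [
    "ts=2024-05-01T08:01:02 event=logon_failed user=alice src=10.0.1.15 dst=ws-0412",
    "ts=2024-05-01T08:01:09 event=logon_failed user=alice src=10.0.1.15 dst=ws-0412",
    "ts=2024-05-01T08:01:15 event=logon_failed user=alice src=10.0.1.15 dst=ws-0412",
    "ts=2024-05-01T08:01:20 event=logon_ok user=alice src=10.0.1.15 dst=ws-0412",
    "ts=2024-05-01T08:02:00 event=logon_failed user=bob src=10.0.1.22 dst=ws-0418",
    "ts=2024-05-01T08:02:04 event=logon_ok user=bob src=10.0.1.22 dst=ws-0418",
    "ts=2024-05-01T09:14:31 event=logon_ok user=alice src=10.0.1.15 dst=fs-prod-01",
    "ts=2024-05-01T11:40:02 event=logon_failed user=svc_backup_admin src=10.0.7.9 dst=dc-01",
    r"ts=2024-05-01T11:40:20 event=smb_open user=svc_backup_admin src=10.0.7.9 dst=fs-backup-02 path=\\fs-backup-02\finance_archive",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict[str, str]:
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    src: str
    evidence: tuple[str, ...]
    tactics: tuple[str, ...] = ()


def threshold_rule(events: list[dict[str, str]], limit: int = 3) -> list[Alert]:
    """Conventional rule: alert when one user reaches `limit` failed logons.

    The threshold has to be tuned per environment, and the alert still needs an
    analyst to check whether it was an attack or a user mistyping a password.
    """
    fails: Counter[str] = Counter()
    alerts = []
    for e in events:
        if e.get("event") == "logon_failed":
            fails[e["user"]] += 1
            if fails[e["user"]] == limit:
                alerts.append(Alert("failed_logon_burst", e["user"], e["src"],
                                    (f"{limit} failed logons",)))
    return alerts


def decoy_rule(events: list[dict[str, str]]) -> list[Alert]:
    """Decoy rule: any touch of a decoy account, host or share is an alert.

    No threshold to tune and no baseline to learn: the asset has no legitimate
    use, so one event is enough, and the tactic labels ride along.
    """
    alerts = []
    for e in events:
        hits = []
        if e.get("user") in DECOY_ACCOUNTS:
            hits.append(("account", e["user"]))
        if e.get("dst") in DECOY_HOSTS:
            hits.append(("host", e["dst"]))
        if e.get("path") in DECOY_SHARES:
            hits.append(("share", e["path"]))
        if hits:
            alerts.append(Alert("decoy_interaction", e["user"], e["src"],
                                tuple(v for _, v in hits),
                                tuple(DECOY_TACTIC[k] for k, _ in hits)))
    return alerts


if __name__ == "__main__":
    events = [parse(line) for line in SAMPLE_LOGS]
    for alert in threshold_rule(events) + decoy_rule(events):
        print(alert)
```

On the sample data the threshold rule produces one alert, and it is a false positive (alice mistypes three times and then logs in normally), while the decoy rule produces two alerts, both for the decoy service account, the second of which also records the decoy host and share and therefore carries three tactic labels. That difference is the "packaged detection engineering" of section 2 and the "finely refined data source" of section 3 in miniature: the decoy rule needed no tuning, and its output can be routed to automation without a validation step.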
Summarizing
Per the above, cyber deception should not be thought of as yet another firewall-type solution; it contains behavioural elements, risk restructuring, zero trust attributes, and other nuances.
Cyber deception-sourced data also has unique qualities, making it readily usable in contrast to many bulk security data sources (like logs).
Check out our new Starter offering - and get your deception journey kickstarted for free.