Let’s assume that a threat actor has found an unsecured entry point into our internal environment. If an attacker pressures or incentivizes an employee to act on their behalf, many of the security features we rely on may not help. In the past, an Internet-accessible host called a honeypot would bait an attacker into targeting it. Honeypots have since grown into an array of solutions known collectively as deception technology. The premise remains the same: tempt the attacker into engaging with a host that sends off alerts notifying the security team that someone is accessing the network in an unusual way.
Many of us have played red/blue team exercises as part of vendor marketing events. Cybersecurity is a never-ending seesaw where the power shifts between the attacker (red team) and the defender (blue team). However, the game of deception is more like these exercises in reverse, where we anticipate the threat actor’s attacks and attempt to uncover and track the activity.
In Ransomware Series Part 1, we discussed how ransomware campaigns work and how to stop them. In Part 2, we looked at implementing a secure access service edge (SASE) architecture to prevent ransomware. We focused on the Domain Name System (DNS) as an entry point in Part 3. In Part 4, Cory Kramer discussed email security and next-generation firewalls (NGFW). In this final Part 5, we close out the series by examining deception technology, how it has evolved, and how to tilt the odds in your favor to win the cybersecurity game.
The Evolution of Deception Technology
In the early days, several kinds of hosts were used: an unsecured fake database, a web server, or a planted network device with a public Simple Network Management Protocol (SNMP) community string reachable from the Internet. In most cases, the goal was to waste an attacker’s time. Tarpits behind a firewall would fake having open ports and respond slowly to incoming connections, massively slowing the scanning process. A host configured to send email alerts when anyone logs into it, left with Remote Desktop Protocol (RDP) and Telnet open, might look very tempting.
Then various changes forced deception technology to reevaluate its purpose. Disposable computing power and the ability to deploy systems at scale made tarpits less effective. The automation of vulnerability exploitation also made tarpits and honeypots less attractive, since detecting and responding still took time. Security information and event management (SIEM) and central alerting quickly outpaced the idea of custom alerting schemes. Distracting attackers so they focus on a host with no value might work for a while, but investing in solutions that reduce dwell time and improve the mean time to respond (MTTR) provides more demonstrable value. When a magician finds your card in the deck, they either know which card you will select or have a marker card ready to identify it. The rest of the deck is just noise and distraction. There is always a way to find your exact card, but knowing how the trick is performed is what exposes the deception.
Modern Deception Technology
Implementing a modern deception technology solution should be proactive and broad, produce few false positives, and elicit an orchestrated, automated response. As with honeypots, fake systems are seeded alongside legitimate ones. For example, a fake Active Directory (AD) server can be left unpatched, with its credentials monitored through the logs of the legitimate AD servers. A legitimate user would never hold a credential set from the fake server, so when a threat actor’s access is registered against this phony server, the resulting alerts allow the team to collect threat intelligence. The source Internet Protocol (IP) addresses can be automatically added to a firewall block list that protects essential assets. We effectively create a walled garden that limits the attacker’s choices on the corporate network. In this case, we proactively stop lateral movement while continuing to monitor and gather clues about the attacker’s identity or infiltration goals. At any point, we can terminate their access. The hunter has become the hunted in this reverse red team/blue team exercise.
Although there are many other options for fake systems, the example above is one use case for a broad deception technology deployment, which should include endpoints, network devices, and cloud resources. The model should embrace zero trust and have the proper controls in place well in advance. To prevent lateral movement, appropriate solutions in the corporate network include NGFW, endpoint microtunneling, and SASE. The goal is to have chokepoints tuned automatically once an attacker is positively identified on the network through a set of fake credentials, IP addresses, network scans, and the like. All of these systems should be integrated with a SIEM to correlate alerts and activities, which further enhances the ability to identify and contain a threat actor. Security orchestration, automation, and response (SOAR) can then act on the threat intelligence collected from the deception technology solution.
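The decoy-credential detection and automated blocking described in the two paragraphs above, as an added example that is not Nexum’s code or any vendor’s product. It assumes a constructed, SIEM-normalized key=value logon event format, constructed decoy account names, a constructed address for the deception platform’s own health checks, and a generic deny-rule syntax standing in for whatever the NGFW actually accepts:

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Decoy ("honey") accounts that exist only on the fake AD server. No legitimate
# user ever receives these credentials, so any logon attempt with them is
# high-fidelity evidence of an intruder. Names are constructed for this example.
DECOY_ACCOUNTS: Set[str] = {"svc_backup_legacy", "adm_sql_old"}

# Assumption: the deception platform itself probes the decoy accounts from a
# known address for health checks; those events are benign and suppressed.
KNOWN_BENIGN_SOURCES: Set[str] = {"10.1.200.10"}

# Windows Security log event IDs for logon outcomes.
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625

# Parser for the simplified key=value line format used by the sample below
# (a constructed stand-in for a SIEM-normalized Windows logon event).
LINE_RE = re.compile(
    r"EventID=(?P<event>\d+)\s+Account=(?P<account>\S+)\s+"
    r"SourceIP=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+Host=(?P<host>\S+)"
)


@dataclass
class LogonEvent:
    event_id: int
    account: str
    source_ip: str
    host: str


@dataclass
class Alert:
    account: str
    source_ip: str
    host: str
    outcome: str  # "success" or "failure"


@dataclass
class DeceptionResult:
    alerts: List[Alert] = field(default_factory=list)
    block_list: Set[str] = field(default_factory=set)


def parse_line(line: str) -> Optional[LogonEvent]:
    """Extract the logon fields from one log line; None if the line does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return LogonEvent(
        event_id=int(m.group("event")),
        account=m.group("account").lower(),  # AD account names are case-insensitive
        source_ip=m.group("ip"),
        host=m.group("host"),
    )


def detect_decoy_use(lines, decoys=DECOY_ACCOUNTS, benign_sources=KNOWN_BENIGN_SOURCES) -> DeceptionResult:
    """Scan logon events from the legitimate DCs for any use of decoy credentials.

    Both failed and successful logons count: a failure shows the intruder holds the
    decoy username, a success shows the decoy credential set itself was taken.
    Every offending source IP is queued for the firewall block list.
    """
    result = DeceptionResult()
    decoy_set = {d.lower() for d in decoys}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.event_id not in (LOGON_SUCCESS, LOGON_FAILURE):
            continue
        if ev.account not in decoy_set or ev.source_ip in benign_sources:
            continue
        outcome = "success" if ev.event_id == LOGON_SUCCESS else "failure"
        result.alerts.append(Alert(ev.account, ev.source_ip, ev.host, outcome))
        result.block_list.add(ev.source_ip)
    return result


def render_block_rules(block_list) -> List[str]:
    """Render the block list as deny rules in a generic constructed syntax
    (not any vendor's); a SOAR playbook would translate and push these to the NGFW."""
    return [f"deny ip from {ip} to any" for ip in sorted(block_list)]


# Constructed sample log lines, as a legitimate domain controller might emit them
# after SIEM normalization. Event 4672 is a privilege assignment, not a logon.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z EventID=4624 Account=jdoe SourceIP=10.1.5.20 Host=DC01",
    "2024-01-01T10:00:05Z EventID=4625 Account=svc_backup_legacy SourceIP=10.1.7.44 Host=DC01",
    "2024-01-01T10:00:09Z EventID=4624 Account=SVC_BACKUP_LEGACY SourceIP=10.1.7.44 Host=DC02",
    "2024-01-01T10:01:00Z EventID=4672 Account=jdoe SourceIP=10.1.5.20 Host=DC01",
    "2024-01-01T10:02:00Z EventID=4624 Account=adm_sql_old SourceIP=10.1.9.3 Host=DC01",
    "2024-01-01T10:03:00Z EventID=4624 Account=adm_sql_old SourceIP=10.1.200.10 Host=DC01",
    "this line is not a logon event at all",
]

if __name__ == "__main__":
    res = detect_decoy_use(SAMPLE_LOGS)
    for a in res.alerts:
        print(f"ALERT decoy account {a.account} used from {a.source_ip} against {a.host} ({a.outcome})")
    for rule in render_block_rules(res.block_list):
        print(rule)
```

The detector deliberately ignores everything except logon events against decoy accounts, which is what keeps the false-positive rate low: the alert fires on who is authenticating, not on how often, so a single attempt is enough to start the block-and-monitor playbook.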
Ransomware Lessons Learned
A common theme we’ve focused on throughout this Ransomware Series is knowing what and who is on your network. Visibility is crucial to your strategy (learn more about this in our Visibility Series). While the approaches and techniques change over time, one of the first steps is to monitor traffic and understand that traffic in context. The ability to see what is occurring and to figure out why means being able to detect malicious actions. In the defense against ransomware and the threats that will come after it, knowing is half the battle. Reviewing the what, the who, and the why can reduce the impact of a malicious event.
With Nexum, You Win
We learn how to protect corporate assets by understanding how the threat actor operates. The experts at Nexum can identify and implement the appropriate solution for your needs, regardless of the zero trust networking and security adoption stage. Deception technology, appropriate security controls, alert logging, and correlation let you flip the game on a threat actor who has squirreled their way into your network. Nexum is here to help elevate your game so that you win.