Deception technology

Last updated

Deception technology is a category of cyber security defense mechanisms that provide early warning of potential cyber security attacks and alert organizations of unauthorized activity. Deception technology products can detect, analyze, and defend against zero-day and advanced attacks, often in real time. They are automated, accurate, [1] and provide insight into malicious activity within internal networks which may be unseen by other types of cyber defense. Deception technology seeks to deceive an attacker, detect them, and then defeat them.

Contents

Deception technology considers the point of view of human attackers and method for exploiting and navigating networks to identify and exfiltrate data. It integrates with existing technologies to provide new visibility into the internal networks, share high probability alerts and threat intelligence with the existing infrastructure.

Technology: High level view

Deception technology automates the creation of traps (decoys) and lures, which are strategically integrated among existing IT resources. These decoys provide an additional layer of protection to thwart attackers who have breached the network. Traps can be IT assets that utilize genuine licensed operating system software or emulate various devices, such as medical devices, automated teller machines (ATMs), retail point-of-sale systems, switches, routers, and more. On the other hand, lures typically consist of real information technology resources, such as files of different types, that are placed on actual IT assets. Due to advancement in the area of cybersecurity, deception technology programs are increasingly proactive in approach and produce fewer false-positive alerts. The goal is to accurately discover the intention of the attacker and their tactics, technique and procedure. These information will enable effective response from the deception technology platforms. [2]

Upon penetrating the network, attackers seek to establish a backdoor and then use this to identify and exfiltrate data and intellectual property. They begin moving laterally through the internal VLANs and almost immediately will "encounter" one of the traps. Interacting with one of these "decoys" will trigger an alert. These alerts have very high probability and almost always coincide to an ongoing attack. The deception is designed to lure the attacker in – the attacker may consider this a worthy asset and continue by injecting malware. Deception technology generally allows for automated static and dynamic analysis of this injected malware and provides these reports through automation to the security operations personnel. Deception technology may also identify, through indicators of compromise (IOC), suspect end-points that are part of the compromise cycle. Automation also allows for an automated memory analysis of the suspect endpoints, and then automatically isolating the suspect endpoints.

Specialized applications

Internet of things (IoT) devices are not usually scanned by legacy defense in depth and remain prime targets for attackers within the network. Deception technology can identify attackers moving laterally into the network within these devices.

Integrated turnkey devices that utilize embedded operating systems but do not allow these operating systems to be scanned or closely protected by embedded end-point or intrusion detection software are also well protected by a deception technology deployment in the same network. Examples include process control systems (SCADA) used in many manufacturing applications on a global basis. Deception technology has been associated with the discovery of Zombie Zero, [3] an attack vector. Deception technology identified this attacker utilizing malware embedded in barcode readers which were manufactured overseas.

Medical devices are particular vulnerable to cyber-attacks within the healthcare networks. As FDA-certified devices, they are in closed systems and not accessible to standard cyber defense software. Deception technology can surround and protect these devices and identify attackers using backdoor placement and data exfiltration. Recent documented cyber attacks on medical devices include x-ray machines, CT scanners, MRI scanners, blood gas analyzers, PACS systems and many more. Networks utilizing these devices can be protected by deception technology. This attack vector, called medical device hijack or medjack, is estimated to have penetrated many hospitals worldwide. [4]

Specialized deception technology products are now capable of addressing the rise in ransomware by deceiving ransomware into engaging in an attack on a decoy resource, while isolating the infection points and alerting the cyber defense software team. [5]

History

Honeypots were perhaps the first very simple form of deception. A honeypot appeared simply as an unprotected information technology resource and presented itself in an attractive way to a prospective attacker already within the network. However, most early honeypots exhibit challenges with functionality, integrity and overall efficacy in meeting these goals. A key difficulty was lack of automation that enabled broad scale deployment; a deployment strategy that aimed to cover an enterprise where up to tens of thousands of VLANS needed to be protected would not be economically efficient using manual processes and manual configuration.

The gap between legacy honeypots and modern deception technology has diminished over time and will continue to do so. Modern honeypots constitute the low end of the deception technology space today.

Differentiation from competitive/cooperative technologies

Traditional cyber defense technologies such as firewalls and endpoint security seek primarily to defend a perimeter, but they cannot do so with 100% certainty. Heuristics may find an attacker within the network, but often generate so many alerts that critical alerts are missed. In a large enterprise, the alert volume may reach millions of alerts per day. Security operations personnel cannot process most of the activity easily, yet it only takes one successful penetration to compromise an entire network. This means cyber-attackers can penetrate these networks and move unimpeded for months, stealing data and intellectual property.

Deception technology produces alerts that are the end product of a binary process. Probability is essentially reduced to two values: 0% and 100%. Any party that seeks to identify, ping, enter, view any trap or utilizes a lure is immediately identified as malicious by this behavior because anyone touching these traps or lures should not be doing so. This certainty is an advantage over the many extraneous alerts generated by heuristics and probability-based.

Best practice shows that deception technology is not a stand-alone strategy. Deception technology is an additional compatible layer to the existing defense-in-depth cyber defense. Partner integrations make it most useful. The goal is to add protection for the most advanced and sophisticated human attackers that will successfully penetrate the perimeter.

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

<span class="mw-page-title-main">SANS Institute</span> American security company

The SANS Institute is a private U.S. for-profit company founded in 1989 that specializes in information security, cybersecurity training, and selling certificates. Topics available for training include cyber and network defenses, penetration testing, incident response, digital forensics, and auditing. The information security courses are developed through a consensus process involving administrators, security managers, and information security professionals. The courses cover security fundamentals and technical aspects of information security. The institute has been recognized for its training programs and certification programs. Per 2021, SANS is the world’s largest cybersecurity research and training organization. SANS is an acronym for SysAdmin, Audit, Network, and Security.

<span class="mw-page-title-main">Honeypot (computing)</span> Computer security mechanism

In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data that appears to be a legitimate part of the site which contains information or resources of value to attackers. It is actually isolated, monitored, and capable of blocking or analyzing the attackers. This is similar to police sting operations, colloquially known as "baiting" a suspect.

<span class="mw-page-title-main">ESET</span> Slovak internet security company

ESET, s.r.o., is a software company specializing in cybersecurity. ESET's security products are made in Europe and provide security software in over 200 countries and territories worldwide. Its software is localized into more than 30 languages.

Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs: conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: it secures the network, as well as protecting and overseeing operations being done. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.

Ransomware is a type of cryptovirological malware that permanently blocks access to the victim's personal data unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

<span class="mw-page-title-main">Malwarebytes</span> Internet security company

Malwarebytes Inc. is an American Internet security company that specializes in protecting home computers, smartphones, and companies from malware and other threats. It has offices in Santa Clara, California; Clearwater, Florida; Tallinn, Estonia; Bastia Umbra, Italy; and Cork, Ireland.

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). SIEM is the core component of any typical Security Operations Center (SOC), which is the centralized response team addressing security issues within an organization.

Lastline, Inc. is an American cyber security company and breach detection platform provider based in Redwood City, California. The company offers network-based security breach detection and other security services that combat malware used by advanced persistent threat (APT) groups for businesses, government organizations and other security service providers. Lastline has offices in North America, Europe, and Asia.

Endpoint security or endpoint protection is an approach to the protection of computer networks that are remotely bridged to client devices. The connection of endpoint devices such as laptops, tablets, mobile phones, Internet-of-things devices, and other wireless devices to corporate networks creates attack paths for security threats. Endpoint security attempts to ensure that such devices follow a definite level of compliance to standards.

<span class="mw-page-title-main">Illusive Networks</span>

Illusive Networks is a cybersecurity firm headquartered in Tel Aviv, Israel and New York. The company produces technology that stops cyber attackers from moving laterally inside networks by finding and eliminating errant credentials and connections, planting deceptive information about given network's resources, emulating devices, and deploying high interactivity decoys. Network administrators are alerted when cyber attackers use security deceptions in an attempt to exploit the network. Illusive Networks is the first company launched by the Tel Aviv-based incubator, Team8. In June 2015, Illusive Networks received $5 million in Series A funding from Team8. To date, it has raised over $54M.

Active defense can refer to a defensive strategy in the military or cybersecurity arena.

A medical device hijack is a type of cyber attack. The weakness they target are the medical devices of a hospital. This was covered extensively in the press in 2015 and in 2016.

<span class="mw-page-title-main">LogicLocker</span> Ransomware worm targeting industrial control systems

LogicLocker, is a cross-vendor ransomware worm that targets Programmable Logic Controllers (PLCs) used in Industrial Control Systems (ICS). First described in a research paper released by the Georgia Institute of Technology, the malware is capable of hijacking multiple PLCs from various popular vendors. The researchers, using a water treatment plant model, were able to demonstrate the ability to display false readings, shut valves and modify Chlorine release to poisonous levels using a Schneider Modicon M241, Schneider Modicon M221 and an Allen Bradley MicroLogix 1400 PLC. The ransomware is designed to bypass weak authentication mechanisms found in various PLCs and lock out legitimate users while planting a logicbomb into the PLC. As of 14 February 2017, it is noted that there are over 1,400 of the same PLCs used in the proof-of-concept attack that were accessible from the internet as found using Shodan.

Browser isolation is a cybersecurity model which aims to physically isolate an internet user's browsing activity away from their local networks and infrastructure. Browser isolation technologies approach this model in different ways, but they all seek to achieve the same goal, effective isolation of the web browser and a user's browsing activity as a method of securing web browsers from browser-based security exploits, as well as web-borne threats such as ransomware and other malware. When a browser isolation technology is delivered to its customers as a cloud hosted service, this is known as remote browser isolation (RBI), a model which enables organizations to deploy a browser isolation solution to their users without managing the associated server infrastructure. There are also client side approaches to browser isolation, based on client-side hypervisors, which do not depend on servers in order to isolate their users browsing activity and the associated risks, instead the activity is virtually isolated on the local host machine. Client-side solutions break the security through physical isolation model, but they do allow the user to avoid the server overhead costs associated with remote browser isolation solutions.

<span class="mw-page-title-main">Anomali</span> American cybersecurity company

Anomali Inc. is an American cybersecurity company that develops and provides threat intelligence products. In 2023, the company moved into providing security analytics powered by artificial intelligence (AI).

Nyotron is an information-security company. It was established in 2009 by brothers Nir and Ofer Gaist. Nir Gaist is the CTO, and Sagit Manor became the CEO in 2017. The company is based in Santa Clara, CA, with an R&D office in Herzliya, Israel.

Cisco Talos, or Cisco Talos Intelligence Group, is a cybersecurity technology and information security company based in Fulton, Maryland. It is a part of Cisco Systems Inc. Talos' threat intelligence powers Cisco Secure products and services, including malware detection and prevention systems. Talos provides Cisco customers and internet users with customizable defensive technologies and techniques through several of their own open-source products, including the Snort intrusion prevention system and ClamAV anti-virus engine.

Extended detection and response (XDR) is a cybersecurity technology that monitors and mitigates cyber security threats.

References

  1. Lawrence Pingree quotes in article: Maria Korolov (August 29, 2016). "Deception technology grows and evolves". CSO Online. Archived from the original on June 30, 2018. Retrieved August 13, 2023.
  2. "What is Deception Technology? Importance & Benefits| Zscaler". www.zscaler.com. Retrieved 2024-03-15.
  3. Marko, Kurt. "How a Scanner Infected Corporate Systems and Stole Data: Beware Trojan Peripherals". Forbes . Archived from the original on 2022-09-24. Retrieved 2023-08-13.
  4. "The Dangerous State of Medical Cybersecurity". 13 July 2016. Archived from the original on 3 November 2016. Retrieved 2 November 2016.
  5. "TrapX launches ransomware deception tool, CryptoTrap". 25 August 2016. Archived from the original on 31 October 2016. Retrieved 2 November 2016.

Further reading