The art of deception networks: New technique snares cyberattackers
Cutting-edge security pros are tapping into a new method of attracting and then miring would-be cyberattackers amid ongoing efforts to safeguard health information: deception networks.
A deception network appears real and behaves normally, except that it toys with intruders: a single wrong move, such as touching a decoy share or file, exposes them and can get them expelled at once, which both slows cybercriminals' nefarious activity and makes them easier to catch.
The technique essentially involves small lures, such as decoy files and shares, placed at strategic points throughout a network and its endpoints.
“A deception network is numerous sets of lures or traps strategically placed throughout real networks and endpoints,” said Alton Kizziah, vice president of global managed services at Kudelski Security. “It is designed to attract, delay and detect an attacker’s movement through the targeted organization as they try to find the way to their objective.”
In a hospital, a typical and topical threat is ransomware, because the risk-versus-reward calculus strongly favors the attacker. When setting up a deception network for healthcare, an organization should pay special attention to the lures that can detect ransomware activity and configure managed deceptions accordingly, Kizziah said.
“Deception solutions provide a fresh, proactive approach to cybersecurity and start with the assumption that attackers already are in the network,” said Ofer Israeli, CEO and founder of Illusive Networks, a vendor of deception network technology and services. “If an advanced attacker makes it past the basic perimeter controls, deception technology provides the next level of defense, safeguarding the crown jewels of healthcare organizations as well as their most sensitive data and zones.”
In addition to protecting sensitive assets, deception-based cybersecurity bolsters the monitoring of networks to ensure the earliest detection and mitigation of cyberattacks, minimizing impact to business operations, Israeli added. Some attacks, known as advanced persistent threats, can be underway for many months prior to being discovered.
“These types of attacks won’t hit you every day, but when they do, they can cost tens of millions of dollars, not to mention the reputational damage,” Israeli said.
There are two factors that must be understood to know how an attacker gets snared in a deception, Kizziah explained.
“First, we need to understand how real-world attacks happen, typically starting with reconnaissance followed by phishing,” he explained. “This allows the intruder access to a user’s machine. Once that initial foothold is complete, the next step is to move laterally through the environment to deepen the access. In hospitals, for example, that access is used to spread ransomware or other malicious code throughout the environment, encrypting as many machines as possible.”
To understand deception, there’s a tough pill to swallow: accepting that your organization has already been breached.
“Second, look at this through the lens of an attacker,” Kizziah said. “They do not know everything about their targets’ inner workings until they gain the initial foothold and a lay of the land. This is where deception technology brings a lot of its capability to bear. With deceptive lures set on a real and operational machine, and as the intruder begins to feel their way around the patient end-point and the networks to which it is connected, the deceptive bait is taken and the adversary caught.”
In the aforementioned healthcare scenario, the attack is automated and the ransomware begins to map the network looking for hosts and data to encrypt. When the automation hits a deceptive share, or tries to encrypt a deceptive file, any further action can be halted.
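The decoy-file tripwire described above, written out as an added example (this is not code from the article or from any vendor quoted in it): decoys with known contents are planted beside real files and a SHA-256 baseline is recorded; any process that modifies, renames or deletes a decoy trips an alert, and the simulated host-isolation hook stops the encryptor. The ransomware here is a constructed stand-in (XOR the bytes, rename to `.locked`), and all file names are hypothetical, so the whole thing runs offline in a temporary directory.

```python
"""Decoy-file tripwire for ransomware detection (added example, not from the article).

Plants decoy files with known contents, records a SHA-256 baseline, and re-checks
that baseline to detect any process that modifies, renames or deletes a decoy.
No legitimate user or application has a reason to touch a decoy, so one changed
file is a high-confidence alert. The encryptor below is a constructed stand-in
for ransomware; every file name is hypothetical.
"""
import hashlib
import tempfile
from pathlib import Path

# Hypothetical decoy names, chosen to sort before the real files so that an
# encryptor walking the directory in name order hits a decoy first.
DECOY_NAMES = ["00_Backup_Passwords.txt", "01_Patient_Export.csv"]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_decoys(root: Path) -> dict:
    """Write the decoys and return {path: sha256} as the tamper baseline."""
    baseline = {}
    for name in DECOY_NAMES:
        p = root / name
        p.write_bytes(b"DECOY - do not open\n" * 32)
        baseline[p] = sha256_of(p)
    return baseline


def check_decoys(baseline: dict) -> list:
    """Return [(name, reason)] for every decoy that is missing or altered."""
    alerts = []
    for path, digest in baseline.items():
        if not path.exists():
            alerts.append((path.name, "missing"))
        elif sha256_of(path) != digest:
            alerts.append((path.name, "modified"))
    return alerts


def simulate_ransomware(root: Path, baseline: dict, key: int = 0x5A) -> dict:
    """Constructed encryptor: XOR each file, write <name>.locked, delete the original.

    After every file it consults the tripwire, standing in for an EDR or network
    hook that isolates the host as soon as a decoy alert fires.
    """
    encrypted, alerts = [], []
    for p in sorted(root.iterdir()):
        if not p.is_file() or p.suffix == ".locked":
            continue
        p.with_name(p.name + ".locked").write_bytes(bytes(b ^ key for b in p.read_bytes()))
        p.unlink()
        encrypted.append(p.name)
        alerts = check_decoys(baseline)
        if alerts:  # decoy touched: host isolated, encryption stops here
            break
    return {"encrypted": encrypted, "alerts": alerts, "isolated": bool(alerts)}


def run_demo() -> dict:
    """Plant decoys beside two constructed real files, run the encryptor, report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in ["Q3_billing.xlsx", "radiology_notes.docx"]:  # constructed real files
            (root / name).write_bytes(b"real data")
        baseline = plant_decoys(root)
        if check_decoys(baseline):
            raise RuntimeError("baseline must be clean before monitoring starts")
        result = simulate_ransomware(root, baseline)
        result["survivors"] = sorted(
            p.name for p in root.iterdir() if not p.name.endswith(".locked")
        )
        return result


if __name__ == "__main__":
    print(run_demo())
```

In the demo the first file the encryptor touches is a decoy, so the alert fires after one file and both real files survive. The ordering is the point of the naming choice: decoys placed where an automated walk reaches them first give the shortest possible dwell time, and the hash baseline means the check needs no agent hook on the endpoint, only periodic read access to the decoys.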
Deception is easy to deploy and in many cases does not require another agent to be installed on an end user’s system, Kizziah said.
“There is minimal upkeep and they lie dormant on end-points not consuming any precious resources,” he explained. “However, when I think of deception’s greatest benefit, I have to think of how difficult it has been for security professionals to detect attackers when wading through a sea of security alerts. With each new advanced security technology, we get another source of alerts to consume.”
Security information and event management technology helps, but it doesn’t solve the problem, which is that organizations always are behind attackers, never in front, Kizziah said.
“If we can accept that even with the best of threat prevention and detection, we will be breached, then adding deceptions can flip the paradigm,” he said. “Once a deception alert has been triggered, an organization immediately goes into response mode because the false positive rate is so low.”