Deception a Strategies for Cyber
“Although to use deception in any action is detestable, nevertheless in waging war it is praiseworthy and brings fame: He who conquers the enemy by deception is praised as much as he who conquers them by force." - Machiavelli, Discourses on Livy
It is interesting to hear from colleagues that deception technology is not in their portfolio and many of them are not sure where to fit it within their cybersecurity landscape. The themes I have been hearing have been either the technology too risky (from a legal perspective), there is no budget for it this year, or the general lack of knowledge about the maturity of deception technology.
There is a serious disconnect currently within the cybersecurity industry between tool makers, processes, leaders, and operators to effectively defend private assets. Almost everyone in the cybersecurity world has heard about the tactics of Sun-Tzu, but few outside of the military know of a modern tactician Carl von Clausewitz. To understand the value of deception, we take a page from “On War” that underlines the points that the goal of good defensive tactics, is to include deception. Deception can be used as a way to lure the enemy out of their defensive positions and into attack mode. In this mode, the singular focus on committing to an attack changes behaviors and creates a mental state where the peripherals are all but lost, thereby allowing the attacker to be deceived and thereby put in a weakened defensive state themselves.
As mentioned, the majority of cyber defensive postures within organizations has been the deployment of a classical "area defensive" strategy, with the only tactics utilized being the divert or block, which requires the enemy to engage with a siege solution and becomes a lengthy battle. Additionally, we have failed to see the benefit of funneling an attack to learn the enemy's weakness. By continually fighting in this type of art, siege warfare has been described as not being an intellectual game, meaning in that to use brute force and to use direct approaches was how this type of battle went and each subsequent activity was performed like clockwork. Von Clausewitz in Chapter II of “The Theory of War” goes into these same remarks of using brute force and refers to this activity as “automation and lacking any value or achieving victory on the modern battlefield.”
Deception has been classified as a tool, but in reality, it should be looked at as a strategy. Key components of tools that provide deception strategies can funnel, divert, and identify attackers that may have circumvented the classical defensive strategies to allow for faster decisions and mitigation actions. Strategies and tools must include bait, trap and diversion operations to lure attackers with fictitious data and configurations into traps. The traps create fake attack surfaces that should be camouflaged as network connected assets. When thinking of tools to make the strategy successful these tools should be:
- Agentless to ensure that attackers cannot determine that something is running.
- Reduces risk by not allowing traps to be used a jumping point for attacking other assets or other organizations.
- Zero hardware that can be fingerprinted and leveraged for weaknesses in alerting the attacker that the tool is running.
There is only one tool in my opinion, that approaches this concept as a true strategy: TrapX Security’s DeceptionGrid. It is a cyber security deception platform that can help organizations truly implement a deception-based strategy within a cyber defense and meets those requirements to ensure the right intelligence is collected while keeping the advisories in the dark and successfully preventing any advanced persistent threats (APTs) while providing early breach detection.