How to use deception and concealment to improve IT security

Making use of deceptive tactics has been the game plan of cybercriminals for years. Now organisations are turning the tables and using the same techniques as a form of defence.

Used in conjunction with established security strategies, deception and concealment can significantly increase the resilience of IT infrastructures and ward off potentially damaging and expensive attacks.

As the name suggests, deception involves tricking an attacker into thinking they have gained access to valuable digital resources. Instead of gaining that access, they are guided to alternative resources that have no value at all. Concealment works differently: rather than interweaving decoys within production assets or data, it makes real objects disappear, leaving only the decoys for attackers to see.

These tactics are achieved by first hiding and denying access to data, Active Directory objects, and credentials. Misinformation can also be returned to the attacker for further derailment. Next, a range of decoy assets can be deployed across an organisation’s IT infrastructure. These could range from applications to databases that appear authentic but actually have nothing to do with daily activity.

Because these items are not actually in use, any attempt to access them is an indication that an attacker has successfully gained entry into the infrastructure or is conducting unauthorised activities. A notification can be sent to the security team, which can take further steps to remediate the exposure and neutralise the threat.
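
The alerting rule described above, sketched as an added example (not code from the article or from any vendor product): because decoys have no legitimate users, every event that touches one raises an alert, with no threshold or baseline needed. The decoy names, event fields and log records are constructed for illustration.

```python
from collections import defaultdict

# Hypothetical decoy inventory (constructed names): bait assets with no legitimate users.
DECOYS = {
    "svc-backup-legacy": "credential",   # decoy directory account
    "fin-db-02": "database",             # decoy database server
    "fs-archive/payroll": "file_share",  # decoy file share
}

# Constructed access events in a simplified, normalised form.
EVENTS = [
    {"ts": "09:12:03", "src": "10.0.4.17", "user": "alice", "target": "crm-app-01"},
    {"ts": "09:40:51", "src": "10.0.4.23", "user": "svc-backup-legacy", "target": "dc-01"},
    {"ts": "09:41:10", "src": "10.0.4.23", "user": "bob", "target": "fin-db-02"},
    {"ts": "09:43:37", "src": "10.0.4.23", "user": "bob", "target": "fs-archive/payroll"},
    {"ts": "10:02:15", "src": "10.0.4.31", "user": "carol", "target": "hr-app-01"},
]


def decoy_alerts(events, decoys=DECOYS):
    """Return an alert for every event that touches a decoy. No threshold:
    decoys are not in use, so a single touch is already suspicious."""
    alerts = []
    for ev in events:
        # A decoy may be the asset accessed or the identity used for access.
        for field in ("user", "target"):
            name = ev.get(field)
            if name in decoys:
                alerts.append({"ts": ev["ts"], "src": ev["src"], "decoy": name,
                               "kind": decoys[name], "matched_on": field})
    return alerts


def by_source(alerts):
    """Group decoy hits per source host, giving responders the intruder's trail."""
    trail = defaultdict(list)
    for a in alerts:
        trail[a["src"]].append(a["decoy"])
    return dict(trail)


if __name__ == "__main__":
    for src, decoys in by_source(decoy_alerts(EVENTS)).items():
        print(f"ALERT {src} touched decoys: {', '.join(decoys)}")
```

Grouping the hits by source host turns three separate alerts into one trail for the host at 10.0.4.23, which is the information a responder needs to isolate it.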

A strategy of deception and concealment is particularly valuable when it comes to protecting high-value assets. These could be anything from power generating or water purification facilities to satellite constellations or defence systems. It becomes an additional tool for security teams that must constantly strive to be a step ahead of the cybercriminals they are battling against.

Two approaches to deceptive security

When an organisation opts to undertake a deception-based approach to security, it can be done in two different ways. The first is to conceal real information, use misdirections, and deploy deceptive assets into the infrastructure and then be alerted when they are accessed. The security team can then quickly identify how the attacker gained access and plug the hole to ensure it can’t be used again.

A second approach involves using deceptive techniques to monitor and manage attackers. When an intruder engages with a decoy, the security team can monitor how the attacker is moving through the network and what types of assets are being sought.

The techniques used during the attack can be analysed and used to further strengthen the infrastructure security measures that are in place.

Business benefits of deception

Regardless of the strategy chosen, making use of deceptive techniques can deliver significant benefits to an organisation. Firstly, it can reduce the time it takes to identify an intrusion and take steps towards remediation. As soon as the unauthorised activity is detected or the decoy assets are accessed, the security team can be notified.

Deception assets can also lead to an attacker revealing their presence within the network much earlier than would otherwise have been the case. Any lateral movement that involves the assets can trigger a flag and prompt action.

The technique can also work well with existing security measures. No changes are required to components such as firewalls or signature-based security tools. It simply creates another layer of protection for the organisation. Plus, through native integrations, attack data can be shared for automated isolation, blocking, and threat hunting.

It can also assist in preventing damaging ransomware attacks. Attackers can be tricked into installing their code on a decoy data storage asset, thinking they have found something of value. They can then be neutralised before they can cause any actual damage or disruption.

The data gained from attempts to access deception assets can also be used to map attack tactics to MITRE ATT&CK® and to further strengthen defences. Studying the techniques being used by cybercriminals can demonstrate to teams just how well their existing tools are performing.

With the cyberthreat landscape constantly evolving, security teams must work hard to ensure their defensive measures are as strong as possible. By adding deception and concealment to the mix, important digital assets can be further protected against even the most advanced potential threats.

Jim Cook
Jim Cook is ANZ Regional Director at Attivo Networks, an award-winning leader in cyber deception and attacker lateral movement threat detection. Cook has more than 20 years’ experience in the IT industry in both Australia and the UK and was previously ANZ Regional Director at Malwarebytes. Prior to that, he was Country Manager at Fortinet and also worked at Check Point Software Technologies for nine years in several sales positions.