
SoS Musings #22

Exploring the Art of Deception in Cybersecurity

Deception has traditionally been associated with warfare, politics, and commerce, but it is now considered one of the more promising strategies for improving cybersecurity. Deceptive strategies and technologies in cyber defense operations can further improve the prevention of malicious adversarial operations and reduce the exposure and theft of real technology assets. The main goals of deception in cyber defense are to detect, study, mislead, and lure attackers away from sensitive assets once they have infiltrated a targeted system or network. Deception is performed by setting traps and placing bait: simulated assets modeled after real technology assets within a real or virtual environment. According to a report shared by MarketWatch, the deception technology market is forecast to be valued at over $2.50 billion by 2022, indicating an expected rise in the development and application of deception technology.

By applying deception techniques and technologies, organizations can reduce the cyber risks they face and improve their security posture. It is important that organizations detect and respond to cyberattacks quickly: the longer hackers remain within the network or system they have infiltrated, the more damage they can inflict and the harder they become to detect. Such damage includes the theft of sensitive data, the deletion or alteration of files, the planting of malware, and more. Because deception technology fools hackers into thinking they have gained access to real assets such as workstations, servers, and applications, security teams can observe and monitor the hackers' operations, navigation, and tools without the concern that real assets will be damaged. Deception technology also reduces false positives: legitimate users and processes have no reason to touch the deception layer, so any access to it can be considered malicious and can immediately trigger a high-confidence alert. The information gathered through deception technology, such as the behavior and methods of attackers, can be used to detect and respond to attacks quickly post-breach, as well as to develop better defense strategies and technologies.
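As an added illustration of the "any touch to the deception layer is malicious" rule described above (example code written for this article, not Sandia's or any vendor's): a small detector that, given a decoy inventory and some auth-log lines, raises an alert for every interaction with a decoy host or honeytoken account and keeps a per-source timeline of what the intruder did inside the deception layer. The decoy addresses, account names, log format and log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed decoy inventory (assumption): hosts and honeytoken accounts that
# exist only in the deception layer, so no legitimate activity should touch them.
DECOY_HOSTS = {"10.0.9.21", "10.0.9.22"}
DECOY_USERS = {"svc_backup_old", "finance_share"}

# Constructed auth/file-access log lines in a simplified key=value style
# (not captures from any real system).
SAMPLE_LOGS = """\
2024-03-01T09:12:03 host=10.0.1.5 user=alice action=login result=ok src=10.0.1.50
2024-03-01T09:13:44 host=10.0.9.21 user=root action=login result=fail src=10.0.1.77
2024-03-01T09:13:59 host=10.0.1.8 user=svc_backup_old action=login result=ok src=10.0.1.77
2024-03-01T09:14:10 host=10.0.9.22 user=bob action=smb_read result=ok src=10.0.1.77
2024-03-01T09:20:00 host=10.0.1.8 user=bob action=smb_read result=ok src=10.0.1.60
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)

def parse(line):
    """Return the event as a dict, or None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def decoy_reason(event):
    """Why an event counts as a decoy touch, or None if it stayed on real assets.
    Failed attempts count too: probing a decoy is as telling as logging into one."""
    if event["host"] in DECOY_HOSTS:
        return "decoy_host"
    if event["user"] in DECOY_USERS:
        return "honeytoken_user"
    return None

def detect(log_text):
    """Return (alerts, timeline): one alert per decoy touch and, per source
    address, the ordered list of what that source did in the deception layer."""
    alerts, timeline = [], defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        reason = decoy_reason(ev) if ev else None
        if reason is None:
            continue  # real-asset traffic: not an alert, so no false positive here
        alerts.append({"ts": ev["ts"], "src": ev["src"], "reason": reason,
                       "host": ev["host"], "user": ev["user"], "action": ev["action"]})
        timeline[ev["src"]].append((ev["ts"], ev["action"], ev["host"]))
    return alerts, dict(timeline)
```

Running `detect(SAMPLE_LOGS)` on the constructed lines yields three alerts, all from source 10.0.1.77, and a timeline showing that source moving from a failed root login on one decoy to a honeytoken login and then a file read on a second decoy, while the two legitimate lines produce nothing.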

There have been advances in the research and development of deception technology. Cyber researchers at Sandia National Laboratories apply deceptive techniques in a patented alternative reality called HADES (High fidelity Adaptive Deception & Emulation System). Hackers who enter a network protected by HADES are lured into a simulated reality that includes virtual replicas of real hard drives, memory, and data sets, some of which have been discreetly modified. Within this environment, hackers expose their tools and techniques as they operate and attempt to tell real data from fake. The top vendors in the realm of deception technology include Illusive Networks, Attivo Networks, Smokescreen, TrapX, and Cymmetria. Illusive Networks has been recognized by Frost & Sullivan for offering the best cyber deception technology, which allows organizations to detect and trap attackers through a deceptive path and to generate detailed forensic data such as the attackers' specific activities, tools, and files, along with the command and control center to which they are connected. Assistant Professor Guanhua Yan and PhD student Zhan Shu at Binghamton University are conducting research aimed at improving the effectiveness of existing cyber deception tools by making their deception more consistent. The computer scientists want to ensure that the deceptive environment remains consistent with what hackers have already observed as they navigate, so that the environment is not recognized as deceptive.

Although deception technology offers benefits such as the early detection of attacks and the reduction of hackers' dwell time in a network, it is not a silver-bullet solution for cyber defense. Deception technology must keep improving so that the deceptive environments in which attackers are trapped remain consistent with what the attackers have already observed as they navigate; otherwise the deception itself is detected. In addition, deception technology must continue to evolve alongside the ever-changing cyber threat landscape by being continuously fed with threat intelligence so that its decoys can be updated.