Cybersecurity Deception – Using Active Defense to Beat Cyber Adversaries

By Moshe Ben Simon | October 14, 2022

With increased complexity due to the expanding digital attack surface, a growing cyber skills gap facing IT and OT leaders, and a dynamic, evolving threat landscape, organizations need to constantly evaluate their cybersecurity strategies to make sure they reduce their cyber risk as much as possible. One technology that is showing great promise, especially for the reconnaissance phase, is deception technology. Deception can provide value across the attack chain by not only deceiving adversaries but also detecting them, supplying forensic data, and even helping with real-time mitigation. Fortinet’s Moshe Ben Simon, Vice President of Product Management, offers his perspective on the value of deception technology today, to help CISOs interpret the role the technology can play in reducing overall cyber risk in both OT and IT environments.

Can you give a brief overview of deception technology showcasing its uniqueness compared to other security technologies?

Moshe: Deception technology intervenes early in the reconnaissance phase in an attempt to lure and deceive cybercriminals, giving organizations the ability to detect their activities early in the kill chain. Deception technology aims to attract adversaries away from an organization's true assets and divert them to a decoy or trap before they can move laterally in a system or encrypt data. The decoy mimics legitimate servers, applications, and data so that the criminal is tricked into believing that they have infiltrated and gained access to the enterprise's most important assets when in reality they have not. The strategy is employed to minimize damage and protect an organization's true assets. Deception technology relies on the idea of a network honeypot, which is the precursor to today's multi-faceted and more advanced cyber deception, which includes fake assets, data, or information that functions alongside production systems. Unlike the classic honeypot strategy, a successful deception technology will provide several layers of protection. Deception technology is unique because of its ability to get into the “mind of the attacker.” In fact, deception is an active defense approach, recognized by MITRE with MITRE Engage, meaning that you can engage with the attacker to detect malicious activity. From there, organizations can analyze attacker activity to better protect themselves from future attacks.

What is one key distinguishing value of deception for CISOs?

Moshe: Although many CISOs may be aware of the value of deception technology, they may not realize that it is a great tool to detect ransomware. By feeding ransomware with fake files, and by letting the ransomware encrypt these fake files, it is possible to identify the ransomware, no matter how sophisticated. Ransomware needs to encrypt, and by feeding it fake files, it is possible to trick attackers by presenting what they’re looking to find.

In addition, deception technology can reduce the frequency of false positives, allowing IT teams to focus on the attacker's movements, which is important in regard to ransomware. It can also reduce the amount of noise and alerts which can evolve from multiple point products being used in an environment.

Perhaps one of the most frequently misunderstood values of deception technology is the ability to do a mitigation response. Mitigation essentially quarantines or isolates an infected asset before taking it out of the network completely. Good deception technology can take ransomware out of the network quickly, to avoid disrupting real files.
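The ransomware-detection idea described in this answer, as an added example that is not Fortinet's or FortiDeceptor's code: a minimal honeyfile monitor in Python that plants decoy files, baselines their hashes, and raises an alert when a decoy is deleted, modified, or overwritten with high-entropy data, which is what in-place encryption looks like on disk. The decoy file names, the decoy content, and the 7.0 bits-per-byte entropy threshold are assumptions.

```python
import hashlib
import math
import os

# Constructed decoy content: low-entropy text that looks like a real document.
DECOY_TEXT = b"Q3 payroll summary - CONFIDENTIAL\n" + b"employee,amount\n" * 40
# Assumed threshold: plaintext is ~4-5 bits/byte, ciphertext approaches 8.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_decoys(directory: str, names=("payroll_2022.csv", "passwords.txt")) -> dict:
    """Write decoy files (assumed names) and record a SHA-256 baseline for each."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(DECOY_TEXT)
        baseline[path] = hashlib.sha256(DECOY_TEXT).hexdigest()
    return baseline


def check_decoys(baseline: dict) -> list:
    """One alert per decoy that was deleted, modified, or overwritten with
    high-entropy data (the signature of in-place encryption)."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append({"path": path, "event": "deleted"})
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() == expected:
            continue  # untouched: no alert, which keeps false positives near zero
        entropy = shannon_entropy(data)
        event = "encrypted" if entropy >= ENTROPY_THRESHOLD else "modified"
        alerts.append({"path": path, "event": event, "entropy": round(entropy, 2)})
    return alerts
```

Because no legitimate process should ever touch a decoy, any alert from check_decoys is high-confidence and can feed the quarantine step the answer describes.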

Is deception hard to implement? Is it just for large enterprises?

Moshe: Knowing your environment and having visibility into key assets is crucial to setting up deception technology. Deception technology relies on virtualization, which will allow deception technology to automate deployment. Good deception technology will, for example, generate a network asset inventory automatically. Based on the inventory, the platform will automatically build the deception components, as well as analyze and deploy the decoys to mimic an environment. Even more, deception technology can provide security teams with visibility into what resources an organization has, and how well a deception deployment is covering these resources.

Contrary to the belief that deception technology can only be implemented for large enterprises, it can actually be especially applicable for smaller organizations that may not have the budget or staff to implement more complex tools or employ a comprehensive security team. Many types of organizations can benefit from deception's improved visibility.

Also, in regard to operational technology (OT) environments, deception can provide unique value. Most industrial control systems lack security by design. In addition, limited built-in security controls in legacy systems leave sensitive and critical devices unpatched or unmonitored. Often, patches are not available, and even if they are, maintenance windows are costly and measured in months or even years due to safety and reliability priorities. Also, since OT environments are disparate, deception can provide compensating control.

How can deception help organizations get smarter on cyber adversary TTPs and their own risk posture?

Moshe: At a high level, good deception technology should enable three models: 1) deceive and detect, 2) forensics, and 3) mitigation. Deception basically acts like a security camera, capturing adversary activity starting from the moment the attacker engages with the decoy. Further, it analyzes the attack automatically, generating threat intelligence and describing the entirety of the attack stream – landscape, behavior, technique, etc. It also breaks down the attack into a timeline that is easy to understand, with data to identify other infected areas of the network based on the adversary’s IoCs.

Get Early Detection and Fast Response Using Deception Techniques

In the podcast below, learn about:

  • How deception techniques can make breach detection more reliable
  • Leveraging FortiDeceptor for the use of deceptive network traffic and tokens
  • Deploying FortiDeceptor
  • Using FortiRecon for vulnerability management

Learn more about how cyber deception technology is a very effective method to detect and mitigate advanced cyber threats.