Cyber deception – five years in
Five years in, cyber deception has changed everything in how we run security operations.
There is nothing more frustrating than going to work every morning knowing that we are going to lose. If the attackers want it enough, there is little we can do. Cyber deception takes a different approach. By allowing us the advantage, visibility, and control of our own networks – we can determine the attacker’s path, detect them, and control where they will go.
Strategically, we are finally dynamic. Maneuverable, we move beyond building static controls dooming us to analyze after we are already compromised. We no longer need to defend everything while the attackers need only one successful attempt. The burden of anomaly detection can shift to the attackers. Attackers can no longer simply research our tools, change a couple of bits, and bypass us. We can be agnostic to attack type (even to a 0day), and still, be effective — Even if we are bypassed.
With the industry’s acknowledgement of the “assumed compromise” stance, where the attacker is assumed to already be in our environment, we need better controls. We should expect more from our vendors. We need to deploy controls beyond the endpoint and the edge. Lateral movement is where we win, as attackers attempt using our own credentials and our own persistent, or authorized, paths.
Cyber deception is complex, but the basics can be summed up thus:
1. While attack tools change, the attacker does not. Methodologies remain the same. Therefore, attackers are predictable.
2. As attackers will search for our own information (credentials, shared, cookies) to understand how to build their operations, and we control that information — we control them.
By leaving a piece of data, a breadcrumb if you will, on an endpoint, the attacker can no longer rely on the data collected. You incept attackers straight through the OODA loop. They can no longer just enumerate through the data and pivot. For the first time, they must tread carefully.
It’s no longer about them needing to succeed only once. If they make a wrong move and follow a breadcrumb to a fully instrumented decoy machine — they are done. The operation is blown, and their toolset has been taken.
Stuxnet had code in it which was 12 years old. Imagine yourself as the head of a threat actor organization. After 12 years of running successful intelligence operations, in one day — your capability is destroyed.
Assuming a threat actor runs 2500 operations a year for intelligence gathering, which in turn support more operations generating yet more intelligence, and of course your inability to launch new collection operations for a while, you are facing strategic damage.
This is the power of cyber deception. It changes the attackers’ whole game plan. From budget to KPIs, they are now slower, and their overall economic cost is increased exponentially.
Unlike five years ago when people asked me “deception what? Honeypots?” the market now understands what cyber deception is and that it’s the real deal. APT targeted threat actors have been caught proving its veracity, and thousands of organizations now deploy the capability.
As the founder of Cymmetria, I am proud to be a part of this rapidly growing industry. As a security practitioner, I’m proud that cyber deception sets a new standard for other security tools and controls, where we no longer accept passivity, and demand clear wins – not alerts.