John, Don’t Fire Me
By Some Soc Analyst
A.K.A. Cyber Deception
By Kaitlyn Wimberley
Deception as a technique in physical confrontation is not a new concept. Think Trojan horse or trapdoors. Think misinformation and psychological warfare. Think Mark Rober’s glitter bombs. Everyone goes to Sun Tzu for war advice, and he said, “All warfare is based on deception.”
We all know about deception used by attackers — phishing emails, social engineering, sketchy executables disguised as something benign, etc. But why should the offense have all the fun? Why would the blue team build up our defenses, and then sit around waiting to be attacked? It’s good for us to build our moats and walls, but what about the guys (and gals) that sneak in? (And they will.)
Any well-rounded defensive program should include cyber deception. But what is it? Why should you consider it? Is it difficult to implement? (Hint: it’s not.)
What is Cyber Deception?
Cyber deception is a form of active defense. It often involves setting up a juicy target that is rigged to help detect, identify, distract, or deter attackers (or Annoy, Attribute, and Attack... because apparently AAA is a cool acronym that is underused). What are the benefits?
It’s obvious that detection is important. You want to know when you are actively being targeted. Deception can be used to fill in detective gaps. Maybe the execution of that tool was missed, but a canary account was touched and it set off the alarm. The more lasers the bad guy has to avoid, the better.
We also have a great opportunity to use deception to find out WHO is attacking us. We can follow the trail from that tripped canary to see what host has been compromised (or maybe it’s an insider threat?). A honeypot can be monitored to see who is trying to take advantage of it. Poisoned documents can serve as our own Trojan horse that calls home with the information of whoever stole it. If we know who is attacking us, we may learn why they are targeting us, what techniques they use, or how skilled they are.
Another hugely important benefit of deception is wasting the attackers’ time. We get to be really annoying and creative here. We point them to empty chests, and they break them open to find no treasure. We can poison their enumeration, or slow down their attack with a tarpit. The more times a hacker fails and goes after another target, the more chances we have to detect them. The more time they waste, the less time they spend succeeding.
Of course, the ultimate win with deception is deterring an attacker from continuing their attack or going after us at all. Annoyance can tie into this. A fly-by attacker isn’t going to waste their time in an obnoxious environment when they just want an easy win. Not everyone will be deterred, but in general, attackers want to take the path of least resistance.
Making Deception Work for You
Effective implementation requires action. It does no good to incorporate deception if it is not being monitored or nothing is done with the information. Create detections for canary accounts (and tune them!), quarantine devices, block the attackers out, use the knowledge gained to inform defensive decisions.
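As an added example (not from the article or from John's course), here is a minimal detector for the canary-account idea above: it flags any authentication event that touches a decoy account, carries an allowlist for tuning out the one source that legitimately polls those accounts, and tallies which hosts tripped the wire so you can follow the trail. The account names, addresses and JSON layout are constructed; the field names mirror Windows Security event fields.

```python
# Added example, not from the article: flag any touch of a canary (decoy) account.
# Input is one JSON object per line, constructed to mirror Windows Security event
# fields (EventID, TargetUserName, IpAddress, TimeCreated); all names are assumed.
import json
from collections import Counter, namedtuple

CANARY_ACCOUNTS = {"svc_backup_admin", "it_helpdesk2"}   # assumed decoy accounts
# Tuning: (source_ip, event_id) pairs that legitimately touch canaries, e.g. an
# audit job that requests a ticket for every account. Everything else alerts.
TUNED_SOURCES = {("10.0.5.20", "4768")}

Alert = namedtuple("Alert", "account source_ip event_id time")

def parse_event(line):
    """Return the event dict, or None for a malformed line (never crash the loop)."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    return ev if isinstance(ev, dict) else None

def detect(lines, canaries=CANARY_ACCOUNTS, tuned=TUNED_SOURCES):
    """One Alert per event whose target account is a canary, minus tuned sources."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        account = str(ev.get("TargetUserName", "")).lower()  # case-insensitive match
        if account not in canaries:
            continue
        source = (str(ev.get("IpAddress", "")), str(ev.get("EventID", "")))
        if source in tuned:
            continue
        alerts.append(Alert(account, source[0], source[1], str(ev.get("TimeCreated", ""))))
    return alerts

def sources_by_hits(alerts):
    """Follow the trail: which source addresses tripped the wire, and how often."""
    return dict(Counter(a.source_ip for a in alerts))

SAMPLE_LOG = [  # constructed events; 4624/4625/4768/4771 are real Windows logon event IDs
    '{"TimeCreated":"2024-01-02T08:00:01Z","EventID":4624,"TargetUserName":"alice","IpAddress":"10.0.1.15"}',
    '{"TimeCreated":"2024-01-02T08:05:00Z","EventID":4768,"TargetUserName":"svc_backup_admin","IpAddress":"10.0.5.20"}',
    '{"TimeCreated":"2024-01-02T08:07:13Z","EventID":4625,"TargetUserName":"SVC_BACKUP_ADMIN","IpAddress":"10.0.1.77"}',
    'garbage line that is not JSON',
    '{"TimeCreated":"2024-01-02T08:07:20Z","EventID":4771,"TargetUserName":"it_helpdesk2","IpAddress":"10.0.1.77"}',
]
```

Running detect(SAMPLE_LOG) yields two alerts, both from 10.0.1.77, while the tuned audit job's ticket request stays quiet; drop the tuning and that job alerts too, which is exactly the noise the "tune them!" advice is about.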
Cyber deception is also not magic. It cannot, and should not, replace the fundamentals (patching systems, firewalls, segmentation, security policies, etc.). Deception should be the cilantro on the taco (icing on the cake is overdone) for your defensive strategy. It should fill gaps and provide visibility and intelligence where there was less or none previously.
Finally, always operate with integrity. Cyber deception is fun, but keep in mind the needs and policies of your organization and the current limits of the law. We’re not here to be vigilantes or law enforcement (unless you actually are). Protect what belongs to you, but don’t become the bad guy to get back at one.
Are We Done Yet?
Almost.
There are so many wickedly brilliant deception tactics and tools out there. There are tools and techniques you can use to not only fool the attackers, but also attribute attacks to them, or even attack back (legally). If you’re at all interested in deception and learning some (only a little evil) tricks, check out John’s class, Active Defense and Cyber Deception. This article is a pond; John’s course is the ocean.
Now, let’s go set some trip wires and make the attackers catch themselves!
Resources
John’s Class: https://www.antisyphontraining.com/active-defense-cyber-deception-w-john-strand/
ADHD: https://adhdproject.github.io/
Glitter Bombs: https://www.youtube.com/watch?v=xoxhDk-hwuo
Behind-the-Zines
The original request for this design highlighted the line about dodging laser beams. Kaitlyn starts the article by talking about glitter bombs and Trojan horses… put ’em all together and you get an exploding piñata!