26.02.2018
The Art of Cyber Defense: Security by Deception
I’m sure many security professionals are familiar with The Art of War by Sun Tzu. This book, dating from the 5th century BC, is a timeless classic. Although it was written as a treatise on military strategy and tactics, many of the concepts are applicable to other disciplines as well. Even more so, it’s the basis for my personal philosophy on cyber defense.
Most cyber security firms still focus mainly on reactive defense. I don’t believe this is the right approach. When you detect an attack and immediately block it, this alerts the culprit. He will then try a different method of attack, leaving you in the dark on what his next move will be. As a result you effectively waste the opportunity to get to know your enemy.
In the words of Sun Tzu: 'Rouse him, and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots.' (Sun Tzu, The Art of War)
I believe active defense and deception are necessary to stall, sabotage and eventually trap your enemy. You have to actively disrupt their business model and keep them occupied. The more time and money they burn on their attack, the sooner they will stop and move on to an easier target.
Anatomy of an attack
So how does this translate into a concrete method for active cyber defense? First we focus on the attack itself, always consisting of the following stages: recon, scanning, gaining access, maintaining access and covering tracks. The actions involved are often (partly) executed by automated tools. By monitoring an attacker’s activities you can find out which tools he is using, and learn which options you have to defend against them. In most cases these tools can be rendered ineffective fairly easily.
But that's not your main objective: you want him to reveal a lot more data about his skillset and motives. Are you dealing with a random attack by a script kiddie, or are you targeted by a serious hacker collective? To keep gathering data you don't block the attack, but prolong it. You want to lure your attacker into a false sense of security and allow him to use his tools and techniques. This will show you exactly what he knows about your applications, networks, company and employees, help you build the most accurate profile of your attacker, and give you the best possible way to defend against him.
Of course there is an inherent problem with this approach: the attacker will eventually succeed if you give him enough time. This means you need to stall him.
Enter the honeypot
Given the volatile cyber threat landscape I believe honeypots are the way forward to increase security. They offer a safe way to allow attackers to gain access to your systems, so you can keep them occupied and study their behavior. You can then monitor what tools and techniques they are using. How do they elevate and maintain access? Do they deploy malware, and if so, what kind? Do they have insider knowledge about the network and are they looking for specific systems or files?
In addition to your honeypots you need optimal visibility of your network(s). That's a crucial part of being in control. Don't just trust your firewalls and IPS, but monitor each of your (separate) networks using threat hunting tooling. You need to see exactly what goes on in your network. If you know which devices are communicating with each other, you can detect anomalies. You can also use techniques like passive DNS monitoring to find out in time if someone is brute-forcing your DNS. And even when there is no malicious activity in your network at all, using the right monitoring tools will probably help you find a lot of unexpected configuration errors.
Using deception
To increase the effectiveness/attractiveness of your honeypot, you need to go a little bit further. Here we enter the realm of active defense.
One way is by placing hidden, Google-indexed pages on your website, containing specific fake e-mail accounts. These can then be set up as easy attack vectors to gain access to the fake e-mail server in your honeypot, or simply to trigger alarms. You can also create easily compromised LinkedIn pages for non-existing employees that appear to help an attacker gain access. Yet another method is registering specific DNS entries that lead to the honeypot. When one of these is hit, via a name you never use yourself, you know that someone has brute-forced your DNS. In all these cases you're creating custom attack vectors for potential attackers. You want to lure them to your honeypot, away from your actual network, to trigger timely warnings and provide you with in-depth intelligence.
Another effective method of luring an attacker is by giving him exactly what he's looking for. Is he scanning for open ports using Nmap? Then present him with 65,535 open ports by replying to each SYN with a SYN-ACK. This will either give him a lot of work, or discourage him from going any further.
Or perhaps he’s scanning for vulnerabilities in web applications? Just return 200 OK on all scans. When the attacker is presented with thousands of exploitable vulnerabilities he will have a hard time finding the real ones. By using these techniques you’re basically rendering his tools useless. You’re causing him to invest much more of his time and effort to hack his target, disrupting his business model.
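As an added example (not code from the original post), the following Python decoy web responder answers every request with 200 OK, exactly as described above, so that a web vulnerability scanner sees a "hit" on every path it tries. Its real purpose is defensive: it records each probed path, query parameter and User-Agent per source address so you can profile the scanner's wordlist and request rate. The path heuristics, listening port (8080) and the addresses and User-Agent strings used in testing are assumptions of this example, not values from the post.

```python
"""Decoy web responder (added example, not from the original post).

Answers every request with 200 OK so a vulnerability scanner sees 'hits'
on every path it probes, while the defender records exactly which paths,
parameters and User-Agents were tried. Path patterns, the listening port
and all sample values are constructed for this example.
"""
import re
import threading
import time
from collections import Counter, defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlsplit

# Per-source record of what was probed; used to profile the scanner.
PROBES = defaultdict(list)
_LOCK = threading.Lock()

# Rough hints that a path came from a canned scanner wordlist (assumed).
SCANNER_HINTS = (
    re.compile(r"\.(php|asp|aspx|bak|old|sql|env)$", re.I),
    re.compile(r"/(phpmyadmin|wp-admin|cgi-bin|\.git|\.svn)(/|$)", re.I),
)


def classify_path(path):
    """Return 'scanner-wordlist' if the path looks like a canned probe,
    otherwise 'other'. Purely heuristic; tune it to your own site."""
    for pattern in SCANNER_HINTS:
        if pattern.search(path):
            return "scanner-wordlist"
    return "other"


def record_probe(source, method, raw_path, user_agent):
    """Store one probe for `source` and return the structured record."""
    parts = urlsplit(raw_path)
    rec = {
        "ts": time.time(),
        "method": method,
        "path": parts.path,
        "params": dict(parse_qsl(parts.query)),
        "ua": user_agent,
        "kind": classify_path(parts.path),
    }
    with _LOCK:
        PROBES[source].append(rec)
    return rec


def profile(source):
    """Summarise a source: request count, share of wordlist-looking paths,
    distinct User-Agents and requests per second over the observed window.
    Returns None if the source was never seen."""
    with _LOCK:
        recs = list(PROBES.get(source, []))
    if not recs:
        return None
    span = max(recs[-1]["ts"] - recs[0]["ts"], 1e-6)
    kinds = Counter(r["kind"] for r in recs)
    return {
        "requests": len(recs),
        "wordlist_ratio": kinds["scanner-wordlist"] / len(recs),
        "user_agents": sorted({r["ua"] for r in recs}),
        "rate_per_s": len(recs) / span if len(recs) > 1 else 0.0,
    }


def decoy_body(path):
    """A plausible-looking page so the scanner's content checks also 'succeed'."""
    return f"<html><body><h1>Index of {path}</h1></body></html>".encode()


class DecoyHandler(BaseHTTPRequestHandler):
    def _serve(self):
        record_probe(self.client_address[0], self.command, self.path,
                     self.headers.get("User-Agent", "-"))
        body = decoy_body(urlsplit(self.path).path)
        self.send_response(200)  # every path 'exists'
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = _serve

    def log_message(self, fmt, *args):
        pass  # probes are kept in PROBES, not written to stderr


if __name__ == "__main__":
    # Assumed bind address/port; run behind the decoy hostname of your choice.
    HTTPServer(("127.0.0.1", 8080), DecoyHandler).serve_forever()
```

Run it and point a scanner at it: every path comes back 200, and `profile("<address>")` tells you how much of the traffic matches wordlist-style probes and how fast it arrived, which is usually enough to tell an automated tool from a human.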
But why don't we get even more creative? It might be even better to randomly include some interesting-looking SQL injection errors in a web application. Give the attacker false information, such as wrong paths, wrong headers or incorrect error messages. And lastly you can generate falsified user accounts, which trigger an alarm whenever someone tries to log in with them. On login failures you can redirect the attacker to your honeypot and allow him to succeed in his attack.
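The bait described in the two passages above (fake e-mail accounts on a hidden page, DNS names that only lead to the honeypot, and falsified user accounts) only pays off if something watches for it. The following Python monitor is an added example, not the post's own tooling: it runs over constructed SMTP, DNS and SSH log lines, raises an alert whenever one of the bait values is touched, and ranks sources by how many different kinds of bait they have tripped. The log formats, bait values, addresses and the honeypot address are all assumptions of this example.

```python
"""Honeytoken tripwire monitor (added example, not from the original post).

Correlates three kinds of bait: fake e-mail addresses published on a
hidden page, DNS names that exist only to point at the honeypot, and
fake user accounts. Any log line touching one of them is a high-confidence
alert, because no legitimate user ever has a reason to use them.
All names, addresses, log formats and log lines are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Bait registered by the defender (constructed values).
CANARY_EMAILS = {"backup-admin@example.com", "j.doe.old@example.com"}
CANARY_DNS = {"vpn2.example.com", "git-old.example.com"}
CANARY_USERS = {"svc_backup", "jdoe_old"}
HONEYPOT = "10.99.0.5"  # hypothetical address of the honeypot


@dataclass
class Alert:
    kind: str    # 'email', 'dns' or 'login'
    token: str   # which bait was touched
    source: str  # client / querying address
    action: str  # what to do with the session


# Constructed log formats: SMTP auth, DNS query log, SSH auth log.
SMTP_RE = re.compile(r"smtp auth (?P<result>ok|fail) user=(?P<user>\S+) from=(?P<src>[\d.]+)")
DNS_RE = re.compile(r"query from (?P<src>[\d.]+): (?P<name>\S+) IN A")
SSH_RE = re.compile(r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")


def check_line(line):
    """Return an Alert if the line touches a canary, else None."""
    m = SMTP_RE.search(line)
    if m and m.group("user").lower() in CANARY_EMAILS:
        return Alert("email", m.group("user"), m.group("src"),
                     f"redirect session to honeypot {HONEYPOT}")
    m = DNS_RE.search(line)
    if m:
        name = m.group("name").rstrip(".").lower()  # drop trailing root dot
        if name in CANARY_DNS:
            # A name nobody uses was resolved: the zone is being enumerated.
            return Alert("dns", name, m.group("src"), "flag source as enumerating DNS")
    m = SSH_RE.search(line)
    if m and m.group("user") in CANARY_USERS:
        return Alert("login", m.group("user"), m.group("src"),
                     f"redirect session to honeypot {HONEYPOT}")
    return None


def scan(lines):
    """Run check_line over an iterable of log lines, keeping only alerts."""
    return [a for a in (check_line(line) for line in lines) if a]


def by_source(alerts):
    """Map each source address to the set of bait kinds it tripped."""
    kinds = defaultdict(set)
    for a in alerts:
        kinds[a.source].add(a.kind)
    return dict(kinds)


def prioritise(alerts):
    """Sources ordered by how many distinct kinds of bait they touched.
    Tripping several unrelated honeytokens is a much stronger signal
    than a single hit."""
    summary = by_source(alerts)
    return sorted(summary, key=lambda s: len(summary[s]), reverse=True)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "Feb 26 10:01:02 mx smtp auth fail user=backup-admin@example.com from=203.0.113.7",
    "Feb 26 10:01:05 ns query from 203.0.113.7: vpn2.example.com. IN A",
    "Feb 26 10:01:09 ns query from 198.51.100.2: www.example.com. IN A",
    "Feb 26 10:02:31 bastion sshd[412]: Failed password for invalid user svc_backup from 203.0.113.7 port 51022 ssh2",
    "Feb 26 10:02:40 bastion sshd[413]: Accepted password for alice from 192.0.2.10 port 51030 ssh2",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"[{a.kind}] {a.token} from {a.source}: {a.action}")
    print("priority:", prioritise(found))
```

In practice the three regexes would be replaced by your own log parsers, and the "action" would feed whatever redirects the session to the honeypot; the point is that the bait values live in one place and every log source is checked against all of them.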
Using these techniques you're in total control. You've placed your opponent in a glass cage, a place where he can do no harm, while actively stalling him and studying his every move.
More active defense techniques
By gathering intelligence on the skillset and background of an attacker and the tools and malware he uses, you're one step ahead. This helps you to make an accurate risk assessment and take basic technical measures, such as updating your endpoint security tooling with the necessary signatures. This, however, is essentially still an old school security approach. Active defense goes much deeper.
In the next blogs of this series I will focus on various active cyber defense techniques, big data analysis, as well as some cunning deceptions to further stall and discourage attackers. I’m looking forward to your comments and suggestions.