psdesign1 - Fotolia

Steal a march on cyber criminals through security by deception

Security by obscurity, although a common and tempting practice, is generally not recommended, but security by deception offers a way for defenders to make it more difficult for attackers to succeed and easier for defenders to catch them

Running a company is not easy, and business owners face a multitude of risks daily, but cyber crime is either not at the top of the list of concerns or may even be overlooked, despite cyber criminals continually targeting companies to steal lucrative business data.

Cyber crime statistics paint a bleak picture for businesses. According to the latest Cyber Security Breaches Study – compiled by the UK government – nearly seven in 10 British companies have been hit a cyber breach or attack in the past year, with the average cost of breaches for firms around £20,000, but in some cases, the cost was in the millions.

Dealing with cyber crime is not easy, either. Cyber criminals are constantly coming up with new ways to hinder company IT security systems, and they are doing this at a great rate.

There is also the challenge that the cyber security market is somewhat fragmented, with many companies offering products in this arena. Key decision-makers are then left with the complicated task of coming up with an effective remedy.

One increasingly popular new approach that companies are using to fight cyber crime is security deception, the act of using fake online environments to trap digital crooks in the act.

Also commonly known as hotspots, businesses are using this creative computer security method to detect and then kill cyber breaches.

Often, these approaches are centred around data that appears to be a part of a company’s digital infrastructure – while it is actually a trap. But how effective is this form of cyber security management?

Turning firms into secret agents

Many businesses are being drawn towards deception technology because it allows them to trap cyber criminals in relatively secure, controlled settings, so there should not be a scenario where a firm conducts an act of deception and it goes wrong.

Simon Plant, senior manager at virtualisation specialist Bromium, says this technique lets companies act as though they were secret agents.

“Imagine being bombarded by an advanced persistent threat that avoids detection, and moves covertly through your systems over time. Imagine if you could be a secret agent like James Bond 007 and lay booby traps to catch the evil villain, all within the safety of an isolated environment? With deception tech, you can,” he tells Computer Weekly.

“That’s why it is fast becoming the ‘must have’ for enterprises. Gartner predicts that by 2018, 10% of enterprises will use deception tools and tactics, and actively participate in deception operations against attackers.

“Like an undercover spy, deception technology allows organisations to create isolated virtual honey-traps by leaving fake credentials and documents for hackers to steal,” he says.

Once a company is able to trap a cyber criminal, they can gather analysis around the type of attack and how it happened in the first place. “The attacker can be tricked into following a false trail of breadcrumbs to what appears to be valuable data and then trapped in a hardware isolated virtual machine,” he says.

“From here, actionable intelligence can be gathered and investigated, such as where the attack originated and what files or data was targeted. The intelligence can then be shared to help improve security throughout the organisation.”

Understanding cyber criminals

Guy Bunker, senior vice-president of cyber security company Clearswift, has spent much of his career protecting businesses from hackers. He regularly advises businesses of all sizes on cyber security matters, and security deception has become popular trend among his clients. He says cyber trickery is key in understanding the motives of criminals.

“Dealing with cyber attacks is a war. One way to find out what ‘the enemy’ has is to get them to reveal their hand – by getting them to attack something which appears to be of value, but isn’t,” he says.

“When a new server appears on the internet, it is usually only a few minutes before it is ‘probed’ to find out who the new kid on the block is, while some of this is carried out by legitimate organisations.

“There is also the other side which is looking at how the server could be exploited – what applications are on it, have they been patched, and know vulnerabilities which could be exploited to gain access and control.

“Cyber researchers have long been used to setting up systems to be attacked on purpose, which are known in general as honeypots. However, there are specialisations of this, with the ones looking for spam are known as spamtraps, for example,” he says.

While honeypots have become a popular cyber security tactic for businesses, Bunker says there is still need for caution because cyber criminals can easily identify these techniques if they do not appear to be authentic. 

“The key to a successful honeypot is for it to look like it is a legitimate system – linking them together to create a network, with a firewall and with some systems inside ‘the organisation’ while others are outside to act as the first point of contact,” he says.

“Tools are then deployed to monitor activity and behavior of the system, picking up both the approaches made and any successful intrusions which take place.”

“This is not as simple as it might appear, as the people doing the probing or attacking are also well aware of the honeypot, and so will examine the systems for clues that might reveal a trap and back off quietly.

“It’s a game of cat and mouse being played out remotely across the globe. The key to a successful fake environment is that it needs to be as close to ‘real’ as possible. There needs to be ‘users’ and ‘traffic’ being simulated on the box, so that someone looking from outside believes that it is real.

“Any monitoring tools above and beyond what might be installed on a real system need to be covert – often this is done through running virtual machines.”

Rise of deception tech

Based in San Francisco, Pivotal is one of the cyber security specialists developing deception technology and offering it as a key service to businesses.

The firm recently announced a feature for its Pivotal Cloud Foundry (PCF) product called CredHub, which rotates datacentre credentials every few minutes or hours. Every time the credentials rotate, the data becomes useless to hackers, turning the system into an unsolvable game and rendering leaked credentials far less damaging.

Justin Smith, chief security officer of Pivotal, believes that companies should set up several sets of credentials and rotate them regularly to trick cyber criminals. “To many, hackers are the apex predators in the digital food chain. We reject that notion. Instead, it’s important to remove a key ingredient a hacker needs to mount a successful attack: time,” he says.

“Repair newly disclosed vulnerabilities; repair servers from a known good state; and rotate your credentials regularly. This should be done automatically and frequently. It’s not a cure-all, but it does reorder the digital food chain.”

According to Smith, attacks require some or all of the following: time, vulnerable software, and leaked credentials. “These ingredients have proven stable over time, certainly since 2000. If a user’s email credentials are like a winning scratch-and-play lottery ticket, then distributed system credentials are like a powerball-here’s-your-private-jet-plus-a-billion lottery ticket,” he says.

To many, hackers are the apex predators in the digital food chain. We reject that notion
Justin Smith, Pivota

“User credentials tend to expose access to what a person can see, distributed system credentials tend to expose what a whole company can see. Our approach to this problem is a bit different, but being able to rotate these credentials quickly takes the sting out of credential leakage. It also means you can detect leakage much more quickly.”

Scott Zoldi, chief analytics officer at analytic software company FICO, says artificial intelligence (AI) is a transformative technology for trapping hackers. “Defensive AI is when the environment responds in such a way as to mislead attackers,” he says.

“If they believe they are being monitored, these models selectively deceive or return incorrect outputs. They might return scores that are backwards, or create patterns that make the adversary modelling dataset inaccurate and consequently the attacker’s AI less effective.

“Clever score responses could even guide the defensive AI to create artificial patterns in a learned offensive AI, making the criminal’s use of the offensive AI model easier for the bank to detect. As defensive AI thwarts criminals’ attempts to measure it, criminals and their AI will find it much harder to determine which responses from defensive reactions are legitimate.”

Crucial part of cyber strategy

Pervade Software, which is an independent technology company based in Cardiff, is an example of a company actively using honeypots and deceptive techniques to stay abreast of the latest attacks used by script pros, automated scanners and hackers.

Jonathan Davies, director of engineering at Pervade, says these methods have become a crucial part of the company’s cyber security strategy.

“The simplest type of honeypot that we use is directly adding a server with minimal protection to the internet and logging all communications to that server.

“This provides an interesting insight into the techniques used by automated scanners – mostly hosted in Russia, China and Vietnam right now – and shows just how quickly servers can be detected and attacked, typically less than 30 minutes. We try different types of operating systems to see if the attacks used change,” he says.

“In addition to honeypots, Pervade has anonymously built several websites that primarily provide basic blogging and messaging features, ranging from 3,000 hits per month to over a million. These websites are used by several hacking groups and because of the content posted they regularly come under attack by rival hacking groups.

“We agree – anonymously – to keep these sites online in spite of them being constantly attacked so we can analyse the attack methods used. We find the data from these servers to be extremely valuable and allow us to create correlation rules in our OpView software that specifically detect the attacks used.”

Cyber security is a fundamental part of daily business operations in the modern world, and the threats are constantly becoming more complex and greater in volume.

While there are a plethora of cyber strategies out there, deception has emerged as one of the most effective because it can help firms take down cyber criminals quickly and give them an insight into their illegal activities.

Read more about deception technology

  • There’s nothing to beat good honest deception.
  • Deception, proactive defenses can better protect IP.
  • What are the best security controls to ensure a safe working environment where employees do not have the unfair pressure of being the first line of cyber defence?

Read more on Hackers and cybercrime prevention