Deception as a defensive tool
![Image Europol Head of Operations discusses [dismantling of LockBit]](https://incyber.org//wp-content/uploads/2023/12/incyber-news-water-cybersecurite-cybersecurity-885x690.jpg)
Today, it is clear that cybersecurity is a fight and that its management can easily be considered as warfare. The jargon used is indeed a military one: attackers, campaigns, crisis, strategy, operations etc. A significant proportion of cyberattacks is thus linked to espionage or economic warfare activities. Among these many commonalities, there is nevertheless an area in the military world that remains relatively untapped in cybersecurity: tricks, or more generally deception operations. Yet these deceptive technologies hold great value for cyber-defense and, more importantly, for once are proactive and no longer just reactive. They are giving the edge back to the defenders.
Likened to ruse and stratagems, deception operations are an ancient war tactic that is little-known to the general public. They consist in concealing the nature and unfolding of operations to come. The goal is to trick the enemy, make him believe in an illusion that will undo him.
Although this approach is widely used in the military world, and its efficiency has been proven on numerous occasions, it remains seldom repeated in cybersecurity.
And yet many would say it is the only technology that gives the advantage back to the defender. The latter is no longer reacting to an attack but anticipating the attacker’s actions, taking note of the means used, the vulnerabilities exploited, the paths taken, in order to act (and no longer react) accordingly. In the constant struggle against cyberthreats, experts must monitor and analyze the evolution of cyber weapons and offensive strategies. The goal is to continuously adapt the company’s protection measures.
Contrary to many clichés, a deceptive approach is not a honeypot. And even though the latter may be a part of it, simplifying the approach in such a manner is too reductive.
In concrete terms, deception implies creating an information system that is similar to the one we want to protect, in terms of the components and architecture the cybercriminals will attack. The attack will amount to nothing but will allow the defender to gather precious information. This method is sometimes termed active defense because it creates a false perception of the attack surface. The objective is twofold. First off the deception monopolizes the attacker’s resources and is detrimental to his actions, which will not succeed. Secondly it enables the gathering of precious information that will improve the organization’s security. Normally, the advantage is to the attacker, as he only needs to succeed once to make his actions profitable, whereas the defense must thwart all attempts.
The deceptive approach is therefore very interesting, as it restores the balance of power and gives the edge to the defense, which can move in stealth. This trickery on behalf of the defender gives him a rare advantage against attackers by providing him with an early and precise detection of attacks and how they are led. The tricks are designed to detect criminal activity as the attacker is trying to figure out the information system, and setting up his move. Whether it’s a simple analysis or an attempt at downloading malware, once the attacker hits a trap, it is possible to observe the moves and methods used. This will allow the defender to better understand the manner in which attackers intend to spread through the information system. This information is vital in applying countermeasures to the real information system and thus protecting it.
Contrary to honeypots, which are generally external resources that draw in ill-intentioned individuals in order to identify them, deceptive solutions take a new approach by moving the ploys within the information system. These solutions implement active ploys in confined environments, and provide false identification information and data that would be inaccessible legitimately. If someone accesses these assets, an incursion took place, the security policy was violated and the risk is established. This detection mechanism is particularly useful in reducing the time the attacker spends undiscovered within the network. The current average of several dozen days leaves the attacker the time needed to carry out an attack.
Deceptive technology is thus seen as a silent alarm that warns its user as soon as an incursion takes place, and allows one to observe the methods of attack. The purpose is continuous adaptation in real time of the information system’s protection, without taking any risks, as the attack is striking a fake target.
With traditional detection methods, there can be a huge amount of information, requiring a heavy load of analysis and correlation. The deceptive approach simplifies and automates these processes in order to ensure the attack is stopped, flushed out, and unable to return.
A recurring issue is the risk of the attacker slipping out of the trap. In absolute terms, any technology can be compromised, and all the more so when intentions are bad and motivation is strong. But, in the case of deception, the advantage is that the cybercriminal is compromising, first and foremost, fictitious data, while being observed. Cybersecurity experts know exactly where he is, which path he can take or not, and can therefore better counter him, in real time.