I’ve been pondering the use of deception and variability to defend IT assets. Honeypots have been discussed in this context for quite a while, yet their initial implementation failed to take off as mainstream components of a security architecture. Now that some time has passed, new ways of utilizing deception for safeguarding enterprise environments are making such approaches more practical. This area is ripe for innovation.
Getting Started: Non-Computer Deception
Looking at how deception was used during World War II can set the stage for considering how to employ such tactics. According to a paper by Donald J. Bacon, Allied Forces confused and misdirected the enemy by incorporating ambiguity and misdirection into their operations. The paper also attributed many Soviet victories during the war to the full integration of deception into operational planning and execution. These are just some examples of the many times when deception was used in warfare before the age of modern computer systems.
Early Examples of Deception in Computer Security
A historic perspective on the use of deception for computer security comes from the account of Gene Spafford of his work during 1989-1993. Gene described the “active defenses” he employed to identify attacks in progress, slow down attackers, learn of their techniques and feed them fake data. His approaches included:
- Fake user accounts that had access to fake data that was kept current
- “Bait” files that looked attractive to intruders, but weren’t accessed during normal operations
- Service emulators that would process connections very slowly and generate fake errors
- “Sparse” files that would look normal on the file system, but would be huge in size when being downloaded
- Altered programs that, when used by the attacker, included beacons and other unexpected features
Gene stated his belief that “too few defenders these days build forensics capture into their systems to help identify intruders. They also don’t have active defenses, countermeasures and chaff in place to slow down attackers and provide more warning of problems.”
Deception on the Network
Many of the deception techniques discussed by Gene were implemented later through the use of honeypots. Around 1999, the Honeynet Project came into existence, infusing innovative thinking into such ideas and approaches to discovering attacks and learning about attackers’ capabilities. The most comprehensive commercial product in this space at the time was probably ManTrap by Recourse Technologies. Symantec acquired the company in 2002 and discontinued the product a few years later.
The idea of honeypots faded into the background for a while. People were reluctant to deploy them on production networks due to support costs, risks and low perceived value. Yet, people continued to make free specialized honeypot tools, as is evidenced by the likes of Dionaea for detecting and capturing malware, Kippo for SSH, Glastopf for web servers, InetSim for various network services and so on. (The Modern Honey Network provides a convenient way of experimenting with some honeypots.)
John Strand and Paul Asadoorian began exploring the use of deception in the context of offensive countermeasures and publicly shared their ideas. For instance, they showed how a small script can be used to automatically shun the attacking IP address that tried to connect to a decoy port on Windows and on Linux.
More recently, a new generation of commercial network deception technologies was created by companies such as Thinkst, Cymmetria, TrapX and Acalvio. Such products are often positioned as a way of detecting adversaries’ lateral movement through the organization. Gartner began to pay attention to this space, though their discussion of deception has been focused primarily on network-based application of deception principles.
The increased use of cloud-based services might make it easier to utilize network deception in the enterprise. A few years ago, Mike Rothman described the idea of HoneyCloud, which would be used to deploy network deception elements into a private cloud to minimize production risks. Moreover, the biggest advantage of cloud technology is its elastic capabilities that, combined with support for automation can allow an organization to integrate deception capabilities into the fabric of its IT operations. Some network deception vendors incorporate this notion into their products.
Deception at the Host
Deception principles can be incorporated into a modern enterprise security architecture in a manner that goes beyond honeypots. For instance, Ben Jackson released free tool called WebLabyrinth, which is designed to confuse and slow down malicious web crawlers. In another host-focused example, Thinks Applied Research makes it convenient to set up a decoy URL to catch attackers as the perform reconnaissance on the web server. Though both of these approaches employ deception technology on the system, the deception elements are accessed directly over the network.
While the scenarios above focus on using deception to detect attacks and perhaps slow down the adversary, Minerva Labs uses deception principles on the endpoint to prevent intrusions altogether. I’m VP of Products at Minerva, so this is my cup of tea. Minerva’s objective is to fool malware that attempts to evade baseline anti-virus tools into crashing or “deciding” not to infect the system. For example, Minerva simulates the presence of forensic tool and sandbox artifacts, so that evasive malware shuts itself down rather than risk being analyzed. This approach uses deception against computer automaton, rather than attempting to fool a human adversary.
Here’s another host-based deception approach: Some malware, such as ransomware and remote access trojans, is programmed to avoid infecting the same system more than once. By generating the artifacts that the specimen uses to determine whether it’s present, defenders can fool such malware into “believing” that it’s already on the endpoint and terminating itself. This concept is known as malware vaccination.
Deception as Part of Enterprise Security Architecture
Deception possibilities go beyond the network and host-based examples outlined above. For instance, creating a decoy user account and setting up an alert when it gets used is a way to use deception for detecting a possible compromise. In another scenario, Thinkst honeytokens can be set up as decoy documents to detect an intrusion. Some day, the notion of a honeypot persona might not even sound too strange.
Even if we limit ourselves to looking at deception on the network and at the host, we can see that deception approaches are starting to progress beyond the early ideas proposed by Gene Spafford. IT security practices have evolved to make room for incorporating elements of deception onto the broader security architecture. Local and remote computing capabilities allow for use cases that would have been impractical a decade ago. As the result, enterprise-focused deception vendors are finding ways to incorporate their capabilities into the overall IT infrastructure.
One of the lessons in the use of deception during World War II is that to be successful, such efforts cannot be silo projects. They have to be centrally managed and integrated into the fabric of IT operations.
This post was originally published on Lenny Zeltser’s personal blog