This year at RSA, I saw many vendors offering “deceptive defense” solutions. Whether folks were buying them is another matter. The concept of using deception in warfare goes back to the dawn of time. Thousands of years ago, Sun Tzu wrote that “all warfare is based on deception.”1 IT deception as a hacking defense has been around since the beginning of IT security, as well. The first reported use of it by a civilian was in 1986 by Clifford Stoll creating fake files promising Strategic Defense Initiative2 secrets to lure a spy onto his network. This trick successfully entrapped a mercenary hacker working for the KGB. If you’ve never read The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage3, I highly recommend it. It’s a seminal work in the field of cyber security.
What is “deception as a defense,” specifically? The most common deceptive tool is the honeypot, a fake server or network service that is meant to attract attacker attention and secretly record information about their actions. As Lance Spitzner, the progenitor of honeypots for cyber defense, said: “…whatever we designate as a honeypot, it is our expectation and goal to have the system probed, attacked, and potentially exploited.”4
A good honeypot could be a database server appearing to store thousands of credit cards. A hot target full of data is a great lure, especially if it appears to have weak access controls and is missing patches. Deceptive tools can also be false networks and routes created to trick or entrap attackers inside your network and draw them away from key resources. Deceptive tools can also include fake data stores such as fake payment card numbers or doctored intellectual property, planted the way Cliff Stoll did. A good trick is to plant honey tokens, which are tagged usernames and passwords for attackers, and then watch where they are used elsewhere. The Honeynet Project5 has a comprehensive list of deceptive tools.
One thing we know for sure, deception has value in a cyber defense. Fred Cohen proved this in 2001 by performing red team testing against networks using deception versus a control group.6 An interesting thing he uncovered was that even on networks without deceptive devices deployed, red team attackers were slowed down. As any Dungeons & Dragons player will tell you, constantly checking for traps takes time and energy away from pillaging and plunder. To quote Dr. Cohen’s study, “Deception works. Furthermore, it works well.”
Most deception tools currently in use by civilians consist of honeypots used by threat researchers to spy on bad guys’ trends, explore botnet C&C networks, and collect malware and exploits for analysis. This is not deception to serve in the direct defense of an organization but rather to power threat intelligence and anti-virus signature feeds. Outside of civilian usage, experts have reported off the record to F5 Labs researchers that honeypots and deceptive defenses are used within law enforcement and military organizations. However, that work is secretive and difficult to describe for obvious reasons.
Despite all the tools and positive research, why hasn’t deception as a defense caught on in mainstream cyber defense? It could be as John Maxwell said, "Most people are more satisfied with old problems than committed to finding new solutions.”7
Without a major championing organization, a “deceptive” security control will never be featured on any mainstream best practice list. This means it won’t appear on any compliance checklist, either, so no auditor would ever accept it as a “real” control. What CISO has time or budget for extra credit? Many CISO’s budgets are driven by compliance and best practice requirements. Without the outside blessing of deceptive tools, it’s hard to justify the money and personnel to support such a tool.
There are other downsides to deception. For one, having fake booby-trapped IT resources on your network can confuse your IT operations team when they trip over them. If you tell the IT staff about the deception, you run the risk of leakage or informing a malicious insider. Also, the legal department may feel that active measures such as deception could represent a potential liability. Lastly, deception works best when it is tailored to the environment and matches the current IT infrastructure. This means that deceptive work needs to be customized and unique with out-of-band alarm mechanisms. So, deploying, maintaining, and monitoring deceptive tools requires a significant workload. Very few organizations have that many cycles to spare.
So far, these downsides have been enough to keep cyber deceptive tools out of the mainstream toolkit. However, if your organization has resources and wherewithal, they are worth exploring as powerful tools to slow down and even trap potential intruders.