Leveraging Deception for Breach Protection

According to a recent study conducted by the Clark School at the University of Maryland, computers with an Internet connection are targeted by hackers an average of every 39 seconds. And according to an IBM/Ponemon study, the average cost of a successful data breach in 2018 resulting from just one of those attacks getting through ranged from $1.24M in Brazil to $7.91M in the US.

It’s a tough time for a CISO to get a good night’s sleep. Let’s unpack why attackers have had such success. First, about 60% of cyber incidents inside an organization are caused inadvertently through some form of human error. That is an issue for another paper. The rest, however, are malicious. Again, in another report by Ponemon, about 38% of those malicious attacks can be traced back to an employee or contractor, while the rest can be attributed to external threats launched by hackers and organized cybercriminals.

Attackers are Almost Always Faster Than Defenders
Next, in order to beat time-to-response goals set by most organization, attacks move fast, and they are able to do this with surprising intensity and volume due to continual investments and innovations being made by threat actors. As a result, the average time it takes for an attacker to breach a system and escalate privileges is now just over 4 and a half hours, with some Russian hacking communities regularly coming in at under 20 minutes.

At the same time, the goal for many defenders is to remove a breach within 8-12 hours. However, the average containment time is actually closer to five days. And that’s after detection. Time to detection, according to IBM, is another 197 days.

Even independent cybercriminals that don’t have the same resources as organized crime can leverage Malware-as-a-Service and machine learning to automate and accelerate their threat campaigns. Many of these “as-a-Service” solutions available on the Dark Web for a fee are highly adaptable and effective due to things like machine-based polymorphism and the use of exploits to bypass updated security controls. Coupled with the fact that malware authors have adopted Agile development to create next-generation malware with even greater efficiency, it seems clear that most organizations are losing the race to keep pace with external threats.

While malicious insiders usually have a different set of motivations, they can have a similarly devastating effect on the organization as any external actor, with the advantage of already being a trusted user. And while an insidious employee may be looking to steal intellectual property or participate in insider trading, a disgruntled employee may be content with simply destroying valuable assets, which is certainly faster and often easier than locating and exfiltrating data.

The one thing these different actors have in common is that achieving their goals can be measured in hours or even minutes, from initial compromise to achieving the ultimate objectives of their attack, e.g. data exfiltration, data destruction, and so on.

Most Security Was Not Designed to Address Successful Breaches
The reality is that most security deployments aren’t really designed to address threats that have managed to get past their perimeter defenses. Which is why most organizations only realize they have been breached weeks or months after an event. That’s because even those organizations that do have some sort of security defenses inside the perimeter have failed to set them up correctly.

IT teams that have adopted or plan to adopt a security infrastructure to handle both external and internal threats typically end up with two completely different security solutions in place. So once a breach has been discovered, it is usually far too late to do anything about it, and most likely that’s because these security solutions don’t really talk to each other. Actual threat discovery is often either inadvertent or due to the hand correlation of logs to discover events. And even then, fully remediating the system to protect against future threats can be time and resource-intensive, and so is often neglected due to resource limitation. Complicating this further is the gap in InfoSec workforce experienced globally creating an impediment to managing threats response and security infrastructure that increases the risk of a breach exponentially.

Using Deception to Fill Security Gaps
Deception helps address the two-pronged approach to breach protection described above by redirecting both external and internal threats away from critical assets. The theory behind deception technology is simple: it mines a network with tripwire decoys disguised as data assets that alert an organization when they have been accessed. Deception technology lures criminals away from actual valuable data, while exposing their presence—often, without their knowledge, allowing security professionals to engage in forensic analysis in real time by closely monitor their patterns, activities, and techniques to discover breached devices an exploited vulnerabilities.

Deception techniques are not only effective in protecting against outside attacks. They are also powerful tools for discovering internal threats. If rogue employees start poking around a network for information they are not authorized to access, deception technology is one of the most effective ways to catch them. Next-generation deception differs from detection-based honeypots because it also includes tools such as threat analytics, as well as integration with security controls, to proactively block attacks before any real damage can be inflicted.

As with the deployment of any new technology, the success of adopting a new deception solution is predicated on three things: first, its ease of use, second, its effectiveness, and third, due to today’s InfoSec workforce gap, its ability to implement automation.

In a world where the odds are heavily tipped in favor of your cyber adversaries, you can level the playing field by automating the creation of dynamic decoys that are dispersed throughout the IT environment. Because attackers are unable to determine which assets are fake and which are real, their time advantage is reduced or eliminated altogether. When an adversary can’t make this distinction, cybercriminals are forced to waste time on fake assets while inadvertently tipping off a security administrator of their presence.