Using Deception to Detect Advanced Cyber Attacks

The use of deception in warfare is well established in dealing with difficult adversaries. The method is particularly useful in asymmetric situations where the defense is at a clear disadvantage. Many military organizations with limited resources, for example, have resorted to using decoy tanks and fake troop activity in an attempt to compensate for an unbalanced playing field. Cyber security, it turns out, is the ultimate asymmetric situation, where an enterprise has limited means to stop attacks that can come from adversaries ranging from Internet-based hackers to well-funded nation-state military groups. Deceptive cyber security defensive techniques are thus extremely effective in producing uncertainty in an adversary, while also increasing the chances of real-time detection. As part of the planning for my 2017 TAG Cyber Security Annual (you can download the three PDF volumes at, I had the opportunity to spend time with my friend Tushar Kothari, CEO of Attivo Networks, to ask him about deception in modern enterprise computing.

EA: First of all, do you believe that the most advanced attacks can be detected in real-time by an enterprise defense? Or have we entered a new phase where advanced breaches are inevitable and where we must focus instead on response?

TK: It is true that many current enterprise defenses have proven to be unreliable and have been successfully breached by sophisticated attackers. We see the effects of this every day with high profile breaches into companies that clearly have real-time defenses in place. Furthermore, the predictability of current defenses, and the lack of a true security perimeter, help the attackers and reduce the effectiveness of a prevention only defense. This should be no surprise to students of warfare, who know that war is based on deception, and typically won using the element of surprise. Deception turns the table on the attackers and makes the deceivers become deceived. We believe at Attivo Networks that it is the use of deception that will help make advanced attack detection more achievable.

EA: What have been the challenges of intrusion detection over the years? Is the adversary just that good?

TK: Part of the challenge is that as the years progress, the network morphs. Just after each organization finishes building a perimeter around their network, for example, business requirements lead to the punching of holes in this perimeter to enable services such as remote VPN and cloud services. The perimeter soon begins to look like Swiss cheese with holes all around. And as if open back doors are not enough, social engineering with phishing and complex mobile device management help leave the front doors open for getting infected, regardless of the strength of the perimeter. With hundreds of reported breaches each year, clearly our networks have become more vulnerable, and a traditional line of defense is destined to fail. Now, you are also correct in suggesting that the adversaries have become better equipped and financed, often by nation state governments. Also, some of the successful attacks have yielded significant financial benefits for the attackers, which has in turn attracted more sophisticated adversaries. And security budgets have not kept pace, so organizations remain challenged to recruit and retain trained security staff to combat these highly sophisticated adversaries. These are tough challenges, but enterprise teams understand the problem, and there is every reason to believe that the situation will improve for the defense.

EA: What is the basis for using deception in cyber security to detect attacks? Is the idea to be stealthy enough that the adversary is tricked? Or are you really just dealing with automated botnets?

TK: The key focus of deception technology is to turn the table on the most sophisticated adversaries. The idea is to deploy authentic and realistic deception, which is indistinguishable from real assets and is deployed in a fashion that makes it irresistible bait to the attacker. The technique is extremely efficient and effective in catching the intruders, who can be deceived and misdirected into a maze of traps and deceptions within the network. Throughout mankind’s history, traps have been developed to catch pretty much anything of value. The same concept rings true for efficient cyber security threat detection. The Attivo ThreatMatrix Platform, for example, deceives the attacker into believing that he has succeeded in his attempt, engages with him, and after tracking his lateral movement and behaviors, extracts the valuable forensic information required to stop and derail the attack.

EA: What’s been the practical experience for companies using deception to detect cyber attacks?

TK: Our customers have experienced tremendous improvement in their ability to detect the attackers early in the kill chain during reconnaissance and lateral movement. Given resource limitations and staffing shortages, the Attivo ThreatMatrix platform is designed for high efficacy, high fidelity alerts, and automatic ingest of attack forensic information during engagement to accelerate incident response actions to automatically quarantine infected systems and update prevention systems to block attackers. Deception also employs techniques to deceive and misdirect an attacker since it is signature-less. The solution is well suited to detect zero day attacks from advanced threat actors. The Attivo ThreatMatrix platform provides an integrated sandboxing technology, which has allowed our customers to extract signatures and TTP (tactics, techniques, and procedures) out of the most sophisticated attacks, including polymorphic malware. Customers have also called Attivo the “eyes and ears of their network,” since we can provide early visibility into internal and external threat actors, and we can detect the use of “harder to detect” stolen credential and man-in-the-middle attacks.
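The signature-less, high-fidelity alerting described above rests on one property of decoys: no legitimate user or service ever touches them, so any authentication with a planted decoy credential is an alert by itself. The following is an added illustration, not Attivo's code or any part of its platform; the log line format, the decoy account names and the sample log are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed decoy accounts: planted where a credential harvester would find
# them, never used by real users or services, so any use of them is an alert.
DECOY_ACCOUNTS = {"svc_backup_legacy", "admin_dr_test"}

# Constructed log format: "<ts> auth user=<u> src=<ip> dst=<host> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>ok|fail)$"
)

@dataclass(frozen=True)
class Alert:
    severity: str
    src: str
    user: str
    dst_hosts: tuple

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_decoy_use(lines):
    """One Alert per (source, decoy account) seen; 'critical' when the same source
    tries a decoy against several hosts, the lateral-movement pattern described above."""
    touched = defaultdict(lambda: defaultdict(set))  # src -> decoy user -> hosts
    for line in lines:
        ev = parse(line)
        # Success or failure does not matter: legitimate activity never touches a decoy.
        if ev and ev["user"] in DECOY_ACCOUNTS:
            touched[ev["src"]][ev["user"]].add(ev["dst"])
    alerts = []
    for src, users in touched.items():
        for user, hosts in users.items():
            sev = "critical" if len(hosts) > 1 else "high"
            alerts.append(Alert(sev, src, user, tuple(sorted(hosts))))
    return sorted(alerts, key=lambda a: (a.src, a.user))

# Constructed sample log: a normal login plus one internal host probing decoys.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z auth user=alice src=10.0.1.5 dst=fileserver result=ok",
    "2024-01-01T10:00:09Z auth user=svc_backup_legacy src=10.0.2.77 dst=fileserver result=fail",
    "2024-01-01T10:00:12Z auth user=svc_backup_legacy src=10.0.2.77 dst=dbserver result=fail",
    "2024-01-01T10:00:15Z auth user=admin_dr_test src=10.0.2.77 dst=dbserver result=ok",
]
```

Calling `detect_decoy_use(SAMPLE_LOG)` yields two alerts, both for 10.0.2.77, with the decoy tried against two hosts escalated to critical; alice's legitimate login produces nothing.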

EA: Do cyber deception methods require the corresponding use of honey pot content to make things realistic?

TK: While honey pot technology is not required for initial detection, it is extremely valuable when you want to engage the adversary for a longer period to extract full TTP. Creating a high interaction honey net is a valuable component of a deception platform – though today’s deception technology goes much further than a legacy honeypot approach.

EA: Do you think the day will come when every CISO team uses deception along with other common techniques such as firewall and access control?

TK: An adaptive defense requires a mix of prevention and detection solutions. It is clear that prevention alone doesn’t work and that trying to find the needle in the haystack is too resource intensive with monitoring or Big Data approaches. With this in mind, given the efficacy and efficiency of deception, there is no question that deception will play an important role in the security stack. Deception is accurate where other solutions have proven they are not reliable, and it is easy to deploy, operate, and manage during incident response. Deception is also efficient and immune to resource intensive false positives. Plus, the automated attack correlation, forensic reporting, and attack automation inherent in deception take cost out of continuous threat management and response. At Attivo, we often recommend that our customers actually have some fun turning the tables on attackers. It can be rewarding to “deceive the deceivers” by delaying and misdirecting their attacks, which increases their cost of business immensely and gives an organization much needed time to react before damages can be done. Well-designed and implemented deception can lead to the situation where the hunters become the hunted.