How to catch cyberattackers with traditional military deception

Harry Lye 27 January 2020 (Last Updated January 15th, 2020 16:25)

Tony Cole, CTO of Attivo Networks, NASA Advisory Council member and (ISC)² board member, tells Harry Lye how traditional military deception techniques can be adapted for the digital domain to combat cybersecurity threats.


Harry Lye: Can you tell us a bit about your background?

Tony Cole: I’m the chief technology officer at Attivo Networks. I’ve been at the company for almost two years. My background, very quickly: I’ve been in cybersecurity since the 1980s. I started in cryptography in the military and built the networks for many years and then moved to cybersecurity as we started connecting networks together as one of the earliest guys in the field.

I also work for the NASA Advisory Council, so for the NASA Administrator advising on cybersecurity for everything NASA does. I’m also on the board of directors for (ISC)², which is a non-profit with 150,000 members for the Certified Information Systems Security Professional (CISSP) certification.

Was there anything about your military experience that you found particularly useful going into cybersecurity?

I got a couple of really choice assignments where I was trained to a very deep technical level in several different areas around networking and building systems and all that entails.

Many soldiers get trained in a very narrow view, and they don’t have the operational experience from multiple perspectives, whereas I worked on satellite systems, cryptosystems, mainframes, networks and more, because I was building systems to link in the satellite systems, timing systems, and so on. I was very lucky.

Can you explain military deception in the cyber context?

We know deception works extremely well in the physical realm. Go back to World War II where the Brits and Americans partnered in a Ghost Army operation that helped us be successful at D-Day. That operation deployed deception to confuse the Germans on where operations were taking place by having inflatable tanks and trucks, and associated troops that would accidentally ‘leak’ information.

Today, if you talk to most of the allied nations, they all agree that cyber is a warfighting domain, just like any other domain – air, land, sea, and space – and they must dominate in it. If you think about production assets that are running in any enterprise or military organisation, what we do is we put breadcrumbs and lures on the production assets. We take unused IP space, and then take the real operating systems that are running inside that enterprise and we put those operating systems in unused IP space as decoys.

Imagine John comes into work one day, opens his computer and he’s got an email from a Wing Commander that looks super important. So it looks real, he clicks, opens the attachment. Unbeknownst to him, that attachment is weaponised. It infects his system, that infected file goes out to a command and control server and brings down additional malware and now there’s a tunnel open out there and it has bypassed all of the existing preventative technologies; that’s extremely common today.

The first thing that the adversary does is he pops up on that box and looks around: ‘What’s the name of the system? Where am I on the network? Which link was clicked? Which attachment was opened?’ The first thing that attacker is going to do is quite often use a tool like Mimikatz [a post-exploitation tool] and they scrape memory.

If you scrape memory, the first thing they’re going to find in there is a deceptive active directory credential that we placed there. That credential will lead them to IP space that wasn’t used, that we put decoys on, and now they’re trapped and they don’t even know it. That’s a very high-level simple piece of it.

Does deception and entrapment work better than trying to stop people from getting into the network in the first place?

Every year, the US federal government releases their Federal Information Security Management Act (FISMA) report, and it details grades for every one of the different federal agencies. In the last report they said there were no breaches with significant impact on national security; I always remind people, that’s attacks that they know about. I found it fascinating that in that same report 27% of the time, they did not know where the attack originated from.

That’s a scary statistic. That’s where we come in. Somebody is going to get in, but we’ll immediately identify it and then before they could move laterally across an environment, we’ve notified the security operations team and they’ve shut them down. So you will know the point of origin of an attack and collect all the tactics as well if you wish to study them, versus just kicking them out.

Do you think deception is the new direction of travel in cybersecurity?

One of the most important independent quotes this year regarding deception is from Gartner’s Gorka Sadowski, who said they “don’t know a solution with a better signal-to-noise ratio”. Because today, all of those security analysts in every systems integrator and government are overloaded with alerts.

This is a really important point on deception. Any touch of a deceptive asset is an anomaly in and of itself. So it means new high-fidelity alerts, instead of looking through that massive stack of supposed needles that is false-positive alerts, because the deceptive asset that gets touched is critically important. No one should touch them. That means all hands on deck when those alerts come in. So it gives them that home-field advantage again.
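Two points in the interview fit together as detection logic: the earlier description of a planted credential that leads an intruder to decoys in unused IP space, and the point just made that any touch of a deceptive asset is an anomaly and therefore a high-fidelity alert. The script below is an added example written for this article; it is not Attivo's product or any code from the interview. The log format, the decoy inventory, the hostnames and the addresses are all constructed for illustration. It scans constructed auth and network log lines, flags any use of a decoy credential or any connection to a decoy host, ignores all ordinary traffic, and reports the point of origin the way a security operations team would want it.

```python
import re
from dataclasses import dataclass

# Constructed decoy inventory (every value here is made up for this example).
DECOY_ACCOUNTS = {"corp\\svc_backup_adm", "corp\\helpdesk_dev"}  # planted credentials
DECOY_HOSTS = {"10.20.99.10", "10.20.99.11"}                       # decoys in unused IP space

# Constructed log lines: one AUTH or NET event per line, key=value fields.
SAMPLE_LOGS = [
    "2020-01-27T09:12:41Z AUTH host=fs-01 src=10.20.4.17 user=corp\\jsmith result=OK",
    "2020-01-27T09:14:03Z NET src=10.20.4.17 dst=10.20.7.5 dport=443 proto=tcp",
    # A failed logon with a decoy account still counts: nothing legitimate uses it.
    "2020-01-27T09:14:55Z AUTH host=dc-01 src=10.20.4.17 user=corp\\svc_backup_adm result=FAIL",
    "2020-01-27T09:15:10Z NET src=10.20.4.17 dst=10.20.99.10 dport=445 proto=tcp",
    "2020-01-27T09:15:12Z NET src=10.20.4.17 dst=10.20.99.11 dport=3389 proto=tcp",
    "2020-01-27T09:16:00Z AUTH host=fs-01 src=10.20.4.22 user=corp\\mlee result=OK",
    "malformed line that the parser must skip",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>AUTH|NET)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    ts: str       # event timestamp
    origin: str   # source address of the touch: the point of origin for the SOC
    reason: str   # why the alert is high fidelity
    target: str   # the decoy that was touched


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for junk."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    fields["ts"] = m.group("ts")
    fields["kind"] = m.group("kind")
    return fields


def detect(lines, decoy_accounts=DECOY_ACCOUNTS, decoy_hosts=DECOY_HOSTS):
    """Every decoy touch becomes an alert; everything else is ignored as noise."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "AUTH" and ev.get("user") in decoy_accounts:
            alerts.append(Alert(ev["ts"], ev["src"], "decoy credential used", ev["user"]))
        elif ev["kind"] == "NET" and ev.get("dst") in decoy_hosts:
            alerts.append(Alert(ev["ts"], ev["src"], "decoy host touched", ev["dst"]))
    return alerts


def point_of_origin(alerts):
    """Earliest source that touched any decoy, plus a per-source timeline."""
    by_src = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        by_src.setdefault(a.origin, []).append(a)
    first = min(alerts, key=lambda a: a.ts).origin if alerts else None
    return first, by_src


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    origin, timeline = point_of_origin(found)
    print(f"point of origin: {origin}")
    for a in timeline.get(origin, []):
        print(f"  {a.ts} {a.reason}: {a.target}")
```

The design choice worth noting is that the rules carry no thresholds or scoring: because no legitimate process ever uses a decoy credential or connects to a decoy address, a single match is enough to alert, which is exactly the signal-to-noise property the interview describes. The same inventory check can be applied to whatever real log source an organisation already collects (directory logon events, flow records, firewall logs), with the decoy list kept out of band so that only the people who planted the decoys know which assets they are.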

What’s the success rate like, comparing deception to other cybersecurity techniques?

Think of it this way. You’re rushing home because your alarm is going off at your house and you get home, the front door has been kicked open and the police are there. But the alarm went off and the burglar ran off. The alarm did exactly what you put it in for and nothing was harmed in the house. Everything’s still there and you just have to replace your doorframe. Deception works pretty much the same way.

Enterprise Management Associates did a study of deception users earlier this year and based on that survey they saw a 91% reduction in dwell times. So there was a 91% drop in the timeframe from when a breach first took place until that breach was discovered. That time frame has typically been about 75 days right now. So that’s huge.

Reducing that timeframe is very critical to any organisation. That’s something that we’re trying to get more and more organisations to understand. I get on my soapbox and I want to talk about it at a lot of conferences. Breaches are going to happen; make sure your management team understands that a win is identifying the breach as soon as it happens and stopping the adversary from being successful in stealing whatever they were targeting.

Does the deception approach help with cost and efficiency in deploying cybersecurity solutions?

It helps them in many areas over some time to identify what’s working and what isn’t working. You heard my earlier reference to that US FISMA report where they couldn’t identify the point of origin for a breach 27% of the time.

With deception, it gives an Attivo customer the ability to identify what isn’t working in their preventative stack, and after some time, some technologies they are not renewing and other technology that isn’t as effective is being upgraded with more modern stuff. Deception is having a major impact and its use is growing dramatically.