From the inside of the deception


Penetration testing against today's threat deception technology is not for the faint-hearted. Do modern deception tools really frustrate adversaries, and are they ready for the corporate SOC?

(Image: Oleg via Adobe Stock)

“I give up.” These are the words you would like any attacker trying to hack your system to say. “I never want to go through this again.” Even better.

Alissa Knight, a penetration tester and security content creator, found herself saying these words recently while going up against the deception technology of threat detection vendor illusive. (Also featured: "F*** you, how could this not work?", "This is a sh** show," and "This is too bad.")

The company encourages penetration testers and red teams to attack it; so far, illusive's deception technology has withstood the slings and arrows of more than 130 red teams, including Knight, who was commissioned by illusive and recorded the test. (She will publish a follow-up later this month.)

"I walked into this very arrogant," Knight said in an interview with Dark Reading. "You know, 'The only reason they haven't lost to a red team is because that wasn't me.' ... I was thinking, 'Oh, this is just lipstick on a pig. It's just, you know, a venture-capital honeypot.' Right? But I was wrong."

Detection and disruption
Today's deception technology is more than a cosmetic honeypot. Companies such as Attivo Networks, Smokescreen, Acalvio, TrapX, and illusive use dynamic rather than passive deception strategies. Instead of simply setting traps and hoping that the attacker will fall into them, they detect threats and respond proactively.

In the case of illusive, when the tool detects suspicious activity, such as an attempt to move laterally, the deception engine kicks in and draws the attacker into a fictitious world.

Frustrate the attacker. A lot.
"It's like The Matrix," Knight said. "You start to wonder what is real and what is not."

The evidence she harvested? Fake. The domain administrator? A useless domain administrator. The network she had been roaming for hours was entirely synthetic, with fake breadcrumbs scattered throughout. One lure after another, each leading nowhere.

"I can't trust my own decisions. I can't trust my own tools," Knight said. Even knowing that she was up against a threat deception tool didn't help. She said she felt it was "following" her.

“In my 20-year career, I have completed more than 100 penetration tests, and I have always been able to pass. In this case, I found nothing, which is the most frustrating thing.”

For the illusive team, of course, this is a far more relaxing and enjoyable experience.

"I like it," said Ofer Israeli, founder and CEO of illusive. "It's always fun. We are happy to do it. It proves its worth."

Israeli further pointed out that illusive's technology automatically generates deceptions that are unique to each environment and each machine. He said this makes it harder for attackers to defeat the security technology.

"If the attacker gets illusive, puts it in his lab, [and] readies [an attack], the deceptions apply to his lab," Israeli said. "When he attacks the real environment the next day, those deceptions will look completely different."

Fewer false positives
Although deceiving attackers is fun, Israeli says that detecting threats is the important goal.

"What we really need to do for our customers is to provide better threat detection. Right? It doesn't matter whether we do it through deception or through magic," he said. "So our discussion is really... you know that the attacker does have access to the network. Can you sleep quietly at night? Once they enter, can you see their activity? The usual answer is, 'No, we can't' or 'Uncertain,'" and many tools generate false positives, which further complicates the problem.

Knight pointed out that deception solutions produce almost no false positives.

"Tell me when someone will legitimately use synthetic credentials or interact with synthetic hosts," she said. "I can't imagine getting an alert from this technology and not getting up."

Grown up?
Deception products are still not suitable for every company. Israeli admits that illusive is not aimed at small businesses but at organizations with 500 employees or more.

However, this technology is no longer just an engineer's toy. It is becoming a more effective tool for enterprise security operations centers. Integration with other major SOC products such as EDR, SIEM, SOAR, and UEBA has become common. Deception companies partner with MSSPs, system integrators, and cloud providers to offer deception services for cloud environments.
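The two points above, that deceptions are generated uniquely per environment and host, and that any interaction with a synthetic credential or host is a near-zero-false-positive signal worth forwarding to the SIEM, can be shown together in a small script. The following is an added example written for this article; it is not illusive's code or any vendor's product logic. The deployment secrets, host names, decoy naming scheme and key=value log format are all constructed for illustration: decoy account names are derived with HMAC from a per-deployment secret (so a copy of the same tool in a lab yields different decoys), and a detector then flags any log event that uses a decoy account or reaches a decoy host, emitting a SIEM-style JSON alert.

```python
"""Added example (not illusive's or any vendor's code): derive per-host decoy
credentials from a deployment-specific secret, then flag any log event that
touches a decoy as a high-fidelity alert formatted for a SIEM.
Secrets, host names and the log format are constructed for illustration."""
import hashlib
import hmac
import json

# Assumption: each deployment holds its own secret, so decoys derived in an
# attacker's lab copy of the tool never match those planted in production.
PROD_SECRET = b"constructed-prod-deployment-secret"
LAB_SECRET = b"constructed-lab-deployment-secret"


def decoy_account_for_host(hostname: str, secret: bytes) -> str:
    """Derive a decoy account name unique to (deployment secret, host)."""
    tag = hmac.new(secret, hostname.lower().encode(), hashlib.sha256).hexdigest()[:8]
    return f"svc_backup_{tag}"


def build_decoy_inventory(hosts, secret: bytes) -> dict:
    """Map each decoy account name to the host it was planted on."""
    return {decoy_account_for_host(h, secret): h for h in hosts}


def parse_event(line: str) -> dict:
    """Parse a constructed key=value log line into a dict of fields."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        if key:
            fields[key] = value
    return fields


def detect_decoy_use(lines, decoy_accounts: dict, decoy_hosts: set) -> list:
    """Return one SIEM-style alert per event that uses a decoy credential or
    reaches a decoy host. No legitimate user should ever do either, so each
    match is treated as high confidence rather than scored or throttled."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = []
        user, dst = ev.get("user"), ev.get("dst")
        if user in decoy_accounts:
            reasons.append(f"decoy credential {user} planted on {decoy_accounts[user]}")
        if dst in decoy_hosts:
            reasons.append(f"connection to decoy host {dst}")
        if reasons:
            alerts.append({
                "severity": "high",
                "rule": "deception.decoy_interaction",
                "timestamp": ev.get("ts"),
                "src": ev.get("src"),
                "dst": dst,
                "user": user,
                "reason": "; ".join(reasons),
            })
    return alerts


PROD_HOSTS = ["ws-042", "ws-043", "fs01"]
DECOY_HOSTS = {"fs-archive-07"}  # constructed: a decoy host with no real role
PROD_DECOYS = build_decoy_inventory(PROD_HOSTS, PROD_SECRET)

# Constructed log lines. Only the third (decoy account used from ws-042's
# planted credential) and fourth (connection to the decoy host) should fire.
SAMPLE_LOG = [
    "ts=2021-03-01T10:02:11Z src=10.0.4.17 dst=fs01 user=jsmith event=logon result=success",
    "ts=2021-03-01T10:02:40Z src=10.0.4.17 dst=fs01 user=jsmith event=smb_read result=success",
    f"ts=2021-03-01T10:07:03Z src=10.0.4.17 dst=fs01 user={decoy_account_for_host('ws-042', PROD_SECRET)} event=logon result=failure",
    "ts=2021-03-01T10:09:55Z src=10.0.4.17 dst=fs-archive-07 user=jsmith event=smb_connect result=success",
]


def run_demo() -> list:
    """Run the detector over the constructed log and return the alerts."""
    return detect_decoy_use(SAMPLE_LOG, PROD_DECOYS, DECOY_HOSTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert))
```

The detector deliberately has no scoring or suppression: because the decoy accounts and hosts exist only as bait, any event that references them is actionable on its own, which is the property Knight describes. Keying the decoy names to a per-deployment secret is one simple way to get the per-environment uniqueness Israeli mentions; the same host name yields a different decoy under a different secret.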

As Knight said, an attacker can use many different methods to compromise a target, but they all have one thing in common.

"The same thing happens with all adversaries," she said. "That is the one thing that will never change."

She said that deception makes moving through the environment more challenging.

"I have never seen anything like this," she said. "It disrupts the adversary's decision-making."

Sara Peters is the senior editor of Dark Reading and the former editor-in-chief of Enterprise Efficiency. Prior to this, she was a senior editor at the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and countless…
