National Cyber Deception Day
Author: Tony Cole, Attivo Networks CTO – April 1st is National Cyber Deception Day. No, this is not a setup for an April Fool’s Day joke, just the perfect time for a day already focused on deception. MITRE’s Engage team submitted an application to create a National Cyber Deception Day and targeted April 1st for that date. It was approved, and it is a very timely idea: deception has long been practiced in the physical world but was largely absent from the cyber realm until the last couple of decades. Until recently, it was mostly used in cyberattacks and not by defenders.
Wikipedia defines deception as ‘Deception or falsehood is an act or statement that misleads, hides the truth, or promotes a belief, concept, or idea that is not true. It is often done for personal gain or advantage. Deception can involve dissimulation, propaganda and sleight of hand as well as distraction, camouflage or concealment.’ This is important because there is little difference in defining deception whether it’s in the physical realm or the cyber realm. It can be equally effective in both.
When we look at cyberattacks over the years, we can see from almost any major vendor’s yearly cyber report that attackers use deception against the individuals and the enterprises they are attacking. Whether it’s a phishing email, a social engineering effort via a phone call or attempted physical entry to a location, or a malicious watering hole attack via a compromised webserver, what you see is likely not what you get. You have been deceived by someone who wants something from your enterprise.
So what are we to do? Celebrate National Cyber Deception Day.
If you’re familiar with MITRE ATT&CK then you know that it’s a program designed to give you real-world knowledge of observable attacker tactics and techniques. MITRE has also built a program called Engage, and it’s all about adversary engagement inside your enterprise. Think about ATT&CK and Engage like the Yin and Yang of cyber defense. ATT&CK helps you understand what the adversary is trying to do in your enterprise, while Engage helps you understand how to build a defensive infrastructure to counter that adversary. The two programs work hand-in-hand to help defenders understand the attacker and what to do about the attack.
Putting cyber deception in place allows you to feed an adversary information they can’t trust, whether it’s deceptive data on an endpoint that leads them to deceptive shares while hiding the real ones, or deceptive answers to their Active Directory queries while the real data stays hidden. The number of things you can do with current tools is rather extensive. The idea is all about engaging that attacker inside your enterprise and making them wonder what information is real and what isn’t. The great thing is that the defenders do know what’s real, since it’s their infrastructure, and putting this system in place allows for high-fidelity alerts and monitoring of attacker activity throughout the kill chain: legitimate users have no reason to touch a decoy, so any interaction with one is a strong signal. So although the attackers may have gotten inside the environment, adversary engagement allows for quick detection by the defenders. This puts defense in a much better place to control the outcome and mitigate the attack.
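The high-fidelity alerting idea above is easy to see in code. The following is an added example, not code from the original post or from any Attivo Networks product: it keeps a small inventory of decoy shares and decoy accounts (all names constructed and hypothetical), parses constructed file-access and directory-query log lines in a made-up `ts user=… action=… target=…` format, and raises an alert for any event that touches a decoy. Because the defender planted the decoys, there is no legitimate reason for a real user to read them, which is what makes these alerts high-fidelity compared to generic anomaly detection.

```python
"""Added example: high-fidelity alerting on decoy (honeytoken) access.

Everything below is constructed for illustration; the decoy names, the log
format and the sample log are hypothetical and not taken from any product.
"""
import re
from dataclasses import dataclass

# Constructed decoy inventory. The defender planted these, so real users never
# need them; any access is suspicious by construction.
DECOY_SHARES = {r"\\fileserv01\finance_backup", r"\\fileserv01\hr_archive"}
DECOY_ACCOUNTS = {"svc_backup_legacy", "adm_sql_old"}

# Hypothetical log line format: "<ts> user=<user> action=<action> target=<target>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) target=(?P<target>.+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    action: str
    target: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Return a reason string if the event touches a decoy, else None."""
    target = event["target"].lower()
    user = event["user"].lower()
    # A read/write under a decoy share path (the share itself or anything beneath it).
    for share in DECOY_SHARES:
        if target.startswith(share.lower()):
            return "decoy share access"
    # A decoy account either authenticating or being looked up (e.g. an AD query).
    if user in DECOY_ACCOUNTS or target in DECOY_ACCOUNTS:
        return "decoy account used or queried"
    return None


def scan(lines):
    """Run every log line through the decoy check and collect alerts in order."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # malformed line: skip rather than crash the monitor
        reason = classify(event)
        if reason:
            alerts.append(Alert(event["ts"], event["user"], event["action"],
                                event["target"], reason))
    return alerts


# Constructed sample log: one benign access, two decoy touches, one malformed
# line, and one logon with a decoy account.
SAMPLE_LOG = [
    r"2024-04-01T09:12:03Z user=jdoe action=read target=\\fileserv01\projects\q2.docx",
    r"2024-04-01T09:13:11Z user=jdoe action=read target=\\fileserv01\finance_backup\payroll.xlsx",
    r"2024-04-01T09:14:40Z user=jdoe action=ldap_query target=svc_backup_legacy",
    "this line is not in the expected format",
    r"2024-04-01T09:15:02Z user=svc_backup_legacy action=logon target=host7",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.ts} {alert.reason}: user={alert.user} {alert.action} {alert.target}")
```

In a real deployment the decoy inventory would come from whatever tool planted the decoys, and the alerts would feed a SIEM or ticketing system; the point of the example is only that the matching logic is a set membership test, not a statistical model, which is why the false-positive rate is so low.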
If you’re a follower of NIST and use their public cybersecurity framework, then you’re likely aware that cyber deception has been in place for quite some time in a number of related controls that support the framework.
The SANS Institute has also gotten on board and has a new deception course out in beta, SANS SEC550: Cyber Deception – Attack Detection, Disruption and Active Defense.
Many others are now talking about the value that deception brings to an enterprise. The point is that deception can really help you mitigate attacks more quickly and thereby minimize the damage to your company. Check it out.
Here at Attivo Networks, we’re happy to help you put together the plan you need to successfully celebrate National Cyber Deception Day every day of the year.