The concept of active cyber deception within on-premises systems has gained prominence in recent years. Organizations have long used honeypots, which lure attackers with the promise of low-hanging fruit so that security teams can monitor everything they do once inside.
More active defense strategies have emerged in the past few years, including decoy IP addresses on the network, tracking cookies and other mechanisms that try to pinpoint an attacker's true origin. There are also web application deception techniques that change a server's or application's behavior when malicious probes or attacks are detected -- possibly slowing the attacker down or shifting their focus to an easier target.
Now, it seems deception and active defense techniques are finding their way into cloud environments as well. Fidelis Cybersecurity Inc. has released a platform with active cyber deception as a main feature for cloud defense. The Fidelis Deception toolkit, part of its Elevate platform, enables security and cloud administrators to implement deception technology within cloud provider environments.
Active deception techniques
There are many common approaches and techniques for active cyber deception, and Fidelis Deception uses several of them.
- Honey tokens: Documents or other files that contain bogus sensitive data and look interesting to attackers hunting for sensitive information. No legitimate process should ever open them, so any access is a signal.
- Honey accounts: Fake user accounts that seem to offer the attacker a chance to change or escalate privileges, to reach other parts of the environment, or both. Both successful and failed use of such an account is worth an alert.
- Lures or breadcrumbs: Services or other areas that look worth exploring -- potentially including deliberately vulnerable operating systems or applications -- that attackers might try to exploit or spend time investigating.
- Honeypots (decoy systems): Entire OS instances, built from scratch or cloned from existing computing assets, that serve no production purpose and can keep attackers occupied for an extended period of time.
Deploying active cyber deception technologies internally has traditionally proven challenging because of the high overhead of monitoring and maintaining the various deception controls, as well as the concerns raised by legal and management teams. More than anything, though, keeping up with a large enterprise environment built on legacy platforms and a highly distributed network is hard, and no one wants to set up deliberate deception assets and then lose track of them -- a forgotten decoy is just another unpatched host.
In the cloud, this can be much easier to set up and maintain because there is a single, largely homogeneous control plane to keep up with, along with a plethora of programmatic and API-based query methods for monitoring. For example, every asset in AWS or Microsoft Azure is visible through the provider's inventory and tagging APIs, which makes it far easier for security teams to keep track of the decoys in question (tagging each decoy at creation time is the simple way to ensure it is never lost). In addition, the providers' audit logs and event automation tools can be combined with deception toolkits so that any touch of a decoy raises an alert within seconds.
The premise of deception technology is attractive: if anything interacts with a honey token, breadcrumb or honeypot, it is by definition suspicious, so teams can immediately prioritize those investigations with far fewer false positives. The one check to build in is an allow list for the handful of legitimate tools -- vulnerability scanners, backup jobs, the inventory script that verifies the decoys still exist -- that will touch them routinely.
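As an added example (not Fidelis code, and not taken from the article), here is the alerting logic the previous paragraphs describe, run over a few constructed CloudTrail-style records. The field names follow the public CloudTrail record layout; the account number, principals, access key IDs, bucket and object key are all invented. It flags three kinds of decoy interaction from the list above -- a honey account or honey access key used as the caller (including failed calls), a honey account named as the target of an IAM call, and a honey document read from S3 -- and skips a single allow-listed scanner principal.

```python
"""Alert on any interaction with a cloud honey token or honey account.

Added example, not vendor code. Every identifier below is constructed.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class HoneyInventory:
    """Identifiers that no legitimate workload should ever use or read."""
    user_names: frozenset = frozenset()      # honey IAM user names
    access_key_ids: frozenset = frozenset()  # honey access keys planted in files
    s3_objects: frozenset = frozenset()      # (bucket, key) honey documents
    # Principals allowed to touch decoys, e.g. the job that verifies they
    # still exist. Keep this short: it is a blind spot if its creds are stolen.
    allowed_principals: frozenset = frozenset()


def classify_event(record: dict, honey: HoneyInventory):
    """Return a reason string if the record touches a decoy, else None."""
    identity = record.get("userIdentity") or {}
    event = record.get("eventName")
    if identity.get("arn") in honey.allowed_principals:
        return None

    # 1. Honey credentials used as the caller. errorCode is deliberately
    #    ignored: a denied call with a honey key is still an attacker.
    if identity.get("userName") in honey.user_names:
        return f"honey account {identity['userName']} used for {event}"
    if identity.get("accessKeyId") in honey.access_key_ids:
        return f"honey access key {identity['accessKeyId']} used for {event}"

    # 2. Honey account as the *target* of an IAM call (enumeration,
    #    policy changes, password resets).
    params = record.get("requestParameters") or {}
    if params.get("userName") in honey.user_names:
        return f"{event} targeted honey account {params['userName']}"

    # 3. Honey document read in S3.
    if record.get("eventSource") == "s3.amazonaws.com":
        bucket, key = params.get("bucketName"), params.get("key")
        if (bucket, key) in honey.s3_objects:
            return f"{event} on honey object s3://{bucket}/{key}"
    return None


def scan_log(lines, honey: HoneyInventory):
    """Parse newline-delimited JSON records; return (eventID, reason) alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        reason = classify_event(record, honey)
        if reason:
            alerts.append((record.get("eventID"), reason))
    return alerts


# Constructed decoy inventory (all values invented).
ACCOUNT = "111122223333"
HONEY = HoneyInventory(
    user_names=frozenset({"backup-admin-legacy"}),
    access_key_ids=frozenset({"AKIAEXAMPLEHONEY0001"}),
    s3_objects=frozenset({("corp-finance-archive", "payroll/2023-q4-salaries.xlsx")}),
    allowed_principals=frozenset({f"arn:aws:iam::{ACCOUNT}:role/decoy-inventory-scanner"}),
)

def _ident(name, key, kind="user"):
    return {"arn": f"arn:aws:iam::{ACCOUNT}:{kind}/{name}", "userName": name, "accessKeyId": key}

# Constructed CloudTrail-style records, one per line once serialized.
SAMPLE_RECORDS = [
    # e1: ordinary engineer activity, no decoy involved -> no alert
    {"eventID": "e1", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": _ident("alice", "AKIAEXAMPLEREAL00001")},
    # e2: honey key used and denied -> alert anyway
    {"eventID": "e2", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "errorCode": "AccessDenied",
     "userIdentity": _ident("backup-admin-legacy", "AKIAEXAMPLEHONEY0001")},
    # e3: a real principal enumerates the honey account -> alert (alice may be compromised)
    {"eventID": "e3", "eventSource": "iam.amazonaws.com", "eventName": "ListAttachedUserPolicies",
     "userIdentity": _ident("alice", "AKIAEXAMPLEREAL00001"),
     "requestParameters": {"userName": "backup-admin-legacy"}},
    # e4: allow-listed scanner checks the honey document -> suppressed
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "HeadObject",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:role/decoy-inventory-scanner"},
     "requestParameters": {"bucketName": "corp-finance-archive", "key": "payroll/2023-q4-salaries.xlsx"}},
    # e5: someone downloads the honey document -> alert
    {"eventID": "e5", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": _ident("bob", "AKIAEXAMPLEREAL00002"),
     "requestParameters": {"bucketName": "corp-finance-archive", "key": "payroll/2023-q4-salaries.xlsx"}},
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for event_id, reason in scan_log(SAMPLE_LOG, HONEY):
        print(f"ALERT {event_id}: {reason}")
```

In a real deployment the same function would sit behind the provider's log delivery (for example, triggered per record by an event rule) rather than reading a file, and the decoy inventory would be generated from the tags on the decoys themselves so the two can never drift apart.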
Deploying this technology could help teams catch the use of common cloud attack vectors early, such as hijacked accounts or poorly configured cloud assets and access controls, because the attacker's first wrong turn lands on a decoy. As all assets in the cloud are virtual, or software-defined, generating and operating these decoys is fast and painless.
However, there is one downside that you must factor in: the increased cost incurred simply by running more assets. Organizations should weigh costs against benefits before deploying these technologies, because there will still be a fair amount of operational overhead that accompanies deception tools in production environments.
Having respected security technology providers supporting these tools will likely streamline and improve the installation, operation and reporting that goes along with any use of active cyber deception tools, so it will be an interesting space to keep an eye on.