By Mark Stone, Contributor
In France’s May 2017 election, Emmanuel Macron’s campaign knew it was under cyber attack from Russian threat actors when the team began receiving a slew of phishing emails. Soon after, Macron’s team embarked on a “cyber-blurring” strategy, a tactic whereby false accounts and content are created as traps. The hackers took the bait and wasted a lot of their time and resources.
The presumed cybercrime group, Pawn Storm (also known as APT28), is one of the most seasoned digital espionage groups known for attacks on Western leaders, organizations, and media outlets. While the French government’s cybersecurity agency has so far been unable to officially attribute responsibility (thus no punitive measures have been undertaken), the fake-out, or deception strategy, Macron’s team implemented was nonetheless effective in mitigating the acting hacker’s damage.
Setting traps for your enemy in the cybersecurity world is not a novel strategy, as concepts like honeypots have been around for decades. Most fake outs are essentially variations of the honeypot, which can take form of a decoy computer system or file to draw hackers away from the true, valuable information. The bounty would be widely visible on the internet and appear as an enticing sweet treat for would-be hackers. For most honeypots, data is segmented from the rest of your network (and thereby secure) and monitored for intruder information.
As the threat landscape multiplies, these types of deceptive strategies may gain momentum. Both governments and businesses can benefit having a better understanding of deception techniques and, in some cases, engaging in retaliatory hacking. Here’s how it works—and what to consider.
Proceed With Caution
The purpose of deploying deception techniques is twofold: thwarting attackers and gathering intelligence.
“The idea is to misdirect hackers, so they don’t get at your intellectual property or data,” said Jerry Irvine, industry expert and CIO of Prescient Solutions. But Irvine, who, in 2008, was added to the National Cyber Security Task Force (a joint operation between the Department of Homeland Security and the U.S. Chamber of Commerce), warns that the average small-to-midsize business may not wish to poke the bear.
“[If] they don’t have the technical expertise to set up a honeypot,” he said, “they may leave themselves vulnerable.” For instance, if a company mistakenly has the server containing the fake data connected to the live network, it might unintentionally create a point of entry for a hacker to access valuable information.
Ben Smith, Field Chief Technology Officer for RSA, agrees, using the analogy of a dog who chases a car and one day is suddenly surprised to catch it. “Perhaps the most important question anyone considering deception techniques is, ‘What is it we plan to do when we catch a bad actor within our environment?'” he said.
His advice is to ask this question before making the investment of time and money in these types of approaches – not afterwards, when companies “may discover there are material liability, legal, ethical and other issues relating to how you choose to act on what you have discovered.”
Another potential benefit of implementing a deception approach as part of your security toolkit, Smith added, is strengthening security by reverse engineering how a threat actor who triggered the honeypot entered the environment, and use that intel to tighten up the incoming threat vector so that it cannot be used again.
Irvine adds, “After the fact, the benefit is learning the hackers’ techniques—what they’re doing, how they’re doing it, and what types of packets and payloads were used. In doing so, you can then tighten up your own security to mitigate those types of attacks so you know what they’re doing and that it doesn’t happen again.”
“Perhaps the most important question anyone considering deception techniques is, ‘What is it we plan to do when we catch a bad actor within our environment?'”
— Ben Smith, Field Chief Technology Officer, RSA
Hacking Back: Fair Political Ground?
Retaliatory hacking – or hacking back – is an emerging topic, in fact, in October 2017, the U.S. House of Representatives introduced the Active Cyber Defense Certainty (ACDC) Act—dubbed the “hack back” bill.
In amending the Computer Fraud and Abuse Act anti-hacking law, the bill would allow companies to take over the computer or network of the attacker, identify the fraudulent agents, and destroy any stolen information. The bill is a movement on behalf of the U.S. federal government to recognize the very real cybersecurity threat posed to today’s business leaders.
But Smith warns that hacking back, or making decisions and carrying out actions based on murky attribution is risky. “These are areas where organizations seeking an easy button are most at risk to introduce collateral damage to their own business and brand.”
When the Fake-Out Isn’t for You
Although deception-based approaches and technologies are a popular topic right now, Smith advises they should be considered only by organizations who are already in a positive, mature state.
“Much more important is consistently demonstrating basic security hygiene, staffing out the security operation center, and developing the risk management function holistically across the business,” he said. “At a minimum, if you don’t know where your crown jewels are, and how each jewel relates to your business, that is where you must start.”
For most small- to medium-sized businesses, using a managed services platform like Security as a Service (SECaaS) puts the burden of providing security on a third party. This option works to redirect all traffic from internal servers to mitigate risks.
Irvine also encourages companies to leverage the support of their industry’s Information Sharing and Analysis Centers (ISACs), which, according to the National Council of ISACs, “helps critical infrastructure owners and operators protect their facilities, personnel and customers from cyber and physical security threats and other hazards.”
“Whether it’s financial services, IT, transportation, or another large industry,” Irvine described, “ISACs performs a similar function in that it shares info as real-time as possible about attacks happening [in the moment].” While the FBI and NSA are monitoring more critical infrastructure on today’s cyber attacks and providing info on how to proactively protect your resources, most of this information, Irvine said, is also available through your industry’s ISACs.
“At a minimum, if you don’t know where your crown jewels are, and how each jewel relates to your business, that is where you must start.”
— Ben Smith
Keeping it Real
Regardless of whether deception strategies are part of your security toolkit, one key element in preventing attacks is educating employees about cyber security best practices, as they represent the first line of security defense. In the case of the French election, Macron’s team succeeded because they were well-versed in recognizing the phishing scheme. But most companies can’t say the same for their employees.
According to Dell Data Security research conducted last year, “more than one in three employees (36 percent) will frequently open emails from unknown senders at work, potentially opening the door for spear phishing attacks in which a cybercriminal seeks unauthorized access to sensitive information from a specific organization or individual by posing as a trusted source.”
Companies can even go so far as to turn the fake-out idea on its head by ethically testing employees with a fake phishing scam. (This simulated phishing attack training, for example, can reduce the number of employee clicks on malicious emails.)
Irvine also stressed the importance of communication with executives, employees, clients, and the public about if and when an attack took place. “The more communication that occurs, the less disruptive this will be on the economy, on individuals, on politics, and the trust we have in the security industry,” he said.