Deception and the art of cyber security
“Warfare is the way of deception,” said Sun Tzu, the ancient Chinese military strategist.
Cyber attackers have long embraced deception by deploying tactics, such as social engineering help-desk employees to install trojans or obtain users' credentials. Even the famed hacker, Kevin Mitnick, wrote a book called “The Art of Deception.” If deception can be used to attack, can it also be used in cyber defense?
Today, it's not clear how thoroughly cyber security professionals embrace this well-established military tactic beyond lip service that deception is a good idea. Traditionally, security professionals have been mired in a mindset of fortifying perimeter defenses, creating impervious walls, relying on defensive signatures and valiantly, or vainly, attempting to passively keep attackers from stealing data.
Websites are currently taking a beating from hackers. It's impossible to miss reports in the mainstream media of recent attacks on websites like Zappos, Sony PlayStation Network and the CIA by all classifications of hackers, including hacktivists such as Anonymous, organized crime groups, state-sponsored espionage, and low-skilled script kiddies.
The web application is among the most porous and frequently attacked surfaces in any organization, and there are five reasons why the web layer is so popular with hackers.
- First, the sheer number of websites and the ability to automate and scale up attacks puts the economics of hacking firmly in the perpetrator's favor. Today, millions of sites can be scanned for vulnerabilities very quickly and easily, and attacks are distributed and scaled up using botnets.
- Second, all the code, including any vulnerability, is public on the website. This alone offers the quickest and easiest potential pathway to get information out of a company or infiltrate the network.
- Third, the web layer is largely undefended within many organizations, eliminating the hacker's fear of being detected and caught.
- Fourth, the skill level required to exploit known web vulnerabilities is less because of the numerous public scripts available to download and execute known attacks. Subsequently, there are a large number of unsophisticated script kiddies hitting sites with impunity.
- And finally, the web application is static, so is easy to profile for weaknesses.
The goal of deploying deception to detect hackers is to change the underlying economics of hacking, making it more difficult, time consuming and cost prohibitive for infiltrators to attack a web application. Realistically, there will always be attackers seeking to gain advantage, and the reality is that the hacking problem cannot be solved, but it can be proactively managed.
So what does web intrusion deception look like? By putting a deceptive layer of code all over the web application, invisible to normal users, one creates a variable attack surface that makes the attacker detect themselves through their behavior. Once a hacker touches one of the deceptive "tar traps," they identify themselves and are immediately prevented from attacking the site.
The effect of inserting deceptive tar traps into the web application code means a change in the hacking game. Primarily, there is increased risk to the attacker of being detected and caught. Furthermore, a variable land-mined web application also requires increased skill to attack because the site does not respond in normal and expected ways. If the hacker has to worry where they attack, they also have to be more selective in choosing sites to compromise. In addition, adding the deceptive tar traps increases the size of the site, which then increases the time it takes a hacker to profile and find vulnerabilities.
But the ultimate deception is misinformation. Imagine supplying the hacker with fake successes, responses, files and assets to exploit. This wastes the attackers' time and makes them feel like they have successfully hacked, unknowing that they are instead compromising a virtual world.
If they don't know what they are seeing, and cannot rely on what they learn, how can they craft an attack?
Intrusion deception is a new approach to cyber security built on classic philosophies from the “Art of War.” Sun Tzu said, “Appear weak when you are strong, and strong when you are weak.” Your website can appear weaker, but actually be stronger. How's that for changing the game on the hacker?
Edward Roberts is the director of marketing at Mykonos Software, which was recently acquired by Juniper Networks.