Dr. Georgianna Shea
The Transformative Cyber Innovation Lab (TCIL) at the Foundation for Defense of Democracies held a live exercise to demonstrate the usefulness of incorporating deceptive techniques alongside other cyber defense practices. The exercise demonstrated that a decoy account could assist cyber defenders by rapidly notifying them of unauthorized activity on their network. Normally, network defenders receive suspicious-activity alerts and initiate a time-consuming investigation to find the cause of the alert and determine whether it was a false positive or a true indication of unauthorized activity. Since a decoy account has no authorized user, defenders know immediately that any observed activity on the account is the work of hostile parties. By contrast, if the account had an authorized user, the defender would have to determine whether the alert was triggered by that user’s actions or by an unauthorized user who compromised the account. This in-depth investigation can be a very time-consuming process, and its conclusions may still be uncertain or false. A decoy eliminates the need for such an investigation.
Cyber defenders strive to make their organization a challenging target for attackers by implementing strong access-control practices and training staff to be wary of things such as phishing emails. However, no amount of defense can stop a determined, well-resourced adversary from finding a way in. Instead of exclusively focusing on how attackers penetrate their targets and implementing perimeter protections that will inevitably fail, network defenders should assume a breach will occur and prepare for it. One of the most common types of breaches entails using stolen credentials for a valid account to access the network. A critical advantage of a decoy account is that it removes the need to distinguish between legitimate and illicit uses of an existing account, since any observed use must be the result of an intrusion.
Consider an example in which defenders receive an alert of unusual activity on an account held by Smith, a hypothetical authorized user. The alert may be one of dozens the defenders receive on a given day. First, they have to decide whether they should investigate at all. If they proceed, they will have to determine whether the unusual activity indicates a breach. Meanwhile, the defenders also receive an alert of activity on an account held by Jones – except there is no Jones. The account is a decoy. The observation of any activity at all on that account indicates a breach. The defenders can initiate their response immediately.
Over the course of one week in June, TCIL partnered with the information technology and security vendors of a small nonprofit and the organization’s head of security to confirm the utility of using decoys as part of network defense. The test focused on that particular type of deceptive technique because it made sense based on how the organization understands its threat landscape. Still, different practices may be more applicable to other enterprises. TCIL’s conclusions about the utility of deception methods stand whether an organization chooses to deploy decoy accounts, decoy files, or an entire decoy network.
On average, it takes cyber defenders 150 days to detect an adversary in their network. By this time, an advanced adversary may have already established persistent access, exfiltrated files, or launched a disruptive ransomware attack. If the defenders lack adequate detection capabilities, advanced adversaries can live within compromised networks for months, if not years.
A principal cause of this challenge is that defensive cybersecurity tools detect large amounts of data from various sensors and generate hundreds or even thousands of events for analysts to triage as security incidents or false positives. Regardless of the automated cyber defense tools used, human operators are ultimately responsible for identifying and responding to an event. If the operator does not act, mistakenly classifies an event as a false positive, or does not see the incident because of the sheer volume of detected events, the intrusion will go undetected, and the malicious activity will continue.
In January 2021, FireEye found that 35 percent of network security operators ignore cyber alerts once they become overwhelmed by the volume of alerts generated. The study also found that 45 percent of all cyber alerts end up being false positives. This means that security analysts are not consistently understanding or responding to actual threats. However, the problem will not be solved by reconfiguring defense tools so that they generate fewer alerts. Adversaries have access to the same defense tools. They know what level of activity will trigger an alert, so they ensure their activity stays below that threshold.
Once defensive tools detect a predefined pattern of activity, a notification is sent to the network defender’s console for review. The defender has to determine the validity and priority of the alert. Ultimately, the decision regarding how to respond depends on the operator’s level of experience, knowledge of the system’s mission effects if compromised, understanding of the devices used to detect attackers, knowledge of what sorts of activity are normal, and situational awareness of operations that may be affecting the generation of false positives.
However, there is a way to shorten the detection time of a compromise and to ensure network defenders immediately recognize unauthorized activity as an actual breach. Militaries have used deception in warfare for thousands of years. By incorporating deception methods into cyber defense, security operators can clearly identify unauthorized activity within their perimeter.
The MITRE knowledge base for Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) outlines all of the known tactics and techniques adversaries use when conducting cyber operations. MITRE has observed and documented hackers routinely using the credentials of real accounts within a network to gain initial access, establish persistence, escalate privileges, enter and control remote systems (known as lateral movement), and evade detection. Valid-account use is the most effective technique hackers employ.
An effective defensive cyber operations team fuses its knowledge of the system under protection with a defensive strategy. Since it is impossible to prevent every attempted breach, the defense team should anticipate such an intrusion and have detection methods, such as decoy accounts, to help identify many MITRE ATT&CK tactics. In this environment, a little deception goes a long way.
Honey-Infused Defensive Operations
TCIL conducted a live exercise to demonstrate the utility of decoy accounts in quickly identifying high-priority threats within a network. TCIL worked with a small nonprofit organization with an outsourced security operations center to create and monitor a fake user account (also known as a honey account, canary account, or decoy account, depending on the specific attributes of the fake). When approached by TCIL, the organization agreed to participate because its industry peers have suffered significant breaches by foreign cyber operatives.
First, the defense team configured the detection tools to issue an alert if they detected any activity involving the phony account. Then, before the exercise began, the defense team conducted a series of tests to ensure identification and notification of activity on the fake account were configured and working correctly. The tests lasted two days. The results showed an error that prevented notification of some members of the defense team. The error highlighted the importance of carrying out tests after implementing any new tool or making configuration changes to existing tools. Otherwise, the operators may erroneously believe the tools are working, even though they are not.
“It did take initial time to plan and configure, but once it was working, we integrated it directly into our typical security operations process… We highly recommend deception techniques.”
– Co-Founder, Security Operations Company
Following the pre-exercise tests, for one week, the tester – playing the role of a malicious actor – attempted to gain access to the fake account to simulate an attacker trying to use the valid-account technique from the MITRE ATT&CK matrix. Since the exercise was a proof of concept, there was no need to access the account. Simply attempting to access it triggered the same high-priority alert to the defense team, while minimizing operational risk. Even though this was a controlled exercise, unauthorized access to any account presents a risk.
The tester randomly attempted to access the account 24 hours a day for a week without the knowledge of the cyber defenders. Once the sensors detected the access attempt, the defense team received an alert. If this had not been a test, the defense team would then have reported the incident to internal and external stakeholders according to the team’s response plan. However, since this was an exercise, the defense team simply acknowledged that they would initiate the incident response plan, without actually doing so. By detecting activity related to decoy accounts, the cyber defenders could quickly confirm unauthorized activity was taking place and initiate response actions without mistakenly dismissing the activity as normal.
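The two operational points in the exercise above, that a decoy account needs no signature because any event naming it is a true positive, and that the alert pipeline must be tested end to end before it is trusted, can be shown in code. The following is an added example, not code from the TCIL exercise or from the participating security vendor. It assumes a constructed key=value authentication log format, uses the article's hypothetical "jones" as the decoy account name, and the hosts and addresses in the sample lines are invented. It flags every event naming the decoy at high priority regardless of success or failure, and includes a pipeline self-check that reports which recipients did not receive a synthetic decoy alert, the class of misconfiguration the pre-exercise tests caught.

```python
"""Decoy-account detection over constructed authentication log lines.

Added example, not code from the TCIL exercise. The log format, the decoy
name "jones", hosts and addresses are all constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed: accounts with no authorized user. Any activity is a true positive.
DECOY_ACCOUNTS = {"jones"}

# Constructed log format: ISO timestamp, event type, then key=value fields.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\w+)\s+(?P<fields>.*)$")


@dataclass
class Alert:
    timestamp: str
    account: str
    event: str
    result: str
    source: str
    priority: str
    reason: str


def parse_line(line):
    """Parse one constructed auth log line into a dict; None if malformed or
    if the line carries no user field (nothing to match against a decoy)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "event": m.group("event")}
    for kv in m.group("fields").split():
        if "=" in kv:
            k, v = kv.split("=", 1)
            rec[k] = v
    return rec if "user" in rec else None


def classify(rec):
    """Return a HIGH-priority Alert for any event naming a decoy account.
    A failed logon counts just as much as a successful one: the attempt
    alone proves unauthorized activity, so no behavioural signature is needed."""
    user = rec["user"].lower()
    if user not in DECOY_ACCOUNTS:
        return None  # real account: goes to ordinary triage, not handled here
    return Alert(
        timestamp=rec["ts"], account=user, event=rec["event"],
        result=rec.get("result", "unknown"), source=rec.get("src", "unknown"),
        priority="HIGH",
        reason="activity on decoy account; no authorized user exists",
    )


def scan(lines):
    """Run the decoy rule over an iterable of log lines, in order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alert = classify(rec)
        if alert:
            alerts.append(alert)
    return alerts


class Notifier:
    """Fans an alert out to every on-call recipient and records deliveries.
    Recipients are callables taking an Alert and returning True on delivery."""
    def __init__(self, recipients):
        self.recipients = recipients
        self.delivered = {name: [] for name in recipients}

    def notify(self, alert):
        outcomes = {}
        for name, send in self.recipients.items():
            try:
                ok = bool(send(alert))
            except Exception:  # a failing channel must not hide the others
                ok = False
            if ok:
                self.delivered[name].append(alert)
            outcomes[name] = ok
        return outcomes


def verify_pipeline(notifier):
    """Pre-exercise check: inject a synthetic decoy event and return the
    sorted names of recipients who did NOT receive it (empty list = healthy).
    If detection itself fails, every recipient is reported as unreached."""
    test_line = "1970-01-01T00:00:00Z logon user=jones result=failure src=127.0.0.1 test=1"
    alerts = scan([test_line])
    if len(alerts) != 1:
        return sorted(notifier.recipients)
    outcomes = notifier.notify(alerts[0])
    return sorted(name for name, ok in outcomes.items() if not ok)


# Constructed sample log: a real user (smith), three decoy events, one junk line.
SAMPLE_LOG = [
    "2021-06-14T02:13:44Z logon user=smith result=success src=10.0.0.23",
    "2021-06-14T02:14:01Z logon user=smith result=failure src=10.0.0.23",
    "2021-06-14T03:07:52Z logon user=jones result=failure src=198.51.100.7",
    "2021-06-14T03:08:10Z logon user=JONES result=failure src=198.51.100.7",
    "2021-06-14T09:30:00Z pwchange user=jones result=success src=10.0.0.50",
    "garbage line with no structure",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.priority}] {a.timestamp} {a.event} {a.account} {a.result} from {a.source}")
    print("unreached recipients:", verify_pipeline(Notifier({"analyst": lambda a: True})))
```

Smith's failed logon produces nothing here because it needs the subjective triage the article describes; the three Jones events, including the failed attempts and the mixed-case spelling, are all high priority on the strength of the account name alone. In practice the recipient callables would wrap the team's paging or ticketing integrations, and `verify_pipeline` would be run after every configuration change, since a silently dropped channel looks identical to a quiet network.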
“The pilot brought to light some key areas we needed to delve into a bit more and reminded us to look into some areas we normally take for granted. A great exercise and one we all learned from… We plan on implementing several canary accounts and files to add to our defenses.”
– Vice President of Security, Nonprofit
Once the live exercise was complete, the defense team stated that it highly recommends using deception practices, and that it plans to expand the use of deception for the participating client and other clients. While the security operations company was aware of the principle of using decoys, the company had not previously deployed them. The defense team had considered deception to be an advanced capability used only by large organizations with sophisticated defensive systems.
“We will continue to use the deception method for additional alerting in our security operations process for [this nonprofit] and other clients. We will focus mostly on executive and high-profile accounts at first and adjust from there if we identify suspicious activity.”
– Co-Founder, Security Operations Company
Using the decoy account allowed the cyber defenders to identify the event as a priority incident without relying on more subjective analysis, which sometimes leads defenders to dismiss an event as a false positive. The decoy account also enabled identification without relying on the signatures programmed into detection tools triggered by known patterns of malicious activity. This is especially useful when adversaries find new techniques that may not have a corresponding signature in defensive detection tools.
Simply purchasing and deploying defensive tools has never been enough to counter advanced threats. After all, adversaries also have access to the same off-the-shelf tools and can craft attacks to circumvent detection or to blend in with normal traffic. Just as advanced adversaries develop attack strategies tailored to their targets, a sophisticated defense requires a strategy tailored to the organization and the systems it protects.
Dr. Georgianna Shea is the chief technologist of TCIL and the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.