Deception as a disruptive action
By Sudarshan Pisupati, Principal Security Research Engineer at Zscaler
Deception engineering is the practice of deliberately misleading attackers. The term is modelled on detection engineering: in both disciplines, the defenders of a network use their knowledge of, and control over, their own IT environment to their advantage. Alongside writing detection rules for a specific type of attack or threat technique, security researchers lay traps and diversions for the adversary. To do this well, practitioners must know the attackers' tactics, techniques and procedures (TTPs) in detail, because a trap only works if it sits on the path the attacker will actually take.
The researchers of Zscaler Inc.'s ThreatLabZ team define the term as follows: deception engineering is the process of building, testing and deploying deception-based security measures within the organization in order to disrupt the adversary's actions and playbooks. It lets IT teams extend their incident-detection coverage by steering attackers toward behaviour that reveals them. The appeal of the approach lies in its simplicity: the team places baits (honeypots) in its own environment and monitors every connection to them. An attacker who takes the bait is diverted away from the real assets and, because no legitimate user has any reason to touch a bait, exposes their presence in the network.
The deception engineering process is based on the following steps:
- Defining a critical use case for the organization
- Predicting the steps of a likely attack path from knowledge of the attackers' techniques and tactics
- Analysing where along that path deception is possible, and laying out the bait
- Collecting analysis data by observing attempts to interact with the bait
- Drawing conclusions for the organization's overall IT security strategy from the data obtained
- Deploying deception engineering capabilities as a counterstrike, without disrupting daily operations
Deceptive maneuvers against the GPP attacks of the Conti ransomware group
A concrete application of deception engineering is misleading attackers who hunt for Group Policy Preferences (GPP) saved passwords. The GPP saved-password problem has been known for almost a decade: Microsoft removed the ability to set passwords this way in MS14-025 (2014), but the patch did not clean up policy files that already existed. The feature allowed Active Directory administrators to manage local administrator passwords through Group Policy. The XML file that holds the policy configuration (for example Groups.xml in the policy's folder on the SYSVOL share) also stores the password for the local account, AES-encrypted in its cpassword attribute. SYSVOL is readable by every authenticated domain user and Microsoft published the encryption key in its own documentation, so any domain user, regardless of their own permissions, can search SYSVOL for such files, decrypt the password and gain administrator access to every computer the policy applies to. The Conti ransomware group in particular is known to have used this GPP password extraction as an important part of its tooling, as its playbook shows. A defender can therefore plant a decoy policy file containing a fabricated cpassword value: an attacker who finds it while searching for this target reveals their presence, and the IT team can take defensive measures.
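As an added example that is not part of the original article or of Zscaler's tooling, the PowerShell below builds such a decoy and looks for reads of it. It shows why the decoy has to be encrypted with the real, publicly documented GPP key (otherwise attacker tooling such as Get-GPPPassword fails to decrypt it and the bait is obviously fake), and it shows one way to catch the read: SYSVOL is an SMB share, so on a domain controller with "Audit Detailed File Share" enabled every access to the file produces Security event 5145 with the relative path. The SYSVOL path, the policy GUID, the account name and the password in the usage lines are placeholders to be replaced; running it against a live domain requires domain admin rights.

```powershell
# Added example (not from the original article): build a decoy Group Policy
# Preferences file whose cpassword decrypts to a fabricated password, and look
# for reads of that file in the Security log of a domain controller.
# Assumptions: run on a DC as a domain admin; "Audit Detailed File Share" is
# enabled so event 5145 is logged; all paths and names below are placeholders.

# The 32-byte AES key Microsoft published for GPP cpassword values (MS-GPPREF 2.2.1.1.4).
# Because it is public, every cpassword in SYSVOL is effectively plaintext.
$GppKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                   0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppAes {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key     = $GppKey
    $aes.IV      = New-Object byte[] 16          # all-zero IV, as the spec prescribes
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    return $aes
}

function ConvertTo-GppCPassword([string]$Password) {
    # Plaintext is UTF-16LE; the output is base64 with the '=' padding stripped,
    # exactly as GPP wrote it, so attacker tooling decrypts the decoy cleanly.
    $aes   = New-GppAes
    $plain = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $enc   = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    return [Convert]::ToBase64String($enc).TrimEnd('=')
}

function ConvertFrom-GppCPassword([string]$CPassword) {
    # What Get-GPPPassword / gpp-decrypt do: restore padding, decrypt, decode.
    # Also handy for auditing your real SYSVOL for live cpassword values.
    $padded = $CPassword + ('=' * ((4 - $CPassword.Length % 4) % 4))
    $aes    = New-GppAes
    $cipher = [Convert]::FromBase64String($padded)
    $plain  = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    return [System.Text.Encoding]::Unicode.GetString($plain)
}

function New-GppDecoyGroupsXml {
    param(
        [string]$Path,           # <SYSVOL>\Policies\{GUID}\Machine\Preferences\Groups\Groups.xml
        [string]$DecoyUser,      # a local admin name that exists nowhere in the estate
        [string]$DecoyPassword
    )
    $cpassword = ConvertTo-GppCPassword $DecoyPassword
    $uid   = "{$(([guid]::NewGuid()).ToString().ToUpper())}"
    $stamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
    # Same element layout and class IDs as a genuine Groups.xml, so scanners match it.
    $xml = @"
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="$DecoyUser" image="2" changed="$stamp" uid="$uid">
    <Properties action="U" newName="" fullName="" description="" cpassword="$cpassword" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" subAuthority="" userName="$DecoyUser"/>
  </User>
</Groups>
"@
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Set-Content -Path $Path -Value $xml -Encoding UTF8
    return $cpassword
}

function Get-GppDecoyReads {
    # Event 5145 records each SYSVOL file access with the relative share path.
    # Nothing legitimate reads a GPO that is linked nowhere, so every hit is an alert.
    param([string]$PolicyGuid, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145; StartTime = (Get-Date).AddHours(-$Hours) } |
        Where-Object { $_.Message -like "*$PolicyGuid*Groups.xml*" } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}; foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Source = $d.IpAddress
                Target = $d.RelativeTargetName
            }
        }
}

# Usage (placeholder values): write the decoy, check it round-trips through the
# attacker's decryption routine, then poll for reads of the decoy policy folder.
# $cp = New-GppDecoyGroupsXml -Path 'C:\Windows\SYSVOL\sysvol\corp.example\Policies\{11111111-2222-3333-4444-555555555555}\Machine\Preferences\Groups\Groups.xml' -DecoyUser 'svc_lapsadmin' -DecoyPassword 'Winter2021!'
# ConvertFrom-GppCPassword $cp
# Get-GppDecoyReads -PolicyGuid '{11111111-2222-3333-4444-555555555555}'
```

Two practical points. First, create the decoy as a real GPO object that is linked to no OU (or to an empty one): the folder then has the normal SYSVOL permissions, every authenticated user can read it, and Group Policy processing on clients never touches it, so the 5145 filter above stays quiet until someone crawls Policies\* the way Get-GPPPassword does. Second, choose a decoy account name that exists nowhere and alert on it independently (failed logons with that name in events 4625 or 4776): an attacker who decrypts the bait will usually try the credential for lateral movement, which gives a second, even cheaper signal.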
Deception engineering gives defenders a simple and elegant way to control, to a degree, the activities and paths of attackers in their network. Because no legitimate user has a reason to touch a bait, alerts raised by it produce far fewer false alarms than generic detections, and critical parts of the network are better protected because attackers can be diverted away from them. The deceptions also act as a counterstrike: an attacker who takes a honeypot is identified immediately and can be contained.