
vARMOUR WHITE PAPER

How Deception Helps Level the Cybersecurity Playing Field

< 2016 vArmour Networks. All rights reserved / info@varmour.com / www.varmour.com >
Security teams for organizations big and small struggle to keep pace with the ever-advancing
tactics, techniques, and procedures (TTPs) of cyber criminals, opportunist hackers, and nation states.
As a result, security practitioners are left at a severe disadvantage always being on the defensive -
reactive rather than proactive. Compounding the situation are defense-in-depth strategies that stack
defensive technologies to parry individual attacks and too often ignore the strategic importance of
misleading, confusing, stalling, and frustrating adversaries.

Background

When comparing the goals and capabilities of attackers and defenders, it is a sobering reality that
defenders need to be successful 100% of the time, whereas attackers only need to be successful
once. The current playing field is dramatically imbalanced in favor of attackers. With technology
developments transitioning to business realities - including BYOD, virtualization, insider threats,
cloud computing, IoT, and dependency on third party partners - the attack surfaces available to
cyber criminals have been vastly expanded. At the same time, defenders have been challenged to
try and adapt legacy security tools and approaches to protect these ever more complex and
loosely defined infrastructures. The obvious perimeters of the previous decade have all but
dissolved and the steady release of next-gen perimeter defenses has been unsuccessful at
reestablishing these fading boundaries.

From the perspective of an attacker, infiltrating a target organization remains an easily
achievable stage of an attack. Whether by exploiting a vulnerability in an externally facing web
server, finding inroads via already compromised contractors or partners, or, most often, simply using
phishing to compromise an employee's laptop, gaining an initial foothold in the target
environment is not tremendously difficult. The somewhat clichéd statement that "there are two types
of companies - those that have been breached and those that have yet to discover they've been
breached" exists for this reason. It is a difficult truth that the new mindset for defenders is to assume
they've already been compromised, because they probably have been.

A Dramatic Imbalance Between Offense and Defense
Today's network defenders face a challenging situation: working from the assumption that they've
already been compromised, they're constantly searching for the attackers presumed to already be
moving through the network and data center. Sadly, the point products designed to detect
attackers are often woefully ineffective and frequently generate so many alerts that security
teams couldn't possibly review them all. A common strategy is to search as quickly as possible
to identify the active attackers before they reach the crown jewels of the organization and make
for the door. So, most security teams start two steps behind the attackers and have to catch up
before it's too late.

The truth about whether the playing field is currently level between attackers and defenders
can be found in the following statistics:

• The median amount of time attackers are able to operate undetected in a target
environment is 146 days. [1]
• The number of records compromised in breaches in 2015 was 153 million - a 128%
increase from 2014. [2]
• The percentage of breaches identified internally (as opposed to by third-party or law
enforcement notification) has been steadily declining and currently sits at roughly 10%. [3]
• Security budgets are expected to rise 24% in 2016. [4]
• The average cost of a breach is $4 million - an increase of 29% since 2013. [5]

Just about every available statistic on cybersecurity points to the fact that attackers are having a
pretty easy time achieving their goals. Though the statistics are dramatic, in order to begin to
make progress against them it is important to understand the underlying advantages attackers
enjoy that drive the statistics. Attackers leverage a variety of imbalances between themselves
and defenders during an attack. From the luxury of time to having a better understanding of the
target environment than defenders, attackers currently seem to have the advantage in nearly
every area of engagement.

[1] Mandiant. M-Trends 2016. Report, February 2016.
[2] Privacy Rights Clearinghouse. Data breach records. Web, accessed 6 June 2016.
[3] Verizon. 2016 Data Breach Investigations Report. Report, 2016.
[4] PwC. The Global State of Information Security Survey 2016. Report, 2016.
[5] Ponemon Institute. 2016 Cost of Data Breach Study. Report, June 2016.

Breach Timelines

The fact that the median time-to-discovery for a compromise is 146 days (and the majority of those
are identified by third parties) illustrates the tremendous challenge facing security teams today.
There are two major reasons for the difficulty experienced by those tasked with identifying
adversaries in their environments:

1. Creating effective detection systems is extremely challenging. With malware using
virtual machine detection to evade sandboxing and custom repacking of payloads to
evade AV and IDS/IPS, to name just two techniques, attackers are able to easily slip past
the perimeter detection technologies defenders use to protect their environments.

2. A lack of visibility into network traffic inside the environment prevents defenders from
applying even similar defenses to east-west communications (those communications
that do not cross the boundary of the network). Whether occurring on the same
subnet, VLAN, or hypervisor, the majority of network and data center communications
are not inspected or even logged. Attempts to address this challenge include
inspecting a sample of east-west traffic, inspecting only traffic on a subset of ports,
and/or service-chaining detection technologies using SDN or visibility fabrics.
Unfortunately, none of these approaches covers the entirety of network or data center
traffic in a scalable manner.

The net result of these factors is that attackers are able to take their time navigating the target
environment while defenders are constantly racing to catch up with and identify the intruder.

Environment Mapping
Once an attacker has infiltrated the perimeter of the target environment and has established
command & control communications, their first task is to begin mapping out the environment so
they can develop a strategy for progressing toward their objective. This mapping activity can
consist of several different techniques, including scanning the network, analysis of system logs on
the compromised machine, extracting previously used credentials on the compromised machine,
and reviewing any other data available to the attacker (e.g. engineering specifications or diagrams
of the network architecture). The attackers map of the target environment continues to expand as
they begin to move laterally throughout the network and data center toward their objective.

The unfortunate truth is that the attacker is able to rapidly build an understanding of the
environment that often exceeds that of the defending security teams. The large network and
data center environments today's security teams are responsible for, combined with the
introduction of virtualization and cloud technologies, make for architectures that are complex and
time-consuming to understand. The lack of visibility into east-west traffic flows also contributes
greatly to the challenge of understanding exactly how networks and data centers are architected
and operated.
As an attacker progresses toward their objective, they need only to map out the individual
pathways they will use to move through the environment and transmit the target data once
acquired. Defenders, on the other hand, need to understand the entirety of the network and data
center communications so that they can effectively guard against any and all uses of the
infrastructure by an attacker.

"Hence that general is skillful in attack whose opponent does not know what to defend; and he is
skillful in defense whose opponent does not know what to attack."

- Sun Tzu

Master Keys
In an organizations network and data center, admin credentials are the master keys to the
environment - the tools that provide access to nearly everything. As such, admin credentials are
highly sought after and prized pieces of data for attackers attempting to spread through a target
environment. They allow an attacker to progress their attack more rapidly and more stealthily than if
they were forced to rely on average user credentials and system vulnerabilities for movement.

Attackers know precisely which types of credentials will be useful or valuable to them, and
although defenders can identify the same types of credentials as desirable to attackers, they
are challenged to identify inappropriate or unexpected use of these accounts. These critical
credentials are inherently necessary for the continued operation of defenders' organizations and are
utilized regularly, if not constantly. This makes it extremely difficult to determine whether a particular
admin access event was the result of an attack or a legitimate operational need.

Diversionary Tactics
Understanding the pressures facing security teams, attackers are increasingly using diversionary
tactics to help facilitate their objectives. Particularly when the next stage of the attack requires an
activity that is expected to be noticed by defenders, attackers will cause a separate disruption to
distract security and operations teams from where the real attack is happening. For example, if the
attacker needs to exfiltrate a trove of data several gigabytes in size, they may be concerned that
such a large spike in outgoing traffic will raise alarms. In order to occupy security and operations
teams, they may levy a distributed denial-of-service attack against the target organization or
perhaps infect a few workloads with ransomware. While the defenders are consumed with
addressing the apparent crisis, the attacker is able to quietly exfiltrate the target data unnoticed.

Opposition Research
Prior to launching an attack against a target, attackers compile as much information as possible
about it. Org charts, externally-facing web services, physical office locations, references
to infrastructure or security products in use, and contracted third parties are but a few of the pieces
of information attackers will attempt to collect before even sending the first phishing email.

Defenders, on the other hand, are in a completely different position. Barraged by attackers of
various skill levels, different physical locations, and different objectives, determining exactly who is
attacking and why can be a complex task. When responding to individual attacks, defenders are
able to collect information about the TTPs used by a specific attacker, but this data is collected
reactively, leaving defenders once again playing catch-up to attackers. This lack of information
about attackers also makes it challenging for defenders wanting to share actionable threat
intelligence with other organizations.

"Every soldier knows this simple fact: If you don't know your enemy, you will not be able to defeat him."
- Tulsi Gabbard

Introduction to Network and Data Center Deception
As security teams have continued to deploy perimeter security solutions and reinforce their
defense-in-depth strategies, the number and severity of compromises and breaches have
continued to rise. The ease with which attackers circumvent perimeter defenses is the reason
defenders are forced to assume their environments have already been compromised and to begin
their efforts from there. However, identifying suspicious or malicious traffic in a sea of legitimate
traffic is no small task. This is one of the main reasons perimeter security solutions are unable to
fully protect organizations' IT infrastructures.

Traditional security solutions are all based on the idea of finding the needle in the haystack - finding
the attacker within the vast amount of legitimate network and data center traffic. Deception,
at its core, is the natural complement to those solutions. It is designed to trick attackers
into moving outside the realm of legitimate traffic - outside the haystack - so that they can be easily
identified and remediated.

Deception as an aspect of network and computer defense began to emerge at the very end of
the twentieth century. In 1997 the first publicly available honeypot, The Deception Toolkit (DTK),
was released by Fred Cohen. In the following years, DTK as well as other honeypots were
critical in capturing and analyzing computer worms that proliferated during that time. In
subsequent years, deception technologies continued to evolve, addressing as well as taking
advantage of developments in the fields of application design, virtualization, and networking.

The tactic of deceiving an adversary can take many forms inside a network or data center.
Generally, deception techniques consist of either creating the appearance of legitimate
networks, endpoints, or services that are never expected to be utilized other than by an
attacker, or inserting fake data records (credentials, log data, documents, payment details, etc.)
designed to lure attackers into collecting or using that data. In both of these scenarios, there is
no reason for a legitimate user to ever need to connect to or use this data, so at a minimum, any
interaction with these deceptions can be immediately classified as suspicious.

The possibility of tricking an adversary into grabbing the wrong files or accessing a machine that
will be useless to them can be amusing, but how can these tactics be leveraged to impact the
imbalance between attackers and defenders?

"The whole secret lies in confusing the enemy, so that he cannot fathom our real intent."
- Emperor Taizong of Tang

Rebalancing the Attacker-Defender Dynamic

Breach Timelines
There are two seemingly contradictory sides to impacting detection times: increasing the ability to
detect the attacker and extending the duration of the attack.

Increasing the detection capabilities of the defender is obviously a desirable proposition. The
challenge facing defenders is that most detection systems have very high false positive rates (the
share of alerts generated by legitimate behavior). Deception technologies address this
problem by creating tripwires that no legitimate user would ever have a reason to cross. Whether a
fake PDF file, a server, or an entire network range, once any interaction with the deception is observed,
there is a very high likelihood that the activity is illegitimate. The practical caveat is that the tripwire
only stays quiet if the organization's own vulnerability scanners, asset discovery jobs, and backup
agents are kept away from it or are known to the alerting logic; otherwise they become the new
source of noise.

The second aspect of addressing detection times may appear counterintuitive - it would seem that
the last thing a defender would want is to extend the duration of an attack. However, if an attacker
is currently undetected in an environment, the ability to slow the attacker's progress makes life
harder for the attacker while also increasing the opportunities for defenders to discover them.
For example, populating an unused subnet with a collection of seemingly high-value
endpoints can divert an attacker from the true crown jewels of the organization and buy the
defender additional time to detect, monitor, and plan a thorough remediation for the compromise.
To take it a step further, the deceptive subnet could be architected to have very slow and buggy
network performance (either real or synthesized), further slowing and frustrating the attacker.

Environment Mapping
Particularly in large and complex environments operated by equally large and complex
organizations, it is not surprising that a comprehensive understanding of the entire IT environment
is difficult to achieve, let alone keep up to date as the organization evolves. This is the challenge
facing defenders. Attackers on the other hand simply keep track of the aspects of the environment
they discover on their way toward their objective - a much more achievable mapping exercise.

To rebalance this dynamic, two approaches are needed: enable defenders to maintain an
understanding of their environments, and disrupt attackers' ability to create an accurate map
toward their objectives.

Defenders need to be able to maintain an accurate understanding of their environments, including
visibility into subnets, VLANs, and hypervisors. Without this, they are unable to fully understand the
traffic patterns and the nature of the traffic in their networks and data centers. They are also
significantly limited in their ability to investigate and fully remediate any identified compromises. To
address this challenge, organizations should invest in a visibility product that provides the
necessary transparency into their architectures and traffic flows.

To impair attackers' ability to build an effective environment map, deception techniques can
be leveraged. Two tactics are: 1) populating real systems with references to nonexistent or
fake endpoints, and 2) creating the false appearance of legitimate endpoints and networks.

By injecting references into real systems, attackers are given a false view of the environment.
Whether referencing nonexistent or fake authentication systems, code repositories, email servers,
or others, ensuring attackers do not have an accurate understanding of the environment slows the
attackers progress and increases detection opportunities.

Similarly, by creating the false appearance of legitimate endpoints and networks via spoofed ARP
responses, honeypots, service emulators, or other means, defenders are able to misdirect and stall
attackers probing the environment while simultaneously detecting their presence.

A coordinated combination of both approaches creates a strong misdirection and detection
mechanism that prevents the attacker from confidently progressing through the environment.
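As an added example (not code from vArmour or this paper), the following Python script shows the two tactics working together: a breadcrumb that points a credential or host harvester at a decoy name, and a detector that reads constructed flow-log lines, flags any traffic into a decoy-only subnet, and separates a subnet sweep (a scanner walking the range) from a targeted hit on a planted name (someone followed the breadcrumb, so the host it was planted on is compromised). The subnet, hostnames, scanner address, and log format are assumptions made for the demonstration.

```python
"""Decoy hosts plus breadcrumbs, and a detector for traffic that reaches them.

Added example, not vArmour's code.  The addresses, hostnames and flow-log
format below are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress
import re

# Unused subnet that hosts only decoys (hypothetical); nothing legitimate lives
# here, so any packet to it is worth a look.
DECOY_RANGE = ipaddress.ip_network("10.99.7.0/24")

# Planted decoys: the name is what the attacker finds on a real system
# (ssh config, README, hosts file); the address answers on the decoy subnet.
DECOY_HOSTS: Dict[str, str] = {
    "10.99.7.10": "vault-02.corp.example",     # referenced from ~/.ssh/config on admin laptops
    "10.99.7.11": "gitlab-old.corp.example",   # referenced from a README on a build server
    "10.99.7.12": "backup-nas.corp.example",   # referenced from /etc/hosts on a file server
}

# Sources allowed to touch the decoy subnet (e.g. the vulnerability scanner, hypothetical
# address); without this, every scheduled scan becomes a "sweep" alert.
KNOWN_SCANNERS = frozenset({"10.0.0.9"})


def ssh_config_breadcrumb(name: str, ip: str, user: str = "svc_backup") -> str:
    """Breadcrumb text to plant in ~/.ssh/config; a credential/host harvester
    that reads it is led to the decoy rather than to a real server."""
    return (f"Host {name}\n"
            f"    HostName {ip}\n"
            f"    User {user}\n"
            f"    IdentityFile ~/.ssh/id_{user}\n")


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    decoy_name: Optional[str]   # set only when dst is a planted decoy, not just the range


# Constructed flow-log line format: "<ts> <src>:<sport> -> <dst>:<dport> <action>"
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def decoy_hits(lines: List[str]) -> List[Hit]:
    """Every flow whose destination is inside the decoy subnet, minus known scanners."""
    hits = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        src, dst = m.group("src"), m.group("dst")
        if src in KNOWN_SCANNERS:
            continue
        if ipaddress.ip_address(dst) in DECOY_RANGE:
            hits.append(Hit(m.group("ts"), src, dst, int(m.group("dport")), DECOY_HOSTS.get(dst)))
    return hits


def classify(hits: List[Hit], sweep_threshold: int = 5) -> Dict[str, str]:
    """Per source: 'sweep' = many addresses in the decoy range (a scanner walking
    the subnet); 'targeted' = went straight to a planted name (followed a
    breadcrumb, which implies access to the host it was planted on);
    'stray' = a single touch of an unplanted address (investigate, possibly misconfig)."""
    by_src: Dict[str, List[Hit]] = defaultdict(list)
    for h in hits:
        by_src[h.src].append(h)
    verdicts = {}
    for src, hs in by_src.items():
        if len({h.dst for h in hs}) >= sweep_threshold:
            verdicts[src] = "sweep"
        elif any(h.decoy_name for h in hs):
            verdicts[src] = "targeted"
        else:
            verdicts[src] = "stray"
    return verdicts


# Constructed sample: normal traffic, a subnet sweep, a scheduled scanner run,
# and one host that followed the vault-02 breadcrumb.
SAMPLE_FLOWS = (
    ["2016-06-06T10:00:01Z 10.20.5.5:51000 -> 10.50.1.1:443 allow"]
    + [f"2016-06-06T10:02:{i:02d}Z 10.20.1.55:4{i:04d} -> 10.99.7.{i}:445 allow" for i in range(1, 9)]
    + [f"2016-06-06T11:00:{i:02d}Z 10.0.0.9:5{i:04d} -> 10.99.7.{i}:22 allow" for i in range(1, 9)]
    + ["2016-06-06T10:30:12Z 10.20.3.17:52210 -> 10.99.7.10:22 allow"]
)

if __name__ == "__main__":
    hits = decoy_hits(SAMPLE_FLOWS)
    for src, verdict in classify(hits).items():
        print(f"{src}: {verdict} ({sum(h.src == src for h in hits)} decoy flows)")
    print(ssh_config_breadcrumb("vault-02.corp.example", "10.99.7.10"))
```

Running the script prints one verdict per source. A sweep says only that someone is scanning; a targeted hit also tells you which planted breadcrumb was read, and therefore which real host to look at first.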

Master Keys
Given that attackers are keen to collect admin credentials, there is an opportunity to leverage this
desire to reveal the attacker's presence in the environment being defended. Legitimate admin
credentials are routinely utilized by the defending organization as part of its normal operations,
which makes detecting suspicious use or access a challenging proposition. However, if the
defender's environment is populated with additional credentials that appear to belong to
administrators but are not actually used for operating the organization, any access or use of these
credentials becomes an indicator of compromise. Two checks keep this tactic safe: the planted
credentials must not actually unlock anything (a disabled account, or a password that is simply
wrong), and the alert must come from the authentication service that sees the attempt - typically
the domain controllers - rather than only from the endpoint where the credential was planted, since
that endpoint is by assumption under the attacker's control.

Placement of the fabricated credentials is the critical aspect of this tactic. As most breaches begin
with attackers gaining a foothold on either an end user's machine or on a server with
externally-facing services, these are ideal places to plant fake credentials and trip up attackers as
early as possible.
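As an added example (not code from vArmour or this paper), here is a Python honey-credential tripwire: a planted artifact of the kind a credential harvester would find on a foothold host, and a detector over constructed Windows Security log events (logon, Kerberos ticket, and failure events as a domain controller would record them) that alerts on any attempt naming a planted account. Account names, hostnames, the artifact text, and the event records are assumptions; the field names follow the Windows Security log.

```python
"""Honey-credential tripwire over Windows Security events.

Added example, not vArmour's code.  Account names, the planted artifact and the
event records below are constructed; field names follow the Windows Security
log (EventID, TargetUserName, WorkstationName, IpAddress).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Planted accounts (hypothetical).  Each exists in the directory so that an
# attempt produces ordinary auth events, but is disabled, holds no group
# memberships and is never used for operations.
HONEY_ACCOUNTS = frozenset({"svc_backup_adm", "sqladmin_old", "da_helpdesk"})

# Logon success, logon failure, Kerberos TGT request, service-ticket request,
# Kerberos pre-auth failure.  Collected from domain controllers, not from the
# endpoint where the credential was planted.
AUTH_EVENT_IDS = {4624, 4625, 4768, 4769, 4771}

OUTCOME = {4624: "success", 4625: "failure", 4771: "failure",
           4768: "ticket request", 4769: "ticket request"}


def planted_artifact(account: str, target: str) -> str:
    """Text dropped on a foothold-likely host (user laptop, DMZ server) as a
    stale-looking backup script; the password is bogus by design."""
    return (f"REM legacy backup job - do not modify\n"
            f"net use \\\\{target}\\backup$ /user:CORP\\{account} Wint3r2015!\n"
            f"robocopy D:\\data \\\\{target}\\backup$ /MIR\n")


def normalize_account(raw: str) -> str:
    """CORP\\svc_backup_adm, svc_backup_adm@corp.example and Svc_Backup_Adm
    all name the same account."""
    return raw.rsplit("\\", 1)[-1].split("@", 1)[0].lower()


@dataclass
class Alert:
    time: str
    account: str
    event_id: int
    outcome: str
    severity: str
    src_host: str
    src_ip: str


def honey_alerts(events: Iterable[Dict]) -> List[Alert]:
    """Any auth event naming a honey account is an alert.  A *successful* logon
    is escalated: the account is disabled, so success means someone re-enabled
    it or the log source itself is compromised."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid not in AUTH_EVENT_IDS:
            continue
        acct = normalize_account(ev.get("TargetUserName", ""))
        if acct not in HONEY_ACCOUNTS:
            continue
        outcome = OUTCOME[eid]
        alerts.append(Alert(
            time=ev.get("TimeCreated", "?"),
            account=acct,
            event_id=eid,
            outcome=outcome,
            severity="critical" if outcome == "success" else "high",
            src_host=ev.get("WorkstationName") or "?",
            src_ip=ev.get("IpAddress") or "?",
        ))
    return alerts


# Constructed events: one normal logon, then a failed logon, a TGT request and
# a successful logon involving honey accounts, and an unrelated 4672.
SAMPLE_EVENTS = [
    {"TimeCreated": "2016-06-06T08:15:02Z", "EventID": 4624, "TargetUserName": "CORP\\jsmith",
     "WorkstationName": "WS-0112", "IpAddress": "10.20.3.17"},
    {"TimeCreated": "2016-06-06T09:41:10Z", "EventID": 4625, "TargetUserName": "CORP\\svc_backup_adm",
     "WorkstationName": "WS-0112", "IpAddress": "10.20.3.17"},
    {"TimeCreated": "2016-06-06T09:41:12Z", "EventID": 4768, "TargetUserName": "svc_backup_adm@CORP.EXAMPLE",
     "IpAddress": "::ffff:10.20.3.17"},
    {"TimeCreated": "2016-06-06T09:55:40Z", "EventID": 4624, "TargetUserName": "Sqladmin_Old",
     "WorkstationName": "SRV-DB01", "IpAddress": "10.30.0.21"},
    {"TimeCreated": "2016-06-06T09:55:41Z", "EventID": 4672, "TargetUserName": "CORP\\sqladmin_old"},
]

if __name__ == "__main__":
    print(planted_artifact("svc_backup_adm", "backup-nas"))
    for a in honey_alerts(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.time} {a.account} event {a.event_id} ({a.outcome}) "
              f"from {a.src_host}/{a.src_ip}")
```

Because the planted accounts are disabled, a successful logon (4624) is treated as more serious than a failure: it means the account was re-enabled or the log is being fed bad data, and both deserve an immediate look. Kerberos events carry the client address in the IpAddress field (often in the ::ffff: mapped form) and no workstation name, which is why the detector keeps both fields and tolerates either being absent.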

Diversionary Tactics
The ability to direct an adversary's attention is a powerful capability - for both attackers and
defenders. Attackers can redirect the attention of defenders by causing alarms to go off or
systems to go down; defenders are in a tougher position, but still have options.

Attackers are interested in assets that either help them to progress toward their objective or are the
objectives themselves. For example, domain controllers, password databases, and admin credentials
all help an attacker expand their footprint and further progress toward their objective. Customer and
payment databases, proprietary information, and email databases, on the other hand, are sought
after as objectives themselves - those assets that can be monetized or leveraged once exfiltrated. To
create a diversion to distract an attacker, defenders must create fabricated assets that appear to be
the ones the attacker is seeking. Access to any of these fake assets can immediately be assumed to
be suspicious and additional investigation can begin.

A similar approach is fairly common with externally-facing services. By creating fake, and often
deliberately vulnerable, services, defenders are able to identify attackers right as they attempt to
compromise the organization's perimeter. This approach has its benefits - particularly around
counter-reconnaissance and malware sample collection - but any service exposed to the chaos of the
internet is sure to receive a barrage of traffic that reduces the quality of the intelligence gathered.

"Never attempt to win by force what can be won by deception."
- Niccolò Machiavelli

Opposition Research

Understanding attacker motivations as well as their TTPs is critical for effectively defending against
their attacks. The data collected by defenders once a compromise has been identified can be
beneficial, however it suffers from two problems. First, once a compromise has been identified, it is
typically remediated as rapidly and thoroughly as possible so as to eliminate any potential risk to
the organization. This means reimaging or, in the case of virtual machines, simply deleting the
infected workload and spinning up a new copy. This prevents the potential for gathering additional
intelligence about the attackers, their motives, and their capabilities. The second problem is that far
too often defenders learn about a breach after the fact - frequently because their data is suddenly
available on the dark web. This means that attackers have already captured their objective and
have had ample opportunity to cover their tracks, eliminating the potential for effective intelligence
gathering.

By deploying deception solutions (fake endpoints, credentials, sensitive data, etc.), defenders are
able not only to achieve better detection of attacker activities, but also to gain insights into how a
particular attacker operates and what they're interested in. For example, the skill level of an
attacker who port scans an otherwise empty IP range is a far cry from that of the attacker who
dumps the admin credentials from a compromised laptop and uses them to navigate the network.

Arguably one of the biggest benefits of including deception as a layer in a defense-in-depth
strategy, if done properly, is that deceived attackers can safely be monitored and analyzed without
endangering the rest of the organization. This obviously requires a deception environment
(network, workloads, credentials, data) that holds the attacker's interest, as well as security controls
that can fully contain any communications outside the deception environment. Such intelligence
about the adversaries expending energy to compromise the environment is invaluable both for
fully responding to and remediating a compromise and for predicting future adversary behavior
so that future attacks can be prevented.

"Cunning is the art of concealing our own defects, and discovering the weaknesses of others."
- William Hazlitt

Conclusion

By all accounts, today's network defenders have their work cut out for them. As organizations
move more of their operations to the digital realm and attackers rapidly evolve their TTPs to
become more efficient, stealthy, and damaging, the current rate of breaches is unlikely to
subside. Most organizations have come a long way in developing their security maturity in the
past decade; however, the perimeter-centric, reactive postures of the past are proving woefully
insufficient against the speed and skill of today's adversaries. A more proactive approach to
security is needed.

The multitude of approaches an organization can take when venturing into a proactive deception
program provide a similarly wide array of benefits and gathered intelligence. There are significant
differences in the technical requirements for implementing different deception solutions, though
we are likely to see dramatic improvements in deployability and management as organizations
increasingly realize the need for proactive security measures.

As organizations continue to face off against attackers and cyber conflict continues to become
the new norm, if attackers fully understand and expect the reactive controls, tactics, and
responses of defenders, while defenders remain mired in a reactive-only posture, we should not
expect to see a change in the balance of capabilities between attackers and defenders. If,
however, defenders take a more proactive posture in their security strategies and begin
to engage with attackers in unexpected, unpredictable, and deceitful ways, the balance can
begin to swing back in favor of the defender. How far it swings is up to the ingenuity of today's
and tomorrow's security teams.

To learn more about vArmour, the company transforming how organizations protect their virtual and cloud
assets in a multi-cloud world, email info@varmour.com or visit www.varmour.com/contact-us .

