Features 15.10.2024

Follow the Honey: How Cyber-Deception Can Help CISOs

The NCSC is building “a nation-scale evidence base” for cyber-deception

Phil Muncaster discovers that sometimes attack is the best form of defence

It often seems like threat actors hold all the aces. They have a readymade underground economy to trade data, malware, and know-how. When launching malicious campaigns, they can take advantage of pre-packaged services to do all the heavy lifting. They have a growing supply of AI tools to supercharge social engineering and other tasks. They also benefit from the element of surprise.

Yet cyber innovation works in two ways. By going on the front foot with deceptive tactics, techniques and procedures (TTPs), CISOs have an opportunity to wrest the initiative from their adversaries. That’s why the National Cyber Security Centre (NCSC) is looking to test the efficacy of such an approach in a new nation-scale study. The cybersecurity community will eagerly await its findings.

What is the NCSC project about?

Cyber-deception is beloved by cybersecurity vendors and insurers as a valuable way of gathering threat intelligence. Insurance firm Coalition’s London honeypots recorded 91 million threats over 28 days in January, for example, 85% of which were actors attempting to hijack remote desktop connections used by remote workers. Yet the same techniques could also be useful to network defenders.

That’s why the NCSC is building “a nation-scale evidence base” for cyber-deception. A summit of UK and international government and industry partners has already been convened to discuss the topic. And now it wants to see how such capabilities could slot into the second iteration of its wildly successful Active Cyber Defence (ACD) initiative. ACD is all about removing the low-hanging fruit for threat actors by enabling UK organisations to enhance their cyber resilience. Whether scanning for malware and vulnerabilities or checking compliance with DMARC, by offering these services free of charge, the NCSC is making cyber criminals work harder to achieve their goals.

Cyber-deception could do the same if run nationally. The NCSC wants to implement so-called ‘low-interaction solutions’ like digital tripwires and honeytokens, which raise the alarm when they detect an unauthorised presence. It also intends to install high-interaction honeypots which detect a wider variety of malicious TTPs and the capability and infrastructure behind them. These will be placed across the internet (IPv4 and IPv6), inside internal networks, and in cloud environments – with a plan to deploy at least two million honeytokens.

With the intelligence generated by these sensors, the NCSC hopes to better understand how effective such tactics are at discovering latent and new compromises and whether their presence at a national level forces changes in threat actor behaviour. But not everyone is convinced.

“This [project] is extremely tricky as it would require financial incentives for private companies to participate in this kind of initiative. They need to ensure that they will see some benefit,” BforeAI CISO, Dimitri Chichlo, tells Assured Intelligence. “My opinion is that a more interesting alternative would be to invest in technologies that almost systematically disrupt cyber attacks well before they reach their target.”

Pros and cons

However, cyber-deception is gaining traction among security providers, enterprises and other companies for several reasons. It surfaces insight into previously hidden attacker behaviours, which can be used to enhance cyber resilience. In so doing, it wastes attackers’ time and energy, increasing the cost of their efforts while drawing them away from genuine enterprise assets. Threat intelligence can be beneficial in neutralising attacks. Organisations can better understand the types of assets and data threat actors are after and the techniques they use to reach, compromise and steal those assets.

One report claims that organisations using deception tactics and techniques detect hackers on their network almost 12 times faster than they would otherwise. This, in turn, can reduce the cost of breaches. According to IBM, data breaches that took more than 200 days to identify and contain had the highest average cost at $5.46m (£4.1m) compared to those with lifecycles under 200 days. Costs for these longer breach lifecycles rose by more than 10% this year.

Security service providers and others can also use cyber-deception techniques to help keep customers safer. Insurer Coalition is a good example.

“The company regularly sees attackers try to exploit particular technologies, which helps to inform whether customers should be notified about security issues,” Coalition senior security researcher, Daniel Woods, tells Assured Intelligence. “For example, Coalition’s honeypots detected activity related to the MOVEit vulnerability as early as 2022, with a significant spike in mid-May 2023.”

He argues that cyber-deception is also helpful in increasing the cost of attacks on adversaries.

“Deception creates wild goose chases. This might look like threat actors wasting resources trying to compromise synthetic devices,” Woods says. “Alternatively, if defenders create vulnerable systems that store synthetic data, then threat actors must sift through exfiltrated data to identify whether it has valuable information, helping to deter them.”

However, there are some drawbacks.

“It might lead threat actors to increase their professionalism and manipulation capacities,” warns BforeAI’s Chichlo. “The attackers can use deception in turn, playing with their adversaries to trick them into believing false information, poison their analysis, and draw false conclusions that can be used against them. That would be a never-ending cat-and-mouse game.”

Coalition’s Woods adds that widespread deception deployment “could potentially force these actors to slow down and be more stealthy”.

The road to deception

For CISOs interested in setting up their own cyber-deception infrastructure, Cybereason VP and global field CISO Greg Day has a word of caution. While such tools can be valuable for threat hunting, adding them to an already stretched Security Operations Centre (SOC) is like “giving a new driver the keys to a semi-truck,” he tells Assured Intelligence.

“It seems logical that more information would be helpful, right? Not necessarily. Many organisations today are already overwhelmed by the sheer volume of security data from existing tools. This data is often unstructured, lacks context, and includes high false positives, making it hard for machines to process and even harder for humans to manage,” Day continues.

“As a result, most companies don’t have the resources to handle the data they already collect. Many lack the skilled personnel required to manage it, and by the time they address an issue, some of the data may have been deleted due to high storage costs.”

He argues that organisations should only consider cyber-deception once they’ve devised a more efficient way to filter and validate the security data they currently receive.

Coalition’s Woods has seen first-hand the challenges of data overload from honeypots.

“Extracting insight is akin to finding the needle in a haystack,” he says. “Coalition Security Labs, the company’s centre for research and innovation, is developing artificial intelligence solutions to help with this and sift through data.”

Yet others are more optimistic. Brian Jack, CISO at KnowBe4, tells Assured Intelligence that some cyber-deception capabilities can be deployed relatively easily.

“You can do this several ways; one being establishing real or virtual machines on your network or cloud infrastructure, and the other being to deploy files that can send an alert when accessed,” he explains.

“Disguise these systems and files with an enticing name and fake content, or even place an API key or credentials inside a document or as a file on one of these honeypot systems to an account with no permissions. You can then alert on any login attempts or usage of those credentials.”

Jack claims this is a “relatively low cost and high reward way” to get started with cyber-deception. As network defenders continue to toil as their adversaries profit, it may be time for something different.
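The decoy-credential approach Jack describes can be sketched in a few lines. This is an added example, not code from the article or from any organisation named in it: it mints a decoy API key, records where it was planted, and scans authentication logs for any use of it. The `ak_live_` key format, the log line layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Assumption: held only by the detection pipeline, never stored near a decoy.
DETECTOR_KEY = b"constructed-demo-key"
# Hypothetical key format: ak_live_<8 hex id>_<16 hex tag>
TOKEN_RE = re.compile(r"\bak_live_([0-9a-f]{8})_([0-9a-f]{16})\b")
SRC_RE = re.compile(r"\bsrc=(\S+)")


def _tag(token_id):
    """Keyed tag that lets the detector recognise its own decoys."""
    return hmac.new(DETECTOR_KEY, token_id.encode(), hashlib.sha256).hexdigest()[:16]


def mint_honeytoken(placement, registry):
    """Create a decoy API key and record where it was planted."""
    token_id = secrets.token_hex(4)
    registry[token_id] = placement
    return f"ak_live_{token_id}_{_tag(token_id)}"


def scan_auth_log(lines, registry):
    """Return one alert per presented key that is a genuine decoy."""
    alerts = []
    for line in lines:
        for token_id, tag in TOKEN_RE.findall(line):
            if not hmac.compare_digest(tag, _tag(token_id)):
                continue  # lookalike string, not one of ours: no alert
            src = SRC_RE.search(line)
            alerts.append({
                "token_id": token_id,
                "placement": registry.get(token_id, "unknown"),
                "source": src.group(1) if src else "unknown",
            })
    return alerts


if __name__ == "__main__":
    planted = {}
    key = mint_honeytoken("fileshare:/finance/vpn-credentials.docx", planted)
    sample = [  # constructed log lines
        f"2024-10-15T09:12:44Z api auth=DENY key={key} src=203.0.113.7",
        "2024-10-15T09:13:02Z api auth=DENY key=ak_live_deadbeef_0000000000000000 src=198.51.100.9",
        "2024-10-15T09:13:40Z api auth=OK user=alice src=192.0.2.10",
    ]
    for alert in scan_auth_log(sample, planted):
        print(alert)
```

Because the decoy account has no permissions and no legitimate user, each alert points to a specific planted file and source address rather than adding to the volume of unvalidated data.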

An ambitious cyber-deception project

The NCSC wants to deceive threat actors on a national scale with:

  • 5,000 instances on the UK internet of low and high-interaction solutions across IPv4 and IPv6
  • 20,000 cases of low-interaction solutions within internal networks
  • 200,000 low-interaction assets in cloud environments
  • Two million tokens deployed
