Adopting Deception to Control the Attack Narrative
Smokescreen Technologies' Hidayatullah on Tools and Techniques to Get You Started
Deception technology requires skillful misdirection, and the decoys used - be they systems, files or credentials - all need to mimic real systems and pose a challenge to the attackers if they are to buy into the ploy. And the entry bar for organizations wanting to use deception is high in terms of security maturity. You need to have the basics in place before you think of deploying deception to your advantage.
In part one of this interview, Sahir Hidayatullah, CEO and co-founder at deception and active defense specialist Smokescreen Technologies, described the evolution and relevance of deception as one of the pillars of a modern defender's strategy. In this second part, he speaks about the tools and techniques you can use to get started, as well as some of the challenges you may encounter.
Hidayatullah advises using as many different types of deception as possible to detect potential attackers across the entire kill chain. "To start with, you deploy reconnaissance decoys, which are external and will only trigger when someone is doing targeted recon on you," he says. "For the exploitation phase and privilege escalation phase, you have decoy personas which attackers can try to spear phish and decoy credentials which will trigger upon use."
To detect lateral movement, you could project fake systems all over the network to catch attacker movement when those systems are hit. The final stage, data theft, can be actively covered by decoy documents and files that carry an internal tripwire, he says. If someone tries to access data they shouldn't, you get alerted, and you know for certain that this is malicious activity because you put the files there for them to find (see: xDedic: What to Do If Your RDP Server Was Pwned).
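As an added illustration, not code from the interview or from Smokescreen's product, the following detector ties decoy credentials, decoy hosts and decoy files to the kill-chain phases described above and flags any touch of them in log lines. The decoy names, addresses, paths and the three log formats are constructed for the example; the point it shows is that a decoy has no legitimate user, so every hit is an alert with no threshold or allow-list to tune.

```python
import re

# Constructed decoy inventory (hypothetical values). Each decoy is planted for
# one phase of the kill chain, matching the layering described in the interview.
DECOYS = {
    "credential": {"svc_backup_ro": "privilege escalation"},
    "host":       {"10.20.30.99": "lateral movement"},
    "file":       {"/shares/finance/board-deck-Q3.xlsx": "data theft"},
}

# Constructed log formats: authentication, network connection, file access.
PATTERNS = [
    ("credential", re.compile(r"^AUTH (?:OK|FAIL) user=(?P<key>\S+) src=(?P<src>\S+)")),
    ("host",       re.compile(r"^CONN src=(?P<src>\S+) dst=(?P<key>\S+):\d+")),
    ("file",       re.compile(r"^FILE (?:OPEN|READ) path=(?P<key>\S+) user=\S+ src=(?P<src>\S+)")),
]

def decoy_alerts(lines):
    """Return one alert per decoy touch: which decoy, which phase, from where.

    Real users never log on with a decoy credential, connect to a decoy host or
    open a decoy file, so a match is the whole detection; nothing else is needed.
    """
    alerts = []
    for line in lines:
        for kind, pattern in PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            phase = DECOYS[kind].get(m["key"])
            if phase is not None:
                alerts.append({"phase": phase, "kind": kind,
                               "decoy": m["key"], "src": m["src"]})
            break  # each line has exactly one format
    return alerts

def attack_narrative(alerts):
    """Distinct phases in order of first appearance: how far the intruder got."""
    return list(dict.fromkeys(a["phase"] for a in alerts))

# Constructed sample: one host trips all three decoys; legitimate lines are ignored.
SAMPLE_LOG = [
    "AUTH OK user=jsmith src=10.1.1.5",
    "AUTH FAIL user=svc_backup_ro src=10.1.1.42",
    "CONN src=10.1.1.42 dst=10.20.30.99:445",
    "CONN src=10.1.1.42 dst=10.20.30.5:443",
    "FILE OPEN path=/shares/finance/board-deck-Q3.xlsx user=svc_backup_ro src=10.1.1.42",
]

if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE_LOG):
        print(f"[{alert['phase']}] {alert['kind']} decoy {alert['decoy']} touched from {alert['src']}")
```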
While there are a number of free, open source honeypot projects available that you could tap into, none of them are really enterprise ready, says Hidayatullah. However, they do give you a good perspective on how deception can work for you. "The open source tools are very effective, but they require some tinkering in the lab and can't really be managed or monitored centrally," he says.
In this exclusive interview with ISMG, Hidayatullah discusses:
- Active defense and some of the ways you could get started;
- Examples of attacker behavior and how deception helped detect a malware-less attack;
- How redirecting and controlling attacker movement can give you the upper hand.
Hidayatullah is the CEO of Smokescreen Technologies, which focuses on detecting targeted hacker attacks before they cause business impact. He was one of India's first ethical hackers and is a serial entrepreneur. His companies have investigated many of the highest-profile data breaches in the country, with clients that include critical national infrastructure, global financial institutions and Fortune 500 companies.
You can listen to part one here: The Evolution of Deception Tech.