Using Deception to Complement the SOC

By George Finney

6 min read

In today’s world, we have SOCs, MSSPs, SIEMs and data lakes. We’re data hoarders, collecting as much information as possible so that in the event something happens, we can go back and investigate.

But all of this data also creates a ton of noise. We need to have the data in order to correlate events, but the complexities of managing SIEM tools along with the volume of false positives make it challenging to provide actionable intelligence. Alert fatigue is real, and with so much on the line in our digital world, how do we cope?

Modern deception technologies can help — by complementing the SOC automation with SOAR. Deception alerts create a much higher signal to noise ratio. By definition, the only alerts that a honeypot should generate are from malicious activity. When someone visits a fake ERP system, uses fake credentials, or tries to access a vulnerable endpoint that’s really a lure. These are all examples of malicious activity we’re monitoring in our SIEMs, but that can be a challenge for even the most sophisticated teams to catch. Deception simplifies this struggle.

From a red team perspective, one of the first things that attackers do is reconnaissance, learning about their target and finding weaknesses. This is a perfect opportunity to break the first link of the kill chain. Rather than being a “nice to have,” deception technologies can directly interfere with reconnaissance: either stopping it immediately or providing fake information to redirect attacks to where they can be contained.

Use Case 1: Shodan is like Google for finding potentially vulnerable devices on your network. Shodan scans the Internet searching for unpatched IoT devices. Defenders can use Shodan to help find devices that need patched, but attackers also use this as a service.

One approach to services like Shodan might be to automatically block any scanners if they trip a group of deception sensors in your environment. While Shodan has some well-known scanning IPs that can be blocked, there are other scanners that appear to rotate IP addresses. Other similar scanning services may use large volumes of IP addresses that scan at low rates, making blocking IPs outright a challenge. But this may be a first step in disrupting reconnaissance.

Another approach, rather than blocking scanning outright, is to purposefully deploy insecure services like Telnet or decoy vulnerable IoT devices that an attacker might find interesting. While a simple scan of these decoys might not set off an alarm, automated blocking can be put in place when an attacker connects to these devices and attempts to login using stolen credentials.

Use Case 2: CRT.SH is a site where you can search for publicly available certificates. This site is a great resource for finding services that might be interesting for an attacker. An attacker can use this site to quickly locate what services an organization is using without performing invasive scans. This can help identify interesting targets that an attacker might specialize in like vulnerable Oracle or SAP databases, for example.

Knowing that an attacker will use this data for reconnaissance, security teams can create certificates for false services that any normal user would never use. If an attacker harvests account credentials from another source, they might attempt to access these fake services with those credentials. Or these false services might themselves contain false credentials that can be configured to create alarms for the SOC if they’re used in conjunction with other services.

Greatest Military Thinkers

Deception technologies can create forged credentials or generate whole fraudulent Active Directory domains. They allow security teams to create deception networks in real time. These can be extended to the cloud, where security teams lack visibility. And they can waste an attacker’s time and lure threat actors away from where the important data really is.

Deception is a valuable way of validating identity, helps detect unexpected activity, and helps prevent malicious activity from occurring. But deception, by its very nature, means that we must embrace unpredictability. This, in turn, decreases the chances of becoming a victim of a cybercrime.

The Trojan Horse, the Quaker Gun, the Cuckoo’s Egg: history is full of examples of deception making the difference when it comes to conflict. Some of the greatest military thinkers like Sun Tsu or Machiavelli suggest that all conflict can be won by the side that employs deception most effectively. And to be successful, we need to make Deception a habit.

It’s About Habit

40-50% of all human behaviors are based on our habits. In my new book, Well Aware, I argue that there are nine different habits that have an impact on cybersecurity, and by far, the most effective technique to improve your security is deception. And when we master it as a habit, Deception feeds back into the other cybersecurity habits, like Literacy because we start to understand our adversaries, what their capabilities are, and what they are after.

One of the most powerful parts of deception is that, by understanding what our adversaries are after and what techniques they are using, we can improve faster than those threat actors. The Honeynet Project, founded in 1998 by Lance Spitzner, did exactly this with their Know Your Enemy series. The members of the original honeynet project went on to help shape many of the security technologies we have today because they understood the techniques and tactics that our adversaries were pursuing.

Final Note

Now I’ve said a ton about what deception technologies have to offer, but I want to note that there are also drawbacks. Some worry that honeypots may attract unwanted attention to your resources, or that an adversary once tricked could come back stronger later. To address this, deception technologies don’t have to be publicly accessible, and can instead be focused on insider threats.  

Relying on deception technologies alone means that you could miss attacks that haven’t tripped the alerts you’ve set up. Deception is not a replacement for other tools, and should be deployed after other basic security controls are already in place.

The most recent initiative to employ Deception to help organizations better defend themselves is MITRE Shield. MITRE Shield is a knowledge base in order to help organize and augment the MITRE ATT&CK framework. Organizations that are already using ATT&CK will find that Shield as a complimentary way of augmenting their security controls by using active defenses, which the Department of Defense defines as “the employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.” Deception technologies will play a role in many of these active defenses covered by MITRE Shield, and it will be interesting to see how things evolve.  

George Finney is the Chief Security Officer of Southern Methodist University and author of “Well Aware.” He has been in cybersecurity for 20 years and helped startups, global telecommunications firms, and nonprofits improve their security posture. He’s a member of the Board of Directors for Palo Alto Networks FUEL User Group.