Right Size Security – Episode 3: Deception Technology


In this episode of Right Size Security, Steve and Simon discuss deception technology. Why do you want it? What are the cost benefits to it, and what would you consider about it ahead of other projects?


Welcome to Right Size Security, the podcast where we discuss all manner of infosec, from enterprise security to practical security every business can use, all the way to end-user security. Your hosts for Right Size Security are me, Simon Gibson, longtime CISO, and me, Steve Ginsberg, former head of operations and CIO. For this episode of Right Size Security, we're gonna discuss deception technology, what it is and how it evolves, and we'll look at it from a CISO's perspective. Why do you want it? What are the cost benefits to it, and what would you consider about it ahead of other projects? And we're going to have a chance to discuss it with a CIO and get their perspective, including their concerns.


Simon Gibson: All right, welcome back. Thanks for tuning in. We usually start off with the current events, but they sort of have evolved beyond just being current events; they're more just events that are kind of topical things that happened, maybe wisdom. I don't know what we should call this section, but it isn't just current events. You had a couple of ideas, Steve...

Steve Ginsberg: Sure. So I thought maybe this week we would talk a little bit about... I'd seen a piece on human factors research with automobiles, and it's kind of a very interesting study, I think, where, in order to make the car respond better, they're actually putting sensors in the car, looking at what the driver is doing: is the driver distracted? Where are their eyes focused? That kind of thing. So the car could react with that context in mind, and it just reminded me of that kind of greater issue of security and privacy. So, if auto manufacturers are going to move forward and have all that information, in addition to the other information they have, you know, it really expands the palette, and it reminded me too also that there's that whole issue of security and privacy, and maybe you want to talk a little bit about your take on that line, because I know when, you know, we were talking about security programs, sometimes I or others would conflate the two.

Simon Gibson: Yeah, I know some privacy experts, real privacy experts, and the difference is that, you know, I am nowhere near qualified to explain what real privacy is. I can tell you what security is, and then you can use that as a guide to know that this, he's not talking about privacy, because this is just truly about security, you know. I think somebody said "privacy is the new liberty," and, you know, the thing about privacy I think that sticks with me the most when I consider privacy concerns around infosec, it has to do with, you know, pieces of data that may not seem important now but in their totality can somehow be used in a way that could be malicious, you know? And I think there's a bunch of stories about IBM and the first census that was ever taken, that census in the early nineteen hundreds, which nobody thought was a big deal in Europe until Hitler came along and said, "Oh, who put Jewish on the census?" And that was one of the concerns, right? At the time that wasn't a problem, and it just turned out to be one, and I think when people consider giving up information they say, "I don't have anything to worry about, you know, let him read my e-mail, I don't have anything." You don't have anything right now; you don't know where that's going to be in five years and what the totality of that is with everything.

Steve Ginsberg: Yeah, it's interesting how the context can change. And then I think, you know, when I think a little bit about it: information can be secure, but if the privacy is being shared then it's not, and information can be kept private, but if it's not secure and it's leaking out then it won't be private for long.

Simon Gibson: Yeah, yeah. And true, and atomic pieces of information on their own may not give you anything, but enough, you know, you can sort of extrapolate enough with a few keywords. I think I read that if you know a birth date and a zip code you can almost certainly put together who that person is, just from several small pieces of information.

Steve Ginsberg: Interesting. It's enough, right, that that combination is just not going to be common.

Simon Gibson: Yeah. Yeah. So there is, there's a whole discipline of data deduplication. I think it's got an academic name to it too, and people have whole PhDs in it and stuff. But I know that from a security and privacy factor, though, you know, the car was an interesting one. I just read about a pizza company called, I think it's Zoomi, and I hope I got the name right; they basically look where humans are and order pizza from, using different types of data and where cars go by, and they park trucks, robots make the pizza when you order it on the app, and then cars show up and pick up the pizzas and deliver them, whether they're like Ubers or Lyfts or whatever, and they just place these robot, you know, pizza-making trucks in strategic locations where they know people are.

Steve Ginsberg: That's cool. It's like a regional program, essentially. Right.

Simon Gibson: Yeah, yeah. So they can just get the pizzas closest to the, you know, it's really a question of that, like, last mile, but it's like the last few blocks problem.

All right. So let's get on to deception technology, what it is and how did it evolve, on Right Size Security. First let's discuss this technology. You know, what is it? And I have some experience with it; in fact, the GigaOm podcast you're listening to will link to the landscape paper that we're doing about it, so we're talking to six or something, five or six companies that sell deception technology, and what it really is sort of arose from honeypots, which, you know, I think we were talking earlier, Steve, you know, the philosophy was this is a simple machine that you deploy in your network and no one ever logs into it, and if anyone does, there's a problem on your network, because no one should be getting onto that machine. And so deception technology started out as, you know, philosophically, can we deploy machines around our network using, you know, the same theory that no one should be logging into it. And I think that also came from companies that were breached and they had active attacks on the network and they didn't want to stop it immediately. They wanted to kind of watch and see what the attackers were doing to figure out who they were and get some attribution. And so they deployed machines that had no purpose other than to get the attackers on and then, from there, watch their behavior. So I think that that was kind of the combination.

Steve Ginsberg: Yeah, that's really interesting. So it's not just a decoy; you can also use it to basically extend out the attack while you've cleaned it off the machines that are important.

Simon Gibson: Exactly, and this is a really sort of interesting, you know, sort of part of information security: when you deploy a countermeasure against an attack, you've now demonstrated to the attacker that not only do you see them, but you've just demonstrated some of your capabilities, and, you know, a smart attacker, you know, will eventually start to probe you for your capabilities, or what you can and can't do. So it's sort of, if you see an attack, it isn't always necessarily the best thing to stop it right at once. You want to think about what corner you're painting the attacker into.

Steve Ginsberg: Right, and in terms of sort of showing your cards, that could go either way. Like, on the one hand, if you show a card that you might want to play later, you might not be able to play it later; on the other hand, maybe, as we've talked about in the past, attackers look at kind of the value of the attack versus the effort to gain. If they see a lot of measures, defensive measures, they might consider you a less easy place to stay and attack.

Simon Gibson: And hopefully, you know, you're listening to this and you have that capability. But for sure, if you don't, you might just be, you know, opening yourself up for more. Right. When you deploy one, a simple block of an IP address or something, well, you know, it's easy enough for them to come back if there are lots of back doors that you may not have capabilities to defend against. Now I've definitely had to make that decision before: do we block this or do we not block this? If we're getting probed, but if we block it we show we know we're getting probed, and we sort of tip our hand that we're watching this. We're still building out some capabilities; I don't want to do that for another month or two until we have the capabilities to really defend against it. So it definitely should be part of your decision process. I think the important differentiation, and I feel that I've heard this from other people too, is: well, what's the difference between a honeypot and this deception technology? And really a lot of that is in the deployment. You know, it's really in how the deception technology is able to connect into your network and, through reading packet data and net flows and looking at communication flows, start to figure out what segments have servers on them and what segments have endpoints, that kind of stuff.

Steve Ginsberg: So for someone who's rolling this out how do they get started? How would they go through that?

Simon Gibson: You know a lot of the deployment is getting a configuration and a baseline and it's you know I think for the most part these things deploy as OVAs or as cloud instances and you know they need network traffic. So there's some sort of a sensor or a tap or span and it's looking at flows in packets on your ingress and egress and then on subnets ideally server subnets. And it starts to understand you know this is a range of IPs and there's five domain controllers and so violent print this is a segment that has web servers, this is a segment that has you know code repositories, whatever your environment looks like. And the technology after sort of watching your network for a few hours, comes back and says well here's what I think you ought to deploy in a virtual sense, and maybe it's you know four domain controllers, four web servers and different segments a couple of you know code repositories, different conduits to SAS stuff you know VPNs to AWS, those kinds of things. It does an analysis and then it comes back and it tells you what segment a machine should go on.

Steve Ginsberg: That's really cool, so then you kind of go through the interactive interface at some level and sort of pick and choose where you want to deploy these false agents, if you will.

Simon Gibson: Yeah, these decoys. Yeah, exactly, and it's just a matter of cabling this head end on to a VLAN that makes sense, and then just virtual IPs get assigned to it. You can either obviously configure it manually, or you can probably just get DHCP, and it comes up and it looks and smells and feels like a domain controller or a web machine. And another nice kind of, you know, again for companies thinking about this kind of thing: once all this starts to happen, generally these vendors also have interactive sort of built-in, sort of threat technology, or, you know, they're looking at your traffic, they have a ton of other customers and they have threat intelligence, and they're kind of bumping up what your traffic is doing with other ones, and so there's another layer in this sort of threat intel world.

Steve Ginsberg: So you can leverage that anonymous share, where you're getting intelligence about what other things could be in play at the time, or at least types of signature.

Simon Gibson: Exactly. Yeah. We actually heard a really good story about a company that had this technology deployed, and all of a sudden one of the decoy hosts began beaconing out to an IP address. They checked the IP address; it had no reputation score, none positive or negative, it just was an IP on the Internet, and they looked at the decoy machine and saw clearly this was malware and this was obviously C2 communication. And when they took the IP address and dropped it in the rest of their firewall and proxy logs, they found 35 other machines also bound for this C2. So it did really prove itself out; it found, you know, it found some malware and an IP address. And I think there's always this assumption that, you know, for security you can just block the bad parts of the Internet and then everything is fine, and, you know, as we were kind of getting ready for this, the problem is that (a) it's just so vast. You probably can speak to the vastness of it.

Steve Ginsberg: The internet is large.

Simon Gibson: It's humongous, and the Internet is evolving. You know, what's good today may be bad tomorrow. And, you know, what's bad today may be good tomorrow.

Steve Ginsberg: Yeah. I mean, a perfect example of that is, you know, at least the early instinct would be, you know, there's enough attacks coming from certain regions in the world that you might say, well, maybe we should block all traffic to that region, for example, at that level. And then you realize, well, you have employees who are international folks; they may be reading news there or have family there. So, you know, at the very beginning that falls apart, for example.

Simon Gibson: Oh yeah, for sure. I mean, yes, it could be doing business, it could be, like you said, it could be family stuff. It's just, you know, it's very difficult to just make arbitrary sort of decisions about what you allow and don't allow unless something is proven bad. The problem there, though, is that those things that are bad can become good again. So we had an issue with a site that issued financial data about, you know, different banks, and it had malware in a directory and we had to block it, and people were yelling, "We need to get this information to do our jobs," and we said, "We know there's malware, we can't let you go off the corporate network." We actually couldn't tell them at the time why we knew, because we got it off of a mailing list; we got this sort of intel kind of quietly, and when it did make the news, which it did, it actually ended up kind of being a big news story. When it did actually get into the news we were able to sort of explain it, but it's really difficult when you have people just trying to get their jobs done to say you can't go somewhere; you know, people want to know.

Steve Ginsberg: Right. So you'd be better off navigating the traffic with a more fine-tooth comb: this is the traffic I can allow and should allow and want to allow, and this is the traffic I really... Based on the flows themselves, not greater.

Simon Gibson: And my sense is this technology is trying to sort of help you vet that out, and, you know, I think there are, you know, there are plenty of concerns. I think I certainly had the concern of, you know, just complicated networks being complicated enough without adding stuff that isn't real to them. You know, that for me was always one of my bigger concerns: that we have enough trouble keeping known machines up and running and healthy.

Steve Ginsberg: Right. It seems like there could be a decent amount of kind of operational impact for this. So our systems administrator is gonna be patching these new instances, and probably they should, right, if they're up and running, but can they take on that? Is our network administrator gonna be able to deal with the additional traffic there?

Simon Gibson: Yeah, and I think that is one of the differentiators in this technology from honeypots: that these consoles, the sort of controlling apparatus for the deception technology, sort of manage all that, so you don't need to put them in your monitoring and you don't need to patch them. I think that they keep the VMs at a state that they ought to be at; part of the reason you buy this technology is so that your team doesn't have to manage those decoy hosts.

Steve Ginsberg: What platforms do they run? Are they Windows, Linux, Mac?

Simon Gibson: They're all of the above, and so they can be sort of any version of RHEL, or, you know, it could be any version of Linux, it could be any version of Windows, it could be.

Steve Ginsberg: And do you think some of these companies provide those as images, where they're basically running their own full build systems for them, so they are fully maintained images, or?

Simon Gibson: So I think the point of the host is that if somebody logs into them, they're convincing enough that they're going to want to try and drop some malware and see if the malware will run, and I'm sure that that is just as much an arms race as were detonation chambers: when malware would see a detonation chamber, it could tell that it was in a VM and it wouldn't launch. So I'm sure that there is that same type of problem. And, you know, again, it isn't always VMs. There are definitely instances of this technology that deploy as full systems. So it's a machine, but it's running a full OS. And then, I mean, keeping the patch from - the goal is that no one's logging into them and no one's doing anything on them unless it's something bad. So there's probably a, you know, if I look at most organizations there's usually, you know, anywhere between a couple of months and a couple of years lag on patches between running systems.

Steve Ginsberg: Right. And I guess, given their purpose to be the low-hanging fruit, it's maybe OK if their patch level is lower in a lot of cases.

Simon Gibson: Yeah probably.

Steve Ginsberg: It's actually OK if someone attacks in there. That's kind of their purpose.

Simon Gibson: Yeah. And it's running and listening on stuff on more ports, and, you know, it's accepting, you know, challenge-response authentication, you know what I mean, it's running stuff that would look attractive. You know, I think there's the other point of that too, which is getting people onto them. That's another sort of differentiator in this technology, which is that the machines that are accessing legitimate systems all have information about those legitimate systems on them: there's all sorts of artifacts about the domain controller and who has logged in and what passwords are in memory and what's in the registry about the domain and, you know, what the printers are and all those sorts of things. So this technology also leverages the ability to deploy what they call breadcrumbs on endpoint systems, so that if you manage to get your machine client-sided somehow, you know, you go to a website or you open a doc and you end up client-sided, when the attackers are analyzing your machine to go figure out where the good stuff is in the network, this technology will help point the attacker to these decoy machines.

Steve Ginsberg: Yeah. That's really interesting. So it really could be a big time sink for an attacker, where not only are they, at the first level, breaking into the wrong machines, essentially the ones that the enterprise wants them to break into as most of the important ones, but then there can be a second level, as you're saying, which is then they're pointed to a domain controller which also isn't the prized domain controller; it's also an official decoy, essentially.

Simon Gibson: Yeah. And the goal is that as soon as you start to see that traffic, and again in our example of the customer that, you know, found the C2 IP address beaconing from a decoy that was clearly, you know, running malware, and then found legitimate infections throughout their network. And I think that's really where these guys are trying to add some value. I think where a honeypot was a single machine you deploy, or a couple of machines you deploy for research, and there's a few different kinds of ways of thinking about honeypot technology, just plain simple let it stand, there's ones where you're just trying to get research, ones where you're trying to collect artifacts when you want to see what exactly people are doing and how long can you keep them there. I think this technology just is sort of, it's the natural evolution of it.

Steve Ginsberg: That's really cool. In addition to operational impact, are there other risks that you view associated with this?

Simon Gibson: We sort of talked earlier a little bit about the concern that if you start deploying tech capabilities you move your attacker around, and this is one of those where, if you have a bunch of machines that look like they're not patched, listening on things, are there sharks in the water and you're throwing chum in it, like, is that... Is that a risk you're taking by suddenly making yourself look more attractive to these attackers? Because now, you know, an overzealous administrator maybe opens a firewall port on a DMZ, and just, you know, can we get anybody on these machines? Or maybe it's just, you know, a subnet of machines that would have been patched and running perfectly happy, and somebody scans that subnet and one of these machines pops up, and an attacker that may have decided not to attack sees these things and now you've sort of lured them in. So I suppose that's a risk; I think you want to be careful with that.

Steve Ginsberg: Right, there's a little careful-what-you-wish-for in that regard.

Simon Gibson: Yeah, yeah, that's right. That's a good way to put it.

Steve Ginsberg: So how does this fit into an existing program? You know, it seems like you've got topics about integration and interaction with other things. One question I would have would be: how does it interact with a bug bounty program, for example?

Simon Gibson: That's a great question. That would actually be, I think, really super difficult, to try and spread those two apart. I think, you know, for the most part the bug bounty programs I've seen are around specific applications; they're application-centric, a web app or, you know, an embedded app or something like that. If you are doing a bug bounty program on a LAN with decoys, you definitely have to put those out of scope, I think, because it would be just mayhem. I do think, though, you know, in terms of, like, a strain and additional sort of time and work to run these things, I think the technology, apart from the deployment of the breadcrumbs on the user endpoints, this technology is very sort of benign. It's very kind of, it runs alongside, it's not super in line. And yes, you look at packets, maybe on ingress and egress. I think you could probably do those just as well off of the span or a tap. You don't necessarily need to be in line. So I think there's a pretty, for the potential benefit of this, it's pretty low touch and pretty safe. Again, you know, when you're pushing stuff to endpoints and changing registry settings and maybe even logging into endpoints to leave credentials in memory, those things you probably need a certain level of skill and expertise. But I do know that these vendors are aware of that and they're working to make that as easy as possible. I think that two things stood out for me. One of them is definitely that question that boards ask all the time of the CISO, and if you're the CISO and you've ever been to the board, one of the first things you always get is, "Are we secure?" And that's, you know, you can't say no, because, you know, we're not, you know, there's problems, but you gotta, you gotta say something, because you're the CISO, it's your job. You know, like if you're a fireman and somebody asks you, "Did the building burn down?", you've got to say, well, you know, you have to have an answer, right?
And I think the problem with that is it's the wrong question. "Is it always secure?" isn't asking the right question, and, you know, the right question for boards is: what are we doing about our security? What are our top five risks? You know, how much are we spending on it? Do we have the right people? Do we have the right technology? Are we measuring them right? How are we reporting on it? These are always going to be risks, and I think that perhaps this technology can help answer that, because you can say empirically, "I'm measuring all these things," I'm measuring, like, I know this is, we have these five risks, maybe it's endpoints, servers, people, whatever your risks are, and we're measuring them, and here's how we're spending and deploying resources to make them better. But then what about that unknown unknown? Right. And so I think this maybe lets you answer that question: well, we can't say for sure we have a breach on the network, but if we did we'd probably catch it with one of these decoys; it gives us a better chance. I think the problem that these vendors will also face, though, is the same thing that the detonation chambers did, where the adversary will be sophisticated enough to tell a decoy from a legitimate machine and not fall for that. But again, I think that's a well understood and known problem, and I think that the vendors that we're looking at in this space are working on that, and I think they probably have it solved.

Steve Ginsberg: We've talked about in this podcast that one of the things we're working through is how does a CISO present to a CIO, and really today's discussion is a great example of that. So Simon has been working on this topic, and of course I'm familiar with honeypots, for example, but I was not at all up to date on this topic, and, you know, as we've discussed it today, especially, you know, what I hear is something that, if I'm in my CIO shoes, I would say this is a great idea, right. So you're giving hackers a chance to attack your network in a way that might not be damaging to you. So in that you're certainly allowing your network team or your security team to see where they might be coming in, hopefully as sacrificial lambs. Hopefully these are the decoys that are found first, before your real equipment. We've got some real-world examples that say this will happen in some cases, and then that's going to let you know not only, hey, there's an attacker potential, but actually you've already got attacks going on and you didn't see them in the network noise, in the transactional noise of a busy system, and I know that's always a big challenge. It seems like something that scales very well. It sounds like the kind of thing where a program could start small on low impact; we know security teams are always really busy, network teams, systems teams are very busy, so if it interacts with them and they need to be involved at all to kind of get something approved and running, it could start small with low impact. But then I'm even envisioning from our discussion that for some networks it might make sense to really deploy large numbers of these, to really make it so that an attacker now, if they want to hack your network effectively, they've got to get on twice as many machines or something, you know, towards that scale.

Simon Gibson: Yeah, definitely. I mean, think about the possibilities with IPv6, and you could have, you know, potentially millions of these decoys running. So that's, I guess that's it, Steve, for another episode of Right Size. It sounds like deception technology, again, from what I can tell, is probably worthwhile in the enterprise, and, from a seasoned CIO perspective, it doesn't, you know, from the work I've done with it, it doesn't look like it's gonna add a lot of overhead to your team.

Steve Ginsberg: Yeah, I mean, I think that we talked about the guidelines of operational impact, and I think that's something to really, you know, that would still be on my mind to consider as it gets rolled out, and look for that carefully. But otherwise it sounds really good. Yeah.

Simon Gibson: Thanks for tuning in.

Steve Ginsberg: Thanks for listening everybody.
