Dr. Donnie Wendt's presentation will explore adding deception as a component of a security-in-depth strategy to increase cyber resilience. He will elaborate on this idea in his keynote Vampires & Cybersecurity: Using Deception to Increase Cyber Resilience on Thursday, May 12, 2022, 11:30 am at the European Identity and Cloud Conference 2022.
To give you a sneak preview of what to expect, we asked Donnie some questions about his presentation.
I like to think of deception, you know, it's not really about deceiving the enemy, but it's about causing that enemy to deceive himself. So the art of deception is really about providing that enemy with something they want to believe. In my presentation, we'll discuss a few famous examples from history, but when we talk about the cyber realm, that is where deception can really thrive. Cyberspace has made creating fake realities, imaginary assets, and false personas quite simple. In cyberspace, people use deception with ease for many purposes. Some of those uses have become so ubiquitous that we often don't even think of them when we think of deception. In some cases, they mimic very deceptive activities in the physical world. Sure, deception is used by cyberattackers and defenders, but it's also used for things such as ensuring privacy, criminal investigations, intel, counter-intel operations, and conducting espionage. I use it for research, criminal activity, and quite often by ordinary people wanting to boost their social media profile or provide fake accounts on websites. However, my presentation is going to focus on the practical use of deception to assist with the cyber defense of our companies.
Oh well, I am a big fan of vampire literature and I decided to have a little fun with this presentation, so I incorporated some analogies with vampires. I found that when discussing deception for cybersecurity, people seem to jump right to the honeypot and honeynets. They start envisioning, you know, enticing that attacker, perhaps through external lures, and possibly even engaging the attacker. However, inviting attackers into your network, much like inviting vampires into your home, can have very serious repercussions. Furthermore, engaging them or watching them move about can be quite risky. I like to say leave that type of engagement to the professionals, the external security vendors and researchers, or in the case of vampires, let Buffy handle it. Often the best approach when encountering vampires is just to drive a wooden stake through his or her heart as soon as possible. Similarly, in most situations, once a suspected attacker is identified, organizations want to evict and block that attacker quickly and effectively.
Well, unfortunately, when we talk about attackers that target our organizations, unlike vampires, they can enter without an invitation. But that does not mean we need to invite them in, right? Fortunately, defenders can deploy many types of deception which can detect attackers and provide that early warning system of possible intrusions so that we can respond quickly. Defenders can create a wide range of decoys, including servers, network devices, files, database entries, and even passwords, which only a malicious attacker should access. Defensive systems then monitor those decoys and alert on any interactions with bogus resources, including from insiders. Several of these methods are very simple to implement and require no new technology. However, I do believe that an integrated deception platform can provide many benefits related to the creation, deployment, and maintenance of deceptive assets over time.
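The decoy monitoring described in this answer, as an added example that is not part of the interview or any vendor product: a small Python detector that checks constructed auth, file-share and firewall log lines against an inventory of decoy accounts, files and hosts, and tallies alerts per source address so the actor can be evicted quickly. All names, addresses and log formats are hypothetical.

```python
import re
from collections import Counter

# Constructed decoy inventory (hypothetical names; none come from the interview). A decoy
# credential, file or host has no legitimate use, so any touch is suspect, insider or not.
DECOY_ACCOUNTS = {"svc_backup_legacy", "admin_dr"}
DECOY_FILES = {"/shares/finance/payroll_2021_FINAL.xlsx", "/srv/ops/vpn_creds.txt"}
DECOY_HOSTS = {"10.0.9.250"}

# Assumed log formats (constructed for this example): auth, file-share and firewall events.
AUTH_RE = re.compile(r"auth user=(\S+) src=(\S+) result=(\S+)")
FILE_RE = re.compile(r"fileaccess user=(\S+) src=(\S+) path=(\S+)")
CONN_RE = re.compile(r"conn src=(\S+) dst=(\S+) dport=(\d+)")

def check_line(line):
    """Return (kind, actor, detail) if the line records a decoy interaction, else None.
    'actor' is the source address, which is the handle responders block or evict."""
    if m := AUTH_RE.search(line):
        user, src, result = m.groups()
        if user in DECOY_ACCOUNTS:  # failed attempts count too: nobody should know this name
            return ("decoy-credential", src, f"login as {user} ({result})")
    elif m := FILE_RE.search(line):
        user, src, path = m.groups()
        if path in DECOY_FILES:
            return ("decoy-file", src, f"{user} opened {path}")
    elif m := CONN_RE.search(line):
        src, dst, port = m.groups()
        if dst in DECOY_HOSTS:
            return ("decoy-host", src, f"connection to {dst}:{port}")
    return None

def scan(lines):
    """Run every line through the decoy checks and keep the alerts."""
    return [a for a in map(check_line, lines) if a is not None]

def actors_to_contain(alerts):
    """Count decoy touches per source so the noisiest actor is evicted first."""
    return Counter(actor for _, actor, _ in alerts)

# Constructed sample log: alice behaves normally; 10.0.1.77 (using insider bob's account
# for the file share) touches a decoy account, a decoy file and a decoy host.
SAMPLE_LOGS = """\
auth user=alice src=10.0.1.15 result=success
fileaccess user=alice src=10.0.1.15 path=/shares/finance/budget_q2.xlsx
auth user=svc_backup_legacy src=10.0.1.77 result=failure
fileaccess user=bob src=10.0.1.77 path=/shares/finance/payroll_2021_FINAL.xlsx
conn src=10.0.1.77 dst=10.0.9.250 dport=445
conn src=10.0.1.15 dst=10.0.2.10 dport=443
""".splitlines()
```

Running `scan(SAMPLE_LOGS)` yields three alerts, all attributed to 10.0.1.77, while alice's ordinary activity produces none; because decoys have no legitimate users, the rules need no baseline or tuning.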
First and foremost, the successful implementation and operation of a deception program require a clear strategy that defines the goals and objectives. Clear objectives and goals are going to assist in prioritizing the many use cases for deception. Also, the program has to define the roles and responsibilities required not only to implement but to support that deception strategy over time. For example, what will be required to develop, deploy and maintain deceptive assets and respond to all the generated alerts? The objectives and goals should then drive prioritization and implementation of use cases, because an objective focused on detecting and evicting an attacker is going to have very different use cases than one focused on collecting threat intelligence. So it is important, again, to always start with that clear strategy, objectives, and goals. Let those drive your implementation. Also, be careful not to underestimate the effort required to maintain deceptive assets. Finally, always keep in mind, if you intend to engage the vampire, be very sure of your capabilities of wielding a wooden stake.