All warfare is based on deception, according to legendary Chinese military strategist, Sun Tzu. It’s a maxim security teams are increasingly looking to for inspiration in their daily battles against shadowy online adversaries. By throwing up a web of deception around our most sensitive data, we can confuse and delay the hackers whilst providing a useful tripwire to boost threat detection efforts.

The art of online war

Modern threat detection is good. Using the latest supervised and unsupervised machine learning techniques, combined with big data analytics and other tools, Security Operations Center (SOC) staff can find the proverbial needle in the haystack — indicators of an attack which may otherwise go undetected. Yet such tools are certainly not the norm today. Many stretched security teams are drowning under a barrage of threat alerts.

That’s partly why the dwell time for EMEA organizations in 2017 stood at an unacceptable 175 days, longer even than the global average. The bottom line is that the longer an attacker is left undetected in your network, the more damage they can do, and the more expensive and time-consuming the eventual clean-up will be.

But there is hope. A hacker recently told me that the main priority for an attacker once they’ve infiltrated the corporate network is to find the “Crown Jewels” — whether that’s sensitive customer data, IP or trade secrets. That means, if we can delay these efforts, there’s a chance to regain the initiative. This is where “smart camouflage” tools come in.

Camouflage and detect

The global market for deception technologies is set to be worth over $2 billion by 2021. These work in a similar way to honeypots in creating a trap for attackers to walk into, but they’re more advanced. Honeypots need to be maintained like regular servers, which takes time. They can also be spotted by clever cyber criminals.

However, modern deception tools can create any number of fake assets on corporate endpoints — assets that might look like real folders, files, and admin credentials but are not. This at once makes the hacker’s job of finding what they want more difficult, while increasing the odds that they’ll engage with a fake asset and alert security teams to their presence. If you want to hide a tree, the best place to do so is in a forest. So, with deception tools, you’re building virtual forests of data trees. It also makes sense to place these fakes on the endpoint, as this is increasingly where threats are focused: over 80% of the 20.4 billion threats blocked by one vendor in the first half of 2018 arrived via email.
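To make the "fake admin credentials as tripwire" idea concrete, here is an added example (not code from the article or from any vendor it mentions): it renders a plausible-looking decoy credentials file, then scans sshd-style authentication log lines for any use of a decoy account, which legitimate processes never touch. The account names, log lines and source addresses are constructed for illustration.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed decoy account names; these must not collide with real accounts.
DECOY_ACCOUNTS = {"svc_backup_old", "admin_legacy", "db_readonly2"}


def make_decoy_file(accounts):
    """Render a credentials file that looks real but only holds decoy entries."""
    lines = ["# service accounts - DO NOT SHARE"]
    for name in sorted(accounts):
        # Random password so the file does not look obviously fake.
        lines.append(f"{name}:{secrets.token_urlsafe(12)}")
    return "\n".join(lines) + "\n"


# Constructed sample of sshd-like auth log lines (hosts and IPs are made up).
SAMPLE_LOG = """\
Jun 12 09:14:02 host1 sshd[2311]: Accepted publickey for alice from 10.0.1.5 port 51022
Jun 12 09:15:44 host1 sshd[2319]: Failed password for svc_backup_old from 10.0.9.77 port 40210
Jun 12 09:15:51 host1 sshd[2320]: Failed password for invalid user admin_legacy from 10.0.9.77 port 40214
Jun 12 09:16:03 host1 sshd[2325]: Accepted password for bob from 10.0.1.9 port 51030
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for invalid user <user>".
AUTH_RE = re.compile(r"(Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)")


@dataclass(frozen=True)
class Alert:
    user: str
    source: str
    line: str


def find_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """Return one Alert per log line where a decoy account is used.

    Any hit is high-confidence: nothing legitimate knows these names, so
    their appearance means the decoy file was read and acted upon.
    """
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m and m.group(2) in decoys:
            alerts.append(Alert(user=m.group(2), source=m.group(3), line=line))
    return alerts


if __name__ == "__main__":
    print(make_decoy_file(DECOY_ACCOUNTS))
    for a in find_decoy_use(SAMPLE_LOG):
        print(f"ALERT: decoy account {a.user!r} used from {a.source}")
```

In practice the same check is wired into the SIEM as a rule over the authentication feed, so a single hit pages the SOC rather than joining the alert backlog.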

These techniques can be combined with advanced threat detection tools like NTT Security’s network monitoring capabilities, designed to identify botnet masters, for maximum effect. Such tools may have previously been the preserve of governments and major financial institutions, utilities and the like. But thanks to managed service providers, these capabilities are available to an ever-wider range of organizations.

The bad guys are sharing tools, technologies and intelligence all the time. So let’s start doing the same.