How to Deceive Cyber-Attackers With a Kill Chain

By Karen A. Frenkel | Posted 09-22-2015

One way to defend against cyber-attackers is through deception. Gartner reveals ways to do this with a carefully structured series of feints along a "kill chain."

Imagine that you could lie to the cyber-attacker on the other end of the command-and-control console, fool malware at the affected endpoint, or both. Deception as a defense against attackers is an attractive strategy for enterprises, according to a new Gartner study. Deception technologies use feints to thwart attackers' cognitive processes, disrupt their automation tools, delay their activities or prevent the progression of a breach, the study explains. The report says automated tools that do this represent a "sea change" in the future of IT security. A subset of those tools distributes decoy sensors that enhance attack detection across an enterprise's internal environment by mimicking endpoint services, applications and systems. "The traditional defense-in-depth approach to network security simply isn't working," said Carl Wright, executive vice president and general manager of TrapX Security, a deception-based cyber-security firm. "Deception technology can change the fundamental economics of cyber-defense, shifting costs from defender to attacker while denying freedom of movement on the network." Here are deceptions along a kill chain that create an electronic "hall of mirrors" to divert attackers from sensitive assets.

Gartner Deceptive Response Kill Chain

Gartner describes a "kill chain" of deceptions: several types of deception injected throughout the lifecycle of an attack. They trick an attacker into triggering a detection event, or disrupt segments of the attack kill chain.

Reconnaissance

Reconnaissance is the first stage of most attacks, and it is a good time to lie to the attacker, making it difficult for the intruder to identify potential services, applications, data or infrastructure components to exploit.

Weaponization

During weaponization, misdirect the attacker with deceitful application responses from emulated services. This delays the attacker's tool selection or diverts him or her to services not in use.

Deliver Phase

Use subterfuge to send unknown, suspicious or known malicious binaries to a deception zone, such as a network sandbox. There, the binary executes in a virtual environment that appears to be in use by a real user.

Exploitation Phase

Trick or disrupt exploitation depending on the target, crafting your response according to the type of malware and the attacker's behavior. At the network layer, for example, provide deceptive responses and fake the results of an exploit, or shunt traffic to the deception decoy environment.

Installation Phase

Interrupt the installation phase by deceiving the malware into "believing" it is running in a virtual environment, or by making the malware "believe" it has written files that it has not.

Command Phase

The most common deception at this stage is to redirect command-and-control traffic to socket servers in order to understand the communication protocol the botnet uses. Botnets can then be taken down by deceiving the agent itself and issuing it commands.

Act Phase

Make attackers believe they have received valid credentials, or have explored real endpoint systems and are seeing real, sensitive data.

The Power of Fake Credentials

By using attackers' trust against them, you increase detection and delay their efforts, causing them more financial harm; providing an attacker with faked credentials can delay them for a week.
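The Act Phase and Power of Fake Credentials slides above rest on one property of a planted credential: nobody legitimate ever uses it, so any attempt to do so is a detection event. The following is an added example, not code from the article or the Gartner report, showing how such a honeytoken monitor can be built over sshd-style auth log lines; the decoy account names, hosts, addresses and log lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Decoy account names that exist only to be found; constructed for this example.
HONEY_ACCOUNTS = {"svc_backup_legacy", "admin_dr"}

# Constructed sample lines in sshd-style syslog format.
SAMPLE_LOG = """\
Sep 22 10:01:12 app01 sshd[2211]: Accepted password for alice from 10.0.1.15 port 50122 ssh2
Sep 22 10:03:45 app01 sshd[2240]: Failed password for svc_backup_legacy from 10.0.9.77 port 41002 ssh2
Sep 22 10:03:49 app01 sshd[2240]: Failed password for svc_backup_legacy from 10.0.9.77 port 41002 ssh2
Sep 22 10:04:02 db02 sshd[3310]: Accepted password for admin_dr from 10.0.9.77 port 41010 ssh2
Sep 22 10:05:30 app01 sshd[2299]: Accepted publickey for bob from 10.0.1.20 port 50200 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+)"
)

def parse_line(line):
    """Return the fields of one sshd auth line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_honeytoken_hits(log_text, honey_accounts=HONEY_ACCOUNTS):
    """Return every auth attempt, successful or failed, against a decoy account.
    Failures count too: no legitimate user knows these names, so even a failed
    login means the planted credential has been picked up and tried."""
    return [ev for ev in map(parse_line, log_text.splitlines())
            if ev and ev["user"] in honey_accounts]

def sources_by_account(alerts):
    """Group the alerting source addresses per decoy account, to pivot on the foothold."""
    grouped = defaultdict(set)
    for ev in alerts:
        grouped[ev["user"]].add(ev["src"])
    return {user: sorted(srcs) for user, srcs in grouped.items()}

if __name__ == "__main__":
    hits = find_honeytoken_hits(SAMPLE_LOG)
    for ev in hits:
        print(f"HONEYTOKEN {ev['result']} login as {ev['user']} from {ev['src']} "
              f"on {ev['host']} at {ev['ts']}")
    print(sources_by_account(hits))
```

On the constructed sample, the two ordinary users generate nothing, while the single source 10.0.9.77 is flagged three times across two decoy accounts and two hosts, which is the kind of high-confidence, low-noise signal the slides describe.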
Karen A. Frenkel writes about technology and innovation and lives in New York City.