In the highly regarded military treatise "The Art of War", written in the 5th century BC, the Chinese military strategist Sun Tzu proclaimed that "All war is based on deception". It is surprising, then, that in the ever-present and ever-escalating cyber-war, deception techniques have still not gained prominence. Security technologies have over time evolved from being reactionary in nature to being proactive in their approach to detection and response. However, the industry is still far from being in a position where it can outwit adversaries at their own game, so playing "catch-up" remains the norm.
Early implementations of deception technology include the use of internal honeypots to detect intrusion attempts. The concept of a honeypot is simple: decoy hardware is strategically planted on a network so that no legitimate user has any reason to touch it, which means that any activity on it indicates the presence of a malicious actor on the network. Over time, the concept has evolved and been adopted at various levels of the technology stack, from hardware and middleware solutions to applications that interact directly with users. Decoys implemented entirely in software are used by researchers worldwide to trap malware and spam e-mail, while organizations plant "honeywords" or "honey hashes" in their databases to identify password and data leaks.
At DEFCON last year, we happened to be in a certain closed-room discussion focusing on the behavior of various automated malware analysis systems. One of the focus points was the range of evasion techniques employed by malware to avoid analysis by automated sandboxes. There are a number of well-known checks that malware can perform to determine whether it is under observation, including querying a few environment variables, enumerating system hardware, or looking for the presence of a particular tool on the system.
A seemingly innocuous question came out of this discussion: "Can you prevent malware from executing on a system simply by installing the tools that it actively tries to evade?" In fact, it is not necessarily the tool itself, but a footprint of the tool, that needs to exist on the system (for example, the registry entries the tool creates).
The recent global outbreak of the WannaCry ransomware was covered extensively by the media, not only for the damage that it caused, but also for the timely actions of an independent security researcher that potentially prevented thousands of systems from being infected. A kill-switch in the form of a domain name was hard-coded into the malware, causing it to terminate without doing any damage if a connection to that domain succeeded. Come to think of it, modern malware is embedded with multiple such "kill-switches" that allow it to evade detection and analysis.
It would be interesting to explore whether, in addition to hardware decoys, certain decoy indicators could be planted on endpoints to throw malware off track. Malware variants that actively try to evade detection and analysis would terminate without causing any damage if they have sufficient reason to believe that they are either being executed in a sandbox or being analyzed with common analysis tools. Not unlike the indicators of compromise (IOCs) used to detect malicious activity, indicators of evasion (IOEs) could be used to thwart execution and to detect the presence of malware on systems. Additionally, EDR solutions could be leveraged to detect any attempt by such malware to enumerate known IOEs, giving incident responders a head start in their investigations.
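The EDR-side detection sketched above, as an added example that is not code from the original post: a small rule that reads endpoint telemetry and flags a process that probes several planted IOE artifacts within a short window. The artifact names, the telemetry line format and the sample log lines are all constructed for this example; a real deployment would use whatever decoy registry keys, files, environment variables and device names the organization actually plants, and whatever event format its EDR emits.

```python
"""Toy EDR detection rule: alert on processes that enumerate several decoy
'indicator of evasion' (IOE) artifacts within a short time window.

A single touch of one decoy is expected from legitimate software (backup agents,
inventory scanners, AV), so the rule keys on the number of *distinct* artifacts
probed by one process, not on a single lookup.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical decoy artifacts planted on the endpoint. These names are
# placeholders invented for this example, not artifacts named in the article.
IOE_ARTIFACTS = {
    r"HKLM\SOFTWARE\DecoyAnalysisTool": "registry_key",
    r"C:\Program Files\DecoyAnalysisTool\monitor.exe": "file",
    "DECOY_SANDBOX_ID": "environment_variable",
    r"\\.\DecoyVirtualDisk": "device",
}

# Constructed telemetry lines in a made-up format: ts|pid|image|operation|target
SAMPLE_TELEMETRY = [
    r"2017-06-01T10:00:01|4120|C:\Users\alice\AppData\Local\Temp\invoice.exe|RegQueryValue|HKLM\SOFTWARE\DecoyAnalysisTool",
    r"2017-06-01T10:00:01|4120|C:\Users\alice\AppData\Local\Temp\invoice.exe|FileOpen|C:\Program Files\DecoyAnalysisTool\monitor.exe",
    r"2017-06-01T10:00:02|4120|C:\Users\alice\AppData\Local\Temp\invoice.exe|GetEnv|DECOY_SANDBOX_ID",
    r"2017-06-01T10:00:02|4120|C:\Users\alice\AppData\Local\Temp\invoice.exe|ProcessExit|0",
    r"2017-06-01T10:05:00|880|C:\Windows\explorer.exe|FileOpen|C:\Users\alice\Documents\report.docx",
    # A backup agent touching one decoy file is benign and must stay below threshold.
    r"2017-06-01T10:07:00|2210|C:\Program Files\Backup\agent.exe|FileOpen|C:\Program Files\DecoyAnalysisTool\monitor.exe",
]


def parse_event(line):
    """Split one constructed telemetry line into a dict."""
    ts, pid, image, op, target = line.rstrip("\n").split("|", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "pid": int(pid),
        "image": image,
        "op": op,
        "target": target,
    }


def find_ioe_enumerators(lines, window=timedelta(seconds=30), min_artifacts=2):
    """Return one alert per process that probed >= min_artifacts distinct
    IOE artifacts inside any `window`-long interval."""
    probes = defaultdict(list)  # (pid, image) -> [(timestamp, artifact), ...]
    for line in lines:
        ev = parse_event(line)
        if ev["target"] in IOE_ARTIFACTS:
            probes[(ev["pid"], ev["image"])].append((ev["ts"], ev["target"]))

    alerts = []
    for (pid, image), hits in probes.items():
        hits.sort()  # chronological order
        best = set()
        best_start = None
        start = 0
        # Sliding window over the sorted hits: grow the right edge, shrink the
        # left edge until the window fits, and keep the largest distinct set seen.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {artifact for _, artifact in hits[start:end + 1]}
            if len(distinct) > len(best):
                best, best_start = distinct, hits[start][0]
        if len(best) >= min_artifacts:
            alerts.append({
                "pid": pid,
                "image": image,
                "first_seen": best_start,
                "artifacts": sorted(best),
                "artifact_types": sorted({IOE_ARTIFACTS[a] for a in best}),
            })
    alerts.sort(key=lambda a: a["first_seen"])
    return alerts


if __name__ == "__main__":
    for alert in find_ioe_enumerators(SAMPLE_TELEMETRY):
        print(f"[IOE] pid={alert['pid']} image={alert['image']} "
              f"probed {len(alert['artifacts'])} decoys: {alert['artifact_types']}")
```

The threshold on distinct artifacts, rather than on any single lookup, is what keeps legitimate scanners from tripping the rule; tuning `window` and `min_artifacts` against an endpoint's normal inventory and backup activity is the first thing to do before turning such a rule on. Note also that the malicious sample exits right after its checks, which is the behaviour the IOEs are meant to provoke; the alert is what turns that silent exit into a lead for incident responders.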
With the expected convergence of endpoint protection and EDR technologies, headway into the endpoint deception space would afford organizations some additional protection against unknown unknowns.
Of late, deception technologies that go well beyond their traditional call of duty have come into prominence. Systems that can emulate everything from web applications and database systems to human beings are now a reality. Some of these solutions require no hardware to be deployed, relying instead on software-based decoys to trap intruders, which also eliminates the attack surface introduced by traditional hardware decoys.
The market for deception technology is currently estimated at US$50 to US$100 million, and is expected to reach US$200 million next year. This is in stark contrast to the endpoint protection market, which stood at US$11 billion in 2015 and is expected to cross US$17 billion by 2020. It is therefore safe to say that, as far as deception technologies go, we are only scratching the proverbial surface.