Decepticons. Those of you from Generation X will remember very well who they were: the fictional faction of modular, self-configuring robotic life forms from the planet Cybertron, led by Megatron, and the main antagonists of the Transformers universe. Without realising it, we were already talking about Decepticons and self-configuring robots in the 1980s.
The current situation of the Covid-19 pandemic has forced us to stay confined to our homes and, therefore, to work from home. The virus has changed the way we use the Internet, and web traffic has increased by 70%. From a social and psychological point of view, we are all under social and emotional stress – which is quite normal in this type of situation.
These circumstances create the perfect scenario for cybercriminals, who more than ever are trying to take advantage of them to achieve their goals: to get money, or something that will allow them to get it (generally, information).
What Does This Have to Do with Decepticons?
Decepticons fit very well into this “new reality”. Considering that cybercriminals are increasingly using social engineering to deceive us, especially phishing (the most prominent form of cybercrime according to the FBI Cyber Crime Division), we must be cautious, especially in these times when we are most distracted because of the pandemic. So, if cybercriminals are using deception as their main weapon, why shouldn’t we?
Among all the techniques and strategies we have adopted in the field of cybersecurity, one of the most important is “deception”. In the military field, this term describes actions carried out with the aim of misleading adversaries about one’s own capabilities, intentions and operations, so that they draw false conclusions.
The United States military doctrine uses the acronym MILDEC (MILitary DECeption), and the former military doctrine of the Soviet Union and now of Russia uses the term Maskirovka (in Russian: маскировка), which literally means camouflage, concealment, masking.
A Few Historical Examples
There are numerous cases of the use of this technique in different situations of conflict or war, such as the mythical Trojan horse used by the Achaeans as a strategy to enter the fortified city of Troy; or as in World War II, when a ghost army deceived Adolf Hitler with an itinerant procession of tanks, cannons and planes (largely crewed by actors and artists) impersonating the Allied Army near the front line. This diverted attention away from U.S. troops, separating German forces and giving the Allies a tactical advantage.
In an episode of the well-known Vikings television series we see how Ragnar Lodbrok also uses a clever strategy to enter Paris, pretending to be on the verge of death and requesting a Christian burial in the cathedral. Once inside and to everyone’s surprise, Ragnar comes out of his coffin and […] What happens next is a spoiler. This episode actually happened, according to the Viking sagas, although the main character was not Ragnar, but the one who would later be King of Norway, Harald Hardrada (Harald III of Norway).
Deception and Honeypot, Are They the Same?
In our blog we already talked about deception, and Nikos Tsouroulas explained it very well:
These approaches allow us to deploy false scenarios simulating infrastructures, assets and profiles within our organization to misdirect an attacker towards a controlled and monitored environment, where they will face new challenges and difficulties along an attack tree designed specifically on the basis of the nature of each organization. By doing so, we manage to lead the resources of an attacker towards a false infrastructure, while our real assets are protected, so we manage to obtain intelligence from the adversary (indicators about their C&C, tools used, capacities, motivations, etc.).
In my last fieldwork before the pandemic, I had the opportunity to work with the technology developed by the colleagues from CounterCraft (Spanish company selected by Telefónica in 2016 to invest and support its expansion) and I was amazed at how far this type of platform had come.
A term you probably already know, and which is closely related to this approach, is “honeypot”. It is a bait that can be deployed on any technology, most commonly a web server. There are many open-source solutions that let you do this at very low cost, but deception is a broader concept than a single bait.
Before 2010, there were only a few cybersecurity companies offering deception products, but thanks to the great evolution experienced by this type of platform, I dare say that today there are already more than 15 deception technology providers.
These types of solutions can be a great accelerator for detection and response teams, as they generate alerts that security departments can use to react and respond more accurately and in a more timely manner. In the face of the new cybersecurity challenges that companies are facing during this health crisis, CounterCraft has prepared specific security packages and has a portfolio of 25 ready-to-use deception campaigns: phishing, data exfiltration, SWIFT attack, lateral movement detection, etc.
We should not forget what Gartner said some time ago: deception is simple and economical, increases detection time by 12 times and improves dwell time by over 90%. What I like about this solution is that it combines advanced intelligence, collected by the campaigns and enriched with MITRE ATT&CK, so that you can have a broad view of what is acting against the organisation, who is behind it and how. This way, we can obtain threat, TTP and IOC data from adversaries that can be shared immediately with cybersecurity solutions such as SIEM, SOAR, MISP and sandboxes, among others.
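To make the idea concrete, here is an added example (not code from the post or from CounterCraft) of the core mechanism behind a deception alert: any interaction with a decoy asset is, by definition, suspicious, so hits on decoy paths and decoy accounts are turned into alerts tagged with an ATT&CK technique and into a list of indicators ready to share with a SIEM or MISP. The decoy inventory, the log format and the ATT&CK mapping are assumptions constructed for this example.

```python
from dataclasses import dataclass, asdict
import json

# Constructed decoy inventory: paths and accounts no legitimate user should touch.
# The ATT&CK technique IDs used for enrichment are an assumption of this example.
DECOY_PATHS = {"/admin-backup/": "T1190"}   # Exploit Public-Facing Application
DECOY_ACCOUNTS = {"svc_backup": "T1078"}    # Valid Accounts (planted decoy credential)

# Constructed sample log: "<source ip> <event kind> <target>", one event per line.
SAMPLE_LOG = """\
10.0.0.5 http /index.html
198.51.100.7 http /admin-backup/
198.51.100.7 http /admin-backup/config.php
198.51.100.7 login svc_backup
10.0.0.8 login alice
"""

@dataclass
class Alert:
    src_ip: str
    decoy: str
    technique: str
    hits: int

def match_decoy(kind, target):
    """Return (decoy, technique) if the event touched a decoy, else None."""
    if kind == "http":
        for path, technique in DECOY_PATHS.items():
            if target.startswith(path):
                return path, technique
    elif kind == "login" and target in DECOY_ACCOUNTS:
        return target, DECOY_ACCOUNTS[target]
    return None

def detect(log_text):
    """Aggregate decoy hits per (source IP, decoy) into enriched Alert records."""
    seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, kind, target = line.split(maxsplit=2)
        hit = match_decoy(kind, target)
        if hit is None:
            continue                      # real asset: no alert, decoys stay silent otherwise
        key = (ip, hit[0])
        if key in seen:
            seen[key].hits += 1
        else:
            seen[key] = Alert(ip, hit[0], hit[1], 1)
    return list(seen.values())

def export_iocs(alerts):
    """Indicators worth sharing: every source that interacted with a decoy."""
    return sorted({a.src_ip for a in alerts})

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(asdict(alert)))  # one JSON alert per line, SIEM-friendly
```

Only the source that touched the decoys produces alerts; the benign traffic to real assets generates nothing, which is what makes decoy hits high-fidelity signals.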
Ultimately, I have to say that deception in the field of cybersecurity is a way of being proactive rather than reactive. We are trying to make this battle more symmetrical, so this time we must not only support the Autobots, but also join the Decepticons.
All warfare is based on deception. – Sun Tzu
It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change. – Charles Darwin