We’ve covered how folks have used deception since ancient times – without touching on all the other ways we use deception daily – the lies we tell our lovers, bosses, and, perhaps most perplexing, the ways we deceive ourselves. While some lies are intended to protect others (your childhood dog probably did not get adopted by a nice family on a farm) or preserve relationships (those jeans might actually make you look fat), most people want the truth – or at least don’t like knowing they’ve been deceived.
Modern thinkers debate the utility (and ethics) of lying in our personal lives, including the ego-sparing “little white lies”, but using deception to safeguard your assets is considered good security. It’s a defense technique long employed across the animal kingdom from humans to spiders.
And while deception as security isn’t new, the concept has been rebooted for the virtual world. Attackers have become more sophisticated and companies are beginning to realize there is no perimeter that will keep them out. Security pros who’ve been around the block know this and have been researching what to do when an outsider gets in. Enter deception security.
Too Legit to Quit
Deception technology broadly covers a number of technologies designed to achieve the same goal: make it harder for attackers to get access by misdirecting, lying to them, or even faking out using decoys. Decoys aren’t a new concept in infosec. Many deception technologies, like the widely used honeypot, are based on setting up decoys or traps to detect attackers. The new wave of deception technology has even expanded to include decoy media of all kind, from file systems, to endpoints, documents, credentials and users to name a few, and it’s more about prevention than passive detection.
The use of decoys in deception presumes that attackers will get in or will make an effort to steal what’s valuable, since value is inherently enticing. So imagine you wanted to transport a 3,106 carat diamond from South Africa to England as a birthday gift to Henry VII, a gift that had been publicly announced through the social media of the day. How would you ensure its safe arrival, especially when everyone knew the route and departure? The ship set out for London carrying a decoy stone. The real deal was sent by mail.
In the real world, attackers know how to get around security systems and aren’t so easily deceived by fakes. No matter how clever we think we are by hiding our goods – diamonds in the safe & CZ in the jewelry box – attackers are better at thinking like us than we are at thinking like them.
This extends to the virtual world, where we store sensitive files out in the open and marked for easy searching – especially when you need to find last year’s tax returns.
What makes a cyber invasion different than a home invasion is that generally we know when something has been stolen from our home – perhaps the door was ajar or something was out of place. But chances are you might not know when your system has been attacked or if sensitive data was copied or stolen. This is why deception – and thinking like an attacker – can help secure your personal data. By populating your file system with decoys – like fake 1040’s – or adding “beacons” to real sensitive data, you can not only track if anyone’s poking around your digital assets, but also increase the likelihood that an attacker will give up or abscond with useless fake data.
Lie to Me
When designing deceptive security, you have to think like an attacker, not a defender. First, try to imagine what an attacker’s after. They probably aren’t so interested in family vacation photos or your college thesis, but a folder full of every tax return you’ve ever filed yields top dollar on the hacker market. Understanding what kind of information entices attacker will help you understand what data to protect. And understanding what kind of sensitive data is most vulnerable is the first step in creating effective decoys.
If an attacker has breached your system, they’re probably smart enough to bypass your Fakey McFakerson resume and bank statements. If it doesn’t fool you, it’s probably not going to fool an attacker. We’ve studied and tested what makes decoys both convincing and effective as security. Below we look at the properties that make a decoy effective within the realm of data and documents, though these attributes apply to decoys in other mediums.
Hacker Bait: What Makes a Decoy Realistic
Perhaps one of the most important qualities of a decoy is whether or not it seems real. A good decoy will seem authentic, making it harder for the adversary to discern its authenticity.
A decoy should appear enticing to an adversary, which means documents should have bogus, but realistic, information the adversary might want.
Conspicuous decoys should be easily found or observed. A conspicuous decoy is similar to enticing but differs in how the information is found. Conspicuous documents are found because they are easily observed, whereas enticing documents are chosen because they are of interest to an attacker.
To know when someone’s gotten in, a decoy must be detectable, which means it should sound an alert if touched.
If all decoys have the same property, they’ll be easy to sniff out. Decoys should be highly variable to make it harder for the adversary to separate the real from the fake.
The average user keeps x files online and % of those files contain sensitive information. To operationalize the use of decoys in a system, it should not interfere with normal use or get in the way of legitimate users.
While decoys should be believable to the attacker, they should also distinguishable to the legitimate user. A decoy is considered differentiable if the legitimate user always succeeds.
The Power of Deception
It’s been well established that perimeter security just doesn’t cut it anymore and that any well-designed system should have many layers of security, or a defense-in-depth approach. Deception should be one of those layers. By using decoys as part of your defense strategy, you change the balance of power between the attacker and defender. It’s no longer what you see is what you get; the attacker has to discern between real and fake data, which is hard to do if you’re created realistic decoys. Imagine if the Sony hackers had dumped decoy email logs online – the only people who would have been embarrassed would have been the hackers themselves. That is the power of deception security.
Deception is both a complex human behavior and a powerful tool for security. Make it harder for a hacker to get your data and they’ll likely give up. But we don’t recommend deceiving your loved ones. Not if you want them to stick around.