ALLURE SECURITY BLOG

Poisoning the Well: Deceive and Disrupt the Phishers

To shift the balance of power and finally gain an advantage over phishing schemes, defenders need to disrupt the economic advantage of the attacker. This means creating enough uncertainty about whether the attacker has stolen anything of real value that they have nothing to sell on the black market. Perhaps they would abandon their scheme altogether. This strategy is where deception technology, a maturing market that has a lot more to offer than just honeypots, can be of real value to cybersecurity professionals.

Based on my decades of research on data breach detection and the behaviors of users, I’ve learned that preventative security isn’t enough. Defenders need a multi-faceted approach that includes detection, mitigation, and response to disrupt the attacker’s campaign. This involves deploying technology to facilitate a deliberate devaluation of stolen credentials to a point where the attacker is disadvantaged in conducting their phishing campaign. In other words, “poison the well” and spoil the cache of stolen credentials with fake decoy credentials. Allure has spent years developing a patented technology that is already deploying this mitigation strategy.

In the case of a targeted phishing attack, once a spoof URL has been detected, defenders can deploy deception techniques that leverage highly believable decoys. These decoys are indistinguishable from real credentials. A well-designed decoy makes it difficult for the hacker to tell whether they are looking at an authentic credential from a legitimate user or at a decoy.

Thanks to advances in machine learning, generating decoy credentials is easy and painless for defenders. Usernames and passwords are arbitrary and nearly impossible for a hacker to directly test as real or fake. Addresses, ZIP codes and even credit card numbers are easy to generate and position as real, stolen assets. Once a good decoy has been generated, deployment is easy to automate through the direct communication channel with the attacker. In this case, that’s the spoof website. The adversary sees the stolen credentials pouring in and believes they’ve been successful at luring unsuspecting victims to a highly convincing fake URL.

This use of deception techniques differs from traditional honeypots because there’s no need to place decoys in a public source and hope the attacker happens upon them. We can go straight to the source: the spoof URL set up by the hacker. Once the spoofed site is detected using Allure’s patented Beacon technology, defenders can automatically form-feed the spoofed site with fake login credentials in the same manner that a phishing victim’s web browser automatically form-feeds real credentials to a real website. To the hacker, it looks as though a real victim visited the spoof website and entered their real login credentials. At least, at first. Once the hacker tries to do anything with these fake credentials, such as log into the authentic website they spoofed to gain access to an individual account, they will have given up more information about themselves. 
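The two defender-side pieces described above, generating decoys that look like ordinary accounts and recognising them the moment someone replays them at the real login page, as an added illustration that is not Allure's code and not the patented Beacon technology. It assumes a defender-held key (a constructed demo value) and embeds a keyed tag in each decoy username so the authentication service can spot a decoy without keeping a lookup table; the login events are constructed sample data.

```python
import hmac
import hashlib
import secrets
import string

# Hypothetical key held only by the defender. Anyone with the key can
# recognise a decoy; to anyone else the username looks like a normal account.
DECOY_KEY = b"constructed-demo-key-rotate-in-production"
TAG_DIGITS = 3


def _tag(stem: str) -> str:
    """Keyed tag for a username stem: TAG_DIGITS decimal digits of an HMAC."""
    digest = hmac.new(DECOY_KEY, stem.encode(), hashlib.sha256).hexdigest()
    return str(int(digest, 16) % 10**TAG_DIGITS).zfill(TAG_DIGITS)


def make_decoy(first: str, last: str, domain: str) -> dict:
    """Build one decoy credential: a plausible username plus a random password."""
    stem = f"{first}.{last}".lower()
    username = f"{stem}{_tag(stem)}@{domain}"
    alphabet = string.ascii_letters + string.digits
    password = "".join(secrets.choice(alphabet) for _ in range(12))
    return {"username": username, "password": password}


def is_decoy(username: str) -> bool:
    """Recognise a decoy from the username alone by recomputing its keyed tag."""
    local = username.split("@", 1)[0]
    stem, tag = local[:-TAG_DIGITS], local[-TAG_DIGITS:]
    if not stem or not tag.isdigit():
        return False
    return hmac.compare_digest(_tag(stem), tag)


def triage_logins(events: list) -> list:
    """Return an alert for every login attempt that used a decoy account."""
    alerts = []
    for ev in events:
        if is_decoy(ev["username"]):
            alerts.append({"src_ip": ev["src_ip"], "username": ev["username"],
                           "note": "decoy credential replayed at real login"})
    return alerts


# Constructed sample data: one decoy and three login events (not real traffic).
DECOY = make_decoy("Jane", "Doe", "example.com")
SAMPLE_EVENTS = [
    {"src_ip": "192.0.2.10", "username": "alice@example.com", "result": "ok"},
    {"src_ip": "198.51.100.7", "username": DECOY["username"], "result": "fail"},
    {"src_ip": "203.0.113.5", "username": "bob.smith42@example.com", "result": "ok"},
]
```

Because the tag is keyed, the attacker cannot separate decoys from real accounts by inspecting the stolen list, while the defender can check any username in constant time and attribute the replay to its source address.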

Using deception techniques to secure sensitive data and stop the deluge of large-scale breaches caused by orchestrated phishing attacks is in everyone’s best interests: companies, employees and of course, customers. They are the real victims in most phishing attacks, and legacy approaches to anti-phishing largely ignore them. 

Imagine a world where a hacker thinks twice about launching a spoof website designed to steal credentials because they know that deception technology is so widespread, they cannot be sure they will be able to steal anything of value. Modern deception technology has the capability to achieve this. 

To find out more about how the Allure Security platform not only detects phishing attacks faster but shuts down hackers by stuffing spoof websites with decoys, request a demo today.

Posted by Salvatore Stolfo on Oct 31, 2019, 3:10:45 PM
Salvatore Stolfo

Salvatore Stolfo is a tenured Columbia University professor, teaching computer science since 1979. He is the co-founder and CTO of Allure Security. Dr. Stolfo has been granted over 47 patents and has published over 230 papers and books in the areas of parallel computing, AI knowledge-based systems, data mining, computer security and intrusion detection systems. His research has been supported by numerous government agencies, including DARPA, NSF, ONR, NSA, CIA, IARPA, AFOSR, ARO, NIST, and DHS.

Topics: cyber security, detection and response, deception technology, website spoofing
