Attackers don’t play fair. Neither should you.
We’ve all heard sports stars and even militaries quote the famous Chinese general Sun Tzu when preparing for a big game or a battle. Sun Tzu was a master strategist who fully grasped the value of deception when facing an opponent. One of the best-known passages on deception in his book, “The Art of War,” goes like this:
“All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”
Sun Tzu understood that deception wins battles, plain and simple. In our case the battle is for our data, and it is under attack right now. Let’s look at this idea from the standpoint of data security.
Let’s get one thing straight before we start: deception isn’t an active blocking technology. It won’t stop attackers from breaking into your network and it won’t prevent attacks from being launched. Even so, you need it, maybe more than ever. Why? Because preventive defenses fail, and deception gives you the best chance to detect and contain the damage after a breach. With deception, you write the rules and lay traps for attackers as they scour the network for your data. Decoys that mimic genuine data or systems are hard to tell apart from the real thing, legitimate users have little reason to touch them, and the attacker only has to touch one of them once for the trap to spring.
Attackers use deception all the time: spoofing, stolen accounts, phishing, rootkits, to name a few. So why aren’t we using similar tactics to confuse them and misdirect them away from our data? There are many types of deception, but this article focuses on data deception. To lay a trap in your data you must first understand your data. The first rule of deception is that the trap must look real. If the decoys don’t look genuine you aren’t fooling anyone, and an experienced attacker who spots a fake will go quiet and dig deeper into your network. Before laying decoys to protect data, ask yourself these three questions:
- What is your sensitive data?
- Where is your sensitive data?
- Who has access to sensitive data?
Answering these three questions lets you set effective deception in your data and network. If you can’t answer them, you’ll lay decoys that “look and feel” wrong and potentially tip off an attacker. No one wants that. Do the legwork up front before deploying deception techniques to protect your data; the diligence pays off.
When it comes to using data deception as a defense, there are a few techniques that will alert you when an attacker, internal or external, goes after your data. Plenty of vendors now sell products that make this easier, but here are a few things you can do right now with what you already have:
- Find the places in your network where sensitive data sits at rest. Set up entire decoy shares in those locations with object-access auditing and logging enabled, so that every touch of a decoy file generates an event. These shares need to look real, and the fake data needs to be enticing enough that an attacker wants to rummage through it and steal it. In the same vein, “sprinkling” decoy files into production shares alongside real data is another way to detect someone browsing where they shouldn’t. Every access to a decoy file marks that account as a potential attacker trolling through your network (once you exclude the handful of legitimate readers, such as backup, antivirus and indexing service accounts, which will touch everything). Being able to pull logs or run reports on user access lets you investigate the account that opened the decoy in more detail, and being able to see what other files that account has touched in the past is extremely important.
- Set up decoy data in files that will be used elsewhere in the network. One example is a “decoy password file” containing decoy accounts that you monitor for logon attempts. Anyone authenticating with one of those accounts has found the file and is using it to poke around your network; there is no other way they could know those credentials exist. These accounts should exist (so that logon attempts are processed and logged) but carry no real privileges, and every logon event for them, successful or failed, should raise an alert.
- Stamp decoy files with keywords your DLP solution monitors, so it notifies you when a decoy leaves the network. For example, drop a decoy file into a share with a code word (e.g. “Snoopy vs Red Baron”) written in white text on a white background. The attacker won’t see the text, but the DLP solution inspects content rather than appearance and will trigger when the file egresses the network. There is no legitimate reason for that file to ever leave, and attackers often smash and grab entire directories, so the stamped decoy goes out with the rest of the haul. You catch it on the way out rather than on the way in, but you still catch it. As noted above, deception is a post-breach control for when everything else has failed, which does happen.
- There are other methods of data deception, some of which will be unique to your business: fake accounts, fake databases, unused email addresses that should never receive mail, beaconing documents that phone home when opened. All of these turn your existing data into a “canary system” that alerts on malicious use. None of it is hard to do, and it can tip you off that an attack is happening or about to happen.
These are ways to protect your data without spending money on dedicated deception technology (which you should still look at!). It all comes down to knowing your data, setting up decoys that impersonate real data, and having a good alerting system in place for when the trap is sprung. Deception doesn’t stop at data, either; network, system and application deception are all areas worth exploring. The attackers aren’t playing fair, so neither should we. Let’s use deception in our data to misdirect, confuse and guide attackers to our benefit. At the end of the day it comes down to psychology: attackers trust what they find, and if we can get inside their heads we give ourselves the best chance to defend our data. Let’s do it!
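The four techniques above only pay off if something is watching the logs for the trap being sprung. The following is an added example, not code from the original post: a small detection routine that takes an inventory of planted decoys (decoy file paths, decoy account names, and the DLP code word) and runs it over a constructed JSON Lines log to raise alerts for decoy file access, decoy account logons, and DLP-detected egress of a stamped file. The event field names (EventID 4663 with ObjectName/SubjectUserName, 4624/4625 with TargetUserName, and a generic "DLP" source record) are simplified assumptions loosely modeled on Windows Security and DLP events, not any product's real schema, and the sample log lines are constructed for the example.

```python
"""Detection logic for planted data decoys.

Added example, not from the original post. Event fields are simplified
assumptions loosely modeled on Windows Security events; the log is constructed.
"""
import json
from dataclasses import dataclass

# Inventory of what was planted: the output of the "what / where / who" exercise.
DECOY_FILES = {
    r"\\fs01\finance\2019_merger_targets.xlsx",   # decoy in a production share
    r"\\fs01\it\passwords_backup.txt",            # the "decoy password file"
}
DECOY_ACCOUNTS = {"svc_backup_old", "adm_legacy"}  # accounts listed in that file
DLP_CODE_WORD = "Snoopy vs Red Baron"              # stamped in white-on-white text


@dataclass(frozen=True)
class Alert:
    kind: str    # decoy_file_access | decoy_account_logon | decoy_egress
    when: str
    actor: str
    detail: str


# Constructed sample log (JSON Lines), one event per line. Not real telemetry.
SAMPLE_LOG = r"""
{"TimeCreated": "2024-05-01T09:12:03Z", "EventID": 4663, "SubjectUserName": "jsmith", "ObjectName": "\\\\fs01\\finance\\q1_report.xlsx"}
{"TimeCreated": "2024-05-01T09:14:47Z", "EventID": 4663, "SubjectUserName": "jsmith", "ObjectName": "\\\\fs01\\finance\\2019_merger_targets.xlsx"}
{"TimeCreated": "2024-05-01T09:20:10Z", "EventID": 4625, "TargetUserName": "adm_legacy", "IpAddress": "10.0.0.55"}
{"TimeCreated": "2024-05-01T09:21:00Z", "EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.0.0.21"}
{"TimeCreated": "2024-05-01T09:33:52Z", "EventID": 4663, "SubjectUserName": "jsmith", "ObjectName": "\\\\fs01\\hr\\salaries.xlsx"}
{"TimeCreated": "2024-05-01T09:41:18Z", "Source": "DLP", "User": "jsmith", "Channel": "smtp", "FileName": "2019_merger_targets.xlsx", "MatchedContent": "... Snoopy vs Red Baron ..."}
"""


def parse_events(text):
    """Parse JSON Lines; skip blank or malformed lines instead of crashing the pipeline."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def evaluate(events):
    """Return one Alert per event that touches a decoy, in log order."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        when = ev.get("TimeCreated", "")
        # Object-access audit event on a path we planted.
        if eid == 4663 and ev.get("ObjectName") in DECOY_FILES:
            alerts.append(Alert("decoy_file_access", when,
                                ev.get("SubjectUserName", "?"), ev["ObjectName"]))
        # Any logon attempt, successful (4624) or failed (4625), with a decoy account.
        elif eid in (4624, 4625) and ev.get("TargetUserName") in DECOY_ACCOUNTS:
            outcome = "success" if eid == 4624 else "failure"
            alerts.append(Alert("decoy_account_logon", when, ev["TargetUserName"],
                                f"logon {outcome} from {ev.get('IpAddress', '?')}"))
        # DLP matched the stamped code word on the way out of the network.
        elif ev.get("Source") == "DLP" and DLP_CODE_WORD in ev.get("MatchedContent", ""):
            alerts.append(Alert("decoy_egress", when, ev.get("User", "?"),
                                f"{ev.get('FileName', '?')} via {ev.get('Channel', '?')}"))
    return alerts


def files_touched_by(events, user):
    """Every file the flagged account touched, decoy or not: the investigator's next question."""
    return {ev["ObjectName"] for ev in events
            if ev.get("EventID") == 4663 and ev.get("SubjectUserName") == user}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in evaluate(evs):
        print(f"[{a.kind}] {a.when} {a.actor}: {a.detail}")
    print("jsmith also touched:", sorted(files_touched_by(evs, "jsmith")))
```

Running it against the constructed log produces three alerts: jsmith opening the decoy spreadsheet, a failed logon with the decoy account from 10.0.0.55, and the DLP hit as the stamped file leaves over SMTP. The last function is the part the post stresses: once an account trips a decoy, you want the full list of what else it touched, and here that list includes a real HR file. In a live deployment the exclusion of backup, antivirus and indexing service accounts would go in front of `evaluate`, since those will legitimately touch every decoy you plant.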