Given the fact that Working From Home (WFH) is now going to become the new normal, many businesses across Corporate America are now trying to figure out the best ways to harden and further fortify their lines of defense against Cyberattackers and the various threat vectors they are attempting to launch. Granted, this is no easy task, as there is no uniform set of standards or best practices that can be implemented.
The primary reason for this is that each remote worker will be using their own home network in order to connect to the company network, and from there, gain the shared access they need in order to conduct their daily job tasks.
Because of this, the IT Security teams will have a much harder time trying to ascertain if the devices that the employees are using are up to snuff with the current Security Policies that have been put into place.
It is not that the tools are not available to do this; it comes down to a matter of privacy. Remember, we are guaranteed certain privacy rights by our Constitution, and this is one of them. The only way that a company can truly inspect a home network is if it gets a court order or voluntary permission from the employee. The latter will only happen if they are threatened with job loss.
So, as you can see, this is one of the major pitfalls of WFH that still needs to be fully addressed, before any assurances of true Cybersecurity can be guaranteed, if any at all. While Corporate America is still scratching its head trying to figure all of this out, the Cyberattacker is taking prime time advantage of all of this, by penetrating into the back doors that are left wide open by these home networks, and from there, trying to gain access to the corporate network infrastructure.
So, a key solution here is to somehow convince the Cyberattacker that they are hitting a real target, when in reality, it is just a fake one. The primary purpose of this is simply to add more confusion to the Kill Chain, so that it takes longer to get to the proverbial “Crown Jewels”.
The premise here is that if it takes longer, the Cyberattacker will more or less give up in frustration.
In the world of techno jargon, this is known as “Deception”. So, what are some of the ways in which a company can do this? Here are some of the top ways, on a shoestring budget, which many companies these days are now facing. Here we go:
*Make use of real systems:
This is sort of a no brainer, but the key takeaway here is: do not go out and buy a new piece of hardware or sacrifice the security level of your current Cloud Infrastructure by creating another Virtual Machine. Instead, make use of the hardware that you already have, especially if you are planning to decommission it at some point down the road. It is also important that this piece of hardware and its associated software actually look like they are part of the overall production environment of your company. In other words, you want everything to look seamless so that the Cyberattacker cannot tell what is real and what is fake.
*Make your systems have some perceived value to the Cyberattacker:
In this regard, make your soon-to-be-deprovisioned server look like it contains a wealth of information and data that the Cyberattacker is primarily after – namely the PII records of your employees and customers. Of course, you do not want to put the real thing up, so simply use some creativity and make up fictitious PII datasets and records. Keep in mind that passwords are still, and will remain, one of the most favored assets the Cyberattacker is after, so also establish some phony network admin or IT Security accounts in order to pique their curiosity just a little bit more.
*Put up Endpoint Devices that are not really being used:
With the current WFH atmosphere, Corporate America is still obsessed with only fortifying the network lines of communication between the devices of the remote worker and the servers upon which the shared resources reside. In all of this, securing the endpoints, which are the points of origination and destination, very often goes neglected, though many CIOs and CISOs are now fully realizing its importance. As a result, this too is a crown jewel for the Cyberattacker. So, while you are in the midst of putting extra layers of security on these various Endpoints, why not put up some extra ones that will not be hardened, and appear to be out of the norm? For example, you could put up such devices as CCTV cameras, motion detectors, and even various IoT related devices. Even if you do not already have these, you can probably purchase them for ridiculously cheap on places such as Amazon or eBay. But remember, do not by mistake connect these kinds of devices to your IT or Network Infrastructures!!!
*Make good use of your Deception strategies:
Although the primary intent of using Deception tools is to lure the Cyberattacker away from your real digital assets, you should also take advantage of the other benefits they offer. For example, you should connect these phony devices to your Security Information and Event Management, or “SIEM”, system. By doing this, you will also be notified in real time if somebody is actually trying to hack into your systems, and from there, you can track them down before any real damage happens. In other words, you are trying to create a “Honeypot” of sorts, in order to lure the bees and analyze their behavior. So why not do the same for the Cyberattacker? Instead of risking real assets, you are only sacrificing the phony ones. But in this regard, it is important to have a trail of breadcrumbs that will lure the Cyberattacker into these fake targets of interest. In other words, with this particular approach, you are trying to build an early warning detection system. But the key here is to think like an actual Cyberattacker and lay out the appropriate breadcrumbs for what they may be after. In this instance, in order to get a quick ROI on this, you may even want to hire an ethical hacker to help you out with this.
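The two ideas above (seed the decoy server with fictitious PII and phony admin accounts, then wire the decoy into the SIEM so any touch raises an alert) can be demonstrated in a few dozen lines. The following is an added example written for this post, not code from the original article or from any vendor's deception product. Everything in it is constructed: the decoy account names, the fake-name lists, the host names, the IP addresses (from the documentation ranges) and the sshd-style log lines. The point it shows is that a decoy account is a high-fidelity signal precisely because no legitimate user ever logs in with it, so a single failed or successful login against it is worth an alert.

```python
"""
Honeytoken demo: constructed fake PII records and decoy admin accounts,
plus a SIEM-style detector that alerts when a decoy identity appears in
authentication logs. Added example, not code from the post; every name,
account, host, IP and log line below is constructed.
"""
import csv
import io
import random
import re
from collections import Counter
from dataclasses import dataclass

# Decoy account names (hypothetical). No real person or service uses them,
# so any login attempt against them is attacker activity by definition.
DECOY_ACCOUNTS = {"svc_backup_admin", "itsec_jsmith", "netadmin_legacy"}


def generate_fake_pii(n: int, seed: int = 7) -> str:
    """Return CSV text of clearly fictitious PII to seed a decoy server.
    Names are assembled from short lists; the SSN area number 000 is never
    assigned, so these records cannot match a real individual."""
    rng = random.Random(seed)
    first = ["Alex", "Jordan", "Casey", "Morgan", "Riley", "Taylor"]
    last = ["Rivera", "Nguyen", "Okafor", "Schmidt", "Haddad", "Lindqvist"]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["employee_id", "name", "ssn", "email"])
    for i in range(n):
        name = f"{rng.choice(first)} {rng.choice(last)}"
        ssn = f"000-{rng.randint(10, 99)}-{rng.randint(1000, 9999)}"
        email = name.lower().replace(" ", ".") + "@decoy.example"
        writer.writerow([f"E{100000 + i}", name, ssn, email])
    return buf.getvalue()


@dataclass
class Alert:
    account: str
    src_ip: str
    outcome: str   # "Accepted" or "Failed"
    raw: str


# Matches OpenSSH-style password events, e.g.
# "Failed password for invalid user bob from 203.0.113.5 port 1234 ssh2"
AUTH_RE = re.compile(
    r"(?P<outcome>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def detect_decoy_use(log_lines, decoys=frozenset(DECOY_ACCOUNTS)):
    """Scan auth log lines; return one Alert per event that names a decoy
    account. Ordinary user logins are ignored, so the output is low-noise."""
    alerts = []
    for line in log_lines:
        m = AUTH_RE.search(line)
        if m and m.group("user") in decoys:
            alerts.append(Alert(m.group("user"), m.group("ip"),
                                m.group("outcome"), line))
    return alerts


def source_watchlist(alerts):
    """Count alerts per source IP: the addresses worth tracking down first."""
    return dict(Counter(a.src_ip for a in alerts))


# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = [
    "Mar 14 02:11:05 decoy-fs01 sshd[811]: Failed password for invalid user "
    "svc_backup_admin from 203.0.113.42 port 51022 ssh2",
    "Mar 14 02:11:09 decoy-fs01 sshd[811]: Failed password for invalid user "
    "svc_backup_admin from 203.0.113.42 port 51022 ssh2",
    "Mar 14 08:30:12 fs-prod-03 sshd[2201]: Accepted password for alice "
    "from 10.20.30.40 port 49822 ssh2",
    "Mar 14 09:02:44 decoy-fs01 sshd[815]: Accepted password for "
    "itsec_jsmith from 198.51.100.7 port 40011 ssh2",
]

if __name__ == "__main__":
    print(generate_fake_pii(3))
    for alert in detect_decoy_use(SAMPLE_LOG):
        print(f"ALERT decoy={alert.account} src={alert.src_ip} {alert.outcome}")
    print(source_watchlist(detect_decoy_use(SAMPLE_LOG)))
```

Two design choices matter here. The fake PII is generated, not copied, so the decoy can be lost without exposing anyone; and the detector keys on the account name rather than on failure counts, which is why the legitimate login for "alice" produces nothing while the successful login against "itsec_jsmith" still fires. In a real SIEM the same logic becomes a correlation rule that matches the decoy account list against the authentication source.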
*Keep your Deception strategy updated at all times:
Just because you have deployed fake devices does not mean that you do not have to refresh the data and information they contain. The Cyberattacker is particularly good these days at detecting those digital assets which have literally gone “stale”. To avoid this, keep your fake devices updated on a regular basis, and make them look lively as well. In other words, make them look like they are interacting with something in your production environment at all times. Do not just let them sit idle for any extended period of time. In fact, updating and refreshing your Deception based tools should also be a part of your overall Security Policy.
My Thoughts On This
In the end, the use of Deception tools is nothing new; it goes back a long way, possibly decades if not more. In fact, according to a recent research survey that was conducted by Mordor Intelligence, the Cyber Deception Tool market will have an estimated value of at least $2.5 billion by 2025, if not more. More information about this study can be downloaded at this link:
But it is important to keep in mind that simply putting up fake and phony devices in order to lure in the Cyberattacker is just one part of your overall Cyber strategy. You still have to keep beefing up your lines of defense and keeping up with all of the needed software patches, upgrades, and even firmware upgrades as well. But as mentioned, this is a hard task to achieve at the present time.
In the meantime, putting up these kinds of rogue devices will buy the extra time until your IT Security team can completely figure out how to make your remote workforce as safe as possible from the Cyber threat landscape.
But remember this one last thing: The use of Deception tools will only work so far. The Cyberattacker is now being very patient when studying the profiles of their intended victims before they make their move. With this in mind, they will learn over time what is a real asset and what is a fake one. So do not rely upon this tactic alone.