The Art of Deception
Last week I posted an ad on Craigslist, and within a few minutes, I had a bite. I received a text from an out-of-state phone number, and the sender wrote that he wanted to call me via a Google voice number. The sender, who we will refer to as “he,” mentioned a text would come in from Google, and that I would need to provide him with the PIN that showed up. I know how PINs normally work, so I instantly thought this was odd. Upon further investigation, I began to understand the scam in more detail. In this attack, the scammer was attempting to get me to give him a PIN that was sent from Google. This PIN would allow him to forward my number, and the calls that come to it, to his own Google Voice number. As a cybersecurity professional, I am often impressed by the various types of scams that I see.
Deception is rampant in many areas of our lives, but probably nowhere is it so prevalent as it is in the digital domain. I’ve read several articles in the past few months that reference Sun Tzu’s book The Art of War, which emphasizes the art of deception for both offensive and defensive use. On the offensive side, we see our clients’ team members struggle with phishing emails and social engineering attacks. The problem is compounded with targeted attacks toward an individual or a limited group of individuals through more personalized attacks, such as spear phishing and whaling. Once a user is tricked into clicking a link or opening an attachment, the results can be lethal to an organization. In May of this year, Trustwave stated that in 2017 only 2.1% of spam was made up of phishing attempts, but phishing still causes an inordinate amount of problems. In fact, the Verizon Data Breach Investigations Report found that 30% of phishing messages get opened by targeted users and 12% of those users click on the malicious attachment or link.
Although deception has a negative connotation, we often use it in our lives in beneficial ways. I’m an avid archer, and I enjoy shooting at targets as much as I enjoy chasing deer in the fall and wild boar whenever I can. In the field, I use camouflage to hide in plain sight. I have multiple camouflage patterns based on my location’s surroundings, whether that be forest, desert, or snowy mountain. As the environment changes, so too does my camouflage attire. Similar to camouflage patterns, a company’s information can hide in plain sight through deception technologies. There is another component to deception: show the false and make it seem real, confusing the attacker. In my hunting scenario, this would be the use of decoys and appropriate scents to attract game. I’ve found success with these deception techniques. We also can use deception to protect us in cyberspace.
“The Devil Does Not Exist” is the title of a presentation delivered by Mark Mateski and Matt Devost at Black Hat 2014. It paints the perfect picture for the use of deception in technology. I was fortunate to get to go to Black Hat and DEF CON this year. I was intrigued by how broad counter-deception technologies are being used to increase capabilities for organizations to detect and shape the path an adversary will take while decreasing the chances of false positives. Humans are generally easy to exploit because of the way we’re wired, and attackers know that. Yet, attackers are also human, and they will also fall victim to this human trait. It’s easy to think that the bad guys have the advantage, since they only have to succeed once, while us defending against their attacks have to be right every time. Deception technology is helping in this by providing a minefield of attractive decoy systems within organizational networks. Modern defensive platforms lay traps, a.k.a. breadcrumbs, to lure attackers toward fake assets. As an attacker attempts to navigate its target and scoop up the breadcrumbs, high-fidelity alerts are sounded warning that attackers have breached perimeter security controls.
Consider an analogy. A burglar finds a target he thinks is lucrative. He breaks into a mansion and sees exquisite jewelry and amazing artwork all around. He’s terribly excited and thinks he’s hit the motherload, and he begins to take all he can. What he doesn’t realize is that he’s not in the real mansion but in a fake room; the jewelry is costume, and the artwork is counterfeit, albeit very good forgeries. Furthermore, his entrance has been detected, his identity is being researched, his strategy is recorded, and his entry may lead to his capture.
I had intended on ending this article with some cool ideas about how defensive deception could be used in everyday life, by regular computer users, to throw off would-be attackers, but the solutions are either too expensive or require too much time. As an example, consider the bogus Microsoft tech that calls claiming he’s trying to fix a problem on a particular computer, when all he really wants is access to my system. I could spend an hour with this attacker, having fun and keeping him frustrated so he can’t call anyone else, but my time is too precious. It’s far easier to yell a few choice words and hang up. Instead, I will offer a few important cybersecurity practices that will help keep you more secure at home and at the office and help prevent you from falling for deception:
- I like the term “situational awareness.” Pay attention to what’s going on around you, and if your gut is telling you something is off, it probably is. Take the extra minute or so to allay your fears before clicking on a link in an email, even if it’s from someone you know. There is always a chance that an account has been compromised or is being spoofed, and the sender of the that email is not the person you think it is. A quick phone call can save a lot of grief.
- Some ways to keep your online accounts safer: never reuse passwords and never sign into various accounts with Google or Facebook credentials. Always use two factor authentication. Every barrier you create between an attacker and your account lowers the likelihood of a breach. Use a password manager, and make sure the password to this manager is airtight. Until passwords become obsolete, and we’re all anxiously awaiting that day’s arrival, these steps will ensure an attacker has more difficulty in compromising your accounts.
- Be mindful about what you put on social media. Seemingly benign information, such as birth dates, favorite foods, and vacation updates can be used for social engineering attacks. This information too, can be used to compromise security questions.
- Human Resource personnel especially need to be aware that any job information posted on a company website can be used to facilitate targeted spear phishing scams, esp. job description, network details, org charts, and out-of-office details. At TriCorps, we use this information during our penetration testing and often come up with some very useful information that helps give us an edge.
Deception is a strategy that gives the deceiver the advantage, and it has been used for years by attackers. As the frequency of cyber attacks and intrusions continues to grow, better defensive tools are required. Consequently, counter-deception in gaining in popularity and is proving to be an effective way to force adversaries to move slower, expend more resources, take greater risks, and turn their attention away from real, valuable data, and toward fake, disposable data. In the end, hopefully defenders can effectively use deception to become more successful at stopping these attacks and detecting cyber intrusions earlier.