Reflections Upon Deception and Protean Security Tactics

I’ve been pondering the use of deception and variability to slow down and misdirect computer attackers. Honeypots have been discussed in this context for some time, yet they’ve failed to take off as mainstream components of a security architecture. Perhaps now is the time when a new set of tools and people can reignite an interest in this aspects of information security. I believe this area is ripe for innovation.

Non-Computer Deception

Looking at how deception was used during World War II can set the stage for the common forms of such tactics. According to a paper by Donald J. Bacon, Allied Forces to confused and misdirected the enemy by incorporating ambiguity and misdirection into their operations. The paper also attributes many Soviet victories during the war to the full integration of deception into operational planning and execution.

Early Examples of Deception for Computer Security

A historic perspective on the use of deception for computer security comes from the account of Gene Spafford of his work during 1989-1993. Gene describes the “active defenses” he employed to identify attacks in progress, slow down attackers, learn of their techniques and feed them fake data. His approaches included:

  • Fake user accounts that had access to fake data that was kept current
  • “Bait” files that looked attractive to intruders, but weren’t accessed during normal operations
  • Service emulators that would process connections very slowly and generate fake errors
  • “Sparse” files that would look normal on the file system, but would be huge in size when being downloaded
  • Altered programs that, when used by the attacker, included beacons and other unexpected features

Gene believes that “too few defenders these days build forensics capture into their systems to help identify intruders. They also don’t have active defenses, countermeasures and chaff in place to slow down attackers and provide more warning of problems.”

The Use of Honeypots

Many of the deception techniques discussed by Gene were implemented later through the use of honeypot tools. Around 1999, Honeynet Project came into existence, infusing innovative thinking into such ideas and approaches to discovering attacks and learning about attacker’s capabilities. The most comprehensive commercial product in this space at the time was, probably, ManTrap by Recourse Technologies. The company was acquired by Symantec in 2002, but was discontinued a few years later.

The idea of honeypots seems to have faded into the background, as people were reluctant to deploy them on production networks due to support costs and risks and low perceived value. Yet, people continued to make specialized honeypot tools, as is evidenced by the likes of Nepenthes—a free tool for detecting and capturing malware. Other tools include Kippo for SSH, Glastopf for web servers, Jsunpack-n for web clients and InetSim for various network services.

More recently, John Strand has been exploring the use of deception in the context of offensive countermeasures. For instance, he showed how a small script can be used to automatically shun the attacking IP address that tries to connect to a decoy port on Windows and on Linux. John also demonstrated a free tool called WebLabyrinth by Ben Jackson, which is designed to confuse and slow down malicious web crawlers.

Deception as a Larger Defensive Capability

My goal is not to present a history of deception tools, but rather to offer a few data points regarding how, if at all, these technologies have evolved. As you can see, our tools today aren’t far removed from the early ideas implemented by Gene Spafford. Here’s my take-away:

Deception tools and approaches won’t go beyond niche tools and won’t gain mass appeal until we find a way to integrate honeypot capabilities into the overall IT infrastructure. Some day, the notion of a honeypot persona might not even sound too strange.

One of the lessons in the use of deception during World War II is that to be successful, such efforts cannot be one-off projects. They have to be centrally managed and integrated into the fabric of operations. I’m reminded of this by Gene Spafford’s use of the term “active defenses” and by John Strand talk about honeypots in the context “offensive countermeasures.” (Not just “honeypots.”)

Protean Security and Cloud Computing

Perhaps the increased use of cloud-based services will make it easier to incorporate deception into IT infrastructure. Mike Rothman described the idea of HoneyCloud, which would be used to deploy deceptive and protean technology elements into a private cloud to minimize production risks. Moreover, I think the biggest advantage of cloud technology is its elastic capabilities that, combined with support for automation can allow an organization to integrate deceptive and protean capabilities into the fabric of its IT operations. There’s room for innovation there, and that’s very exciting.


About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds innovative endpoint defense solutions as VP of Products at Minerva. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more