What seeds should I deploy, and where?
The most effective deception campaigns are those driven by your risks, issues and requirements
In the ever-evolving landscape of cybersecurity, staying a step ahead of cyber threats is not just a goal; it’s a necessity. At seedata.io, we understand this better than many. That’s why we’ve dedicated ourselves to providing cutting-edge solutions that empower you to outsmart potential attackers. But let’s be honest: having the tools is only part of the battle, and they mean nowt if our users don’t know how to use them.
This post will guide you through the questions you need to answer to design a deployment model that relates directly to your organisation.
When it comes to implementing a deception strategy within your cybersecurity defence, it’s important to consider:
- The adversary’s tactics and techniques: Understanding the adversary’s methods will help in creating effective deception assets that are likely to be interacted with.
- Your network architecture and assets: Placement of deception assets should be strategic, ensuring they are in locations where an adversary is likely to encounter them during their attack lifecycle.
- Goals of the deception strategy: Whether it’s for detection, misdirection, or wasting the adversary’s resources, your goals will dictate the nature of the deception assets you deploy.
Here’s a step-by-step approach to guide you through this process:
Step 1: Set your scope
If you’ve not already, you should start by familiarising yourself with the MITRE ATT&CK framework. It’s a comprehensive knowledge base that outlines various tactics, techniques, and procedures (TTPs) used by adversaries. Start by identifying the TTPs that are most relevant to your organisation. These could be based on past incidents, common threats in your industry, or known tactics used by attackers targeting similar organisations.
The MITRE ATT&CK framework categorises TTPs into tactics like Reconnaissance, Resource Development, Initial Access, and many more, providing a structured way to understand how adversaries operate.
Full details are available here: https://attack.mitre.org/
Step 2: Define your strategy
Now switch your attention to another framework, MITRE ENGAGE. This one describes how cybersecurity teams can implement strategies for adversarial engagement, through denial and deception, to disrupt or learn more about an attack. It provides great resources like playbooks and worksheets to help you plan and execute your deception strategy effectively, taking the ATT&CK TTPs from the previous step as an input.
Full details are available here: https://engage.mitre.org/matrix/
By entering your ATT&CK TTPs, you will be provided with a list of “Activities” that fall within different “Approaches”, which in turn deliver certain “Goals” (these being the terms used by ENGAGE).
Step 3: Select your assets
This involves turning your intended strategy into specific deception asset choices, and customising them to suit your environment. We offer different families of assets to cater to different execution use cases, and different asset profiles that customise those assets so they blend seamlessly into your existing infrastructure, making them more convincing to attackers.
More details on our asset families are available here: https://www.seedata.io/features/seeds/
For example, you may want to deploy an asset from our “Infrastructure Assets” family to act as a lure and help you execute your “COLLECT: Network Monitoring” strategy, and you may then select our Linux 5.0 profile so that this asset blends in with your wider environment.
We map our assets into the MITRE ENGAGE framework in the following way:
ENGAGE Activity | Application Assets | Credential Assets | Data Assets | Infrastructure Assets |
COLLECT: API Monitoring | y | y | ||
COLLECT: Network Monitoring | y | |||
COLLECT: Software Manipulation | y | |||
COLLECT: System Activity Monitoring | y | y | y | |
DETECT: Introduced Vulnerabilities | y | y | ||
DETECT: Lures | y | y | y | y |
DETECT: Malware Detonation | ||||
DETECT: Network Analysis | y | |||
PREVENT: Baseline | ||||
PREVENT: Hardware Manipulation | y | |||
PREVENT: Isolation | ||||
PREVENT: Network Manipulation | y | |||
PREVENT: Security Controls | y | y | y | y |
DIRECT: Attack Vector Migration | y | y | y | |
DIRECT: Email Manipulation | y | |||
DIRECT: Introduced Vulnerabilities | ||||
DIRECT: Lures | y | y | y | y |
DIRECT: Malware Detonation | ||||
DIRECT: Network Manipulation | y | |||
DIRECT: Peripheral Management | ||||
DIRECT: Security Controls | y | y | y | y |
DIRECT: Software Manipulation | y | |||
DISRUPT: Isolation | ||||
DISRUPT: Lures | y | y | y | y |
DISRUPT: Network Manipulation | y | |||
DISRUPT: Software Manipulation | y | |||
REASSURE: Application Diversity | y | |||
REASSURE: Artifact Diversity | y | |||
REASSURE: Burn-In | y | y | ||
REASSURE: Email Manipulation | y | |||
REASSURE: Information Manipulation | y | |||
REASSURE: Network Diversity | y | |||
REASSURE: Peripheral Management | ||||
REASSURE: Pocket Litter | y | |||
MOTIVATE: Application Diversity | y | |||
MOTIVATE: Artifact Diversity | y | |||
MOTIVATE: Information Manipulation | y | |||
MOTIVATE: Introduced Vulnerabilities | y | y | ||
MOTIVATE: Malware Detonation | ||||
MOTIVATE: Network Diversity | y | |||
MOTIVATE: Personas | y |
Step 4: Deploy into the right location
When asked why he robbed banks, Willie Sutton replied “because that’s where the money is”. You should have this in mind when choosing the location of your campaign.
Your adversaries will be trying to get to “where the money is”, so you should litter their route to it with deception assets, with the goals of exposing their attack, affecting it, and eliciting intelligence that will help you better defend your organisation.
For example, you could plant Linux servers running a web server on your network perimeter, to gain intelligence on attack traffic originating from the internet. You could also plant some AWS credentials within your developer repos to detect any malicious actor with existing access. You could also plant Person seeds within your customer database to disrupt attempts at data misuse and detect incidents of data theft.
There are no hard rules at this stage; you know your environment and network best, but remember that internet-facing locations will inherently provide more signal, but of lower quality.
Step 5: Choose the required size of your deployment
This is an art rather than a science, and will depend on your answers to the previous steps. Basically, you want to plant ‘enough’ seeds to stand a chance of detecting malicious behaviour, but not so many that your seeds become obvious. Nor is this something you will get right first time. Make your best guess, then monitor and adapt (as in, do step 6, then return to step 5 with a tweak based on your results). Some principles that will help you come to an informed estimate:
- It’s highly unlikely you’ll ever need more than 10% dilution (seeds to non-seeded assets).
- It’s equally unlikely that just one seed would be sufficient to capture all activity.
- More seeds will produce more signal. Some of this signal will correlate with signal seen on other seeds, while some will be unique.
- Many seeds of the same format may start to look obvious and become easy to avoid.
- Many seeds of many different formats help to increase confusion and mistrust in your attacker, slowing their activities.
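To make Steps 3 to 5 concrete, here is an added planning script (not seedata.io code). It assumes a small, constructed COVERAGE map drawn from the post’s Step 3 and Step 4 examples plus the all-family “Lures” rows of the table, and encodes the Step 5 sizing principles (10% dilution cap, at least two seeds, spread across formats) as simple heuristics.

```python
"""Deception campaign planner covering Steps 3 to 5 of the post.
Added example, not seedata.io code. COVERAGE is a constructed subset of the
post's asset-family / ENGAGE mapping; the sizing rules encode Step 5."""

# Asset family -> ENGAGE activities it can serve (constructed from the
# post's Step 3/4 examples and the all-family "Lures" rows of the table).
COVERAGE = {
    "Infrastructure": {"COLLECT: Network Monitoring", "DETECT: Lures", "DISRUPT: Lures"},
    "Credential": {"DETECT: Lures", "DISRUPT: Lures"},
    "Data": {"DETECT: Lures", "DISRUPT: Lures"},
    "Application": {"DETECT: Lures", "DISRUPT: Lures"},
}
MAX_DILUTION_PCT = 10  # Step 5: more than 10% seeds among real assets is rarely needed
MIN_SEEDS = 2          # Step 5: a single seed is unlikely to capture all activity


def choose_families(activities):
    """Greedy set cover: a small set of families serving every requested
    ENGAGE activity. Raises ValueError if an activity has no family at all."""
    wanted = set(activities)
    unknown = wanted - set().union(*COVERAGE.values())
    if unknown:
        raise ValueError(f"no asset family serves {sorted(unknown)}")
    chosen = []
    while wanted:
        # Pick the family covering the most still-uncovered activities.
        best = max(COVERAGE, key=lambda fam: len(COVERAGE[fam] & wanted))
        chosen.append(best)
        wanted -= COVERAGE[best]
    return chosen


def size_deployment(real_assets, families):
    """Seed budget for one location holding `real_assets` genuine assets,
    spread round-robin over `families` so no single format dominates.
    Integer maths avoids float rounding; MIN_SEEDS wins for tiny locations."""
    budget = max(MIN_SEEDS, real_assets * MAX_DILUTION_PCT // 100)
    plan = {fam: 0 for fam in families}
    for i in range(budget):
        plan[families[i % len(families)]] += 1
    return plan


def plan_campaign(activities, locations):
    """locations maps a Step 4 location name to its count of real assets."""
    families = choose_families(activities)
    return {loc: size_deployment(count, families) for loc, count in locations.items()}
```

Feed it the activities ENGAGE gave you in Step 2 and a rough asset count per candidate location; the result is a first-guess seed allocation to refine in Step 6.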
Step 6: Monitor and Adapt
Cyber threats are constantly evolving, and so should your deception strategy. Regularly review your current strategy’s results, and update your understanding of TTPs and how they map to your deceptive assets. This continuous adaptation ensures that your deception strategy remains effective against new and emerging threats.
By following these steps and leveraging the resources provided by the MITRE ATT&CK and ENGAGE frameworks, you can strategically choose and deploy deceptive assets that effectively counteract the tactics used by adversaries targeting your organisation. This approach not only enhances your detection capabilities but also adds a proactive layer to your cybersecurity defence.
CoPilot is coming!
One of our most important priorities is to make the potential benefits of deception available to everyone in a simple-to-use platform. We recognise that not everyone has the time and experience to go through processes like this, so we are actively building out our “CoPilot” feature.
This will launch soon, with the intention of guiding you to the most effective deployment for your needs, based on your responses to a few simple questions.
We have future plans to evolve CoPilot to become more proactive, by monitoring your existing deployments and collecting data from your environment so that our platform can suggest effective deception campaigns with no user input required.
Stay tuned for future updates.