Advancing Zero Trust Maturity Through Cyber Deception

Adversaries are using AI to generate polymorphic malware and ransomware variants. The polymorphic variants dynamically generate custom offensive code for each execution cycle, use memory execution techniques and avoid command and control (C2) communication to evade detection through traditional sensors. In addition, advanced persistent threats (APT) use zero days to avoid detection.

A set of strategically chosen types of deceptions (decoys, baits, honeytokens) that are blended with the environment, made attractive for attackers to exploit and placed as an overlay on the critical assets, enables SOC teams to gain visibility into these evolving threats.  

Mature zero trust strategies need more than prevention-based controls like identity access management (IAM) and multifactor authentication (MFA) to detect and respond to identity-driven threats. Adversaries obtain access to credentials from credential caches on endpoints, from identity stores, and from infrastructure servers that constitute the identity architecture. Adversaries use client-side attacks, offline attacks, and identity zero days to stealthily compromise identities. Readily available penetration testing tools and offensive tools that target the identity architecture have lowered the bar for threat actors looking to perform identity-driven exploits. Adversaries use the credentials for lateral movement to gain trusted access to critical assets.

Traditional security sensors are unable to distinguish between legitimate and malicious usage of credentials. However, security teams can deploy identity honeytokens (deceptive user accounts, service accounts) in identity stores and on endpoints to detect identity-driven attacks.

Zero trust environments are based on the principle of verifying the identity and granting least privileged access to resources from a device/endpoint. Securing the device/endpoint is an important step to ensure the right device gets access to the resources. But organizations are challenged to secure unmanaged endpoints—those endpoints with no endpoint detection and response (EDR) or extended detection and response (XDR) sensor deployed. Organizations have several types of endpoints that aren’t compatible with EDR/XDR based sensors (e.g., legacy IT workstations or servers, bring your own device hardware, embedded devices such as printers and IoT cameras, and endpoints running custom OS versions).

Unmanaged endpoints are hard to patch due to limited access and legacy versions. This provides ready access for adversaries to compromise the endpoints through vulnerability exploits. Adversaries target unmanaged endpoints due to the lack of detection capabilities on the endpoint, providing opportunities to download and execute malware and spread across the environment.

SOC teams have limited and often no visibility to threats originating from unmanaged endpoints. To address this challenge, security teams can deploy deceptions to improve threat visibility from unmanaged endpoints as part of a mature zero trust implementation. Selecting the right type of deceptions—for instance, decoys impersonating unmanaged endpoints or baits on the endpoints—can help drive better security outcomes.

Adversaries target applications and data with vulnerability exploits to gain unauthorized access to sensitive data. Prevention-based controls are insufficient to protect applications and data, with over 20,000 unique vulnerabilities being reported every year, based on statistics from the vulnerability tracking database. Several of these are critical or high vulnerabilities. Patches often bring compatibility and stability challenges, creating long lead times for the patching process and creating a window of opportunity for attackers. As an example, the critical Log4Shell vulnerability that was discovered in December 2021 soon had a patch available, but organizations are still getting targeted by threats that successfully exploit unpatched systems.

Traditional sensors like EDR and XDR are endpoint-centric and are not aware of applications or data. Zero trust is anchored around protecting sensitive data and critical applications. Organizations can deploy deceptions (decoy applications and data repositories), blend these with the environment, and entice the adversary by projecting legacy or unpatched versions to create attractive targets in the eyes of adversaries. Baits and honeytokens can also be embedded as data deceptions in the standard data repository and applications. SOC teams gain visibility for threats targeting the applications and data as part of a mature ZTA implementation.

Sophisticated adversaries are disabling traditional security sensors to evade detection, a tactic known in the MITRE ATT&CK framework as “defense evasion.” Adversaries obtain initial access to an endpoint and escalate privileges through a set of offensive techniques to gain administrative control over the endpoint. Adversaries use the administrative privilege to disable traditional sensors like EDR or XDR agents, deleting or reducing the logs and disabling other forms of agent-based monitoring. Ransomware and advanced malware threats are using defense evasion as an integral element of the attack lifecycle. SOC teams lose visibility to the endpoint.

Zero trust strategies are based on continuous monitoring and visibility. Organizations can deploy deceptions on the endpoint that are data deceptions and are embedded in the standard data on the endpoint. The blended and passive data deceptions provide an independent detection control that is challenging for adversaries to find and evade. The added visibility strengthens overall zero trust maturity and enables SOC teams to detect and respond to threats more swiftly.

Insider threats come in different forms, including curious insiders and rogue administrators. Privileged insiders have trusted access to critical assets and sensitive data. Malicious activity performed by privileged insiders would not raise alarms in anomaly detection systems or result in suspicious log traces. This makes insider threats particularly difficult to detect using traditional security sensors.

Deploying deceptions such as data deceptions (baits) embedded in the data and on critical servers enables SOC teams to gain visibility to insider threats. This is a key capability for putting zero trust into action.

Ransomware, insiders, and APT threats are targeting operational technology (OT) more and more. Adversaries know that once air-gapped OT systems are increasingly connected to the enterprise and beyond for governance, monitoring, administration, and security-related reasons. What’s more, they are finding various attack paths (e.g., they pivot from IT to OT environments or enter through internet-facing exploits).

Threat detection is particularly hard in OT environments. Traditional sensors provide SOC teams only limited visibility into OT threats. Endpoint tool coverage is limited by old equipment and vendor restrictions. The sensitivity of OT environments requires many tools to be passive, lest security sensors disrupt critical mission workloads. The embedded nature of OT assets and their specialized form factors introduce compatibility challenges for agent-based security sensors.

Applying zero trust principles to OT environments is a growing area of interest for the public and private sector. Now security teams can enhance visibility to OT threats by deploying deception technology to impersonate OT assets such as human-machine interfaces, programmable logic controllers and controllers, as well as IT assets in the OT environment. The security team can safely introduce deception into OT environments to gain visibility into OT threats. The improved visibility for cyber threats better positions organizations to implement zero trust across OT environments.

Misconfigurations are the most important threat vector for cloud workloads. Inconsistent usage of security settings, default configurations that are unchanged and configuration drift are common reasons for the misconfigurations. The adoption of multicloud workloads introduces more complexity, making it extremely difficult to secure cloud workloads based on prevention-based controls. Adversaries exploit the misconfigurations to gain access to cloud resources. Identity-driven attacks are also an important threat vector for cloud workloads, with adversaries targeting service accounts and secrets to gain access to cloud resources. Threat detection approaches in the cloud are limited mainly to scanning container images and cloud applications. Runtime threat detection options are limited and are specific for individual types of workloads in the cloud. Also, many types of cloud-native workloads—for instance, containers, serverless, and platform as a service (PaaS)—are not compatible with agent-based security solutions. The ephemeral and dynamic nature of cloud-native workloads poses an added challenge for threat detection and response, making it difficult to baseline and identify anomalous usage patterns.

Security teams can deploy deceptions (honeytokens, baits) that represent deceptive identities and data along with cloud decoys to detect cloud threats. Even security teams supporting organizations that are early in their zero trust journey for cloud environments can gain visibility to cloud threats to strengthen their overall detection capabilities.