Carolyn Crandall 15 July 2020

How councils can use deception to fight cybercrime

Many cybercriminals are opportunists and take the path of least resistance, aiming at targets that will enable them to make a quick profit with the least effort. Unfortunately, local government authorities are often precisely the kind of target these criminals seek.

Threat actors are well aware that local authorities hold vast stores of valuable data, such as the personal and financial details of residents. At the same time, these authorities generally lack the budgets and resources of their counterparts in central government, making them an ideal mark for a criminal looking to make quick cash. Research from Gallagher found that threat actors attacked UK local authorities more than 800 times an hour last year.

Advanced ransomware attacks are increasingly targeting the public sector, aiming to lock systems widely and cripple services so that the attackers can command a more lucrative payout. In recent years these attacks have become more sophisticated and harder to detect. Perpetrators now seek to optimise their chances of success by first infiltrating the network, then pinpointing the most valuable assets to encrypt.

Criminals bank on the idea that local governmental bodies will quickly pay a ransom demand to unlock their systems because the public depends on them for essential municipal services. It is worth noting that even when paying a ransom, there is no guarantee that they can recover data or that these or other criminals will not strike again.

Dangerous deception

One of the reasons these major attacks keep occurring is that the majority of cyber attackers use deception as a powerful tool for gaining advantage over their victims. Phishing emails purporting to come from known contacts account for more than 80% of reported security incidents, according to CSO Online. A threat actor only needs to fool one employee into clicking a link to gain initial access to an internal system. Criminals will then leverage various other attack techniques to evade security measures such as antivirus. These deceptions often involve stealing employee credentials so that they can log into systems as legitimate users.

However, while deception has always been one of the most powerful resources in an attacker’s tool kit, it can be equally useful for defence. Organisations can lay deceptive traps, bait, and misdirections of their own for cyber attackers that breach their network, deflecting them away from the real assets and crucially delaying or even entirely derailing their attack.

The defenders achieve this by creating traps and lures that resemble genuine files, systems, and credentials that an attacker is likely to seek out. Advanced deceptions go so far as being able to hide and deny access to production assets such as Active Directory, files, folders, and mapped network and cloud shares. Whether the attacker has infiltrated the network to steal data, implant ransomware, or tamper with critical device operations, the minute they interact with any of these false assets, the security team gets an alert and activates incident response. Additionally, since deception provides the means to engage an attacker safely, it can gather and analyse extremely valuable information on the attacker’s tools and techniques to fortify defences.
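The alerting logic described above, sketched as an added example (not from the article or any vendor's product): any event that touches a decoy credential, host or share raises an alert, whether or not the action succeeded. The asset names, addresses and the JSON-lines log schema are constructed for illustration.

```python
import json

# Hypothetical decoy inventory (constructed names). Nothing legitimate ever
# uses these, so any event that touches one is worth an alert.
DECOY_ACCOUNTS = {"svc-backup-adm"}
DECOY_HOSTS = {"dc-decoy01"}
DECOY_PATHS = (r"\\fs01\finance\payroll_archive",)

# Constructed sample events in a made-up JSON-lines schema.
SAMPLE_EVENTS = r"""
{"ts":"2020-07-15T09:01:12Z","type":"logon","user":"jsmith","src":"10.1.4.22","dst":"fs01","ok":true}
{"ts":"2020-07-15T09:14:03Z","type":"logon","user":"COUNCIL\\svc-backup-adm","src":"10.1.7.80","dst":"dc01","ok":false}
{"ts":"2020-07-15T09:15:40Z","type":"file_read","user":"mjones","src":"10.1.7.80","path":"\\\\fs01\\finance\\payroll_archive\\q2.xlsx"}
{"ts":"2020-07-15T09:16:55Z","type":"ldap_query","user":"mjones","src":"10.1.7.80","dst":"dc-decoy01"}
{"ts":"2020-07-15T09:20:00Z","type":"file_read","user":"akhan","src":"10.1.5.9","path":"\\\\fs01\\finance\\budget_2020.xlsx"}
"""

def match_decoy(event):
    """Return why an event touches a decoy asset, or None if it does not."""
    # Strip any DOMAIN\ prefix and ignore case before comparing account names.
    user = event.get("user", "").lower().rsplit("\\", 1)[-1]
    if user in DECOY_ACCOUNTS:
        # Outcome is deliberately ignored: a failed logon with a lure
        # credential is as strong a signal as a successful one.
        return f"decoy credential '{user}' presented"
    if event.get("dst", "").lower() in DECOY_HOSTS:
        return f"connection to decoy host '{event['dst']}'"
    path = event.get("path", "").lower()
    if any(path.startswith(p) for p in DECOY_PATHS):
        return f"access to decoy share '{event['path']}'"
    return None

def detect(log_text):
    """Parse JSON-lines events and return one alert per decoy interaction."""
    alerts = []
    for raw in log_text.splitlines():
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        reason = match_decoy(event) if isinstance(event, dict) else None
        if reason:
            alerts.append({"ts": event.get("ts"), "src": event.get("src"), "reason": reason})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In the sample, all three alerts share one source address, which is the kind of correlation that lets a responder isolate a single compromised host quickly.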

At a basic level, a deceptive defence strategy will buy time to respond and shut down the attack. At a more advanced level, deception can prevent an attacker from successfully compromising assets or moving laterally through the network to navigate upstream towards their desired target.

While many people see deception as decoys that serve to mimic real assets and attract in-network attackers, deceptive technology can apply to multiple different areas. A particularly effective strategy is to create a decoy Active Directory or to intercept and derail unauthorised queries. A central point for managing user authentication, Active Directory is a prized target for criminals seeking to escalate their attacks and access more of the network. After detecting unauthorised AD access, the system can even give the intruder fake data that will lead them directly into the deception environment for safe observation.

While attackers may eventually realise they have fallen for the deception, the longer this takes, the better. Wasting a cyber criminal’s time and resources on decoys or forcing them to decipher real from fake data will clearly slow an attack, increase the attacker’s cost, and could result in sending them in search of a softer target.

Covering all the bases

The core concept of defence through deception is a versatile strategy that covers a lot of ground. It is particularly useful for local authorities that work within a limited budget but still need to proactively prevent and detect threats early in the attack cycle. By deploying deception on the endpoint and as a fabric across the network, businesses will gain an early warning system. Plus, with the ability to engage an attacker within a decoy, they can obtain valuable attack information, which is particularly useful in helping understand security gaps and notifying security teams when attackers are evading prevention systems.

The number of cyberattacks increased significantly in recent months as attackers exploited organisations left vulnerable by changes made in response to the COVID-19 crisis. Cybercriminals have taken the opportunity to prey on the pandemic-related fears and concerns of remote workers through phishing and other deceptive techniques. Against this mounting threat, it is worthwhile for local authorities to broaden their approach to cybersecurity, deceiving the deceivers and arming themselves with visibility into an adversary’s trickery and advancements.

Carolyn Crandall is chief deception officer at Attivo Networks
