In the weeks before D-Day, the Allies positioned fake landing craft and inflatable tanks and broadcast fake military radio transmissions in southeastern England, just across the Channel from Calais, Dunkirk and other seaside towns of northernmost France.
Double agents fed plans of a Calais-centered invasion to German intelligence. British bombers hit German fortifications in the area, as if to "soften them up" for an imminent invasion. On D-Day itself, June 6, 1944, bombers dropped clouds of aluminum-foil chaff over the Channel so that German radar near Calais would pick up what appeared to be a large mass of ships heading south.
But the real invasion took place in Normandy, 200 miles to the southwest. The Germans, who had placed many of their best units on the Western front near Calais but many second-rate troops in Normandy, had been bamboozled. They had fallen victim to an elaborate, months-long, multifaceted Allied deception scheme.
Cybersecurity also benefits from trickery as a way to defend against adversaries. Successful deception, especially when it's automated, will slow down attackers, get them to steal false information, divert their attention from legitimate targets and let defenders monitor and study adversarial behavior and techniques.
"Deception, and particularly having that be an integrated part of your control mechanism, is a way to push back a little bit and also buy yourself some time to make a more coherent response and strategy to mitigate that from happening in the future," says Lorraine Bellon, Senior Product Marketing Manager, Security at Fastly.
Moving on from honeypots
One of the oldest and most successful types of fake-out is the honeypot, a supposedly vulnerable website or other networked asset that baits attackers and sometimes gets them to stay a while.
But attackers now know how to evade honeypots. If the honeypot site or server doesn't seem to connect to anything else, or if an attacker expects a physical endpoint but detects a virtual machine, those can be tip-offs.
Honeypots are "stale and unconvincing to attackers," wrote Fastly VP of Security Products Kelly Shortridge in a 2021 piece she co-wrote with Two Sigma Senior Vice President Ryan Petrich for ACM Queue magazine.
Attackers, Shortridge pointed out, "thrive on interconnections between components and expect to encounter systems."
She and Petrich instead proposed "deception environments," or "isolated replica environments containing complete, active systems that exist to attract, mislead, and observe attackers."
One of Fastly's clients, a large airline, has already used such techniques. It created a fake version of a customer-facing web application, complete with phony vulnerabilities and bogus data, to lure in attackers and get them to stay while the airline's defensive teams studied the attackers.
A deceptive environment could defend more than websites. Bellon says placing one inside a software-development environment would confuse attackers.
"If an attacker does manage to intrude upon and find access to your dev environment, they're not going to know which way is up," she explains. "They're not going to really understand on a fundamental level if they've made it in, or if they have been detected, or if they will be successful in their ultimate goals."
The longer you let the attackers think they're getting away with it, the more threat intelligence you can collect.
"Since they don't know that they've been detected," says Bellon, "they might let their guard down. They might do things that they wouldn't normally if they know that they've been detected."
The ethics of deception
Is tricking and deceiving attackers really the right thing to do? Yes, says Bellon. Unlike hacking back, or attacking your attackers, deceptive techniques don't harm anyone, even your adversaries.
"There's often a perception in security, especially in the mentality of good guys versus bad guys, black hat versus white hat, that deception is bad, that deception is something that is unethical," she says. "This is part of tactics. This is part of doing what is necessary in order to protect yourself."
Deception is a classic defense in nature, she argues. Certain insects have evolved green coloring and unusual body shapes to mimic twigs or leaves, making them less visible to predators. There's a harmless fly that looks a lot like a very angry wasp. And when threatened, countless mammals will lift their shoulders and puff up their fur to appear larger.
Humans have been doing it for a long time, too.
"The classic example is putting up the fake security camera," Bellon says. "Yeah, it's not real. There's nothing connected to it. But if it deters people from breaking into your place, then it did the job."
"Granted, a lot of attackers know that the security camera is fake, so they're just going to ignore it," she adds. "You have to change the game a little bit" — which is why deceptive environments are succeeding honeypots.
How Fastly is using deceptive techniques
Bellon clarified that the full-fledged deceptive environment that Shortridge and Petrich advocate is not yet part of Fastly's defensive tools. But other techniques are.
"One of the core principles of deception is the idea that you don't want to give attackers an advantage," she says, "whether that's telling them something that is inaccurate or confusing them, or in some way withholding information from them."
"There are aspects of our DDoS protection, as well as our bot management," she adds, "that involve withholding information from attackers, information that they would expect to get" to continue the attack and gather information about targets.
Along similar lines, an optional "deception action" was just added to Fastly's web application firewall (WAF) that tricks attackers attempting account takeovers into thinking that their stolen credentials don't work — a technique already used by the same airline that deployed a deceptive environment.
"What our deception action does is it intercepts the login request," Bellon explains, "and instead sends garbage to the true login and then to the origin server, and then the origin server responds with an invalid password, invalid credentials response, and we seamlessly pass that back to the attacker."
"The goal is to make the attacker so frustrated that they give up and go somewhere else, but not without first being captured," she wrote in a Fastly blog post.
The beauty of the deception action, Bellon says, is that the firewall administrator only has to toggle a switch to activate it.
"Instead of having to go through some sort of complex exercise of defining the problem and working with our technical resources to do it, it's just there for someone to turn on," she says. "They can use the products that they're already using and the rules that they're already familiar with and the interactions that they already have and just inject a little bit of shenanigans."
These deceptive techniques are automated in Fastly's tools because, Bellon says, human defenders simply aren't swift enough.
"It takes an average of a few minutes for a human to detect and respond to an attack, whereas, like our automated DDoS mitigation, it happens in seconds," she explains. "Sometimes that will result in some false positives, but ultimately, humans cannot respond in a way that is fast enough to stop DDoS attacks."
Bellon tells us that Fastly has other deceptive techniques in development. She doesn't want to give us many details but suggests a few ways to trick, delay or frustrate attackers.
"You could do it with timeouts," she says. "You could do it with other types of attacks. You can do it with bots that are scraping AI content. You can deceive them back and send them garbage content back."
But overall, Bellon foresees deceptive techniques playing a larger role in cybersecurity defenses, especially in application security.
"Deception is something that I think has a lot of potential to really change the game," she says, "because it's moving so quickly — and adversaries are evolving so quickly to try to inject themselves into our applications — that you can't just continue to have human responses."