Deception as A Strategy An Interview with Rick Moy from Acalvio

Rick Moy - Live.png

Well Rick, thanks for joining us. Just introduce yourself.

My name is Rick Moy. I'm the chief marketing officer at a company called Acalvio Technologies. We are a Deception 2.0 company. We are creating a distributed deception platform that brings automated deceptions at scale and authenticity to organizations of any size. The goals is to make it easy to manage, deploy, and implement deception strategies in the network in order to do a better job of detecting attackers who have gotten past the prevention that is deployed on the perimeter and on the endpoints.

 Yeah. Such a great background and experience and fit for some of the conversations that we've been having. We're seeing the realization in the market that static systems aren't secure, they're just not. If an attacker can see what you're doing, they're going to be able to penetrate it.

I know you guys have been around a while. Walk through where Deception and changes have happened. What that history looks like.

Yeah. Well, so first of all, to set the context like I talked about in my talk this morning, deception has been around for a long time. It exists in nature. You have the Venus Flytrap, the angler fish, you think of those fun things. So, nature's got them. We've used deception in warfare, kinetically, so military use smokescreens, false retreats, fake units, right, during D-Day, we created some inflatable tanks to fool the Germans.

In cyber, it really started around 1989 with the German attacker who was breaking into Lawrence Livermore. A guy named Cliff Stoll is one of the first documented deception campaigns, where he actually created fake systems, fake files, and even fake departments logically in the company, and a fake secretary who he gave an account on the system in order to mislead the attacker. So, deception is part of our world, whether we realize it or not.

Attackers use deception against us in phishing campaigns, in malware, polymorphic malware. We use deception to sinkhole botnets. We use it to gather threat intelligence externally. The field of honeypots, which most people think about, has been around for 20 years, and that's great. A lot of open source, community level projects. It solves a certain problem, but the change we've noticed over the last few years is that making those enterprise ready, right. What does that mean? No one has time to manage another platform. It takes time to figure out well what kind of campaign do I want to run. There's some manual effort required.

The new phase of deception, we call Deception 2.0 has a couple key principals. It's got to be manageable. It's got to be automated. It's got to be authentic. It's got to interoperate with your existing infrastructure fabric. All those things have to be true. That's really only become viable within the last 12, 18 months I would say. There's a lot of Deception offerings that I call more point products. They solve a specific part of the problem, but they aren't as fluid and dynamic as the modern enterprise would like. Keep in mind, developers have been talking about Devops for five years or so now, so that's really become part of the mantra within the CIOs organization. We've gotta be Agile. We've got to adapt to a digital transformation, that's still ongoing.

Yeah. You brought up so many good things there. I think that pain point that you talk about where you're already seeing 10,000 threats a day, maybe a million incidents a day, and if you were going to create another system where you're going to create even more incidents. You already are overwhelmed. The idea of how do I handle more when I'm already drinking from the fire hose. How do you guys, both your own technology but what do you see in the market in terms of that filtering, that understanding what is noise on the network and what is the really high-risk elements.

That's perfect, right. It's true. There's organizations I've worked with that get millions of alerts a day. That's exactly the problem with the prevention or traditional detection type of technology. Where deception comes in is really a great blessing for the organizations. It's a totally different philosophy.

With prevention you're trying to find the bad guy hiding in the crowd. With deception, you've set out fake assets, decoys that will attract them. By definition, anyone whose interacting with that decoy is not following business process. If they're an employee, they're not following the business process. If they're an attacker, they're looking for some data to either steal or ransom back to you.

Deception 2.0 has a couple key principals. It’s got to be manageable. It’s got to be automated. It’s got to be authentic. It’s got to interoperate with your existing infrastructure fabric.
— Rick Moy

The definition of deception is it gives you high-fidelity alerts, so a very small number of them because, in general, they don't occur very often. They're designed specifically to detect lateral movement. Someone who has gotten a foothold on a workstation or a server inside an organization is now trying to pivot and find some of that important treasure to, again, steal or ransom back to you. By doing that, trying to figure out what machines are next to me, what services are in the environment, how do I connect to them ... all those activities could potentially reveal their existence if they connect to them. That's where we come in. Deception's a great compliment to a very noisy existing infrastructure that most organizations already have set up. These two things can be complimentary and used together.

Yeah. When you think about when you're creating a network and, essentially, trying to replicate something that looks like your existing environment and putting assets there. How do you do that in a way that's efficient, easy, and that also is believable to an attacker. In many cases, sadly, a lot of organizations don't even know what their network looks like and what's on it. How do you stand one up that's an image of it, a copy of it, that's real ... at least real enough to an attacker?

That's a great question. That's exactly one of the shortcomings of the previous generations of honeypot technologies. Modern approaches will allow admins and organizations to use gold images.

You can take systems that are actually deployed, dirty images. We call them gold, but a lot of them call them their copper or pewter or their fairly tarnished. They're not necessarily a precious thing. That's exactly what you want. You want to replicate and mimic the actual systems in your environment. If it's too clean, it's going to be suspicious. If it's too locked down, it's probably not going to be a good lure for an attacker. It needs to have the same kinds of flaws that your other systems have.

Not to get too technical because we have an audience that spans the range from security professionals to individuals who are tangentially involved, but can you dig in a little bit to one layer deeper in terms of how you do that? Is that done through virtual machines? What's the way you deploy a network?

To be honest, there are some that are out of the box that are just standard. There's a whole matrix of different types of deceptions you can deploy. Out of the box, you would get some basic things like SMB file shares, certain Windows operating versions, Windows 7, Windows 8, and Windows 10, Server 2012, etc. Those generally we provide. Others can be virtualized or containerized. We call it in our lingo, "service reflection."  The process of wrapping an image that's already in production and then mimicking its existence on different VLANs. We have technology that really simplifies that. It's all about making it easy for an organization to roll out a deception campaign.

So you're deploying stuff both on prem as well as in the cloud? How is the deployment typically?

There’s a certain investigative, James Bond nature to it ... what’s going on, who’s inside the castle walls, what information do I have, how can we lay some traps to have that person reveal themselves.
— Rick Moy

Acalvio is a cloud first company. Everything we design is meant for organizations who are going to be moving to the cloud or deploying from the cloud. That same engineering discipline allows us to deploy cloud-ready apps on premises in a very efficient DevOps manner. We've done the design for the hard stuff first, but are also deployable on prem.

Where are things going? What's new? What do you think people should be really excited and trying out in this phase? What's cutting edge in deception right now?

Cutting edge, I'd have to say it's probably the boring part of just making it operational. A couple of years ago, cutting edge was putting up a lone honeypot on the outside of your network and getting external threat intelligence. Well, that's something that a lot of people know. If you put something on the outside of your network, within about 5 minutes, you're going to start getting attacked, right?

What's really critically important to the organization, as well as kind of fun I think and so maybe this is the definition of cutting edge, is finding the bad guys who are already inside your network. There's a certain investigative, James Bond nature to it ... what's going on, who's inside the castle walls, what information do I have, how can we lay some traps to have that person reveal themselves. You get into this detective mode, and you start to think well what tools do I have to do that. There really isn't anything more exciting in my mind than the deception arsenal of tools that you have.

The honeypot is your actual server, you can put services out there that maybe just like a FTP service, which was used, for example, in the Sony hack. File sharing ... you can put fake spreadsheets out there. You can have false, misleading data in database servers that would, if that data was ever used in public you would know that you had been breached. There's really creative ways that you can think about marking content that if it's touched or used somewhere else will be an indicator. It really forces you, as the security guy, to think a little more holistically about what business are we in. Are we in healthcare ... is it patient records? Are we financial services ... is it bank account information? Are we a R & D shop designing semiconductors, so then it may be IP around a particular laser etching technology or layout of a microprocessor. I would want to have different strategies around each of those. That's what's interesting, and frankly invigorating, for a security person who maybe last week their top priority was applying a patch or responding to some malware on Jane's computer. Now he gets to think more strategically about the business and the threats that it faces. It's something that's typically reserved for the C-level suite, but in reality it's the people who are hands-on that have to implement that.

 I think it's a great opportunity from many perspectives.

Sounds very cool. As people are thinking about adding deception to their strategies, what would you say is the best way to climb the curve, to educate themselves? Are there some resources out there? Are there some books they should check out? What sort of way to get involved there?

Actually it's a great question. It's almost a setup. We actually have a couple of books that we've written.


You can go on Amazon. There's a couple historical books you can look at. The Cuckoo's Egg is one. Kevin Mitnick has written a book about deception.

We have two free books. One's a Dummies book, Deception for Dummies. It's a very short read. It's actually quite entertaining.

You don't have to be a dummy. It does a really good job of explaining it. Then we have an advanced field guide for the advanced practitioner whose had more experience with some honeypot technologies.

Awesome. Thanks for taking the time. This is your opportunity if you've got a soap box ... what would you like the community to know if you had 30 seconds, a minute, to say, "Gosh, you know you really need to be thinking about this."

 I would encourage the community to recognize that deception is all around us. We use it every day, and it's used against us every day, whether it's in advertising, social relationships, and in cyber it's used. Let’s use deception to change the dynamics.  The attackers are using automation and forcing us to do manual review of the problems they've created. Deception is the only platform that allows us to lie back to the attacker and change that dynamic and make them do some work.

From that perspective, when you look at the technologies at your disposal ... huge points for that. When you also consider that it's lower cost to deploy than a number of other technologies and more effective and lower noise, there's a lot of reasons to look at it. I'd encourage people to have an open mind and to read up on what Gartner says is the number three of the top technologies for the next year.

Yeah. Awesome. This is great. Thanks so much.

Thanks for the time.



EditorLive, Andy Anderson