The cybersecurity game playing out in today’s enterprises is turning out to be a classic spy story pulled straight out from the cold war era – spooks tunneling their way into enemy intelligence, foiled by sleuths trying to outsmart them.
Cybersecurity experts get the short end of the stick and are often found one step behind the bad guys, and this is where deception technology makes the cut – it puts the good guys in control.
1. In what ways can deception technology outperform tradition cyber-security measures?
For the past 20 years, most active security control responses built into network security products have remained fairly constant, offering only a limited number of response actions, such as log, reject, drop and quarantine, with very little innovation or evolution beyond these more-simple automated response concepts.
Although these responses are effective at both detecting and blocking individual attacker attempts, responses such as reject and drop are widely visible to a skilled adversary, especially advanced persistent threat actors. These types of responses allow an attacker to rapidly (or even immediately) identify when they are detected, and serve to inform the attacker that it must quickly adapt its attack strategy to continue to move forward. These basic defensive actions must evolve so that a strong hold against the attacker can be maintained and to increase the attacker's economic burden.
Deception solutions are emerging to play a greater role in the future of enterprise threat defense. Detection is often a prerequisite to higher-quality deceptions. However, use of deceit in the enterprise is beginning to be used to actively thwart or "black-hole" malware botnets, threat actors and suspicious connections.
2. What sort of hacker behavior has deception technology revealed?
Threat management teams utilize intelligence and orchestrated deceptions to divert attackers away from their sensitive assets. This tactic can enable threat management teams to assert more active control on an attacker and his activities throughout the enterprise environment, and allow organizations to track and share even greater intelligence on threat actors.
Ideally, upon detection, threat actors and their compromised systems or applications will be automatically isolated into a network deception zone, where they are provided with what is equivalent to a hall of mirrors, in which everything looks real, and everything looks fake.
The most critical reason to use deception is to delay an attacker and force him to spend more time, causing him economic harm while he tries to figure out what is real and what is not, and whether to proceed.
3. What’s your take on the usage of ‘honeypots’ in nabbing cyber-criminals?
Use of deception through use of honeypot sensors as a detection measure has often been a security practitioner's dream, yet has been unattainable because the honeypot sensors of the past required too much administration, handholding and maintenance, and were mostly based on open-source code.
Honeypots have been perceived by some to potentially add additional risks by enraging the threat actor, creating new security holes or increasing liability for an organization if the attacker were to compromise a system, and then begin to attack outwardly onto the internet from the honeypot itself. Today's honeypot has evolved toward greater automation, and offers enterprise-class features and operational capabilities.
4. Reports say that by 2018, 10 percent of enterprises will use deception tech. What lies next in the world of deception tech?
Deception techniques and technologies have so far had only nascent adoption in the market. Most recent adoption has been focused on distributed decoy sensor providers, deployed inside the network to enhance malware and threat detection. This has largely been because deceiving a threat actor can be difficult, and must be orchestrated in the proper way for it to be believable.
However, some providers are now successfully deceiving in a believable manner. Distributed decoy systems and endpoint deception agent solutions are gaining traction within financial services and healthcare verticals because they are entities that are very commonly attacked for their sensitive information. Additionally, other large type-A buyers with lean-forward security programs are adopting distributed decoy systems to enhance their deception operations capabilities
5. Takeaways for enterprises already using deception technology, and ones considering adoption of deception tech:
- Deception technology is of more relevance for lean forward and mature enterprises.
- The deception stack consists of sets of tools and responses that operate at different layers the attacker may interact with — the network, endpoint, application, and data layers. It is important to note that the further up the stack deceptions move, the more difficult the deception is to maintain against a formidable and well-educated adversary.
- Threat deception is not an easy concept to understand and requires a mindset shift from being overly preventive, to a mindset that thinks like the threat actor, and placing lies and misdirection throughout their interactions. Enterprises require a proper training to fully utilize the solution.