Making the Most of an Investment in Deception TechnologySetting a Trap Works If Organizations Nurture the Right Bait
The buffet of IT security solutions is maddening - so many products, so many promises - but what will protect your organization?
Deception technology is less of a fringe player these days. Although it has been on the radar of well-heeled organizations for some time, it is becoming accessible to smaller organizations with fewer resources thanks to more manageable and affordable product offerings.
Deception focuses on deploying assets – such as lures, bogus files, honeypots or simulated SCADA or IoT devices – in hopes of diverting attackers, imparting clues as to how the actual production resources may be or are actually under attack.
It’s an attractive proposition in that by default, probes of fake IT assets are invariably not false positives and are quality alerts. But deception technology also isn’t preventive. It’s the equivalent of hearing a car window being broken in an alley.
In their most recent analyses, Ovum and Gartner give deception technologies kudos for improved sophistication and maturity. Some vendors can now deploy vast deceptions in minutes with a genuineness that’s unlikely to trigger suspicion.
But whether deception works for an organization depends on a variety of factors, including how well the deceptions are deployed and how much time an organization is willing to invest in maintenance and ensuring the intelligence translates into something actionable. Here are some aspects to keep in mind.
Setting a Trap
What kind of deceptive resources should be deployed? Lures or breadcrumbs can give a clue to attacker’s modus operandi, but interaction between it and the attacker is fleeting, according to Ovum’s market radar report. Ovum’s report covers Acalvio, Attivo, CounterCraft, Cymmetria, Fidelis, Illusive Networks and TrapX.
Honeypots, sometimes referred to as full-stack decoys, are more sophisticated in that they allow for more interaction with an attacker. Full-stack decoys, which can be set up to resemble a company’s real network, can be more labor-intensive, but they are becoming easier to deploy at scale.
Emulations seek to mimic real devices or applications. These are cheaper than full-stack deployments, but it may be easier for attackers to figure out they’re fakes, Ovum says. Also, Active Directory deceptions aren’t possible with emulations, and AD is often a sought-after flag for attackers.
Emulation, however, may be the only option for, say, SCADA environments, due to the proprietary nature of much of the technology.
Rik Turner, a principal analyst at Ovum who authored the report, says it’s not a surprise that an early adopter of deception has been the financial sector, which has large IT security operations, including dedicated threat-hunting teams.
“The more sophisticated the organization, the more value they’re going to get from it [deception] because you’re not just doing this to keep the bad guys out," Turner says. "You’re also wanting to do reconnaissance on who’s attacking you. In other words, this is a data gathering exercise as well as a repellent.”
Deception has typically been considered something nice to have, but not as a replacement for network analysis, endpoint detection and response or behavioral analysis tools.
Gartner’s latest report, however, has examples of two organizations that favored deception over, say, traffic analysis tools due to the difficulty of sorting out the signal from the noise when using those tools.
One of the co-authors of the Gartner report, Augusto Barros, says the finding was surprising, but usually organizations also had some endpoint or logging tools in place for visibility and forensics.
“If you are thinking about, ‘Oh should we do just deception and not everything else’ - no, that’s not something we would recommend at any time,” says Barros, a vice president and research analyst.
When the Jig is Up
Deceptions are only valuable if they are viable – something that an attacker finds attractive, continues to engage with and imparts intelligence to the deployer.
In practice, it doesn’t always work out that way. Turner says that attackers, as well as penetration testers, are aware of deception technology and have sussed out when something looks fishy.
“People are definitely aware that deception technology is out there and therefore they have to be able to work out when they’ve run up against what is essentially a phoney,” Turner says.
Gartner’s report describes some unfortunate red-teaming exercises.
“In the worst cases, the testers immediately found the deception tools and identified the vendors by name,” the report says. “In the best cases, the testers gave up after several days of trying and reported that they thought the defenders were reconfiguring the systems to 'mess with their heads'.”
Barros says the worst cases where deception vendors were identified occurred two or three years ago. Since then, the vendors in question have improved their products, he says.
“I think that’s a symptom of an immature market,” Barros says. “These solutions are still evolving.”
Conversely, there’s a danger in too much realism. For example: If a company deploys a fake file, such as bogus press release announcing an acquisition, it could prove difficult explain the situation if the document was publicly released by a hacker.
“The impact from that information being stolen and believed could be as damaging as a compromise to real data,” according to Gartner’s report.
How to Evaluate a Product
Deception technology is moving into the menu of technologies offered by managed security service providers, Turner says. Larger security companies are likely to continue to analyze the bevy of deception startups for possible acquisitions, which will be a critical factor for whether the deception market segment will grow.
Gartner advises organizations to conduct a 30-day pilot trial on three deception products before committing to a subscription. Organizations should have an external red team see how effective the product is at catching threats, Gartner advises.
Barros says organizations should try to validate claims of low false positives and the work hours needed to maintain a healthy deception deployment. Turner says that deceptions need to be regularly refreshed to ensure they're continually appealing to attackers
Also, organizations should try to not fall for the proof-of-concept “gem,” an impressive one-off detection not detected by other tools, Barros says. “Many clients are immediately impressed,” he says. “But there are many other questions that you need to validate through a proof of concept.”
Organizations should also keep in mind how the intelligence gained from deception can be integrated into other tools, such as SIEMs, firewalls and network access control systems.
Some vendors may be a better match than others depending on an organization’s business vertical. Barros says deception lures should be similar to what is in a company’s real production environment. A hospital, for example, may have connected diagnostic systems, and certain vendors may have deceptions that do a good job of mimicking those, he says.
The same with financial institutions, which have seen attacks over the last few years against their SWIFT wire transfer systems. Barros says some vendors offer fake SWIFT environments, which can aid in hunting threats for those kinds of attacks. “That’s a very specific vertical-oriented type of solution,” Barros says.