Deception tools have been growing in popularity over the past several years, but customers need to ensure they are using the technology to its fullest potential.
The concept behind deception is fairly simple to understand: Security teams deploy a fake target that is monitored closely, which hackers will attack. Once the target is breached, the security team is alerted to the threat.
In my experience, the use of deception technology is relatively low compared to the amount of time, energy and money invested in traditional intrusion prevention systems. Part of the challenge of deception is that maintaining things such as decoys, breadcrumbs and honeypots can be difficult in environments that are always changing. However, networks are becoming more agile through the use of software, making deception technology more agile and easier to use.
I recently read a Gartner report, “Applying Deception Technologies and Techniques to Improve Threat Detection and Response,” that highlights the value of deception technology. The title is somewhat misleading, as the report largely focuses on deception as playing a key role in improving threat detection. But in my opinion, that’s only part of the value. It’s important to understand that deception can play a key role in improving incident response.
For example, Gartner states:
“Deception is a viable option to improve threat detection and response capabilities. Technical professionals focused on security should evaluate deception as a ‘low-friction’ method to detect lateral threat movement, and as an alternative or a complement to other detection technologies.”
The statement paints deception in a broad light, but all of the use cases that Gartner highlights focus on detection. Below are the two types of attacks that can be detected with deception:
- Deception usage that aims to make detection of regular threats easier and less resource intensive.
- Deception usage that aims to make detection of advanced threats possibly easier and less resource intensive.
OK, so deception can be used to find basic and advanced threats. No offense to the smart folks at Gartner, but no kidding. That seems kind of obvious.
What’s missing is that simply “raising the flag” only highlights the problem and doesn’t actually fix it. Improved detection is useful only if it leads to the security team being able to begin the response process faster and more accurately. Here is where solutions that include automated analysis and response as part of the deception solution can be of particular value.
Another statement in the Gartner report that I find misleading:
“Improved detection capabilities are the main motivation of those who adopt deception technologies. Most have no motivation to actively engage with attackers, and cut access or interaction as soon as detection happens.”
That thinking is old school in nature. I have no doubt it came from actual customers Gartner talked to, but often customers don’t know what they need, which is why the security world is filled with startups. These smaller, more innovative vendors fill gaps where none existed before.
Security teams want to engage the attacker
I’ve talked to customers that have used advanced deception solutions, such as GuardiCore, and they do want to engage the attacker across the lifecycle of the attack. This includes finding the threat, but then also tracking and analyzing the activity. This is critical in being able to understand all the attack methods for better analysis of the incident and then having actionable data on hand for the response.
As an example, full session recording can provide a list of attacker actions, such as what credentials were being used, any commands, attacker tools or files that were targeted, operations performed (rename, change, etc.), or network operations commands (connect, DNS query, etc.). This higher level of fidelity is crucial in actively analyzing the attack in progress to understand how big the “blast radius” is.
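As an added illustration (not from the article or any vendor's product), the following Python groups a recorded decoy session into the categories listed above and derives a response scope from them. The JSON-lines event format, field names and sample events are hypothetical and constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample: JSON-lines events from one recorded decoy session.
# Field names are hypothetical, not any vendor's export format.
SAMPLE = """\
{"ts":"2024-01-01T10:00:01Z","type":"auth","user":"svc_backup","src":"10.0.4.17","ok":true}
{"ts":"2024-01-01T10:00:09Z","type":"command","line":"whoami"}
{"ts":"2024-01-01T10:00:30Z","type":"file","op":"rename","path":"/srv/share/payroll.xlsx"}
{"ts":"2024-01-01T10:00:41Z","type":"net","op":"dns_query","target":"files.example.test"}
{"ts":"2024-01-01T10:00:44Z","type":"net","op":"connect","target":"10.0.7.22:445"}
{"ts":"2024-01-01T10:01:02Z","type":"auth","user":"admin","src":"10.0.4.17","ok":false}
not-json garbage line
"""

def summarize_session(text):
    """Group recorded events into the categories responders act on."""
    out = {"credentials": set(), "failed_logins": set(), "sources": set(),
           "commands": [], "file_ops": defaultdict(list),
           "net_targets": defaultdict(set), "skipped": 0}
    for raw in text.splitlines():
        try:
            ev = json.loads(raw)
            kind = ev["type"]
            if kind == "auth":
                out["sources"].add(ev["src"])
                bucket = "credentials" if ev["ok"] else "failed_logins"
                out[bucket].add(ev["user"])
            elif kind == "command":
                out["commands"].append(ev["line"])
            elif kind == "file":
                out["file_ops"][ev["op"]].append(ev["path"])
            elif kind == "net":
                out["net_targets"][ev["op"]].add(ev["target"])
            else:
                out["skipped"] += 1
        except (ValueError, KeyError, TypeError):
            out["skipped"] += 1  # count malformed events so recording gaps stay visible
    return out

def response_scope(s):
    """Turn the summary into a first estimate of the blast radius."""
    hosts = set(s["sources"]) | {t.rsplit(":", 1)[0] for t in s["net_targets"]["connect"]}
    return {"reset_accounts": sorted(s["credentials"]),
            "investigate_hosts": sorted(hosts),
            "hunt_domains": sorted(s["net_targets"]["dns_query"])}

if __name__ == "__main__":
    print(response_scope(summarize_session(SAMPLE)))
```

The scope is only a starting list for responders: accounts that authenticated successfully on the decoy, hosts the session came from or reached, and domains to search for in other logs.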
There was one point made in the report that I felt was the most salient as to why deception technology is a must-have for enterprises:
“Deception provides high-fidelity alerts and low false-positive rates.”
Gartner nailed it here, although it didn’t do a great job of explaining why.
One of the big advantages of deception is that it results in far fewer false positives in security information and event management systems (SIEMs). It’s important to note that the SIEMs are not the cause of false positives. Rather, it is the fact that traditional intrusion-detection methods feed bad data into the SIEM, resulting in false positives. Deception tools have higher fidelity and, therefore, feed more accurate data into the SIEM, resulting in fewer false positives.
Deception is more than 'raising the flag'
This supports my thesis that deception is for more than “raising the flag” on a threat. Once something hits a decoy or honeypot, the data in the deception solution must then be turned back on that attacker to shorten the incident response process. This does carry the caveat that the solution must be able to record and analyze all the behavior to deliver high-fidelity detection of the incident.
This also means the deception solution must be believable from a hacker’s point of view. The decoys must be real machines, running real services and real IP addresses so it’s more difficult for the bad guys to recognize they aren’t on a production system.
When true high-fidelity security incidents are revealed with automated analysis and mitigation responses, incident response teams will be able to very quickly prioritize the incidents based on severity and impact to the business. In fact, security teams should look to automate many of the functions to stop active breaches.
Deception is growing in popularity because it can help find attacks more accurately and faster than other, more traditional tools. However, finding the threat solves only part of the problem. A complete deception solution will also enable better incident response to combat the threat actors.