There are hundreds of security solutions in the market aimed at identifying and stopping breaches. Most organizations have layered in dozens if not more into their stack, yet a quick review of weekly headlines betrays the ineffectiveness of these traditional approaches. Attackers continue to penetrate perimeters, lurk in networks undetected for months, and remain free to move laterally towards critical data they seek to steal. Deception technology promises a new approach, one that can finally tip the odds in the defender’s favor and put the attacker at a severe disadvantage.
Traditional security tools look for anomalous activity – unusual patterns in network traffic or user behavior. Imagine a tool that creates great stacks of anything that looks like hay – sticks, twigs, feathers, splinters, and needles – and you have the basis for an unbounded, infinite set of anomalies. Security tools based on collecting and analyzing data have the same problem. The characteristics of anomalies they seek to find - the needles in their haystacks - are infinite, and thus their alerts are based on probability. They give you a stack of needle-like items (the seminal term here being the ill-defined 'needle-like') and leave it to you to determine if any of them are, in fact, needles. In the case of security, they produce many thousands of 'maybe' alerts. Recent research indicates better than half of those alerts are false positive. Everything in this approach is based on probability, meaning the probability your incident response (IR) team is wasting precious time is very high.
Deception turns this approach on its head. We’re still looking for anomalies, but we have reduced the definition of an anomaly to a binary set – a one or zero. Either the attacker has engaged with a deception or not. If yes, the Distributed Deception Platform (DDP) produces a high-fidelity notification. No guesswork. No maybe. And, the notification comes with real-time forensic data – what deception was triggered, on which end point, and exactly when. The modern DDP can deliver evidence such as screen captures from the affected machine, which show the specific actions taken by the attacker. This deterministic approach speeds detection and response by isolating with certainty the location and genesis of an attack in progress.
Deception is rapidly gaining attention and adoption as the market realizes the power it provides is stopping attackers who have established a beachhead within the organization’s perimeter. However, several stubborn myths surround the technology, and it’s time to debunk these so that the benefits of deception can truly be appreciated by all defenders.
Four common misconceptions about deception technology
There are four common misconceptions about deception technology. They are:
- Deception is hard
- Deception should be the last thing you implement
- Deception is only for big and mature organizations
- Deception is good for threat intelligence but not detection
On the surface, all of them sound logical, even reasonable, really. However, each one is completely false.
Debunking these myths and looking at reality
Myth: Deception is hard
Reality: Because deception is often identified in the customer's mind as a resource-draining physical honeypot that too often appears static and devoid of activity attackers expect to see, it has acquired the reputation for being a technology that is not only difficult to implement but a telling warning sign to an adversary. In some instances, attackers purposefully engage the honeypot to misdirect their actual movements, which can be missed by other tools.
However, modern DDPs have evolved far beyond first-generation honeypots. Modern deception technology is not only amazingly simple to deploy, operate and manage but, more importantly, presents the attacker with endless elements of false information that appear genuine, subtly deluding them to the point where the attacker is caught between knowing what is real and what is false. This constitutes a more disorienting approach capable of misleading even the most experienced cyber attacker, leaving them paralyzed and frustrated.
As long as a software-only solution is chosen, installation occurs in minutes, and automation drives deployment with no need to install agents or otherwise disrupt normal operation.
It's not unusual for customers to gain newfound visibility into their environments during a brief morning workshop. What’s more, automation now drives the constant updates and refreshes that ensure deception authenticity, with less than 10 man-hours per month needed to manage a platform supporting hundreds of thousands of endpoints.
Myth: Deception should be the last thing you implement
Reality: As mentioned, deception works very differently from typical analytics-based anomaly detection systems such as SIEM, EDR, NTA, and UEBA. These probabilistic approaches create massive data stores – logging virtually every action – and require frequent tweaking of analytical models and rulesets in order to reduce false positives. Gaining value from these systems virtually demands a large, sophisticated security team, and an even larger budget.
Because modern deception technology reduces anomalies to a binary choice – either a bad actor has interacted with a deceptive element or not, threat detection is a simple, automated deterministic approach. The system operates unseen, with no effect on legitimate users, but creates an environment that is hostile to attackers. No wonder that shops with limited staff have come to quickly appreciate the combination of peace of mind and high efficiency delivered by deception platforms. Deception isn’t a last-ditch effort or the last thing to layer on an already complex stack. The technology is solid, well-tested by large and established firms, and offers such value that it should be considered an essential component of any well-architected security strategy.
Myth: Deception is only for big and mature organizations
Reality: Deception is especially applicable for lean security shops that may not have the budget or staff to implement more complex tools. Many smaller shops thave only recently come to grips with an evolving perimeter are benefiting from deception's improved visibility and are gaining increased confidence in defending the soft-middle of their internal attack surface. Deception has proven to be versatile and industry-agnostic. A recent report from Gartner called “Emerging Technologies and Trends Impact Radar: Security” noted that deception technology offers “easy to deploy, deterministic, and effective threat detection capabilities for enterprises of all sizes.” The efficacy of next-generation deception technology can be demonstrated on a large scale without the implication of additional resource investment, helping even small organizations to prioritize the alerts that truly matter without wasting as much time on investigating activity that turns out to be benign.
Additionally, distributed deceptions are automated to reflect the data that an attacker would expect to find on a given endpoint, meaning that deceptions can be customized for an organization from any vertical and of any size. Indeed, some of the most successful deployments of deception are at small businesses that had to quickly play catch-up to get their security posture where it needed to be, and deception helped those organizations to make up for that lost time in a matter of days.
Myth: Deception is good for threat intelligence but not detection
Reality: This is another myth that survives due to confusing misperception of deception as a honeypot. It’s true that when distributed deception technology first emerged, honeypots were the most analogous solution to describe the way that deception worked, in that a honeypot also tries to trick attackers into engagement. However, deception has come a long way since the early heyday of honeypots, and its more lightweight, far more valuable descendant is proving extremely versatile when it comes to use cases.
Unlike honeypots that are typically used to trap attackers with the purpose of studying their late-stage attack behaviors, endpoint deceptions are false data elements meant to be encountered early in the attack lifecycle. At first interaction with any false data, a high-fidelity notification is triggered, showing exactly what has been attempted and where. In fact, next-generation deception technology has emerged as the most effective and earliest way to detect and stop attacker movement inside the environment.
Not hype, but help
With all the overblown promises on the market, coupled with the extreme and immediate need for strong cybersecurity, organizations can have a hard time figuring out whether any particular security product or service is really going to be effective at catching attackers before they reach critical data.
However, Gartner notes that deception technology not only "does well in proof of concept (POC)" and "perform(s) well during the sales cycle;" it also "proved to be a worthy technology to add to security programs." By understanding the truths about deception technology – and clearing up the misconceptions – organizations can start implementing a new security approach that is easily deployed, proactive, and effective.