By Carolyn Crandall, CMO, Attivo Networks
With a growing number of companies looking to add deception as part of their layered security defense, it is fairly common for me to be at an event or talking with a prospect and be asked, “Isn’t deception technology just a DecoyDoc?” I can completely appreciate the misperception. At the most fundamental level, yes, both are designed to confuse, misdirect, and delay the enemy by introducing ambiguity into their operations. Beyond that, however, the technologies are quite different. This blog will explore the origins of DecoyDocs and explain why comparing a DecoyDoc to a deception platform is like comparing a horse and buggy to a Tesla.
Let’s start from the beginning. The concept of cyber deception was introduced in 1989 by Gene Spafford, who employed “active defenses” to identify attacks in progress, slow down attackers, learn their techniques, and feed them fake data. In 1999, the DecoyDoc Project launched, adding innovation to deception techniques and to the ways of learning about an attacker’s capabilities. Low-interaction DecoyDocs such as honeyd, introduced in 2003, were simple network emulation tools that waited for inbound network connections and provided limited service emulation. Over time, additional tools evolved to improve on DecoyDocs, including Nepenthes for collecting Windows network-spreading malware, Dionaea as a special-purpose low-interaction DecoyDoc, Glastopf for web attacks, Conpot for SCADA/ICS systems, and Thug, a low-interaction client DecoyDoc designed to actively crawl and evaluate potentially malicious websites.
The appeal of low-interaction DecoyDocs was based on their ability to detect mass network scanning (brute force, scanners), track worms, deploy easily, and do so at low cost. DecoyDocs, however, never became mainstream in security architectures, given their limitations and the associated management complexity, including these issues:
- Easy for skilled attackers to fingerprint and avoid
- An attacker’s ability to abuse a compromised system
- Limited emulation of services
- No ability to engage the attacker and understand their true intent
- Limited to capturing mostly known activity
- Not easily scalable
- No management user interface
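The first three limitations above follow from how a low-interaction DecoyDoc works. As an added example (not code from the original post or from any of the DecoyDoc projects named above), the Python below models a honeyd-style emulator: it answers every connection with a canned banner and logs whatever arrives, which is enough to catch scanners and worms, but it holds no protocol state. The attacker-side probe then shows why that makes it fingerprintable: a real SSH server follows the version exchange with a KEXINIT packet, and the emulator cannot. The banner string, client address and probe are constructed for illustration.

```python
"""Low-interaction service emulation, and the probe that fingerprints it.

Added example, not code from the original post or from any DecoyDoc project.
The emulator below does what honeyd-style tools do: answer a connection with a
canned banner and log whatever the client sends. The banner, the client
address and the probe are constructed for illustration.
"""
from dataclasses import dataclass, field

SSH_MSG_KEXINIT = 20  # RFC 4253 message number of the first server packet


@dataclass
class LowInteractionService:
    """One emulated TCP service: a fixed banner, no protocol state."""
    port: int
    banner: bytes
    log: list = field(default_factory=list)

    def on_connect(self, src: str) -> bytes:
        # Logging the connection is the whole point: it catches scanners,
        # worms and brute-force tools that touch every address in a range.
        self.log.append((src, self.port, "connect"))
        return self.banner

    def on_data(self, src: str, data: bytes) -> bytes:
        # The payload is recorded, but the reply is the same for any input:
        # the emulator cannot continue the protocol it claims to speak.
        self.log.append((src, self.port, data.decode("latin-1", "replace")))
        return b"\r\n"


def ssh_emulator() -> LowInteractionService:
    # Constructed banner; a real honeyd personality file would set this.
    return LowInteractionService(22, b"SSH-2.0-OpenSSH_7.4\r\n")


def fingerprint_ssh(service: LowInteractionService, src: str = "10.0.0.5") -> bool:
    """Attacker-side check. Returns True if the service looks emulated.

    RFC 4253: after the version-string exchange a real server sends a binary
    packet (4-byte length, 1-byte padding length, payload) whose first payload
    byte is SSH_MSG_KEXINIT. A canned responder cannot produce that, so the
    probe completes the version exchange and inspects what comes back.
    """
    banner = service.on_connect(src)
    if not banner.startswith(b"SSH-"):
        return False  # does not claim to be SSH; this probe does not apply
    reply = service.on_data(src, b"SSH-2.0-OpenSSH_8.9\r\n")
    looks_real = len(reply) > 5 and reply[5] == SSH_MSG_KEXINIT
    return not looks_real


def is_stateless(service: LowInteractionService, src: str = "10.0.0.5") -> bool:
    """Second cheap check: identical replies to unrelated inputs."""
    service.on_connect(src)
    first = service.on_data(src, b"GET / HTTP/1.0\r\n\r\n")
    second = service.on_data(src, b"\x00\x01\x02garbage")
    return first == second


if __name__ == "__main__":
    svc = ssh_emulator()
    print("fingerprinted as emulated:", fingerprint_ssh(svc))
    print("stateless:", is_stateless(svc))
    for entry in svc.log:
        print("logged:", entry)
```

The log the emulator keeps is exactly the value a low-interaction DecoyDoc delivers: source, port and payload for every touch. Everything a skilled attacker does after the first probe is invisible to it, because there is nothing left to interact with.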
The next wave of solutions was based on high-interaction DecoyDocs, which run full operating systems and are harder for a skilled attacker to detect. This is where the crossover to deception begins.
Deception providers use high-interaction engagement servers that lure, trap and analyze an attack. Their elements include:
- Engagement or deception servers running real or emulated operating systems and services
- The ability to catch a human attacker, not just brute-force attacks
- Support for virtualization
- Advanced deception techniques:
  - Customization of layer 2-7 deceptions
  - A fully controlled environment (contains the infection and can destroy the infected VM)
  - Forensics and reporting
  - The ability to engage with C&C
There is a fair amount of differentiation even among deception providers, and it is important to note the differences in how authentic the deceptions are and how comprehensive the deception solution is, in order to determine the right fit for your organization. Some things to consider in your evaluation:
- Platform vs. elements. Deception solutions come in several forms, and decisions need to be made on how broadly to deploy and what types of attacks need to be covered. For example, insider threats and stolen-credential attacks cannot be reliably detected if only deception servers are used, because the attacker authenticates to real systems and never needs to touch a decoy server. The elements are:
  - Deception servers (lures and traps)
  - Endpoint and server deceptions
  - Application deceptions
- Real vs. emulated operating systems. For the greatest authenticity, advanced deception providers will use real operating systems and provide a full suite of services. They will also allow full customization to match production servers, with the ability to load “golden images”. Have a look at my earlier blog on deception authenticity to learn more about this.
- Comprehensive deployment. Solutions should be able to deploy deception systems alongside production systems in user networks, data centers, and the cloud in a scalable manner.
- In-line vs. an IP address placed on a trunk port. In-line devices have to process all traffic, so they require more compute power and bring more network disruption, installation friction, and cost. A deception system that simply answers on IP addresses presented over a trunk port only has to handle the traffic sent to the decoys themselves. Notably, in-line solutions will struggle to scale for east-west traffic detection in data centers.
- Forensic reporting and integrations. These elements should be considered:
  - Depth of forensics provided: IPs, type of attack, methods, C&C actions
  - Popular report formats: IOC, PCAP, STIX, CSV
  - Integrations with firewalls, SIEMs, and other devices for blocking, quarantine and remediation
  - Central threat intelligence dashboard with drill-downs
- Scalability and manageability. Look for these capabilities as well:
  - Scales across networks and private and public data centers
  - Central UI for management and threat intelligence aggregation
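The “Platform vs. elements” point above, that deception servers alone miss stolen-credential attacks, is easiest to see in code. As an added example (not from the original post or from any vendor’s product), the Python below treats planted decoy account names as endpoint deceptions and runs a simple detector over constructed authentication log lines. The attacker in the sample never connects to a decoy server, only to real ones, yet is caught the moment a planted credential is used. The account names, host names and JSON log format are assumptions made for the example.

```python
"""Catching stolen-credential use with endpoint deceptions.

Added example, not code from the original post or from any vendor's product.
It assumes decoy credentials (accounts nobody and no job ever uses) have been
planted in credential stores on selected endpoints, and that authentication
events arrive as JSON lines with the fields shown. Account names, hosts and
log lines are constructed for illustration.
"""
import json
from dataclasses import dataclass

# Planted decoy accounts: account name -> endpoint it was seeded on.
DECOY_ACCOUNTS = {
    "svc-backup-dc01": "WS-FINANCE-07",
    "adm-legacy-sql": "WS-HR-12",
}

# Constructed authentication events, e.g. forwarded domain-controller logons.
# The attacker only ever touches real servers (DC01, FILESRV01), so a
# deception server on its own would never see this activity.
SAMPLE_AUTH_LOG = """\
{"ts": "2017-03-01T09:00:01Z", "user": "jdoe", "src_host": "WS-FINANCE-07", "dst_host": "FILESRV01", "result": "success"}
{"ts": "2017-03-01T09:14:22Z", "user": "svc-backup-dc01", "src_host": "WS-FINANCE-07", "dst_host": "DC01", "result": "failure"}
{"ts": "2017-03-01T09:14:25Z", "user": "SVC-BACKUP-DC01", "src_host": "WS-FINANCE-07", "dst_host": "FILESRV01", "result": "success"}
{"ts": "2017-03-01T10:02:10Z", "user": "asmith", "src_host": "WS-HR-12", "dst_host": "HRAPP", "result": "success"}
"""


@dataclass(frozen=True)
class DecoyAlert:
    ts: str
    account: str
    planted_on: str
    src_host: str
    dst_host: str
    result: str

    def summary(self) -> str:
        if self.src_host == self.planted_on:
            origin = f"from {self.src_host}, the endpoint it was planted on"
        else:
            origin = f"from {self.src_host} (planted on {self.planted_on}, so it has been moved)"
        return f"{self.ts} decoy account {self.account} used against {self.dst_host} {origin}: {self.result}"


def parse_auth_log(text: str) -> list:
    """One JSON object per non-empty line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_decoy_use(events, decoys=DECOY_ACCOUNTS) -> list:
    """Every authentication attempt with a decoy account is an alert.

    Failed attempts count too: they mean the credential was harvested from the
    endpoint and is being tried against real servers. Because the account has
    no legitimate use there is no baseline to tune and no false-positive rate
    to argue about; the planting host says whose credential store was read.
    """
    alerts = []
    for ev in events:
        account = str(ev.get("user", "")).lower()
        if account not in decoys:
            continue
        alerts.append(DecoyAlert(
            ts=ev.get("ts", ""),
            account=account,
            planted_on=decoys[account],
            src_host=ev.get("src_host", "?"),
            dst_host=ev.get("dst_host", "?"),
            result=ev.get("result", "?"),
        ))
    return alerts


if __name__ == "__main__":
    for alert in detect_decoy_use(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert.summary())
```

In practice the match would run in the SIEM against forwarded logon events, and the alert would carry the planting host into the integration that isolates that endpoint, which is the “blocking, quarantine and remediation” integration the evaluation list asks for.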
Gartner has predicted that by 2018 we should expect to see 10 percent of all enterprises using deception techniques. At first blush this may seem small; however, high-interaction deception providers have only been shipping products for around one year, so this statement predicts a rapid ramp in adoption and affirms the need for organizations to take a layered security approach with an active defense posture using deception technologies.
With deception closing the gaps left by today’s prevention solutions and with the initial limitations of DecoyDocs addressed, I look forward to seeing deception become mainstream in IT security infrastructure.