Authored by: Carolyn Crandall, Chief Security Advocate, Attivo Networks
In today’s quickly evolving threat landscape, perimeter defenses are no longer enough to keep attackers out. Firewalls and antivirus software still play a needed role in cybersecurity, but organizations require additional tools to detect and derail attackers once they have entered the network. Unfortunately, it is impossible to prevent 100% of attacks, which means today’s organizations must assume that their network has already been breached, and defend themselves accordingly.
Deception technology is a critical element of Active Defense that focuses on in-network detection, closing visibility gaps, concealing sensitive and critical information, and misdirecting attackers away from production assets. However, despite the enormous advantage that deception technology gives defenders, too many organizations remain unaware of how the technology works—or what they should look for in a deception solution. This piece serves as a guide to walk readers through the specifics of deception technology and help them better understand what sets specific solutions apart.
Understanding the Elements of Deception Technology
Deception technology platforms are a far cry from the honeypots that first showed up in the early ’90s. Effective deception now covers endpoints, the network, Active Directory (AD), and the cloud, creating a scalable, enterprise-wide deception fabric that delivers early detection of attack activity. By deploying a solution covering all facets of the network, organizations can have the most comprehensive protection in place. It’s also important to recognize that deception technology doesn’t depend on just one tactic. It includes several interrelated components, including authentic decoy assets, concealment technology, and attack redirection techniques:
- Deception: Today’s deception platforms place deceptive assets throughout the network to help detect discovery, credential theft, lateral movement, privilege escalation, data exploitation/theft, and other signs of attack activity. Tricking attackers into interacting with these deceptive assets gives the security team early notice of an attack, allowing them to rapidly respond before it can escalate.
These deceptive assets can include a wide range of things. For example, attackers frequently look to steal user credentials stored on endpoints, enabling them to move laterally throughout the network and even target AD. Today’s deception platforms can create false credentials indistinguishable from the real thing. The platform can immediately identify and flag any attempt to use those fake credentials as suspicious. Similarly, deception solutions can create assets like decoy file shares hidden from live users that present an attractive target for ransomware and other automated attacks. They can also create decoy documents with automated alerts to flag unauthorized access and suspected exfiltration attempts.
- Concealment: Today’s deception solutions don’t rely exclusively on decoy assets but can conceal sensitive files, folders, credentials, mapped shares, removable storage devices, and other assets as well. Since attackers cannot steal or encrypt what they cannot see, this can limit the severity of an attack or even prevent it from progressing. Modern deception solutions can hide these assets from would-be attackers while keeping them visible to the employees who need them, preventing any loss of productivity, and can be a potent ransomware deterrent.
- Redirection: A full-featured deception platform will have the means to redirect attack traffic attempting to connect to production systems to decoys for engagement. Defenders can then detect attack activity early in the attack cycle and gather critical adversary intelligence. With high-interaction deception, the attackers have no way of knowing that the decoy they are engaging with is not an actual production asset, allowing defenders to study their attack patterns. The decoys record this activity for forensic analysis and threat intelligence development, providing the defender with valuable information to defend against future attacks.
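The detection logic behind the decoy credentials and decoy file shares described above can be illustrated with a small alert generator. This is an added example and not Attivo’s code; the log format, the decoy inventory (usernames, hostnames and the share path) and the sample log lines are all constructed for the illustration. The point it demonstrates is why decoy interactions give such clean alerts: no legitimate workflow ever uses a planted credential or opens a hidden share, so every touch is an alert, failed or successful, with no threshold to tune, and a decoy credential used from a host other than the one it was planted on is itself evidence that the credential was harvested and carried to another machine.

```python
"""Flag any use of decoy credentials or decoy file shares in authentication
and file-access logs.

Added example, not a vendor's code. Decoy names, hostnames, share path and the
log format below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed decoy inventory: each decoy credential is planted on exactly one
# endpoint and is never issued to a real user.
DECOY_CREDENTIALS = {
    "svc_backup_adm": "WKS-FIN-021",  # planted on a finance workstation
    "da_helpdesk": "WKS-HR-007",      # planted on an HR workstation
}
# Constructed decoy file share, hidden from real users.
DECOY_SHARES = {r"\\FS-ARCHIVE\finance_backup"}

# Constructed, simplified log formats (not any real product's format).
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)
SMB_RE = re.compile(
    r"^(?P<ts>\S+) smb open user=(?P<user>\S+) src=(?P<src>\S+) path=(?P<path>.+)$"
)


@dataclass
class Alert:
    ts: str
    kind: str            # "decoy_credential_use" or "decoy_share_access"
    user: str
    src: str
    detail: str
    lateral_movement: bool = False


def analyse(lines):
    """Return one Alert per log line that touches a decoy asset.

    Both failed and successful attempts are alerts: nobody legitimate should
    ever present a decoy credential or open a hidden decoy share.
    """
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m and m["user"] in DECOY_CREDENTIALS:
            planted_on = DECOY_CREDENTIALS[m["user"]]
            # Use from a host other than the one the decoy was planted on means
            # the credential was harvested there and carried elsewhere.
            moved = m["src"] != planted_on
            alerts.append(Alert(
                ts=m["ts"], kind="decoy_credential_use",
                user=m["user"], src=m["src"],
                detail=(f"decoy planted on {planted_on} used against "
                        f"{m['dst']} ({m['result']})"),
                lateral_movement=moved,
            ))
            continue
        m = SMB_RE.match(line)
        if m and m["path"] in DECOY_SHARES:
            alerts.append(Alert(
                ts=m["ts"], kind="decoy_share_access",
                user=m["user"], src=m["src"],
                detail=f"hidden decoy share {m['path']} opened",
            ))
    return alerts


# Constructed sample log: one normal login, two decoy-credential attempts,
# one normal share open and one decoy share open.
SAMPLE_LOG = [
    "2024-03-01T09:12:01Z auth SUCCESS user=jsmith src=WKS-FIN-021 dst=FS-FINANCE",
    "2024-03-01T09:14:33Z auth FAILURE user=svc_backup_adm src=WKS-FIN-021 dst=DC01",
    "2024-03-01T09:15:02Z auth SUCCESS user=da_helpdesk src=WKS-FIN-021 dst=DC01",
    r"2024-03-01T09:16:10Z smb open user=jsmith src=WKS-FIN-021 path=\\FS-FINANCE\reports",
    r"2024-03-01T09:17:45Z smb open user=jsmith src=WKS-FIN-021 path=\\FS-ARCHIVE\finance_backup",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        flag = " [lateral movement]" if alert.lateral_movement else ""
        print(f"{alert.ts} {alert.kind} user={alert.user} src={alert.src}: "
              f"{alert.detail}{flag}")
```

Run on the constructed log, this produces three alerts: the failed use of svc_backup_adm from the workstation where it was planted (a credential-theft attempt), the successful use of da_helpdesk from a different workstation than the one it was planted on (flagged as lateral movement), and the open of the hidden decoy share (the kind of access a ransomware run or an exfiltration attempt would generate). A real platform would feed these into the response integrations described below rather than print them.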
With these elements all working together, a complete deception solution delivers clear and concise alert data to security teams, allowing them to efficiently and effectively respond to events. A good deception platform can also integrate with other components of the network defense architecture, such as network, endpoint, AD, and other monitoring systems. Automated responses are also possible with native integrations that can further reduce the security team’s response times by enacting pre-programmed defense measures when suspicious activities meet certain conditions.
The Deception Checklist: What to Look For
Unfortunately, not all deception technology solutions are created equal, and organizations must identify whether a solution meets their specific needs. Below are a series of basic questions to consider before choosing a deception solution:
- Does the solution cover every environment in need of protection? Does the solution cover cloud, multi-cloud or hybrid environments? How about IoT, Medical IoT, ICS, or network infrastructure? Are userspace networks or remote worksites protected? It is essential to precisely know what the organization needs when vetting potential deception vendors.
- How effective is the solution when faced with different attack tactics? Is it effective at detecting reconnaissance activity? What about stolen credentials, attacks targeting AD, or lateral movement in general? “Detection” is a broad term, and one should know what the current and future needs may be before choosing a vendor.
- How comprehensive is the deception offering? Make sure the solution covers everything from the endpoint to AD to the cloud for maximum protection. Ask, too, what types of deception lures are available. Ideally, a comprehensive solution offers network, server, endpoint, application, data, database, cloud, OT, IoT, and AD lures, but many only offer some of these. Be sure to ask how these deceptions deploy, whether they are static or dynamically updated, how much customization they support, and whether machine learning can assist with preparation, deployment, and operations.
- How authentic is the deception? Deception is only effective if it can fool the attacker. The most authentic decoys run real operating systems that the organization can customize to match the production environment. Ask potential vendors whether their servers create real operating system decoys or use emulated ones. It should also be easy to refresh or rebuild the environment after an attacker engagement.
- How difficult is it to deploy and operate? Many organizations want a deception solution that is easy to use and scalable. Questions such as whether a given solution installs in-line, whether endpoint deceptions require an agent to maintain, and how much automation the solution includes help assess how much expertise and time installing and maintaining the system will require.
- How well does the engagement server analyze, identify, and report on attacks? Can the system identify attacks without known attack patterns or signatures, or is it reliant on searching for known TTPs? Furthermore, can it collect information from attacker Command and Control engagement and display that information comprehensively and in a usable manner? Threat intelligence is beneficial, but only if the security team can use it. Another interesting feature seen in modern platforms is mappings to MITRE ATT&CK, which can be helpful in quickly understanding the attacker’s tactics and techniques.
- How does the deception solution fit within the MITRE Shield framework? The MITRE Shield framework outlines how to build a successful Active Defense strategy, and deception plays a significant role. Ask which categories the solution fulfills and how many of the 33 techniques and 190 use cases it covers. If a deception solution does not map well onto MITRE Shield’s recommendations, steer clear.
Make Deception a Part of One’s Active Defense Strategy
Deception technology is crucial to any organization, providing the means to engage in Active Defense and improve overall network security. Deception can enhance the efficiency and reaction time of the security team while reducing attacker dwell time and increasing the ability to gather critical adversary intelligence. Unfortunately, deception solutions can vary widely in their effectiveness, and organizations need to ask the right questions—and look for the right answers. This checklist should provide today’s organizations with a valuable lens to evaluate and assess deception technology vendors, ensuring that the solution they choose can meet their specific needs.