The buffet of IT security solutions is maddening – so many products, so many promises – but what will protect your organization?
Deception technology is less of a fringe player these days. Although it has been on the radar of well-heeled organizations for some time, it is becoming accessible to smaller organizations with fewer resources thanks to more manageable and affordable product offerings.
Deception focuses on deploying assets – such as lures, bogus files, honeypots or simulated SCADA or IoT devices – in the hope of diverting attackers and yielding clues as to how the real production resources may be, or already are, under attack.
It’s an attractive proposition in that, by default, probes of fake IT assets are invariably genuine rather than false positives, since no legitimate workflow has any reason to touch them, so they are quality alerts. But deception technology also isn’t preventive. It’s the equivalent of hearing a car window being broken in an alley.
In their most recent analyses, Ovum and Gartner give deception technologies kudos for improved sophistication and maturity. Some vendors can now deploy vast deceptions in minutes with a genuineness that’s unlikely to trigger suspicion.
But whether deception works for an organization depends on a variety of factors, including how well the deceptions are deployed and how much time an organization is willing to invest in maintenance and ensuring the intelligence translates into something actionable. Here are some aspects to keep in mind.
Setting a Trap
What kind of deceptive resources should be deployed? Lures or breadcrumbs can give a clue to an attacker’s modus operandi, but the interaction between them and the attacker is fleeting, according to Ovum’s market radar report. Ovum’s report covers Acalvio, Attivo, CounterCraft, Cymmetria, Fidelis, Illusive Networks and TrapX.
Honeypots, sometimes referred to as full-stack decoys, are more sophisticated in that they allow for more interaction with an attacker. Full-stack decoys, which can be set up to resemble a company’s real network, can be more labor-intensive, but they are becoming easier to deploy at scale.
Emulations seek to mimic real devices or applications. These are cheaper than full-stack deployments, but it may be easier for attackers to figure out they’re fakes, Ovum says. Also, Active Directory deceptions aren’t possible with emulations, and AD is often a sought-after flag for attackers.
Emulation, however, may be the only option for, say, SCADA environments, due to the proprietary nature of much of the technology.
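As an added illustration (not from the article, Ovum or any vendor named here), the following Python detector shows why decoy alerts are high fidelity and how the decoy types above differ in what they reveal: any touch of an inventoried decoy becomes an alert, and a repeated session against a full-stack honeypot is flagged as sustained rather than fleeting. The decoy inventory, hostnames, addresses and log lines are all constructed for the example.

```python
from collections import defaultdict

# Constructed decoy inventory: asset -> deception type. Nothing in production
# references these, so any interaction is a signal worth triaging.
DECOYS = {
    "10.0.5.77": "honeypot",                         # full-stack decoy file server
    "svc-backup-old": "lure",                        # breadcrumb credential left on endpoints
    r"\\fs01\finance\Q4_board.xlsx": "bogus-file",   # planted document
    "10.0.9.12": "emulation",                        # emulated SCADA controller
}

# Constructed log lines: "<timestamp> <event> key=value ...". Only one line is
# ordinary traffic; the rest come from a single host probing decoys.
LOG = [
    "2024-03-02T09:14:01 conn src=10.0.3.41 dst=10.0.5.77 dport=445",
    "2024-03-02T09:14:03 auth user=svc-backup-old src=10.0.3.41 result=fail",
    "2024-03-02T09:14:05 conn src=10.0.3.41 dst=10.0.5.77 dport=445",
    r"2024-03-02T09:14:07 file path=\\fs01\finance\Q4_board.xlsx src=10.0.3.41 op=read",
    "2024-03-02T09:15:00 conn src=10.0.3.42 dst=10.0.1.5 dport=443",
    "2024-03-02T09:16:11 conn src=10.0.3.41 dst=10.0.9.12 dport=502",
]

def parse(line):
    """Split a log line into a dict of fields plus its timestamp and event type."""
    ts, event, *kv = line.split()
    fields = dict(tok.split("=", 1) for tok in kv)
    fields["ts"], fields["event"] = ts, event
    return fields

def touched_decoy(ev):
    """Return the decoy asset an event references, if any (field depends on event type)."""
    for key in ("dst", "user", "path"):
        if ev.get(key) in DECOYS:
            return ev[key]
    return None

def detect(lines):
    """Group decoy touches by source and classify the depth of interaction."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse(line)
        asset = touched_decoy(ev)
        if asset:
            hits[ev["src"]].append((ev["ts"], DECOYS[asset], asset))
    alerts = []
    for src, touches in hits.items():
        honeypot_events = sum(1 for _, kind, _ in touches if kind == "honeypot")
        alerts.append({
            "src": src,
            "decoys": sorted({asset for _, _, asset in touches}),
            # A lure or bogus-file touch is a one-off clue; repeated honeypot
            # traffic is a session that can be observed for reconnaissance.
            "interaction": "sustained" if honeypot_events >= 2 else "fleeting",
            "events": len(touches),
        })
    return alerts
```

Note that every alert here is raised after the source has already reached the decoy, which is the non-preventive nature the text describes.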
Rik Turner, a principal analyst at Ovum who authored the report, says it’s not a surprise that an early adopter of deception has been the financial sector, which has large IT security operations, including dedicated threat-hunting teams.
“The more sophisticated the organization, the more value they’re going to get from it [deception] because you’re not just doing this to keep the bad guys out,” Turner says. “You’re also wanting to do reconnaissance on who’s attacking you. In other words, this is a data gathering exercise as well as a repellent.”
Deception has typically been considered something nice to have, but not as a replacement for network analysis, endpoint detection and response or behavioral analysis tools.