How to Evaluate Deception Platforms and Checklist
By: Carolyn Crandall, CMO, Attivo Networks
With over 700 reported breaches occurring annually, a modern-day adaptive security approach requires a combination of prevention and detection technologies. Even the most state-of-the-art prevention solutions cannot keep every attacker out. Being able to promptly detect threats that have bypassed prevention systems becomes a critical line of defense in preventing the exfiltration of data and PII, and potential harm to critical infrastructure or a company’s brand reputation.
This blog will provide an overview on what deception technology is and how it provides an efficient and effective solution for detecting inside-the-network threats in real-time. A useful checklist is also included, which can be used by organizations to understand the elements of a comprehensive deception platform and how to evaluate both the breadth and depth of deception offerings.
What is deception technology?
Deception technology is designed as a network “motion sensor” that alerts organizations, in real time, to threat actors that have bypassed cyber security prevention solutions and made their way inside the network. Deception systems turn the network into a ubiquitous trap, using deception techniques designed to confuse, misdirect, and delay attackers by introducing ambiguity into their operations. This provides an early alert system and the much-needed time and visibility to thwart the attack and remediate infected systems.
What does deception technology do?
Deception platforms are based on high interaction engagement servers working in conjunction with decoys and deception lures to deceive, detect, and analyze attacks.
Deception platforms are designed to detect and analyze all threat vectors, including reconnaissance, stolen credentials, phishing, and ransomware. Unlike a decoydoc (an early-stage form of deception), which was designed as a low-interaction decoydoc for detecting automated scanning tools and worms, deception is designed to detect inside-the-network threats and the lateral movement of human attackers. Deception does not rely on signatures or known attack patterns, making it extremely effective for gaining real-time visibility into attacks such as zero-day exploits, stolen credentials, and insider threat actors.
Comprehensive solutions will be able to detect threats in user networks, data centers, cloud, industrial control system (ICS/SCADA) and Internet of Things (IoT) environments. These platforms turn the entire network into a trap, and once the attacker is engaged they can also safely analyze the attack to obtain the forensic data required to quarantine an infected device and update prevention systems to block current and future attacks.
Who uses deception technology?
Every organization that is concerned with protecting their most critical assets (company data and intellectual property (IP), Personally Identifiable Information (PII), critical infrastructure, etc.) should be looking at deception as part of their security infrastructure. Given the number of breaches that are occurring on a daily basis, today’s secure posture requires an “assumed breached” approach that includes a mix of prevention and detection solutions.
Deception is becoming widely adopted by Fortune and midsize organizations across financial, healthcare, high-tech, retail, entertainment, energy, government, and many other verticals, as organizations seek an efficient solution for inside-the-network threat visibility to augment their prevention systems.
Why is deception technology important?
Prevention alone has proven insufficient to stop attackers from getting into a network. The reality is that prevention systems can’t be effective when 12 new attack strains are being produced per minute, two out of three attacks come from stolen credentials, 43 percent of data loss comes from insider and 3rd-party threat actors, and security operations center (SOC) teams are expected to keep up with an average of 14 alerts per hour. Attackers, on average, go 7+ months before organizations even know they have been breached, and by then it is too late.
Organizations are realizing now more than ever that inside-the-network threat detection is a must and that deception offers the most efficient and cost-effective way to quickly detect all types of cyber threats. Paul Proctor, Gartner Analyst, has published a paper titled “Shift Cybersecurity Investment to Detection and Response,” which serves as a good reference on why detection is needed in addition to prevention solutions.
How does deception technology work?
It is important to understand that deception is not another layer of prevention. It is also different from intrusion detection and prevention systems (IDS/IPS) and big data monitoring which, although they are methods for detecting attacks, are challenged by reliability and by the need for highly skilled resources to tune the systems, analyze the data, and manage the number of false alerts that are often generated by pattern matching and anomaly detection techniques.
Deception takes an entirely different approach to cyber defense. Deception is designed to detect what prevention systems have missed and to give organizations the real-time visibility to know what is lurking in their network. Deception is inherently efficient since it relies on the attacker engaging with a decoy rather than on monitoring for signatures or attack patterns. Systems are easily installed in under 30 minutes, and alerts are substantiated with detailed attack forensics based on actual engagement. Alerts can be viewed in a threat intelligence dashboard, easily reported on, or set up to integrate with prevention systems to automatically block attacks and quarantine infected devices. Given the simplicity of management and the high fidelity of alerts, additional resources are typically not required to operate a deception platform.
It is important to note that not all deception platforms are alike, and there is wide variance in the breadth and depth of solutions. Many providers have only partial solutions, such as an engagement server or endpoint deceptions alone, or they may not work in a user network, data center, or cloud environment. They may support full customization and real operating systems, or only an emulated environment. It is highly recommended to do your research and understand how complete a vendor’s offering is and whether it can meet all of your needs.
Here is a checklist of the elements of a comprehensive deception platform, with the criteria you can use in your evaluation.
- What environments are supported?
  - Will the solution support user networks?
  - Can the solution scale to operate in a data center?
  - Will you need cloud security? AWS, Azure, OpenStack, VMware
  - Do you need detection for Industrial Control System or IoT environments?
- How effective is the detection?
  - Stolen credentials
- How comprehensive is the deception? Deception lures are based on a variety of deception techniques that are placed on endpoints and servers and are used to lure attackers to the engagement server. Deception lures should cover layers 2-7 and regularly refresh for the greatest level of effectiveness.
  - What types of deception lures are available?
  - Are the deceptions static or do they dynamically update?
  - Do they support the OS you need?
  - Do they require an agent to maintain?
  - How easy are the lures to deploy and update?
- How authentic is the deception? Engagement or deception servers run real or emulated operating systems and services, and are designed to lure attackers away from production servers. Deception servers running real operating systems, with the ability to customize to your environment, provide the highest level of authenticity.
  - Are the servers running real operating systems or are they emulated?
  - How extensive are the services?
  - Can you load a “golden image” or customize services to make the deception servers indistinguishable from production servers?
  - Can the deceptions be designed to match hospital devices, SCADA or IoT environments?
- How difficult is it to install? Some deception engagement servers require network integration and monitoring of all traffic, while others can reside off a switch and don’t require a network redesign or traffic redirection assessments.
  - Is in-line deployment required and, if so, what network and compute changes need to be factored in?
- How well does the engagement server analyze, identify, and report on attack findings?
  - Can the system identify attacks without known attack patterns or signatures?
  - How comprehensive, safe and manageable is the analysis environment? Advanced deception systems can open communications with the Command and Control (C&C) to understand more about the attacker methods and tools being used.
  - How comprehensive is the attack information, and how is it displayed or shared?
    - Clarity of information
    - Detail drill-down
    - Information enrichment (e.g. VirusTotal)
    - Report formats: IOC, PCAP, STIX, CSV, etc.
  - 3rd-party integrations
    - Automated or manual with SIEM, firewall, patch management, etc.
  - How accurate and detailed are the alerts?
    - Can they be customized based on the level of attack finding?
    - How clear is it to quickly identify areas of greatest concern?
    - Is all the detail required for incident response and infected-system quarantining provided?
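To make the alert criteria above concrete, here is an added example (not Attivo's code) of the detection logic behind a decoy-credential lure: decoy accounts are planted on endpoints, no legitimate process ever uses them, so any authentication attempt with one is a high-fidelity alert that already names the source host to quarantine. The decoy registry, host names and log lines are constructed for the example.

```python
"""Detection logic for decoy-credential (honeytoken) lures.

Hypothetical example, not a vendor's code. Decoy accounts planted on
endpoints are never used by legitimate processes, so any authentication
event that references one is an engagement with the deception, and the
alert carries the source host needed for quarantine.
"""
from collections import Counter

# Constructed decoy registry: decoy account -> endpoint it was planted on.
DECOY_CREDENTIALS = {
    "svc_backup_admin": "WS-FIN-017",
    "sql_ro_reporting": "WS-HR-042",
}

# Constructed sample authentication events (key=value fields, one per line).
SAMPLE_LOG = """\
ts=2019-03-04T09:12:01Z event=logon user=jsmith src=WS-FIN-017 dst=FS01 result=success
ts=2019-03-04T09:13:44Z event=logon user=svc_backup_admin src=WS-FIN-017 dst=FS01 result=failure
ts=2019-03-04T09:13:46Z event=logon user=svc_backup_admin src=WS-FIN-017 dst=DECOY-FS01 result=success
ts=2019-03-04T09:20:10Z event=logon user=mlee src=WS-HR-042 dst=MAIL01 result=success
"""


def parse_event(line):
    """Split 'k=v k=v ...' into a dict; values never contain spaces here."""
    return dict(field.split("=", 1) for field in line.split())


def detect_decoy_use(log_text, decoys=DECOY_CREDENTIALS):
    """Return one alert per authentication event that used a decoy account."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        user = ev.get("user")
        if user not in decoys:
            continue  # a real account: no engagement with the deception
        alerts.append({
            "ts": ev["ts"],
            "decoy_user": user,
            "planted_on": decoys[user],
            "src": ev["src"],
            "dst": ev["dst"],
            "result": ev["result"],
            # A successful logon means the stolen lure reached another host;
            # either way the source endpoint is the one to quarantine.
            "severity": "critical" if ev["result"] == "success" else "high",
            "quarantine": ev["src"],
        })
    return alerts


def hosts_to_quarantine(alerts):
    """Count alerts per source host so responders see the worst offenders first."""
    return Counter(a["quarantine"] for a in alerts)
```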
What else should a person evaluating deception know?
- Deception is only for outside the network – The focus and value of a deception solution is for detecting inside-the-network threats.
- Deception is easy to detect – Deception that runs real operating systems, allows customized images and services, and dynamic deception lures will appear indistinguishable to an attacker.
- Deception is hard to install – Installation and activation of the solution occurs in less than 30 minutes.
- Deception requires more staff to operate – Alerts are based on actual engagement with the engagement server (zero false positives) and carry substantiated forensics that make each alert actionable. The environment also auto-rebuilds after each attack. Additional staff are not required to operate the platform, given the high-quality alerts, depth of reporting, and 3rd-party SIEM and prevention system integrations.
- Isn’t deception just a decoydoc? – At the most fundamental level, there is some commonality. They are both designed to confuse, misdirect, and delay the enemy by incorporating ambiguity and misdirecting their operations. Beyond that, however, the technologies are quite different. More information can be found at this blog, which explores the origins of decoydocs and explains why comparing a decoydoc to a deception platform is like comparing a horse and buggy to a Tesla.
I would encourage anyone interested in purchasing a deception platform to get a demo so that you can see the full functionality and user interface of the solution. I hope that you find this overview and checklist useful and welcome additional thoughts on ideas for evaluating deception platforms and their functionality.