Seven Myths and One Compelling Fact about Deception Technology
By: Carolyn Crandall
In my day-to-day conversations with the security community, including at the 2017 ISSA International Conference held in early October in San Diego, I continue to be surprised by misconceptions some very experienced cybersecurity professionals have about deception technology. I suspect it is mostly awareness, but sometimes I wonder if hackers spread these myths to deter companies from deploying deception. In this blog, I will share seven of the most common misconceptions and one very compelling fact.
Building, maintaining, and enhancing a highly robust adaptive defense should be a number one priority for every organization, however despite their best efforts, we still read every day about breaches from companies such as Equifax, Deloitte, Pizza Hut, Hyatt Hotels, and Red Cross. What these breaches point to is an inability for organizations to achieve 100% prevention security and that they must take a different approach or risk being breached and added to an unenviable list of compromised companies.
Deception technology is proving to be an exceptionally accurate and effective solution for detecting threats that have bypassed perimeter and anti-virus defenses. Gartner has promoted deception as a recommended 2017 security initiative and Attivo has engagement with over 350 organizations in various stages of evaluation and proof of concept. With all these great successes, it is natural to ask: What is holding companies back from adopting this technology?
Let’s dispel some of these common myths about deception and why these myths should not be inhibiting the broad-scale use of deception for threat detection:
Deception is only for outside the network and is a research tool
False. DecoyDoc technology was originally designed to research what types of attacks were happening outside the perimeter. The purpose was mostly for research and not for production level, scalable detection. Deception-based detection technology is different in that it identifies threats that have bypassed perimeter defenses and are inside the network. This has considerably more value to companies that lack visibility to detect in-network threats and their lateral movement. The lack of visibility is why attackers maintain an average of 99 days undetected within a network and why we see so many breaches go undetected until it is too late. By adding deception to endpoints and decoys within the network, customers gain accurate detection of initial reconnaissance and harvesting of credentials, along with the offensive advantage to reveal attacks early.
Deception is easy for an attacker to detect and avoid
False. Deception solutions, such as the Attivo ThreatDefend™ solution, run real operating systems and golden images to make the decoys high-interaction and appear identical to production assets. Additionally, dynamic deception campaigns continually refresh the environment’s assets and credential lures, while Active Directory integration provides an additional level of deception and credential verification. Data deceptions in the form of DecoyDocs are also providing invaluable counterintelligence to help organizations understand what attackers are seeking, where documents are ending up, and additional insight into attacker motivations. The authenticity and attractiveness of deception has been proven at scale with a number of Fortune customers, effectively detecting human and automated attackers. It has become so highly authentic that even the best Red Teams have been fooled during pen tests. Deception has also been applied in multiple capture the flag events, again demonstrating its ability to confuse and misdirect attackers.
Unique to Attivo, the Camouflage deception framework dramatically enhances deception authenticity in four key ways:
- High-interaction deception based on real operating systems and customizable services
- Deception Campaigns that use machine-learning to learn the behavior traits of a network, applications, and device profiles and propose deception campaign profiles for the highest authenticity
- Adaptive campaign deployment will automate the deployment of deceptive campaigns based on assets, deceptive credentials, and network behavior based on preset parameters or suspicion of attacker presence
- Dynamic respinning of deception will automatically occur after an attack to avoid attacker fingerprinting
Collectively, these features empower an organization to create an authentic deception environment and change the game board on attackers, dramatically increasing the effort and costs needed to advance their attack.
Deception requires highly skilled staff to operate
False. This is a legacy belief that is only attached to DecoyDoc based deception or deception solutions that deploy inline. With today’s deception, decoys are projected and not deployed inline. This creates a frictionless, highly scalable solution that is easy to deploy and operate. Adaptive deception campaigns will also fully automate the ability to change, on demand, deception configurations at scale. Additionally, operations are extremely efficient because alerts are based on actual engagement (zero false positives) with assets or deception credentials and have the attack analysis detail to substantiate the threat. Built-in forensic reporting will also remove many manual steps in correlating attack information and documenting findings. Unlike early generation DecoyDocs, the Attivo deception platform is designed to auto-rebuild after each attack, removing the time and skills that were previously required. Attivo has many customers that have deployed the ThreatDefend platform globally, without the need for additional staff. Many will state that the ThreatDefend platform makes them more efficient as it automates the attack information correlation and its integrations with third-party SIEM and prevention system integrations save them time by automating incident handling and the attack information sharing process.
Deception is hard to install, difficult to operate and not scalable
False. However, this is where all deception is not created equal. The Attivo ThreatDefend Platform includes multiple features that make it easy to deploy, operationalize, and scale from user networks to data centers, to cloud or to other specialized environments. This is achieved through dynamic deception campaigns, deployment options that include integration with EDR solutions from companies like McAfee and ForeScout; a non-inline design; and agentless deception lure configurations. Threat handling is also simplified with a comprehensive threat intelligence dashboard that includes attack analysis and dashboard features that facilitate forensic reporting. The Attivo Attack Threat Analysis (ATA) engine removes manual work by capturing and cataloguing attack activity to support understanding of the attack’s anatomy and objectives that can lead to a better overall security stance. Security professionals have access to detailed attack information through UI, PCAP files, syslog, IOC, and CSV report formats. Attack information can also be automatically shared through 3rd party integrations with firewall, NAC, endpoint, and SIEM vendors in order to automate incident response and attack information sharing. Attivo customers can also purchase a ThreatOps™ license for the creation of repeatable incident response playbooks.
Deception provides no incremental value to the security infrastructure
False. Deception achieves early and accurate threat detection at the end-point and in-network for both human and automated attackers. Deception solutions are not reliant on signatures or known attack patterns, thereby making them highly effective for reconnaissance, stolen credential, man-in-the middle and Active Directory-based attacks. Dynamic deception platforms will also provide automations and integrations for simplified incident handling and accelerated incident response. The end-point is the typical point of entry for an attack and the Attivo ThreatStrike™ Endpoint Deception Suite is designed to strengthen endpoint defenses by immediately misdirecting an attack through deceptive endpoint credentials or ransomware lures to a deception engagement server, which will reveal the attacker’s presence and actions. Network decoys will also notify on attacker reconnaissance and lateral movement, providing security teams with early notification of attacks and the time to shut down the attack before damages can be done.
Gartner analyst Peter Firstbrook recently defined deception as, “The most advanced approach for detecting threats within a network,” and another Gartner analyst, Neal MacDonald, has called out deception as one of Gartner’s “Top Technologies for Security in 2017,” noting, “Deception technology can be used to thwart or throw off a potential attacker. They allow enterprises to better detect attacks with a higher level of confidence in events detected.”
Deception is just a form of DecoyDoc
False. At the most basic level, there is some commonality. Both are designed to confuse, misdirect and delay hackers by incorporating ambiguity and misdirecting their operations. But that is where the similarities end. While DecoyDocs had a purpose, there were several weaknesses: DecoyDocs were simplistic and based on emulation, and as such not very authentic. Hackers therefore, had an easy time identifying and avoiding them. They also tended to be hard to maintain, which sapped resources of the security teams or limited their use to research vs. production deployment. Today’s deception solutions are dramatically different and are designed for authenticity and high-interaction attacker engagement. They are no longer based solely on the element of surprise and are designed for the anticipating attacker.
Our upcoming article in Dark Reading will go into quite a bit more detail about the difference between DecoyDocs and deception-based detection technology. (Note: after the article appears, we will change this sentence and add a link) In the interim, you can also read more in the blog post on (deception vs. DecoyDocs)
I also promised you one compelling fact and here it is: Deception works accurately and efficiently for early detection of in-network threats regardless of the attack vector or today’s evolving attack surface. The key here is early detection. Deception does not need time to “get good” and can add value immediately in providing visibility when other security controls have failed. Regardless of whether you have the most or least sophisticated security controls, everyone needs to know what’s lurking in their network.