Enterprises and their Security Operations Centers (SOCs) are under siege. Security events are being triggered from all corners of the security stack – from the firewall, endpoints, and servers, from intrusion detection systems and other security solutions.
What’s more is that security teams do not have enough people or hours in a day to analyze the alerts that are coming in, and most ‘security events’ don’t even imply an attack in progress. They often are simply sharing information (failed connections, for example) or are what we call ‘false positives’ (when a solution thinks it has found a specific vulnerability, but in fact, it hasn’t.)
This is important because today, attackers use stealthy tactics that leverage these security challenges – after infecting an asset inside an organization, they keep a low profile, moving laterally in the hunt for valuable, sensitive data. The longer they stay in the network, the harder it becomes to detect their trail. The average ‘dwell time’ – how long an attacker or malicious insider is inside an organization’s network – is measured in months, with some estimates in the 200+ day range.
That’s why it’s critical for organizations – both large and small – to focus their cybersecurity strategy on earlier detection and faster response. One of the technology trends that is promising to do this, is deception.
What is deception technology?
Sun Tzu said it best in his book on The Art of War: “All warfare is based on deception.”
‘Deception’ is a classic tactic used in warfare, both for protection and as a mechanism to attack enemies. One of the best-known deception operations conducted during World War II was when the British deceived the Germans in Operation Mincemeat, which preceded the invasion of Sicily. This was a classic operation of planting strategic misinformation in order to deceive the enemy and distract them from the real place where the attack actually took place.
The idea behind a cyber deception strategy is similar. Organizations often know to varying degrees what the attackers are looking for, what they expect to find, and how they might attack and use the information they find – so why not use this against them?
The ultimate goal of deception is to lure attackers to ‘decoy’ assets that look and feel real but aren’t. This can be done through different methods including traps in the network, on the endpoints and servers, data traps, and more. By engaging with the decoy or deception environment, attackers or malicious insiders essentially reveal themselves to the organization – but they don’t know it.
5 ways deception is changing the cybersecurity landscape
Often people hear ‘deception’ and they immediately think of ‘honeypots’ – which is basically a static decoy that imitates a simple computer system and does nothing unless an attacker stumbles across it. However, deception technology has greatly improved beyond the honeypot concept today. How? By being active – both in luring and baiting attackers to a deception environment, as well as in the decoys.
Here are five ways deception technology is changing the cybersecurity landscape:
1. Maximum accuracy with minimal human investment
When a deception solution triggers an alert, organizations know it is an accurate incident no matter what – goodbye false positives! Any access to the deception layer is by definition malicious and the security team has to investigate it immediately. With cybersecurity teams struggling to focus on real threats due to all the “noise” that is generated from the multiple layers of security tools and the lack of personnel to physically triage and investigate each alert.
2. Get personal with your business
Deception has taken the honeypot concept to another level. It structurally learns and adapts to your organization’s network and cloud environments. Decoys change to match the real environment as it changes. Additionally, solutions that use ‘breadcrumbs’ can strategically lure attackers and malicious insiders to the decoys. This ‘personalization’ is critical to a modern deception defense – to ensure that the deception components always look and feel real to bad guys.
3. Ensure a post-breach defense for any type of attack
Cyber attacks come in many forms. Deception provides a post-breach defense that is agnostic to the type of attack. Whether the attack is by spear phishing, drive-by download, or comes through from a connected device, deception lets you know there is someone inside your network looking to steal data.
4. Triggers threat hunting operations
Threat hunting exists in only the largest, most mature security organizations. But even smaller companies can make this highly advantageous strategy work with deception. Deception provides the first true signal of an infected asset that a threat hunter can use to quickly begin the investigation process.
5. Empowers organizations towards strategy and active defense
Traditional security attempts to block and prevent threats. It’s a constant game of cat-and-mouse. Deception changes this game by giving defenders the ability to learn about attackers in a similar manner that attackers try to learn about their targets. Once they know an attacker is in the network, they can observe their behaviors and patterns. This intel helps security teams better understand what attackers are after and the best way to respond.
While prevention defenses are certainly still needed, it’s clear that advanced threats still have too much success. Early detection is now more critical than ever. Every business needs to be strategizing about how they plan to fill the detection to infection gap.
There are several vendors offering deception, including Fidelis Cybersecurity, Trapx, Attivo and Illusive Networks. Deception is one technology that can significantly reduce dwell time. On top of this it is easy to install, does not require a lot of resources to manage, and it increases the effectiveness and the efficiency of security teams.
For companies considering this technology, deception should be tightly integrated not only with the SIEM but also with endpoint solutions (EDR/ EPP) and with network security solutions to ensure a pre- and post-breach defense that strengthens the security posture of the organization.