Deception Technology—Useful Tool or Just More Busywork?

By Tim Roncevich, Partner, CyberGuard Compliance

Infosec professionals are losing ground in the war on cybercrime

“Cybercrime has surpassed Drug Crime as the largest form of global thievery since 2018 and continues to grow.  At Cyber Defense Magazine, we predict that Cybercrime will account for over $7 trillion in theft and damages by 2021,” said Gary S. Miliefsky, Publisher of Cyber Defense Magazine and Cybersecurity Expert.

Forced to defend against an abundance of threats with a shortage of resources, understaffed teams and overworked workers are deploying deception technology as a defense against data breaches, hoping to proactively trap would-be cybercriminals.
Deception technology involves creating a fake network solely for identifying intruders. After you ferret them out, you can bar them from future access to your entire network.
Though deception itself has long been a cybersecurity tactic, modern technology has made it increasingly popular. In its early stages, deception technology was limited to “honeypots”, whose simplicity, for the most part, relegated them to usage by smaller organizations. Attackers eventually learned to spot them because they didn’t change, thus reducing their effectiveness.

Deception 2.0 technology mitigates advanced threats by detecting, engaging, and responding to the tactics, techniques, and procedures of those threats. Robust detection systems within your network provide stronger protection.
However, deception technology is not suitable for all organizations. If it isn’t adequately supported, it could end up being busywork instead of a useful tool. Here are a few pros and cons of deception technology:

Pros

Fewer false positives: If someone is moving in the fake network, they likely do not belong. Following their activities can give you clues as to how they might attack your real network. Then, you can bolster your defenses by learning from the attack patterns that you have uncovered.

Earlier alerts: Given that cybersecurity breaches are active on enterprise networks for an average of 200 days before they’re discovered, high-fidelity alerts help you protect legitimate assets because you can secure them while the intruder is in your false network.

Pervasive deception: Spotting intrusions early allows you to escalate your responses. You can deploy decoys, breadcrumbs, baits, and lures to engage and eliminate threats at various levels.

Scalable defenses: Deception technology has evolved well beyond honeypots. Rather than relying on a single static ploy, you can implement a whole system that mirrors your actual environment, making it more likely that you will fool intruders. Deception 2.0 technology also can be used in the cloud.

Cons

False reliance: If you’re waiting for an intruder to wander into your fake network, you may be too late. They could be in your real network instead. Your false sense of security could cause you to miss a threat.

Expansive resources: Deception technology can be expensive. In addition to the initial investment in building an extensive false network, you have ongoing maintenance costs and occasional upgrade costs to keep your false network believable. You may also have to remediate damages to other systems if an intruder moves beyond the false network.

Needs support: You can’t depend solely on deception technology because it only guards against intrusions. You must incorporate other defenses because breaches are increasingly difficult to prevent. You also must implement cybersecurity measures that can help you if a breach occurs.

Alarm fatigue: If you are overworked and understaffed, one more piece of technology may not make any difference. Though you still should investigate what is going on and take action, if you’re overworked, you may suffer from alarm fatigue and skip another seemingly mundane task, leaving your network vulnerable to attack.

Final thoughts

At the end of the day, deception technology can be useful for detecting an intruder before a breach happens, but it is not a set-it-and-forget-it purchase. You must invest in the resources you need to adequately recognize (and respond) to threats. You have to be able to invest in the staff and technology necessary to build and maintain the network and catch hackers in the trap. If you don’t, you will likely frustrate your team by spreading them too thin.

Similarly, deception technology should not be used as a band-aid for a more serious systemic problem. If you do not have proper security controls in place that have undergone a SOC 2 audit by an independent third party, your system could be more vulnerable than you think. Your fundamentals should be rock-solid. No amount of additional threat detection can replace this. Although deception technology is proving to be a useful tool for proactively detecting threats, it should only be used by those that have the time and personnel to properly use it.

About the Author

Tim Roncevich is a partner at CyberGuard Compliance. Tim worked previously at a large global accounting firm, where he specialized in SOC audits. With over 15 years of professional experience, Tim has an excellent diversity of skills to effectively serve his clients. Tim’s industry expertise includes Service as a Software (SaaS), manufacturing, technology, banking, retail, consumer products, mortgage, and professional services. Tim can be reached via LinkedIn and at our company website https://www.cgcompliance.com/