Emerging technologies come with a lot of promises and ROI expectations. Some move forward and thrive, while others just fade away. Modern cyber deception platforms started appearing in 2015 with signs of not merely being a honeypot, but for being a better form of detection against better attackers. Now, five years later, the technology has quietly secured its place within the security infrastructure of organizations, both small and large. I highlight “quietly” because it is deception, and adopters prefer not to let the world or even their employees know that they are using it.
So, who are these stealthy users? As one would expect, large companies and government agencies have been aggressively adopting cyber deception. Over half of the Fortune 10 is rumored to be users of the technology. What tends to surprise people is the overall percentage of mid-market customers. Independent research estimates that about 60% of deception deployments are within companies with less than 5,000 employees. Adopters of deception technology range across financial, healthcare, technology, energy, retail and hospitality, legal, and a variety of other industries. Sometimes adoption is driven by compliance needs, but more often, merely the need for better threat detection for both external and internal threats.
What makes a cyber deception platform so appealing is its ability to accurately detect threats early in the attack lifecycle across a wide variety of attack vectors and attack surfaces. If you reference the MITRE ATT@CK framework, deception plays a critical role in stopping the attack at step one, something that other security tools are not designed to do. Value to defenders goes beyond early detection and surfaces in the fidelity of the alerts, its ease of operation, and ability to automate analysis and incident response. There are many use cases that deception can address, though overwhelmingly customers are buying for lateral movement and insider threat detection.
Here are five primary use cases for detection solutions, along with the impact that deception makes for reducing risk and improving operational efficiency.
Deception technology uses machine learning to discover the network and for building deceptions that mirror-match the environment. This process allows the platform to see new devices coming on to the environment and to gain visibility into misused or orphaned credentials. This visibility provides insights to understand lateral movement attack paths and to reduce the attack surface by removing these exposures.
The latest deceptive capabilities equip defenders with the ability to detect unauthorized queries on Active Directory (AD) and to return false data without touching the production environment. Attacks are then redirected into a decoy, causing the attacker difficulty in discerning real from fake or trust in their tools like Mimikatz, Bloodhound, PowerShell, etc. In this case, even the mere act of observation alerts a defender to undesirable behavior.
Stopping an attack during and after execution
This categorization is reflective of traditional tool operations, as most detection tools will activate once an attack is underway. Although deception is applicable for this use case, the solution is more proactive and designed to detect early, typically triggering before the attacker even takes any malicious action. Deception is built for better detection against better attackers, with the intent to detect and disrupt attacks early, regardless of the vector. This includes the detection of activities for accessing credentials, exploration of lateral paths, Active Directory recon, the discovery of network assets, active mapped shares and ports, and man-in-the-middle attacks. A recent survey by analyst firm Enterprise Management Associates (EMA) found that users of deception were reducing their dwell time to an average of 5.5 days, as compared to non-deception users who reported an average of 61 days. This 90% improvement also aligned with 91% of users citing their confidence in the efficacy of deception solutions. Additionally, 98% found value in the technology, with 71% stating it had exceeded their expectations.
Many deception adopters were attracted to the solution because of its comprehensiveness, attack surface coverage, and for its centralized management. A full deception fabric will include detection for user networks, cloud (AWS, Azure, Google, Oracle), datacenters, remote offices, network infrastructure (routers, switches, VOIP, print services), and specialized environments (IoT, medical IoT, ICS-SCADA, and POS). Management can be centralized on-premises or in the cloud.
Removing and remediating an infection
Unlike other detection controls, deception goes beyond alerting and gathers adversary intelligence so that defenders can quickly understand the attack, confidently shut it down, and prevent a similar recurrence. The ability to gather real-time intelligence is a unique benefit of deception and is extremely valuable for gaining the upper hand against attackers. Native integrations can also facilitate automated incident response including isolation, blocking, and threat hunting. Advanced deception platforms can also automatically remediate exposed credentials on the endpoint. In Red Teaming scenarios, the blue team detected intrusions in under an hour with containment in under 30 minutes and full restoration of services in under 30 minutes. The in-depth attack data allowed the teams to detect and respond confidently without having to spend hours in triage.
Use of threat intelligence
Defenders gain high-fidelity alerts that are substantiated by the environment’s attack analysis, forensics, and collection of adversary intelligence. This provides valuable insight into adversary and threat intelligence required for blocking, isolation, threat hunting, and return adversary mitigation. In addition to appending information from known threat intelligence databases, solutions with a built-in sandbox will also gather the full TTPs and IOCs of an attack. Native integrations and playbook automation go one step further in facilitating information sharing with other security controls and accelerating incident response and remediation.
Additionally, planted decoy documents allow defenders to gather counterintelligence related to attacker intent. This capability can be instrumental in understanding what type of information an attacker is after and in how an attacker is gaining access.
After the fact investigation
Whether it be for the purpose of post mortem incident evaluation, Red team exercise, or insider threat substantiation, deception records all attack activity and provides irrefutable proof of unauthorized activity or policy violations. This in-depth information can be extremely useful in demonstrating security resiliency, ongoing security control functionality, and security controls related to insiders and suppliers.
Cybersecurity has traditionally centered on preventative defenses that begin as a reaction to an event. Now, with cyber deception, organizations can proactively detect and derail threats early so that attackers cannot establish a foothold or complete their mission. With deception lures and landmines attackers can no longer trust that they know real from fake and will make mistakes, be forced to spend more time, start over, or find an easier target. Simply put, deception provides better and no-nonsense detection against even the craftiest of cyber adversaries.