By Wade Lance, field CTO, Illusive Networks
When security professionals hear the word “deception,” they tend to immediately think of honeypots. That association needs to be updated. The concept of honeypots goes back a long way; IT security researchers began using honeypots in the 1990s. Their goal was to trick an attacker into interacting with a fake system. Honeypots were designed to capture and analyze attacker behavior in a safe environment, not to detect threats. The deception technology landscape has evolved considerably since then.
Honeypots vs. deception technology
It turned out that honeypots aren’t very effective at detection – they tend to be limited in scope and easy for professional bad actors to identify. As detection methods advanced, attackers responded by focusing their attention on remote hosts with which their beachhead had a historical interaction. So the value of honeypots as detection tools plummeted as attackers abandoned network scans in favor of using the history they found on the beachhead. Production users don’t interact with honeypots, so attackers don’t either. When an attacker does stumble over a honeypot, they pretty quickly figure out it isn’t a real system.
Deception technology holds a lot of promise, especially for early and efficient threat detection. However, to fully realize that potential, deception needs to go well beyond the honeypot.
Honeypots are difficult to distribute widely and require significant resources to maintain and implement, so security teams can usually only deploy a limited number. That means there are never enough to effectively detect threats. Any value a honeypot strategy has for detection is based on a fairly specious hope – that an attacker will accidentally trip over or be lured into it.
That hope has grown increasingly thin over the years as cybercriminals have gotten wise to the honeypot ruse. Experience, crowdsourcing, and widely-available tools now help attackers distinguish honeypots from real systems containing the valuable data they are targeting. To be an effective detection tool, deceptions must be inevitable, undetectable, and inescapable. Even today’s more advanced honeypots are none of these things.
As mentioned, honeypots in a decoy role were originally intended to allow the defender to observe attacks in progress. As such, they still serve an important purpose in threat research. They can be used effectively for forensic analysis, threat hunting, and developing responses to malicious behavior. Honeypots may still prove useful, but not as the centerpiece of a modern deception technology strategy focused on threat detection.
What does next-generation deception technology offer?
Next-generation deception technology gives defenders the earliest and most effective method for detecting and halting an attacker’s movements once inside the network. At the same time, deception dramatically increases the effort and costs for the attacker.
Automation and machine learning support rapid deployment and touch-free refreshes to maintain deception authenticity. Intelligent deception systems can recommend and craft customized network, system, application, server, and data deceptions that appear native to the environment.
Currently, honeypots gather data in isolation. Next-gen deception technology moves the focus of deception beyond the honeypot to the endpoint, server, and device. This approach gathers information across the production environment, provides previously unimagined visualization of the attack surface, and offers highly efficient detection of cyber threats at the attack beachhead.
Evaluating next-gen deception technology
When it comes to selecting a next-gen deception technology solution, here are some best practices to make the evaluation process easier:
Make sure it SMAQs: an effective next-generation deception solution must be Scalable, Authentic, Manageable, and Quiet. These traits would seem to speak for themselves, but we are often surprised to find deception products that are hard to deploy, easily recognized as fake, require extensive handholding, and still produce unacceptable levels of false-positive alerts. Caveat Emptor.
Focus deception on the production system: Honeypots focus on diverting attackers away from the production system, but this is no longer enough. As mentioned above, next-generation deception methods need to focus on the production systems themselves. When evaluating a potential solution, it’s important to make sure the focus is on the production environment and not just aimed at diversion. This is especially true in larger environments.
Getting value out of your deception platform beyond detection: When it comes down to making an investment in deception technology, it’s important to choose a solution that offers you aspects beyond threat detection. A well-architected deception-based solution will offer enhanced visibility, attack surface reduction, precision forensic data to speed response, as well as threat hunting and intelligence gathering.
Moving from a reactive/passive defense to an active defense: Cybercriminals will continue to evolve and become more sophisticated in their approaches. That’s a fact. Organizations cannot afford to take a purely reactive or passive approach to defense. Being proactive will make a world of difference in protecting your organization from damaging breaches and attacks. The best approach provides so much false data to attackers on production hosts that they can’t orient themselves or make effective decisions. Never underestimate the power of creating frustration for the attacker. They are people too, and quickly move out of environments where it is just too difficult to operate.
Integrations are also important: Next-generation deception technology should also integrate comfortably with other security solutions. That includes Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), and Security Orchestration, Automation, and Response (SOAR) systems. Having these integrations helps ensure the threat detection capabilities can enhance the resolution capabilities of other technologies as well.
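To make the endpoint-focused detection described above (deceptions planted on production hosts, alerts raised at the beachhead, events handed to a SIEM or SOAR) concrete, here is an added illustration that is not Illusive Networks' code or product logic. It plants a list of deceptive account names that no legitimate user or process ever uses, parses a small set of constructed logon-audit lines, and raises an alert the moment any of those accounts appears in an authentication attempt, whether it succeeded or failed. Because the bait accounts have no legitimate use, the rule is quiet by construction. The log format, host names, account names, and the JSON alert schema are all assumptions made up for this example.

```python
"""
Added example (not the vendor's code): detecting use of deceptive credentials
planted on production endpoints.

Idea: a defender seeds each workstation with a fake credential that looks like
something an attacker would find in "beachhead history" (a saved service
account, a cached database login). No real user or job ever authenticates with
it, so ANY logon attempt naming that account is a high-fidelity signal.
"""
import json
import re
from dataclasses import asdict, dataclass
from typing import Iterable, List

# Deceptive accounts and the host each one was planted on (constructed names).
# The planted-on host lets the alert name the likely beachhead.
DECEPTIVE_ACCOUNTS = {
    "svc_backup_adm": "ws-finance-07",
    "sql_reporting_ro": "ws-hr-12",
}

# Constructed syslog-style rendering of a logon audit event.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) logon user=(?P<user>\S+) "
    r"target=(?P<target>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    deceptive_account: str
    planted_on: str        # host where the bait was planted (assumed beachhead)
    source_host: str       # host the logon attempt originated from
    target_host: str       # host the attempt was aimed at
    result: str            # SUCCESS or FAILURE; both are alert-worthy
    credential_moved: bool  # True if used from a host other than planted_on

    def to_siem_event(self) -> str:
        """Serialize for SIEM/SOAR ingestion (schema is an assumption)."""
        event = {"rule": "deceptive_credential_use", "severity": "high"}
        event.update(asdict(self))
        return json.dumps(event)


def detect(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per logon attempt that names a deceptive account."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, never alerted on
        planted_on = DECEPTIVE_ACCOUNTS.get(m["user"])
        if planted_on is None:
            continue  # real account: not a deception hit
        alerts.append(Alert(
            timestamp=m["ts"],
            deceptive_account=m["user"],
            planted_on=planted_on,
            source_host=m["src"],
            target_host=m["target"],
            result=m["result"],
            # Bait used from a different host means it was harvested and
            # carried off the beachhead, which is exactly the movement the
            # article says attackers now rely on.
            credential_moved=(m["src"] != planted_on),
        ))
    return alerts


# Constructed sample audit lines: two normal logons, one junk line, and three
# uses of bait accounts (one of them from a host the bait was never planted on).
SAMPLE_LOGS = [
    "2024-05-01T08:02:11Z ws-finance-07 logon user=jdoe target=fs-01 result=SUCCESS",
    "2024-05-01T08:05:43Z ws-finance-07 logon user=svc_backup_adm target=db-03 result=FAILURE",
    "2024-05-01T08:06:02Z ws-finance-07 logon user=svc_backup_adm target=db-03 result=SUCCESS",
    "2024-05-01T09:14:20Z ws-hr-12 logon user=asmith target=mail-01 result=SUCCESS",
    "this line is not a logon event and is ignored",
    "2024-05-01T09:20:00Z ws-eng-03 logon user=sql_reporting_ro target=db-03 result=FAILURE",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert.to_siem_event())
```

The three alerts the sample produces show why this kind of deception is quiet: ordinary users generate nothing, and a single touch of a bait account is enough to fire. The `credential_moved` flag is the piece a SOAR playbook would key on, since it tells the responder that the credential has already left the host it was planted on.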
A new day in network security
Honeypots were a novel invention in their time – but that time has passed. They still have their usefulness but have been overshadowed by a better, smarter option for the purposes of quick threat detection: the new breed of distributed deception technology. Today’s deception technology is scalable and automated, providing true early detection to shut down attacks quickly. IT professionals must vet potential solutions carefully to ensure the organization gets the active network defense it needs.
About the Author
Wade Lance, field CTO of Illusive Networks, has been productizing new technologies in education, healthcare, and information security for over 20 years. He has diverse experience in solution design for global 1000 cybersecurity teams, an extensive background in advanced cyber-attack detection, and a specialty in cyber deception methods and platforms. Prior to his career in information technology, Lance was a professional mountain guide. As program director at Appalachian Mountaineering he developed a new method for technical rock and ice climbing instruction that is still used today to teach advanced skills for the most dangerous environments.