Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/1/2015
06:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Deceit As A Defense Against Cyberattacks

A new generation of 'threat deception' technology takes the honeypot to a new, enterprise level.

It's not technically hacking back, but it's definitely a more aggressive way to defend your network. A wave of startups and established security firms are offering deception-based security technologies, a sort of next-generation, proactive honeypot approach for enterprises.

Gartner calls this emerging sector "threat deception," and predicts that 10% of all enterprises by 2018 will employ some form of deception tools and tactics against attackers. These virtual machine or appliance-based tools basically pose as legitimate members of the network--file servers, routers, switches, database servers, and even Internet of Things devices-- typically near critical assets such as a point-of-sale system or a server as another layer of defense. They mimic the real system but also detect, analyze and disrupt an attack from getting to a real target.

Traditional honeypots long have been the domain of security researchers and analysts--and law enforcement--for studying or entrapping malware or other cyberattack activity. They are labor-intensive, and require expertise. But the more automated threat deception technology isn't your father's honeypot, and it's still not a widely deployed approach. Financial services, healthcare, technology, and government organizations are among the early adopters.

"Traditional honeypots were never designed to be deployed at scale within enterprise IT environments," says Carl Wright, general manager of TrapX, which sells a next-generation honeypot-type solution called DeceptionGrid. "Honeypots really don't do emulations of other than pretty standard PCs, workstations and servers … Deception technology can emulate the IoT or non-standard devices complete with spin data."

Lawrence Pingree, research director/analyst for Gartner's security group, says deception is a key component to detecting attacks. "What we do today is detect and block," he says. "But if you were to start lying to an attacker, for example, you can make them experience pain. You can create a deception zone within the network" so the attacker believes he is interacting with a real node, but instead it's the deceptive device emulating a real one, he says.

"Misdirecting them is a very effective defense," Pingree says. It can divert the attacker from the real target, such as a desktop.

Creating a phony device or system is relatively simple to configure, and threat deception devices also are typically integrated with other security systems; many come with graphical views of the attack across multiple sensors that give a snapshot of what the attacker might be up to, for example.

Ken Baylor, former CSO at Pivotal Software, which runs Attivo Networks' BOTsink, recommends placing the device logically close to the data it's protecting. "Attackers know critical data will be on the same subnets, so placing it in a likely subnet will aid with deception," Baylor says. And give the devices "enticing" names such as HRRecords, or creditcards, so they catch the attacker's eye, he says.

The Attivo systems at Pivotal caught mostly users trying to access devices to which they weren't authorized, malware from user's BYOD devices, unauthorized vulnerability scanners, and other insider threat issues, says Baylor.

Threat deception technology helps minimize the number of false positives, notes Christopher Ensey, chief operating officer at Dunbar Cybersecurity, a managed security services provider that runs TrapX's threat deception appliance in-house as well as offers it as part of its managed service.

Ensey says IDS and event logs have a high rate of false positives, so adding the threat deception layer helps filter out the real threats. "It's almost like an intelligent honeypot," he says. But unlike a honeypot, his TrapX systems are sampling malware and analyzing traffic patterns.

"You can quickly make a judgment. It's not like a false positive from an IDS, with multiple hours of packet analysis," he says.

But there some concerns about the risk of messing with the bad guys. What if they figure out they've hit a decoy? Pingree says these threat deception tools often are set up in a distributed way, and unlike classic honeypots, can respond so they appear real. "You can integrate deceptions at the endpoint … on my computer, it could inject fake credentials or fake drive maps" to throw off the attacker, he says.

In addition to TrapX, which specifically offers endpoint, application and some/partial data deception, there are several other vendors in the threat deception sspace that perform different types of deception, including: Allure Security Technology (data deception); Attivo Networks (endpoint, application and partial data); CyberTrap (endpoint, application and partial data); Cymmetria (endpoint, application and partial data); ForeScout (network ); Guardicore (network, endpoint, application and partial data); Hexis Cyber Solutions (network);  Illusive Networks (endpoint and partial data); LogRhythm (endpoint); Percipient Networks (network); Rapid7 (endpoint); Shape Security (application); Specter (endpoint, application and partial data); and TopSpin Security (endpoint, application and data).

Some of today's firewall, IPS, endpoint, and Web application firewall products, could also deploy deceptive technology, according to Gartner. Juniper Networks, with its Mykonos Software acquisition for Web "deception," could fall into the threat deception technology category, according to Gartner.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
LanceCottrell
50%
50%
LanceCottrell,
User Rank: Author
10/2/2015 | 6:27:50 PM
Deceit for breach detection is a good start.
Easy to use honeypots are a good solution for detecting breaches more quickly. That is important because many go undetected for months. One hopes that this will be used in conjunction with tools and architectures that limit damage, contain attacks, and automate recovery (even without detection).
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27706
PUBLISHED: 2021-04-14
Buffer Overflow in Tenda G1 and G3 routers with firmware version V15.11.0.17(9502)_CN allows remote attackers to execute arbitrary code via a crafted action/"IPMacBindIndex "request. This occurs because the "formIPMacBindDel" function directly passes the parameter "IPMacBind...
CVE-2021-27707
PUBLISHED: 2021-04-14
Buffer Overflow in Tenda G1 and G3 routers with firmware v15.11.0.17(9502)_CN allows remote attackers to execute arbitrary code via a crafted action/"portMappingIndex "request. This occurs because the "formDelPortMapping" function directly passes the parameter "portMappingIn...
CVE-2021-28098
PUBLISHED: 2021-04-14
An issue was discovered in Forescout CounterACT before 8.1.4. A local privilege escalation vulnerability is present in the logging function. SecureConnector runs with administrative privileges and writes logs entries to a file in %PROGRAMDATA%\ForeScout SecureConnector\ that has full permissions for...
CVE-2021-30493
PUBLISHED: 2021-04-14
Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries within the ChromaBroadcast subkey. These privileged operations consist of file name concatenation of a runtime log file that is used to store runtime log information. In other wor...
CVE-2021-30494
PUBLISHED: 2021-04-14
Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries within the Razer Chroma SDK subkey. These privileged operations consist of file name concatenation of a runtime log file that is used to store runtime log information. In other wo...