The Edge

A View From Inside a Deception

Pen-testing today's threat deception technology is not for the faint-hearted. Do modern deception tools truly frustrate adversaries, and are they ready for the enterprise SOC?

"I give up." Those are the words you'd like any attacker trying to crack into your systems to say. "I never want to go through this again." Even better.

Penetration tester and security content creator Alissa Knight found herself saying those very words recently when pitting herself against the deception technology by threat detection vendor Illusive. (Also featured: "F*** you, how could this not be working?" "This is a sh** show." And "This just sucks.")

The company encourages pen testers and red teams to take a whack at it; thus far, the Illusive deception tech has stood up against the slings and arrows of over 130 red teams, including Knight's, who was commissioned by Illusive and recorded the test. (She'll be doing a follow-up later this month.)

"I walked into this very arrogant," says Knight, in an interview with Dark Reading. "You know, 'The only reason they haven't ever lost a red team was because it wasn't me.' … I was thinking, 'Oh, this is just lipstick on a pig. This is just, you know, a honeypot with venture capital.' Right? But I was wrong."

Detection and Disruption
Today's deception technologies are more than gussied-up honeypots. Companies like Attivo Networks, Smokescreen, Acalvio, TrapX, and Illusive use deception tactics that are dynamic rather than passive: instead of simply setting a trap and hoping an attacker falls in, they detect threats and actively respond.

In Illusive's case, when the tool detects certain suspicious activity, such as an attempt at lateral movement, the deception engine kicks in, sending the attacker spinning into a world of make-believe.

Annoys Attackers. A Lot.
"It's like The Matrix," says Knight. "You start to wonder what's real and what's not."

The credentials she'd harvested? Fakes. That domain admin? A domain admin for nothing. That network she'd been pivoting around for hours was completely synthetic, sprinkled with synthetic bread crumbs of fakeness. Decoy after decoy, leading to nowhere.

"I couldn't trust my own decision-making. I couldn't trust my own tools," says Knight. Even knowing that she was pitted against a threat deception tool didn't help; she says she felt it was "following" her.

"I've done over 100 penetration tests in my 20-year career, and I've always been able to get through. And in this case I just got nowhere, and it was the most frustrating thing."

For the people on the Illusive side, of course, it's a far more relaxing and enjoyable experience.

"I love it," says Illusive founder and CEO Ofer Israeli. "It's always good fun. We're happy to do it. It proves out the value."

Israeli further points out that the Illusive technology automatically generates deceptions that are unique to each environment and each machine. This, he says, makes it more difficult for attackers to break through the security technology.

"If an attacker gets Illusive, puts it in his lab, [and] prepares for [an attack], his deceptions are applicable to his lab," says Israeli. "And when he attacks the real environment the next day, those deceptions are going to look totally different."

Generate Fewer False Positives
While deceiving attackers is fun, Israeli says detecting threats is the important goal.

"What we really need to do for our client is to provide better threat detection. Right? It doesn't matter that we do it through deception or that we could have done it through magic," he says. "And so our discussion really is … can you sleep quietly at night knowing that attackers do gain access to the network? Will you be able to see their activity once they're within? And commonly the answer is, 'No. We don't know for sure.'" He adds that many tools kick up false positives that further complicate the problem.

Knight points out that deception solutions issue few false positives.

"Tell me when there's an instance where someone will legitimately be using synthetic credentials or interacting with a synthetic host," she says. "I can't imagine not getting out of bed for an alert" from such a technology.
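The two mechanisms described above, decoys that are unique to each machine and alerts that fire only when a synthetic credential is used, can be sketched in a few lines. The following is an added example written for this article, not Illusive's code or anything the company has published: it derives a decoy username/password per host from a keyed hash (so decoys generated in one lab do not match another deployment's) and then scans constructed authentication log lines for any use of a decoy username. The log format, the hostnames, the seed and the `svc_` naming convention are all assumptions made up for the example.

```python
"""Added example, not the vendor's implementation: per-host decoy
credentials plus high-fidelity detection of their use in auth logs."""
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed per-deployment secret; a real deception platform would manage
# this centrally. Changing it changes every decoy, which is the point.
SEED = b"example-deployment-seed"


def decoy_credentials(hostname: str, seed: bytes = SEED) -> Dict[str, str]:
    """Derive a decoy username/password pair that is unique to one host.

    HMAC-SHA256 keyed with the deployment seed means decoys differ per site
    and per machine, so studying one environment reveals nothing about another.
    """
    digest = hmac.new(seed, hostname.encode(), hashlib.sha256).hexdigest()
    return {"username": f"svc_{digest[:8]}", "password": digest[8:32]}


def build_decoy_index(hostnames: List[str], seed: bytes = SEED) -> Dict[str, str]:
    """Map each decoy username to the host it was planted on, for fast lookup."""
    return {decoy_credentials(h, seed)["username"]: h for h in hostnames}


# Assumed log format (constructed for the example):
#   <timestamp> auth src=<ip> dst=<host> user=<name> result=<success|failure>
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def detect_decoy_use(log_lines: List[str], decoy_index: Dict[str, str]) -> List[dict]:
    """Return one alert per auth event that used a decoy username.

    Success or failure does not matter: no legitimate user should ever present
    a synthetic credential, so any attempt is worth an alert.
    """
    alerts = []
    for line in log_lines:
        m = AUTH_LINE.match(line)
        if not m:
            continue  # unrelated or malformed line
        user = m.group("user")
        if user in decoy_index:
            alerts.append({
                "time": m.group("ts"),
                "source": m.group("src"),
                "target": m.group("dst"),
                "decoy_user": user,
                "planted_on": decoy_index[user],
                "result": m.group("result"),
            })
    return alerts


# Constructed sample data: two monitored hosts and three auth events, one of
# which reuses the decoy planted on ws-finance-07 against the domain controller.
HOSTS = ["ws-finance-07", "ws-hr-12"]
DECOYS = build_decoy_index(HOSTS)
_planted = decoy_credentials("ws-finance-07")["username"]
SAMPLE_LOG = [
    "2024-01-01T09:00:01Z auth src=10.0.5.7 dst=fileserver01 user=jdoe result=success",
    f"2024-01-01T09:02:14Z auth src=10.0.5.7 dst=dc01 user={_planted} result=failure",
    "2024-01-01T09:03:00Z auth src=10.0.5.8 dst=dc01 user=asmith result=success",
]

if __name__ == "__main__":
    for alert in detect_decoy_use(SAMPLE_LOG, DECOYS):
        print(f"ALERT {alert['time']}: {alert['source']} used decoy "
              f"{alert['decoy_user']} (planted on {alert['planted_on']}) "
              f"against {alert['target']} ({alert['result']})")
```

The alert carries the host the decoy was planted on, which tells the responder where the credential was harvested from even when the authentication attempt itself was rejected; that provenance is what makes a decoy alert actionable rather than just loud.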

All Grown Up?
Deception products are still not suitable for every company. Israeli concedes that Illusive is not for small businesses but is aimed at organizations with 500 employees and above.

The technology isn't, however, just a toy for engineers. It's becoming a more effective tool for the enterprise security operations center. Integrations with other SOC staples like EDR and SIEM, SOAR, and UEBA have become common. Deception companies partner with MSSPs, system integrators, and cloud providers, and offer deceptions for cloud environments.

As Knight puts it, there are many different methods that attackers may use to compromise a target, but there's one thing they all have in common.

"The same thing across all adversaries is pivoting," she says. "That's the one thing that will never change."

Deception, she says, makes pivoting within an environment more challenging.

"I've just never seen anything like this," she says, "to disrupt the adversary's decision-making."