Deception: Honey vs. Real Environments A primer on choosing deception technology that will provide maximum efficacy without over-committing money, time and resources.
Deception technology is offering defenders the ability to finally gain a rare advantage over adversaries by doing something that other forms of defense can't: provide early and accurate detection by planting a minefield of attractive decoys to trip up attackers. We've seen examples of this type of defense used by the FBI and other top law enforcement to catch criminals such as child pornographers and, more recently, egregious financial theft.
Decoys are designed to catch early-stage activity as the adversary looks to understand the network and how to find its target. I call this early stage of an attack "casing the joint," and my research has shown that interrupting this stage — ultimately, reducing the dwell time of a potential attack — is crucial to protecting data. Defenders can watch what is happening, learn more about the nature of the attack, and better understand the way that the attacker is moving through a network or even a cloud-based file share.
More organizations are starting to look at deception as a way to plug the gaps of existing deployed security solutions such as data loss prevention, encryption, access management, and user behavior analytics. But how can security teams determine which form of deception is the right one for their organizations? It's up to each organization to determine which deception approach makes the most sense for them.
Defining "Honey" Environments
Currently, most offerings in the deception market are focused on the buildout of complex honey environments, designed to lure attackers into fake systems to distract and track their behaviors.
A honeypot is a network-adjacent system set up to lure adversaries and to detect, deflect, or study hacking attempts. There are various types of honeypots, classified by the level of interaction they conduct with an intruder. When designed properly, honeypots are meant to prevent adversaries from accessing protected areas of an organization's operational network. A properly configured honeypot should have many of the same components of an organization's production system, especially data. Their most significant value is the information they can obtain on the behavior of the adversary and what the intent of the attacker is. Data that enters and leaves a honeypot allows security staff to gather information, such as the attacker's keystrokes or their attempted lateral moves throughout the fake honeypot system.
A honeynet is a network of multiple honeypots designed to simulate a real network. Essentially, they are large-scale network decoys that mimic a collection of typical servers that might be found on a business network. According to the SANS 2017 report, "The State of Honeypots: Understanding the Use of Honey Technologies Today," "Honeynets connect and interact in the same way a real network would — none of the connections between systems are emulated." On a scale of 1 to10, with 10 being the most effective, users of honeypots surveyed in this SANS report rated honeynets at 7.5 in terms of overall effectiveness. Like honeypots, the biggest value of a honeynet deployment is the intelligence security teams can gather on attacker behavior.
When properly built and maintained, honey environments can provide valuable information about how the attacker moves around in a network in search of data to exfiltrate. But only if the attacker enters the honeynet.
There are some significant challenges and shortcomings that make honey environments difficult to deploy, manage, and maintain. Before investing, you need to conduct a serious costs-benefit analysis.
First, while honey environments are built and maintained outside of the enterprise's operational environment, honeynets still require hackers to gain initial entry through the operational environment. Organizations must then hope that the breadcrumbs leading to the honey environment are convincing enough to actually lure the hacker. Also, once a hacker leaves the fake environment, there is no way of knowing if he or she re-enters the operational environment to continue an attack or what data they may have exfiltrated prior to tripping over a breadcrumb.
Second, the cost and resources required to create these environments can put a strain on security teams that are already overwhelmed by the number of security alerts and investigations they do on a daily basis. Organizations must establish an environment that mimics the operational environment in order to have any chance that attackers will believe it is real. Then, that environment must be maintained to keep it realistic. This level of investment and upkeep to make a honeynet work is no small commitment.
Third, there are limits to the usefulness of the data that honey environments can provide on adversaries. It's true that they are a good method for learning more about how attackers move throughout a system in search of data to steal, but they reveal little about the actual hacker and what happens to data once it has been stolen.
Finally, adversaries have become increasingly sophisticated in identifying "tells" in honey environments. Hackers who present any serious threat will often target specific IP addresses that they know are valid machines. If a hacker wants to identify any honeypots sitting on a corporate network (a process known as "fingerprinting"), it is easy to do because the machine will either have no outbound traffic, or the deceptive traffic will be contrived and not follow a normal usage pattern. For a honeynet to have any value, an intruder shouldn't be able to detect that he or she is on a fake system. The goal is to give the adversary a false sense of reality and a false sense of security that his or her actions are not being noticed or monitored.
Deception in the Real World
Deploying deception technology within operational and cloud environments allows security teams to detect and deceive attackers in the direct path to sensitive data instead of hoping they are lured away. Deployment of believable decoy documents inside operational networks provides all of the same benefits of honeypots and honeynets but negates the need to create and maintain fake environments.
Deception that does not depend on honey environments can also be used to proactively fight back against hackers and leakers. Attackers rely on various tools for anonymity, and these tools often contribute to the success of bold attacks. Deception techniques not limited by fake environments can be used to pierce these tools and reveal attackers, often without their knowledge. This provides a unique advantage for organizations and law enforcement to hold hackers and leakers accountable.
Dr. Salvatore Stolfo is the founder and CTO of Allure Security. As a professor of artificial intelligence at Columbia University since 1979, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people. Dr. Stolfo has ... View Full Bio