The second of a two-part post on deception.
Distributed deception platforms have grown well beyond basic honeypot trapping techniques and are designed for high-interaction deception, early detection, and analysis of attackers' lateral movement. They also shift the asymmetry of an attack: once a threat is inside the network, the attacker has to be right 100% of the time or reveal their presence, while the defender only needs one engagement with a decoy to detect them. Decoys obscure the real attack surface, and the engagement itself yields the threat intelligence and counterintelligence needed to outmaneuver a skilled human adversary.
Given the increasing number and sophistication of today's breaches, it's not surprising that deception is gaining widespread attention. Neil MacDonald from analyst group Gartner recently recommended it as a 2017 top 10 cybersecurity initiative. Research and Markets has noted the global deception market is expected to grow to $2.12 billion by 2021.
There are a variety of deception solutions available, ranging from very simple traps to fully automated deception platforms. While individual deceptions offer benefits within their own approach, this post focuses on the features common to the distributed deception platforms on the market, which are the most sought after because of their comprehensive detection of and response to advanced threats.
How Deception Works
Fundamentally, deception is designed to detect attackers when they conduct reconnaissance, move laterally from the initially compromised system, and seek to harvest credentials from other systems. The assumption behind deception is that no one should be engaging with the deception servers, decoys, lures, or bait, because they provide no production capability that employees would access. Deception assets aren't advertised to employees, so any reconnaissance against them is a red flag, and any engagement should prompt immediate action to prevent attackers from escalating the intrusion. In practice the few legitimate sources of such traffic (vulnerability scanners, asset inventory tools) are known in advance and can be allow-listed, which is what keeps the alerts high-fidelity.
Changing the Asymmetry on Attackers
Deception technology plays an instrumental role in changing the asymmetry of attacks. However, for deception to work it needs authenticity and attractiveness, or it will not fool a savvy human attacker. Deception credentials that are registered in Active Directory pass the validation an attacker performs on harvested credentials and therefore look like genuine, attractive targets. Decoys that run real operating systems and can be customized to match the production environment appear authentic and trick attackers into revealing their presence, whereas facades built on emulation can be identified quickly and avoided. Dynamic behavioral deception techniques go further by using machine learning to adapt the decoys to the network's observed behavior, applications, and device profiles, and by continually refreshing them so they remain attractive.
Additionally, adaptive deception lets organizations reset the synthetic deception environment on demand. If you suspect attack activity, resetting the deception attack surface defeats any fingerprinting the attacker has done to mark and avoid decoys, creates uncertainty, and increases the likelihood of the attacker making a mistake. The added complexity and cost of starting over slows the attack and acts as a deterrent, driving the attacker to restart or to seek an easier target.
Early and Accurate Detection
Deception-based detection is designed to detect in-network attackers early, regardless of the attack vector. Unlike anomaly-based detection, it does not need a learning period to baseline the network and is effective upon deployment. Network, endpoint, data, application, and Active Directory deceptions work together to detect lateral movement, credential theft, man-in-the-middle attempts, and Active Directory attacks.
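The detection principle described above (no one legitimately touches a deception asset, and a decoy credential planted in Active Directory is exercised only by someone who harvested it) reduces to a simple rule that needs no baseline. The following is an added example, not code from the original post or from any deception vendor: the decoy account names, decoy host addresses, the allow-listed scanner address, and the flat key=value log format are all constructed for illustration.

```python
"""Flagging engagement with deception assets from authentication and network events.

Added example, not code from the original post or any deception vendor.
Decoy names, addresses and log formats below are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Inventory of planted deception assets (hypothetical values).
# Decoy accounts exist in Active Directory so they pass an attacker's validation,
# but no person or service ever uses them: any authentication with them is suspect.
DECOY_ACCOUNTS = {"svc_backup_adm", "sqladmin_legacy"}
# Decoy servers and shares: no production system points at these addresses.
DECOY_HOSTS = {"10.20.30.200", "10.20.30.201"}
# The only hosts that legitimately touch every address (e.g. the vulnerability
# scanner). Allow-listing them is what keeps decoy alerts near zero false positives.
ALLOWLISTED_SOURCES = {"10.20.0.5"}

# Windows Security event IDs where a decoy account name carries meaning.
AUTH_EVENTS = {"4624", "4625", "4768", "4769", "4776"}


@dataclass
class Alert:
    severity: str
    reason: str
    source: str
    raw: str


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse a flat key=value line (quoted values allowed) into a dict."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def evaluate(line: str) -> Optional[Alert]:
    """Return an Alert if this event engages a deception asset, else None."""
    ev = parse_event(line)
    src = ev.get("IpAddress") or ev.get("SrcIp", "")
    if src in ALLOWLISTED_SOURCES:
        return None  # known scanner: the one expected source of decoy traffic

    user = ev.get("TargetUserName", "").lower()
    if ev.get("EventID") in AUTH_EVENTS and user in DECOY_ACCOUNTS:
        # 4625 = the credential was tried and failed; 4768/4624 = it was validated
        # or used successfully. Either way a harvested decoy credential is in play.
        outcome = "failed" if ev["EventID"] == "4625" else "succeeded"
        return Alert("high",
                     f"decoy credential {user!r} used ({outcome}, event {ev['EventID']})",
                     src, line)

    dst = ev.get("DstIp") or ev.get("Computer", "")
    if dst in DECOY_HOSTS:
        return Alert("high",
                     f"connection to decoy host {dst} (port {ev.get('DstPort', '?')})",
                     src, line)
    return None


def engagements(lines: Iterable[str]) -> List[Alert]:
    """All decoy engagements in a batch of events."""
    return [a for a in map(evaluate, lines) if a is not None]


def sources_by_alert_count(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Rank sources: a host that touches several decoys is moving laterally."""
    return dict(Counter(a.source for a in alerts).most_common())


# Constructed sample events (not real logs): one normal logon, a Kerberos TGT
# request and a failed logon with decoy accounts, a flow to a decoy share from
# the same host that requested the TGT, the allow-listed scanner, and normal traffic.
SAMPLE_EVENTS = [
    'EventID=4624 Computer=FS01 TargetUserName=jsmith IpAddress=10.20.1.15 LogonType=3',
    'EventID=4768 Computer=DC01 TargetUserName=svc_backup_adm IpAddress=10.20.1.15',
    'EventID=4625 Computer=DC01 TargetUserName=SQLADMIN_LEGACY IpAddress=10.20.1.77 Status=0xC000006A',
    'SrcIp=10.20.1.15 DstIp=10.20.30.200 DstPort=445 Action=allow',
    'SrcIp=10.20.0.5 DstIp=10.20.30.200 DstPort=445 Action=allow',
    'SrcIp=10.20.1.40 DstIp=10.20.5.9 DstPort=443 Action=allow',
]

if __name__ == "__main__":
    hits = engagements(SAMPLE_EVENTS)
    for a in hits:
        print(f"[{a.severity}] {a.source}: {a.reason}")
    print("sources ranked:", sources_by_alert_count(hits))
```

Two details matter in practice. The failed logon (4625) with a decoy account fires just as loudly as the successful Kerberos request, because the name itself should never appear in an authentication attempt; and ranking alerts by source host turns individual touches into a lateral-movement picture, since the host that validated the decoy credential is the same one that then connected to the decoy share.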
Today's threat landscape and attack surfaces are ever-changing, and detection methods must adapt to catch threats early, both at the endpoint and as they move through the network. Comprehensive deception technology scales with the evolving attack surface and detects threats throughout user networks, remote and branch offices, and data centers; it extends to cloud environments as workloads migrate there, and to specialized networks such as point-of-sale systems. Out-of-band deployments provide the best operational efficiency and scalability, and agentless endpoint deception simplifies deployment and management. If your organization uses an endpoint detection and response solution, look for vendors whose integrations provide automated deployment and integrated management.
Attack Analysis, Forensic Reporting, and Integrations
Deception platforms with built-in attack analysis save time by automating the analysis and correlation of indicators of compromise, which can then be used to accelerate incident response. Threat intelligence and forensic evidence reporting let organizations capture and catalogue all attack activity, supporting an understanding of the attacker's objectives that can lead to better overall security. Deception solutions record attacker behavior and, through integrations, share the full tactics, techniques, and procedures of the engagement with firewalls, security information and event management (SIEM) systems, network access control products, and endpoint agents. These integrations also enable automated blocking and isolation of infected endpoints.
Files containing fake sensitive data, combined with beaconing technology that calls home when a file is opened, provide counterintelligence on which types of files were stolen and where the data ends up. Note that a beacon only fires if the document is opened on a system with outbound connectivity to the beacon endpoint; data opened in an isolated environment will not report back.
Deception slows the attack as threat actors get lost in the deception environment while believing they are escalating their attack. Adaptive deception adds complexity for the attacker by dynamically changing the attack surface the attacker perceives, increasing their cost and acting as a deterrent. Notably, this ability to obscure the attack surface has held up against pen testers, who have also fallen prey to the deception environment and been tracked for days before realizing they had been defeated.
In addition, high-interaction deception for ransomware can slow an attack by 25x or more. Decoy mapped drives lure the ransomware into encrypting reams of fake data, each file access raising an alert, which keeps the malware busy on decoy content while the infected system is isolated from the network.
Ease of Operations and Risk Insight
Deception platforms are straightforward to deploy for detecting and responding to threats, which matters in this age of staff shortages. Deception not only strengthens defenses with early and accurate engagement-based detection, but also plays a critical role in deterring attacks through visibility tools that assess likely attack paths, time-lapsed maps of attacker movement, and integrations for accelerated incident response.
While cyberattacks grow in number and sophistication, deception-based technology provides accurate, scalable detection of and response to in-network threats. Organizations are increasingly turning to deception to close the detection gap and to gain an advantage over attackers through counterintelligence, increasing the attackers' costs, and slowing their attacks.
Read part one: Deception: Why It's Not Just Another Honeypot.