Deception technology, an approach borrowed from military and intelligence agencies, plants decoy endpoints and data to confuse and slow down attackers, giving defenders the chance to turn the tables.
Software to bog down hackers in fake endpoints is the latest trendy method of securing your network. Several startups are already involved in this field, known as deception technology, which can be thought of as a new twist on classic honeypots.
But whereas a honeypot is a separate system designed to lure a hacker, deception software scatters decoy data across your real network endpoints, so that an attacker who gets in cannot tell the decoys from the genuine assets. When a decoy is accessed, it alerts your IT staff, who can then take countermeasures.
As a hacker, "I have to trust what the Trojan puts on my command-and-control console," Gartner security analyst Lawrence Pingree explained. However, "If we lie to the Trojan and lie therefore to the attacker, then we can exploit the fact that they have this trust. It's not much different than having a mouse trap."
Matt Luna, a sales engineer at illusive networks, advocates for this technology. The concept at his company and others is mostly derived from government intelligence agencies, particularly from Israel, he noted. Illusive is partially funded by Cisco Investments and Citi Ventures; the company will soon make an announcement with Microsoft, representatives said.
Aflac is using a version of deception technology from Attivo. "My threat team was working on sort of blue sky projects to identify controls we could put in place for the more advanced threats that traditional security layers are not likely to catch," explained D.J. Goldsworthy, a security specialist at the insurance company. Aflac has had the technology installed for a year and is pleased with how it works, he said.
"It is alerting us to the presence of people who have been deceived into thinking that these systems are real," which Aflac verified by hiring penetration testers, Goldsworthy noted.
Pingree, Luna, and Goldsworthy all agreed that the most important part of using deception technology is to configure the decoy endpoints to look real. You have to plan the configuration from the perspective of how an attacker would see it, they advised.
"The biggest downside is making sure that the deceptive elements you're using to lure the hackers are believable," Pingree said. "The other downside is essentially once somebody is nabbed, you have to decide whether to block them, quarantine that host, or do the forensics. It's not a magic bullet but it does have very low false positives compared to other solutions."
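The two requirements described above, decoys that blend in with the real estate and an alert the moment one is touched, can be sketched in a few dozen lines. The following Python is an added illustration, not code from illusive, Attivo or any other vendor named in this article; the service-account names, hosts and sshd-style log lines are constructed for the example, and the naming-convention check is one simple stand-in for the "make it believable" planning the interviewees describe.

```python
"""Minimal deception-style detector (added illustration, constructed data).

Plants decoy account names that follow the same convention as the real
service accounts, so an attacker who harvests them has no obvious tell,
then scans authentication log lines for any use of a decoy. Because no
legitimate process should ever touch a decoy, every hit is a
high-fidelity alert.
"""
import re
from dataclasses import dataclass

# Constructed "real" service accounts; the decoys must blend in with these.
REAL_ACCOUNTS = ["svc-backup-01", "svc-backup-02", "svc-sql-03", "svc-ci-04"]

# Hypothetical decoy accounts: same prefix and numeric-suffix scheme.
DECOY_ACCOUNTS = {"svc-backup-03", "svc-sql-07"}

# Constructed sshd-style auth log. The last two lines are an intruder using
# decoy credentials harvested from a planted config file.
SAMPLE_LOG = """\
Mar 12 09:14:02 app01 sshd[2211]: Accepted publickey for svc-ci-04 from 10.0.4.20 port 50112 ssh2
Mar 12 09:15:40 db01 sshd[2250]: Failed password for svc-sql-03 from 10.0.4.21 port 50113 ssh2
Mar 12 09:16:01 db01 sshd[2251]: Accepted password for svc-sql-03 from 10.0.4.21 port 50114 ssh2
Mar 12 09:41:17 db01 sshd[2398]: Failed password for svc-sql-07 from 10.0.9.77 port 41022 ssh2
Mar 12 09:41:19 fs02 sshd[1903]: Accepted password for svc-backup-03 from 10.0.9.77 port 41023 ssh2
"""

# Matches the prefix of a standard OpenSSH "Accepted/Failed <method> for <user> from <ip>" line.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+)"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    result: str


def _split(name):
    """Split 'svc-sql-07' into ('svc-sql', '07'); names without '-' get an empty prefix."""
    prefix, _, suffix = name.rpartition("-")
    return prefix, suffix


def decoys_look_real(real, decoys):
    """Believability check: every decoy must reuse a prefix seen on a real
    account and carry a numeric suffix, so it does not stand out in a listing."""
    prefixes = {_split(name)[0] for name in real}
    return all(
        _split(d)[0] in prefixes and _split(d)[1].isdigit() for d in decoys
    )


def scan(log_text, decoys):
    """Return an Alert for every auth event, successful or failed, that names
    a decoy account. Events for real accounts are ignored entirely."""
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m and m["user"] in decoys:
            alerts.append(Alert(m["ts"], m["host"], m["user"], m["src"], m["result"]))
    return alerts


def attacker_sources(alerts):
    """Distinct source addresses to quarantine or hand to forensics."""
    return sorted({a.src for a in alerts})


if __name__ == "__main__":
    if not decoys_look_real(REAL_ACCOUNTS, DECOY_ACCOUNTS):
        raise SystemExit("decoys do not match the real naming convention")
    hits = scan(SAMPLE_LOG, DECOY_ACCOUNTS)
    for a in hits:
        print(f"DECOY TOUCHED: {a.user} on {a.host} from {a.src} ({a.result}) at {a.ts}")
    print("sources to investigate:", attacker_sources(hits))
```

Note that a failed login against a decoy is reported just as loudly as a successful one: the value of the decoy is that any interaction at all is attacker activity, which is why this class of signal carries so few false positives compared with anomaly-based controls.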
Pingree said 2017 will see plenty of instances where security vendors integrate deception technology with their other products and also with their partners' products. He added that such technology should be part of regulatory and compliance mandates, although he has low expectations of that happening until the software becomes mainstream. But the market for such products isn't paltry—it reached about $40 million in sales in 2016 and Gartner is predicting double that for 2017, he said.
Meanwhile, hackers will catch on to deceptions and develop their own strategies around it, Pingree observed. "What's ultimately going to happen is attackers are going to try to share the types of indicators of the things that look like a deception. So if the deceptions aren't crafty enough they're going to share how it looks," he said. "Even rats are smart enough to figure out if another rat went to that trap and died."
Another security company, Imperva, has a different perspective on the future of deception technology. Imperva included its version of deception in a product called CounterBreach last spring, but it plans to deprecate that feature this year. Instead, the company will build it into anti-ransomware software, a field with mixed results, and into its main product, SecureSphere, said Morgan Gerhart, a product marketing official.
"We see it largely as a technology and an enabler," Gerhart said. "Our take is your typical enterprise, deploying honeypots and stuff like that to throw off hackers, is somewhat dubious in terms of the core value proposition."