This month's group is one of the two emerging product groups that we do each year. Emerging groups comprise products so new that the genre has yet to be defined solidly. Often, the category does not yet have a Gartner Magic Quadrant, so this is cutting edge stuff. Why do this? The reason is you, our readers. These are areas that address cutting edge solutions to bleeding edge problems. There is, usually, a very small group of vendors in the area that we select for your consideration. That certainly is the case this month.
Our topic for this set of emerging products is deception networks. These are networks that are intended to lure an attacker away from your organizational jewels and, at the same time, gather a lot of forensics. Deception networks are not, usually, stand-alone networks – those are, more typically, honeynets. Deception networks are some form of overlay that allows the attacker to feel as if he is in the real network while moving him into various lures and fake devices (or, under certain circumstances, real devices created as honeypots), all the while gathering detailed forensics.
There was a time when the idea of honeypots and honeynets was to gather research data. The well-known Honeynet Project established some very valuable benchmarks for how attackers go after a target. The open source honeyd honeypot daemon brought much of the Honeynet Project's techniques to the public. Today, though, honeyd is not as useful as it once was because attackers have developed techniques to identify honeypots.
The usefulness of deception networks has eclipsed the usefulness of honeypots for several reasons. First, they are not stand-alone contrivances even if they do contain the occasional honeypot at the end of a deception trail. Second, the forensics are far beyond what we knew in the days of the original honeyd. Finally, we have advanced analytics and machine learning that can sense what the attacker is doing and create a deception path consisting of such things as honey users, honey tokens and honey applications, all created on the fly to respond to the attacker's actions.
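As an added illustration of the honey-token idea described above (example code written for this page, not taken from any vendor product): derive a decoy credential from a per-deployment secret, plant it, and then flag any authentication log line that references the decoy account. The seed value and the log lines are constructed for the example.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Assumption: a per-deployment secret; this constant is a constructed demo value.
SEED = b"constructed-demo-seed"

def make_honey_token(label: str, seed: bytes = SEED) -> Dict[str, str]:
    """Derive a decoy username/password pair for a named lure.

    Deriving it from a secret lets the detector re-create what was planted
    without storing the decoy credentials beside the logs.
    """
    digest = hmac.new(seed, label.encode(), hashlib.sha256).hexdigest()
    return {"label": label, "username": f"svc_{digest[:8]}", "password": digest[8:32]}

def sample_log(decoy_user: str) -> str:
    """Constructed sshd-style auth lines (not real traffic); one touches the decoy."""
    return "\n".join([
        "Mar  3 10:02:11 host sshd[411]: Accepted password for alice from 10.0.1.7 port 52110 ssh2",
        f"Mar  3 10:05:42 host sshd[417]: Failed password for {decoy_user} from 10.0.9.23 port 40112 ssh2",
        "Mar  3 10:05:49 host sshd[418]: Accepted password for bob from 10.0.1.8 port 52300 ssh2",
    ])

LINE_RE = re.compile(r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)")

def detect_token_use(log_text: str, tokens: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per log line that references a planted decoy account.

    Failed and successful attempts both count: the decoy has no legitimate
    users, so any reference to it is a high-fidelity signal to start
    capturing forensics on the source address.
    """
    by_user = {t["username"]: t["label"] for t in tokens}
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("user") in by_user:
            alerts.append({"lure": by_user[m.group("user")],
                           "src": m.group("src"),
                           "result": m.group("result")})
    return alerts

if __name__ == "__main__":
    planted = [make_honey_token("finance-share")]
    for alert in detect_token_use(sample_log(planted[0]["username"]), planted):
        print(alert)
```

The decoy name carries no hint that it is a lure, so the detector must match on the derived username rather than on a recognisable pattern.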
The point is that the attacker has no idea what he is getting into until it's too late and the forensics have been captured. That means that a deception array – an array of stand-alone devices – and a deception network, or deception grid, are two different things. That terminology is not, yet, well-settled, by any means. While it certainly is possible to apply the terminology interchangeably, for our purposes it will help differentiate the two types of networks.
Deception technology does provide an excellent platform for research, but its primary purpose is protection. It is rare in our field to see a device or technology that is equally well-suited to research and protection, but deception technology certainly fills that bill.
Click on the following headlines to see this month's offering: