Honeypots are deception technology’s earliest ancestor. IT security researchers started using them in the 1990s to lure malicious actors who had already made it onto the network into interacting with a false system. In this way, honeypots could gather intelligence on and assess the behavior of these malicious actors. They were not created for threat detection.
Security tools have progressed a great deal in the years since honeypots were created and deception technology has evolved considerably. The technology has moved beyond honeypots to next-generation distributed deception that surrounds the attacker with realistic, false data, destroying their ability to move laterally. This delivers immense value to organizations globally across a variety of use cases. Here are five benefits deception technology offers:
1. Reduce the noise in the SOC.
Security operations center (SOC) teams are under immense pressure, grappling with a double whammy of a severe talent shortage and an exponential increase in alert volume. According to researchers at CriticalStart, 50 percent or more of that rising alert volume are false positives. Essentially, organizations are spending very scarce security resources chasing shadows.
These teams need an approach that can help them separate the wheat from the chaff, a solution that offers only high-fidelity alerts so they can put their energy towards the incidents that really matter. Deception technology accomplishes this by generating deterministic alerts that are the result of malevolent actors behaving badly. Unlike probabilistic big data or AI approaches, which require extensive set-up and constant tuning to produce alerts, deception technology efficiently reports actual incidents in real time. One wrong move by an attacker instantly reveals their presence with absolute certainty and offers defenders actionable forensic data. Setting off a deception alert requires specific intent and action; these alerts are not the result of an accident, a possibility or just a normal action being misinterpreted. When an alert gets triggered, analysts know it requires immediate attention.
2. Root out malicious insider threats.
Insiders account for more than 60 percent of all incidents, according to a Ponemon Institute report. Not all insiders are malicious, but those who are can operate more quietly and inflict more damage than outsiders because they already have some trusted access and insight into an organization’s valuable assets. However, in many cases, they also must snoop around file systems and acquire credentials and connections to systems and applications to which they do not have authorized access. Just like an external attacker, they must conduct lateral movement. Deception technology helps because it can detect the lateral movement of an advanced insider and help root them out. While it is slightly more complex to fool an insider with authentic-looking deceptions than it is to fool an outsider, it is very attainable through some reverse engineering of the insider’s thought process.
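The deterministic alerting described in the first benefit, and the insider lateral-movement detection described in the second, both rest on one property: every planted credential and decoy host is known in advance, so any authentication that touches one cannot be a normal business action. The following is an added example (not Illusive Networks' product code) that shows that logic over a constructed, simplified authentication log. The `PLANTED_ACCOUNTS` and `PLANTED_HOSTS` registries, the log line format and the `Alert` structure are assumptions made for the example.

```python
"""Deterministic alerting on the use of planted deceptions.

Added example, not vendor code. The registry of planted deceptions, the
log format and the sample log lines are all constructed for illustration.
"""
from dataclasses import dataclass
import re

# Constructed registry of deceptions planted on endpoints. No real user or
# service ever legitimately uses these accounts or connects to these hosts,
# which is what makes a hit on them deterministic rather than probabilistic.
PLANTED_ACCOUNTS = {"svc_backup_old", "fin-share-admin"}
PLANTED_HOSTS = {"10.0.9.44", "10.0.9.45"}

# Constructed, simplified auth-log format: <timestamp> user= src= dst= result=
LOG_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) dst=(\S+) result=(\S+)$")


@dataclass(frozen=True)
class Alert:
    """Forensic context an analyst needs: who, from where, to what, and why."""
    timestamp: str
    user: str
    source: str
    target: str
    reason: str


def parse(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, src, dst, result = m.groups()
    return {"ts": ts, "user": user, "src": src, "dst": dst, "result": result}


def deception_alerts(lines):
    """Return one Alert per log line that touches a planted deception.

    Whether the authentication succeeded or failed is irrelevant: merely
    attempting to use a decoy credential or reach a decoy host is the
    signal. Ordinary failed logins (a common source of SOC noise) produce
    nothing here because they touch no deception.
    """
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        reasons = []
        if ev["user"] in PLANTED_ACCOUNTS:
            reasons.append(f"decoy account {ev['user']} used")
        if ev["dst"] in PLANTED_HOSTS:
            reasons.append(f"decoy host {ev['dst']} contacted")
        if reasons:
            alerts.append(Alert(ev["ts"], ev["user"], ev["src"],
                                ev["dst"], "; ".join(reasons)))
    return alerts


def suspect_sources(alerts):
    """Group alerts by originating host: the machine an attacker or insider is
    moving laterally from is the first thing responders want to know."""
    by_source = {}
    for a in alerts:
        by_source.setdefault(a.source, []).append(a)
    return by_source


# Constructed sample log: normal traffic, one ordinary failed login, and two
# touches of planted deceptions from the same workstation.
SAMPLE_LOG = [
    "2024-05-01T08:02:11Z user=alice src=10.0.1.20 dst=10.0.2.10 result=success",
    "2024-05-01T08:05:43Z user=bob src=10.0.1.31 dst=10.0.2.10 result=failure",
    "2024-05-01T08:06:02Z user=svc_backup_old src=10.0.1.31 dst=10.0.2.15 result=failure",
    "2024-05-01T08:06:09Z user=bob src=10.0.1.31 dst=10.0.9.44 result=success",
    "malformed line that the parser ignores",
]

if __name__ == "__main__":
    found = deception_alerts(SAMPLE_LOG)
    for a in found:
        print(a)
    for src, hits in suspect_sources(found).items():
        print(f"{src}: {len(hits)} deception hit(s)")
```

Note that bob's ordinary failed login at 08:05 raises nothing, while his later connection to a decoy host and the attempted use of a planted service account from the same workstation each raise an alert; grouping by source host is what turns two hits into a lateral-movement lead against 10.0.1.31.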
3. Protect IT and OT environments.
Operational technology systems have become an increasingly tempting target for adversaries because their specialized protocols often prevent them from getting effectively monitored or patched. Similarly, the ongoing struggle to secure IoT devices has made them a popular target. Deception technology lets organizations create highly realistic and interactive decoys, ones that can mimic real-world IoT and OT environments to fool attackers into engagement.
4. Address compliance requirements.
Organizations must comply with a highly complex set of regulations, whether it’s HIPAA for healthcare organizations, PCI for the payments sector or GDPR for any company doing business in the European Union. Staying compliant requires some hard work, but the right deception technology also can assist organizations with this by pre-emptively identifying and removing unused credentials and connections. Such proactive capabilities can help companies ensure they have a strong foundation for staying ahead of new waves of cyberattacks.
5. Integrate on-demand forensics.
Next-generation deception technology reduces the time required for triage, and it also can make it easier to gather forensic data. The integration of deception with other cybersecurity solutions has become critical to automating that forensic process. For example, pairing deception with a SOAR or SIEM can take the context those solutions gather and reveal the actual trail of breadcrumbs an attacker leaves behind. That data can then get sent to a third-party digital forensics expert to accelerate investigations. While companies will still need outside experts for serious response efforts, all security team members can gain a basic understanding of forensics for their day-to-day investigations.
Next-Gen Deception Arrives
Decades ago, honeypots served an important function. But the times and technology have changed and bad actors often recognize and sidestep honeypots now. They are still useful, but distributed deception technology offers an automated and scalable option for quick and accurate threat detection that can quickly stop attacks.
Wade Lance, field CTO, Illusive Networks