This month, SC Labs takes a look into the deception network tools, one of the emerging product groups that we are looking at this year. This market is still new by comparison, but these companies are making improvements in this space at a rapid pace. Often the emerging product categories don’t have a Magic Quadrant yet, but that doesn’t take anything away from the value that these solutions can provide. Although most tools in this space have only been around a short time, they are well polished and shouldn’t be overlooked.
With honeypots and honeynets dating back to the ‘90s, deception was originally perceived as an effective form of understanding how attacks evolve. Decoys let researchers implement different approaches to data analysis: assessing the tools and malicious software used during attacks. While the information was extremely useful in understanding the typical behaviors of attackers, the next step was using the information to help secure an organization.
While these tools greatly helped researchers and security technology developers understand what resources an attacker used, what they looked for and how they executed an attack, they didn’t offer a lot of commercial protection. But the potential of this rich information set inspired a crop of new companies that developed software to take honeynets to the next level. They created decoy systems that emulated workstations, servers, networking equipment, printers and other connected technologies.
The tools we looked at all share the same premise: gather forensic details while the attacker is trying to tell the difference between real assets and the impressively real-looking decoys, compelling them to proceed with even more caution. One mistake can reveal their presence and force them to abandon their efforts altogether. Each tool we considered focuses on a few different areas and has a few different tricks up its sleeve, but all do a great job at fulfilling the base premise.
Decoys are often created using machine learning to emulate real assets on the network and blur the lines even more. Deception networks can be scaled from a few hundred decoys to a few thousand, depending on the solution and the network. These are typically virtualized systems, and interactions with them are the same as those with real systems. Some tools further the deception by generating decoy files that contain plausible-looking information. Most tools in this space use breadcrumbs or “bait” to entice the attacker to interact with the decoys, triggering alerts and capturing forensic data.
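The core idea above, that a decoy has no legitimate users so any interaction with it is an alert worth forensic capture, can be shown in a few dozen lines. The following is an added example written for this review, not code from any of the products discussed: a hypothetical decoy service that presents an SSH-style banner, records who connected, when, and what they sent first, and raises a high-confidence alert record for each touch. The banner string, port choice and alert fields are all assumptions made for the illustration.

```python
import json
import socket
import socketserver
import threading
import time

# Assumed banner for the hypothetical decoy; real products emulate many service types.
BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"


class DecoyHandler(socketserver.BaseRequestHandler):
    """Every connection to the decoy is suspicious: there is no legitimate client."""

    def handle(self):
        self.request.settimeout(2.0)
        self.request.sendall(BANNER)          # look like a real service
        try:
            first = self.request.recv(256)    # capture what the client sends first
        except (socket.timeout, ConnectionError):
            first = b""
        src_ip, src_port = self.client_address[:2]
        alert = {
            "ts": time.time(),
            "severity": "high",               # decoy touch = high-confidence signal
            "decoy_port": self.server.server_address[1],
            "src_ip": src_ip,
            "src_port": src_port,
            "first_bytes_hex": first.hex(),   # forensic detail for later analysis
        }
        self.server.alerts.append(alert)


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr):
        super().__init__(addr, DecoyHandler)
        self.alerts = []                      # in-memory alert sink for the example


def start_decoy(host="127.0.0.1", port=0):
    """Start the decoy in a background thread; port 0 lets the OS pick a free port."""
    server = DecoyServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def simulate_touch(port, payload, host="127.0.0.1"):
    """Constructed client interaction used only to demonstrate the decoy locally."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


def wait_for_alerts(server, count, timeout=5.0):
    """Poll until the decoy has recorded `count` alerts or the timeout expires."""
    deadline = time.time() + timeout
    while len(server.alerts) < count and time.time() < deadline:
        time.sleep(0.05)
    return list(server.alerts)


if __name__ == "__main__":
    server, port = start_decoy()
    simulate_touch(port, b"SSH-2.0-paramiko_2.7\r\n")   # constructed sample interaction
    for alert in wait_for_alerts(server, 1):
        print(json.dumps(alert, indent=2))
    server.shutdown()
```

The alert record is deliberately small: in a production deployment the same fields would be forwarded to a SIEM or EDR console, which is where the dashboards mentioned later in this review come in.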
Creating the decoys is just the first step in the process. These systems offer a lot of additional tools like endpoint detection and response (EDR) to help you understand what attackers did while inside the network and what lateral movement they used. Some tools even let you completely refresh your deception footprint with a few simple clicks of a mouse. With a plethora of dashboard displays, each tool puts a wealth of information at your fingertips.
While deception technologies started off as a platform for research, their new primary function is adding a much-needed layer of protection. It is rare to see tools mature from one purpose to another in such a short timeframe. Where will it go next? Will we see deception integrate tools that will allow for real-time remediation? Could we see someone leverage machine learning to attack the attacker? Deception networks certainly bear watching as they continue to evolve.
Please check below for all the Emerging Product reviews for August.