Deception technology is far more sophisticated than the traditional honeypot. Today’s deceptions look and feel like the real deal, but will attackers take the bait?

If you are a Star Trek: The Next Generation aficionado, you might recall the episode “Ship in a Bottle” where Sherlock Holmes’ archenemy Prof. James Moriarty took control of the Enterprise from the holodeck and threatened to destroy the ship unless his demands were met. The threat was averted when the holodeck program was rewritten to create a false reality within live memory. The Moriarty program was deceived and redirected to the false but realistic pseudo reality and the Enterprise was saved.

Star Trek was ahead of its time by imagining what effectively was a malicious insider threat to the equivalent of a corporate network and using deception technology to redirect the malware. Like so many other technologies — the communicator and the medical tricorder for example — Star Trek’s deception technology of 1993 is reality today.

In fact, such technology is one of the latest weapons being added into the cybersecurity arsenal in which automated decoys are used to lure and trap attackers before they penetrate the network. Deception per se is hardly new — honeypots have long been used as basic deception — and in and of itself, deception technology is not a panacea, security experts stress. However, when used correctly and in tandem with other lines of defense, it can be very effective.

“For the first time since I’ve been in cybersecurity we have tools that tip the weight in favor of the defenders,” observes John Strand, owner of Black Hills Information Security in Spearfish, SD, a DARPA-funded open source security consultancy. Unlike intrusion detection tools, which create an alert once an attacker is already inside a network, deception technology prompts detection earlier in the attack lifecycle, he says.

Traditional cybersecurity tools do not contain the element of surprise, observers note. They can be easily purchased by cyber attackers in Russia, Eastern Europe, and China, which can launch attacks that bypass static technologies, says Strand.

“Every security technology that exists today — I don’t care who the vendor is — can be bypassed. We need to evolve beyond static analysis,’’ he says. “Regardless of what [vendors] offer, it’s pretty much the same [technology] across the board, and when you throw cyber deception into the mix, it greatly increases the opportunity for the attackers to make mistakes. We’re trying to increase the amount of time it takes an attacker to break into a network.”

Deception technology provides a level of uncertainly about a trap until they step into it, “and that gives us little more of advantage,” Strand adds.

“Cyber deception is blowing [security defense] wide open,’’ he says. “It’s dynamic and changing and not same old song and dance we’ve been doing.”

While the deception technology market pales by comparison to some other security product offerings, it is projected to reach $1.33 billion by 2020, according to a 2016 report by research firm Technavio. By comparison, the security information and event management (SIEM) market already was at $2 billion a year ago, according to industry statistics.

According to the Worldwide Semiannual Security Spending Guide from IDC, the 2020 spending on deception technology will be roughly 1 percent of the $102 billion that IDC estimates will be spent on security-related hardware, software, and services.

Enterprises need to keep evolving their defensive strategies. The average cost of a data breach globally is $3.86 million, a 6.4 percent increase from 2017, according to the 2018 Ponemon Institute report.

The good, the bad, and the ugly

Deception technology can be a key part of a holistic cybersecurity approach that includes good firewalls, antivirus software and patch management, agrees Elvis Chan, supervisory special agent in the San Francisco division of the FBI, who manages a squad responsible
for investigating national security cyber matters.

Like many technologies, you need to consider the good, the bad and the ugly. In the case of deception technology, when it works correctly, it “mimics a server that may have some juicy-looking information,” Chan says. “If you’re able to monitor a bad actor getting on your network, you can see tools they’re dropping, ports they’re going to — the treasure trove of activity. That’s the good.”

The bad is, “If you don’t do a good job making your honeynet part of your network, the bad guys know their cover is blown and will bail out of there,” Chan notes.

Gorka Sadowski
Senior Director, Gartner

Then there is the ugly. This would be the scenario where, if a cyber attacker realizes someone is trying to fool them, there could be retribution, Chan says. “If you’re only aware of them being in the honeynet, they may be in another portion of your network and burn that down.”

Sweetening the honeypots

The history of cybersecurity boils down to enterprises first ignoring it, then trying to prevent attacks, then giving up, then trying to protect systems, observes Gorka Sadowski, a senior director and analyst at Gartner. “Now, it’s about detecting [an attack] as efficiently and quickly as possible by shortening the time between something happening and reacting to it,” he says.

Deception tools traditionally have been highly distributed with an emphasis on creating and managing the lures and fakes deployed all over an organization, he says. And honeypots have been expensive and very complex to use, he adds.

“The goal for honeypots was to trap the attackers for analysis,’’ Sadowski says. “You wanted to bring them into a sandbox to observe the enemy and that’s why those systems were complex.”

Doug Saylors, director
Information Services Group

In general, deception technologies have a place in the cyber-protection scheme alongside a defense-in-depth approach, says Doug Saylors, a Dallas-area director at the global consultancy Information Services Group (ISG). These technologies offer an additional layer of protection and in some cases can be used to fool hackers into attacking environments specifically built to track and study attack patterns.

Although they have been useful in identifying attackers, honeypots are cumbersome to manage, Saylors agrees, “effective use in large environments requires extensive automation capabilities.”

Fast forward to today and deception tools have evolved into high-fidelity sensors with machine learning approaches that provide cost-effective believability, says Sadowski.

For example, a machine learning deception system will go into an active directory and analyze the naming conventions an organization has adopted. Then it will generate 100,000 fake users that will all abide by whatever policy has been put in place. What is interesting, he notes, is that the system learns the information on its own.

Machine learning is one of the new pillars of deception technology, and whereas in the past, this work had to be done by hand, today deception systems are cheaper because they are machine-learning driven, Sadowski says.

Newer deception technology products that are targeted at preventing specific type of attacks, such as from ransomware and zero-day [attacks], are becoming more commonplace and are proving effective in identifying and stopping attacks, says Saylors.

Like Sadowski, Saylors says the introduction of advanced machine learning into these products continues to increase their viability in the cyber tool portfolio, along with tools that use cloaking technologies.

Where deception vendors are pushing boundaries is on the feedback loop, Sadowski believes. Deception tools observe the behavior of an attacker to learn, for example, if they are going after a specific person, like the company’s vice president or CIO or someone in engineering — or perhaps a random employee.

“Then what’s interesting is using lures and fakes targeted at what the attacker is looking for. Now you’re enticing the attacker by putting bread crumbs in front of him or her that you know they’re looking for,” he adds.

Humans are sometimes involved to understand how the attackers work, but for the most part the systems are automated; it is the algorithms that understand indicators of compromise (IoC) and tactics, techniques and procedures (TTPs), he says.

“Yesterday’s honeypot was not for the faint of heart and today’s can be operated by teams that are not experts in field, and that’s contributed to deception vendors having an opportunity to go back to pitching this type of solution today,” Sadowski says

It is the reduction in complexity and cost that is driving renewed interest in deception systems, he says.

The problem, Sadowski believes, is that these systems could end up being “priority number four when organizations only have budget for the first three. For me to be bullish, I need a clear vision that it will become a big domain in cybersecurity and I’m not convinced about that, because we’ve already gone through cycles of very promising technologies that fizzled.”

That said, for the foreseeable future, “deception technologies are a very valuable tool in an organization’s arsenal to combat threat detection and response,” he opines.

A work in progress

The FBI’s Chan believes deception technology is “sound,” but “it needs to be seasoned.” Deception systems will only work if the honeynets look authentic. “We also call it ‘pocket litter,’” he notes, like the odds and ends people carry around with them. “You want your honeynet to have good-looking pocket litter and all the directories have names that sound authentic. There’s a little bit of an art to that.”

John Strand, owner
Black Hills
Information Security

For example, if you are developing a honeynet that is supposed to look like a research and development server for a specific project, it should have “the topics and directories and documentation that would make sense, and a locked door people will try to bang against,’’ Chan says. “You have to make that door leading to nowhere look enticing. That’s where you’re going to learn … the trade craft of a bad actor, and you can hone your system to harden it.”

Strand believes that cyber deception technology is only just beginning to make waves. He likens a cyberattack to a room that an attacker is able to enter and turn on a light switch and move around with full visibility. “Now, imagine that room is dark and has all kinds of obstacles … so they bang their shins on a table and that’s what we’re trying to do. And cyber deception gives us that ability.”

Government activity

The reality is, deception works, and it is working right now at the Sandia National Laboratories in Albuquerque, NM. Sandia developed the High-Fidelity Adaptive Deception & Emulation System (HADES) platform as a method for defending against adversaries in real time. The platform is comprised of software-defined networks (SDN), cloud, dynamic deception and agentless virtual machine introspection (VMI) technologies.

Vince Urias
Computer Science Researcher
Sandia National Labs

The idea is to create deception and directly interact with the adversary. At the onset of an attack, the platform “live-migrates the attacker into a realistic deception environment that is a high fidelity, functioning copy of the breached environment,” says Vince Urias, a computer science researcher at Sandia.

The platform is designed to perform multiple steps: It isolates the deception environment from the host system to protect data, offers the defender an undetectable but omniscient view of the attacker’s movements, enables instantaneous adjustment to the adversary’s changing attack vectors by modifying the deception environment; and provides comprehensive analytics about the attack for both real-time and post-event analysis, he says.

Unlike static honeypot-based approaches that trigger when a bad actor touches a honey token or cue, Urias maintains that HADES has the ability to “obscure the real target, devalue information gathering and cause the adversary to waste time and resources.” It also forces the adversary to reveal advanced capabilities, expose their intent and limit the scope and duration of attacks, he says.

Echoing Chan, Urias says that honeypots and other decoy environments traditionally have not provided a sufficiently realistic environment in which the adversary will perform actions that display his or her capabilities.

“Thus, they often result in wasting some of the attacker’s resources but do not keep the adversary around long enough for the defender to study him and gather actionable intelligence,’’ he says. “And while these methods can be effective at protecting data if a breach is detected, they do not provide valuable intelligence about an adversary.”

They also alert the adversary that they have been detected, allowing them to learn the defender’s strengths, refine their TTPs and launch new, potentially more successful future operations, Urias says.

More recently, crude deception-based approaches have been deployed, or proposed in academic literature, Urias notes, but he claims that these approaches have significant limitations that inhibit their effectiveness as a comprehensive defense strategy. This is because most fail to leverage virtualization or SDN to assist in the development and technological implementation of high-fidelity environments, he says.

They also lack centralized management and deployment and do not provide rapid or automated response, Urias adds. “The lack of complexity in networking, services and hosts of current deception networks do not leverage resources for a sophisticated emulation for the adversary to interact with.”

Chan declined to comment on the ability of HADES to protect a network from rogue activity by a nation state but says “all national labs are all very aware they’re targets of nation states and we work very closely with all” of them.

Looking ahead

While deception tools are critical to any security environment, the labor associated with the management of these platforms is unwieldy for large organizations, notes Saylors. As the volume and sophistication of attacks increases, it is very difficult for enterprises to keep up with managing the rulesets and configurations required to keep intruders out, he says. As a result, enterprises are significantly increasing staff associated with the maintenance of their existing toolsets.

However, automation is slowly making headway into the security space, he says, although he thinks it will be another two to three years before it makes a significant dent.

“The use of next-gen appliances is also helping reduce overhead, as are the use of software-defined networks and micro-segmentation technologies in the compute and network layers,’’ says Saylors. “The main issue we see today is lack of discipline in hygiene and configuration management, leading to the introduction or re-introduction of vulnerabilities hackers are able to exploit. A strong focus in this area would significantly reduce attacks.”

One of the best ways organizations can keep attackers at bay is by adhering to the National Institute of Standards and Technology (NIST) cybersecurity framework, Chan believes. “The reason I’m not talking about tools is you can use different tools or hardware to get to the same aim.” The framework remains the same, he says, and is the single most important thing organizations can implement.

“The one [other] thing that’s not even a tool or hardware that drive me crazy and I wish more companies did, is table-top exercises to flex their response plans and then just ongoing regular cybersecurity training for their employees,” Chan says. “When I see intrusions happen, it’s 90 percent [due to] people clicking on things they shouldn’t or using the same passwords and not doing two-factor authentication.”

For Saylors, it is about ensuring configurations are locked down, using strong encryption for data at rest and data in motion, and maintaining a skilled workforce that has the proper amount of time to focus on security presentation and remediation activities.

Chan says there are no enterprise-level tools that are new and different. “I see what is working defensively: segmented networks, firewalls,’’ he says. “The secret sauce is defense in-depth.”

Yet, there is no doubt in his mind that deception technologies are a part of the recipe when organizations are setting up or honing their cyber strategies.

“However, if we’re going to analogize this to an automobile, I would say firewalls are like seatbelts and antivirus is preventative maintenance,’’ Chan says.

“Where deception technology fits in is it’s the laser guide that lets you know when you’re too close to the car in front of you,” he says. “It’s a nice-to-have option if you can afford it … and if you can figure out patch management, good firewalls, good AV, good access control, segmentation of your network — those are all the basics.”