This is a new category this year and it may, over time, prove to one of our most interesting. The idea of deception networks began sometime ago with the Honeynet project. The idea then was that with a honey pot – or honeynet – you could gather a lot of information about how the adversary attacked by monitoring his actions and analyzing them after the fact.
Today's deception networks are a lot more than really smart honeynets. They are crafted to entice a criminal to perform his actions on a network that looks – and sometimes is – the real enterprise. Deception vendors have several ways of accomplishing this. In some cases, the deception network is an overlay on the real enterprise. This lets the adversary interact with the network in a real way but without endangering the network, network devices, applications or data. Interspersed with the real targets are deception targets which may include applications, devices such as servers and data. The adversary cannot discern the real assets from the deception targets.
When the deception network is completely separate from the real network, it behaves more like a honeynet. In this case the adversary is lured to a network that looks like part of the real network but isn't. In either case the deception network is heavily instrumented and gathers logging data in sufficient detail to useful forensically. Those data are protected from compromise to make them forensically useful.
The paradigm shift from honeynets as research tools to deception networks as part of the security stack has not taken place overnight. Until fairly recently, deception networks and honeynets were considered little more than research toys, to be deployed in universities and as learning/research tools. Today, we see these networks as viable security tools as well as research tools. Here in the labs we have a home-brew deception network that we use for intelligence gathering. It is not configured to provide protection. Rather it is a rather old-school honeynet with one exception: The level of instrumentation and the types of lures are more typical of today's deception nets.
We have two deception networks this year in our innovator's group. They do their tasks somewhat differently but they certainly are at the top of the deception game.