In cybersecurity there is an adage that the adversaries only need to be right once to succeed, while the good guys have to be right every single time or face severe consequences. Therefore, security teams need to stay vigilant all the time. Daniel Bardsley explores how deception technologies can give the defenders a unique advantage against attackers.
Deception technology, according to Ori Bach of the Californian-headquartered cybersecurity company TrapX, is nothing less than a paradigm changer.
It used to be the case, he says, that the “good guys needed to win every time and the bad guys only needed to win one time”. Now, though, things are turned on their head.
“It’s not about reducing the attack surface; it’s about increasing attack surfaces, creating more fake attacks,” he says.
“With deception, the bad guys constantly have to be careful not to touch one of our traps. The moment they hit one of our traps, it’s over for them. We sit back and watch them fail.”
Drawing parallels with military deception, which has been a key element of warfare down the millennia, deception involves luring in cyber-attackers by offering up enticing targets that are, actually, part of a decoy system.
Deception technology can be relatively simple, such as encouraging attackers to go after false leads by deploying text that is attractive to hackers in the network.
Or it may involve having a shadow network that has many parallels with the real thing, which is always changing.
The use of deception technology is not just an acknowledgement that a perfect firewall, able to keep all attackers out, is an unattainable goal. It also reflects the fact that benefits can accrue from having attackers inside a system revealing how they operate.
When deception is being employed, it can sometimes be better to let an attack, once detected, continue for a while rather than shutting it down immediately. The details of what takes place are recorded, and the greater understanding of how attackers operate, and the way the attack highlights software vulnerabilities – which attackers may have had to pay to acquire – can make it easier to prevent a recurrence.
It also serves to waste attackers’ time and, because time is money, this represents an economic cost. Using it could mean that the nefarious activities of attackers are no longer worth their while.
Deception technology, suggests Ray Kafity, vice president, Middle East, Turkey and Africa for Attivo Networks, overcomes a number of drawbacks of prevention-only defence.
“While there are several detection solutions available, the challenge with many of them is that they are reliant on signatures, pattern matching or behavioural anomaly detection and, as such, are often too complex or resource-intensive for organisations to operate,” he says.
“The learning curve and tuning process associated with these solutions will also inherently produce false positive noise, resulting in alert fatigue and notifications being ignored, all too often defeating their purpose or resulting in them becoming silenced or shelfware.”
By contrast, deception typically involves early detection of in-network threats and this cuts the dwell time (the period during which the attacker is inside the system undetected), since engaging with decoys or other facets of the defence triggers an alert.
There is much to suggest that deception technology is becoming more widely adopted. Indeed, research has suggested that the global market for it will exceed $1 billion in 2021.
Just a few years ago, TrapX, a deception technology specialist that employs about 80 people, around half of whom build code, was having to convince customers of its relevance in improving operational security. Today, the company is seeing deception being adopted in sectors ranging from manufacturing to healthcare. It is also, says Bach, being used more often within the cloud.
“Clouds are a good [space] for deception – they’re large and distributed networks where deception plays well,” he says.
Deception also ties in well with the use of the Internet of Things, he says, while a further trend Bach has observed is the closer integration between different defensive platforms.
“As [deception] is becoming more common, it’s become more integrated into the broader security ecosystem,” he says.
Taking a similar view about the growth of deception technology, Professor Kevin Curran, professor of cybersecurity at Ulster University, says it “will only become more widespread”.
“Technology generally gets easier and applied into more products, then the suppliers of firewalls will start to use something like this,” he says.
“I can only see it increasing. It’s a simple technique to use, yet it’s very effective.”
The growth in the deployment of deception technology saw Attivo Networks grow 300 percent last year, with rapid growth in 2018 as well, according to Kafity.
“Deception technology is already gaining importance as cyber-attacks become more sophisticated and attackers target non-traditional attack surfaces,” he said.
“Overall, deception is one of the most efficient and effective detection solutions, and the next leap forward that organisations are taking to close the detection gap.”
Deception technology evolved from the use of “honeypots”, which are pieces of data typically held outside the network. While honeypots have proved useful, they had their disadvantages, explains Kafity.
“While the data collected was interesting, creating and managing these emulated decoys was highly time- and resource-intensive, which is why it was never widely adopted by enterprises,” he says.
“Today, deception technology has evolved from limited, static capabilities to adaptive, machine learning deception that is designed for ease of use and scalability.”
Honeypots tended to be used primarily by large enterprises, typically because of the resources required.
However, the use of automation means that deception is now accessible to much smaller users, according to Bach.
“We have fully automated the solution, so the customer can use it at the click of a button,” he says.
“Some of these companies with less than 100 employees can use the technology.
“By integrating deception into their existing anti-virus endpoint, they’re able to pick up the bad guys.”
Like Bach, Kafity sees deception as being a realistic solution for all types of companies, describing commercially available options as “simple” and suitable even for organisations with “the most limited resources”.
“Additionally, for those who do not want to manage security services in-house, they have the option to purchase deception services through a managed service provider,” he says.
“It has never been easier or more practical to achieve accurate and early threat detection for organisations of all sizes.”
Experts have highlighted a number of characteristics required if deception is to be successful.
Key among them is that the decoy should seem authentic in order to attract attackers. Other important attributes include the absence of false positives, which can be an issue with traditional cybersecurity technology; and ensuring that the system is capable of dealing with an evolving attack surface. This last point means that cybersecurity systems should use multiple types of deception to deal with various methods of attack.
Effective deception systems are able to deal with everything from man-in-the-middle attacks, in which an attacker compromises the communication between two parties, through to credential theft, and attacks that involve lateral movement, a reference to the way the attackers move through the target system.
As Kafity puts it, deception can detect and respond to in-network threats “regardless of the attack vector or attack surface”. He says a “distributed deception platform”, such as the one his company provides, offers early detection, enhanced threat visibility and accelerated response.
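As an added illustration (not code from the article, TrapX or Attivo Networks), the following Python sketch shows the core of the "no false positives" property described above: decoy account names that no legitimate user holds are planted, so any authentication event naming one is an alert regardless of whether the login succeeded, and the gap between a source's first logged activity and its first decoy touch gives a rough time-to-detection figure. The account names, log lines and log format are constructed for the example.

```python
# Added example, not from the article or any vendor it names: a minimal
# honeytoken (decoy credential) detector. Decoy accounts are never used
# legitimately, so touching one is an alert by construction: no signature,
# no behavioural baseline, no tuning.
import re
from datetime import datetime

# Assumption: these decoy account names were planted (in a password store,
# a config file, a directory entry) and are known only to the defenders.
DECOY_ACCOUNTS = {"svc_backup_legacy", "admin_finance_old"}

# Constructed sample authentication log lines in an sshd-like format.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z sshd Accepted password for alice from 10.0.0.5
2024-03-04T09:02:10Z sshd Failed password for bob from 10.0.0.7
2024-03-04T09:05:44Z sshd Failed password for svc_backup_legacy from 10.0.0.7
2024-03-04T09:06:02Z sshd Accepted password for admin_finance_old from 10.0.0.7
2024-03-04T09:10:00Z sshd Accepted password for carol from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_decoy_use(log_text):
    """Return one alert per event that names a decoy account, with the seconds
    between that source's first logged activity and the decoy touch."""
    first_seen = {}
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        first_seen.setdefault(ev["src"], ev["ts"])
        if ev["user"] in DECOY_ACCOUNTS:
            elapsed = ev["ts"] - first_seen[ev["src"]]
            alerts.append({"ts": ev["ts"].isoformat(), "src": ev["src"],
                           "decoy": ev["user"], "result": ev["result"],
                           "seconds_to_detection": int(elapsed.total_seconds())})
    return alerts
```

Feeding a real log stream through the same function only requires swapping the regex for the format in use; the alerting rule itself stays a plain set membership test.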
So, organisations large or small can do much worse than look to deception as they bid to secure their networks and outfox the fraudsters.