What is Deception Technology for Cybersecurity?
Deception technology is a set of cybersecurity techniques and practices that lure cybercriminals who have managed to infiltrate your network into accessing harmless assets. Security teams create one or more decoys -- such as applications, databases, active directories, and breadcrumbs such as browser cookies -- that divert attackers from a company’s actual assets, and create high-fidelity alerts that decrease dwell time and speed incident response.
The unfortunate reality is that no matter how good your perimeter defenses are, there is always a chance that a cybercriminal can gain access to your network. By employing deception technology, you can lure them away from real assets while they waste their time exploring useless decoys. Further, since they have revealed their presence, you get an early-warning indicator of their behavior and can gain useful intelligence on them.
Deception -- and the broader category of ‘active defense’ -- has been used in military applications throughout history to thwart opponents. The Greeks used it to breach the walls of Troy with their horse “gift” in the climactic battle of the Trojan War. Armies have frequently used deception and subterfuge to manipulate the enemy into believing they were planning something that they were not. The first tool of deception in information security was the honeypot, appearing as early as the 1960s. Honeypots, a concept still in use today, are unprotected, but monitored, assets that appear very attractive to an attacker who has already breached the network. Once the honeypot is accessed, security operations teams can take action to gain intelligence on the attacker or shut the attack down.
The Challenge with Legacy Detection Technologies
Cyber deception methods all operate on the assumption that an attacker has already managed to circumvent your perimeter defenses. They are already inside your network, endpoints, operating systems, and applications. Other threat detection methods are designed to alert security teams to attacks in these situations, but have proven to be lacking against today’s often sophisticated attacks.
Legacy detection tools, such as firewalls, endpoint detection, and the like, are each designed for a specific type of security (network, application, endpoint, IoT devices, etc.), and often work in isolation from each other. This results in several problems: the fidelity of alerts from these tools is low, as they can only see their specific slice of the security infrastructure without context; and investigation time is increased, as security analysts must pivot between a range of tools to uncover the attack sequence and scope of damage. In a recent ESG Research report, respondents indicated that traditional application security controls are not sufficient to solve today’s problems. One big problem is false positives, with respondents reporting an average of 53 alerts per day from their web application and API security tools, with 45% of these ultimately determined to be false positives. Security teams are notoriously stretched thin, and suffer from alert fatigue due to the high rate of false positives.
Additionally, many existing detection technologies are much better against malware than they are against human-driven attacks, waged both by insider threats and external threat actors. Advanced adversaries are much more sophisticated than petty hackers, and are adept at compromising users and emulating their behaviors to stay undetected -- even when companies use behavioral analytics. With deception platforms, these adversaries reveal themselves as soon as they interact with a decoy.
Legacy deception technologies, such as honeypots and associated traps (honey users, honey credentials, etc.), have their own pitfalls. They are essentially static techniques that can fall out of date quickly and cannot keep up with changing attacker tactics, thus making it easier for attackers to evade detection and dwell within the network for months or even years. Honeypots and honeynets that are accessible to the internet can result in many false positives if the technology is not advanced enough to differentiate between broad scanning activities and targeted reconnaissance.
Deception Technology Changes the Game
By contrast, modern deception technology is an active defense technique designed to make your network a hostile environment for attackers, resulting in more expense and time investment on their part to remain undetected. Think of it as a next-generation honeypot technique. First, similar to honeypots, it populates your network with decoys: fake endpoints, files, services, databases, users, computers, and other resources that look like production assets, but that no legitimate user should ever access. Then it leverages deception-based alerts to detect malicious activity, generate threat intelligence, stop lateral movement across the network, and orchestrate threat response and containment – all without human supervision.
Deception platforms provide a proactive, low false-positive detection model. They use deep analytics to target the human intent behind an attack, staying agile, adapting to new threats even before they occur, and delivering orchestration and automation of response actions. This model works against a range of attack vectors and different types of adversaries, from ransomware actors to advanced persistent threats (APTs).
Once you have identified an attacker on your network, you can manipulate the deceptive environment and its cover story in real time, based on your knowledge of the attack. Here are some examples of what is possible:
- Manipulate the attacker by generating or removing deceptive assets.
- Generate network traffic, alerts, or error messages to encourage specific attacker behavior.
- Implement session hijacking tools to cloud or distort attacker perceptions of the environment.
- Create situations that force an attacker to disclose information about who they are and where they come from to circumvent perceived obstacles.
Not only are these techniques misdirecting and ultimately derailing cyber attackers, they are changing the rules of engagement between attackers and defenders and providing a rich source of intelligence on the intruder’s targets, methods and motivation. “Now that most organizations are continuously under attack from human and automated attackers, deception provides a way for organizations to mislead and confuse their adversary, and stay ahead of cyber incidents, instead of feeling like they’re always one step behind”.
Deception technology can be used to detect threats across the kill chain, from reconnaissance through data theft. Use cases can be grouped into three broad categories.
Perimeter Deception Defense: It’s usually not feasible to monitor all incoming traffic for potential threats. Setting up deceptive public-facing assets can drastically simplify this problem and give you actionable telemetry on who is targeting you.
Network Deception Defense: Placing decoys in various locations an attacker might peruse to identify targets, but that legitimate users should never access, can identify an attack in progress.
Endpoint Deception Defense: Endpoint decoys look to an attacker like an asset that has legitimate and valuable content and is a candidate for exfiltration. Monitoring these assets can detect not just behavior that would be suspicious on the network, but also behavior that would be the norm on the network but has no legitimate place on a particular endpoint at a particular time.
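The decoy-access triage described above (decoys that no legitimate user should touch, a planted honey credential as a breadcrumb, and the need to tell broad scanning apart from targeted reconnaissance) as an added Python example; this is illustrative code written for this page, not Zscaler's product or code, and the decoy inventory, log format and threshold are assumed.

```python
"""Decoy-access triage over constructed access logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed decoy inventory: no production workflow ever touches these hosts,
# so any access is a high-fidelity signal rather than a statistical guess.
DECOY_HOSTS = {"10.0.5.40": "fake-sql-backup", "10.0.5.41": "fake-fileshare"}
# Assumed planted breadcrumb: a credential that exists only in a decoy config
# file, so its use means the attacker read and followed the breadcrumb.
HONEY_CREDENTIALS = {"svc_backup_ro"}


@dataclass
class Event:
    src: str
    dst: str
    dst_port: int
    user: str  # empty when no authentication was attempted


def parse(line):
    """Parse one constructed log line: 'src=.. dst=.. port=.. [user=..]'."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Event(kv["src"], kv["dst"], int(kv["port"]), kv.get("user", ""))


def triage(lines, scan_threshold=5):
    """Return {source: verdict} for every source that touched a decoy."""
    targets = defaultdict(set)      # distinct (host, port) pairs per source
    decoy_hits = defaultdict(list)  # events that landed on a decoy
    for ev in map(parse, lines):
        targets[ev.src].add((ev.dst, ev.dst_port))
        if ev.dst in DECOY_HOSTS:
            decoy_hits[ev.src].append(ev)
    verdicts = {}
    for src, hits in decoy_hits.items():
        if any(h.user in HONEY_CREDENTIALS for h in hits):
            verdicts[src] = "targeted"    # only the breadcrumb leads here
        elif len(targets[src]) >= scan_threshold:
            verdicts[src] = "broad-scan"  # many hosts/ports, no follow-through
        else:
            verdicts[src] = "suspicious"  # decoy touched; needs analyst review
    return verdicts


# Constructed sample log: one indiscriminate scanner, one source that used the
# planted credential, and one legitimate user who never touched a decoy.
LOG = """\
src=203.0.113.9 dst=10.0.5.40 port=22
src=203.0.113.9 dst=10.0.5.40 port=80
src=203.0.113.9 dst=10.0.5.40 port=443
src=203.0.113.9 dst=10.0.5.41 port=445
src=203.0.113.9 dst=10.0.1.7 port=3389
src=10.0.2.15 dst=10.0.5.40 port=1433 user=svc_backup_ro
src=10.0.2.16 dst=10.0.1.7 port=443 user=alice
""".splitlines()
```

Running `triage(LOG)` labels the scanner as broad-scan, the honey-credential user as targeted, and says nothing about the legitimate user, which is the low-noise behaviour the text attributes to well-placed decoys.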
Technologies to Take Deception Technology to the Next Level
No single security technique or policy is 100% effective at stopping attackers from accessing your network. So it makes sense to deploy multiple technologies. But for maximum protection they should work together, rather than in silos, and share information. The idea is to minimize your attack surface to the greatest extent possible, and to speed your ability to remediate an incident.
Integration with a Zero-Trust Architecture
Active Defense with MITRE Engage Framework
MITRE Engage is a trusted industry framework for discussing and planning adversary engagement, deception, and denial activities based on adversary behavior observed in the real world. Their matrix serves as an objective and leading-edge guide to how your organization can best deploy deception and adversary engagement tactics as part of your overall zero trust security strategy.
“Denial, deception, and adversary engagement technologies do not replace your current SOC operations. These technologies work alongside your current defenses. You can think of these technologies as a dam. You build walls, with your current defensive strategies, to stop what you can and incorporate deception technologies to channel and move adversaries in ways that benefit you, the defender.”
Zscaler is proud to partner with MITRE on their Engage framework. To learn more, visit https://engage.mitre.org/.
To learn more about Zscaler Deception, visit https://www.zscaler.com/products/deception-technology.