Deception Technology v1.0

Techniques for Detecting Breaches Using Decoys and Lures

Table of Contents

  1. Summary
  2. Market Framework
  3. Maturity of Categories
  4. Considerations for Implementing Deception Technology
  5. Vendor Review
  6. Near Term Outlook
  7. Key Takeaways

1. Summary

Deception technology is designed to detect adversaries on an enterprise network by using decoy systems as bait and lures. It provides early detection and analysis of breaches by examining the relationships between computer systems, data, and user behavior. Deception platforms can also help identify credential exposures, deflect attacks, and remediate them, with the aim of reducing the attack surface.

This technology produces few false positives. A natural evolution of honeypots, it follows the same theory: decoy systems are placed strategically among similar production systems, such as domain controllers (DCs), file servers, SSH file transfer protocol (SFTP) servers, or any other likely breach target, and an alert is generated on any attempted connection to them. The decoys, created as virtual machines (VMs) or virtual IP addresses on VLANs, may appear to belong in the enterprise, but they carry no legitimate workload. Their sole purpose is to detect threats, not to serve users, so any connection made to them should be treated as suspicious and viewed as a possible attack.

Deception technology is broadly agentless, which enables deployment without the additional overhead of endpoint management. The caveat is that it relies on breadcrumbs and lures that must be distributed to endpoints. These lures are invisible to end users but visible to attackers, and they are meant to entice an attacker into connecting to a decoy machine. The breadcrumbs need only be placed on endpoints from time to time, which can be done with System Center Configuration Manager (SCCM), Windows Management Instrumentation (WMI), push scripts, or generally any endpoint management tool. Deception platforms integrate with security information and event management (SIEM) systems and expose APIs. Part of their core functionality is to shorten the time to detection and to assist forensic investigations.

There are three misconceptions about this technology:

    1. It creates a messy network of decoys that add overhead.
    2. It makes troubleshooting production systems challenging.
    3. Deploying decoy systems that can be compromised may allow attackers to gain a foothold.

These concerns are addressed by blocking outbound connections from decoys and by maintaining whitelists so that the decoys ignore connections from known sources such as vulnerability scanners or monitoring systems. Obviously, whitelisting should be done with care, and any system allowed to connect should itself be secure.
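The detection rule the summary describes (any connection to a decoy is suspicious, whitelisted scanners and monitoring hosts are ignored, and a decoy should never initiate outbound traffic) as an added Python example; this is not code from the report or from any vendor platform. The flow-record format, addresses, decoy names and whitelist ranges are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: decoy addresses and the host names they advertise on the network.
DECOYS = {"10.0.5.20": "fileserver-02", "10.0.5.21": "dc-03"}
# Constructed whitelist: sources allowed to touch decoys without raising an alert.
ALLOWLIST = [ipaddress.ip_network("10.0.9.0/24"),   # vulnerability scanner range
             ipaddress.ip_network("10.0.1.5/32")]   # monitoring host


@dataclass
class Alert:
    ts: str
    severity: str
    src: str
    dst: str
    reason: str


def is_allowlisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def parse_flow(line: str):
    # Constructed record format: "<ts> <src_ip>:<port> -> <dst_ip>:<port> <proto>"
    ts, src, _, dst, proto = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, dst_ip, int(dst_port), proto


def evaluate(line: str):
    """Return an Alert for a decoy-related flow, or None for ordinary traffic."""
    ts, src_ip, dst_ip, dst_port, proto = parse_flow(line)
    if src_ip in DECOYS:
        # A decoy carries no workload, so it should never initiate traffic; seeing
        # this also means the outbound block on the decoy is not holding.
        return Alert(ts, "critical", src_ip, dst_ip, f"outbound from decoy {DECOYS[src_ip]}")
    if dst_ip in DECOYS and not is_allowlisted(src_ip):
        return Alert(ts, "high", src_ip, dst_ip, f"{proto}/{dst_port} to decoy {DECOYS[dst_ip]}")
    return None


def run(lines):
    return [a for a in map(evaluate, lines) if a is not None]


SAMPLE_FLOWS = [  # constructed flow records
    "2024-03-01T10:00:00Z 10.0.9.14:51022 -> 10.0.5.20:445 tcp",   # scanner: ignored
    "2024-03-01T10:00:05Z 10.0.1.5:40000 -> 10.0.5.21:135 tcp",    # monitoring: ignored
    "2024-03-01T10:01:10Z 10.0.7.33:49210 -> 10.0.5.20:445 tcp",   # workstation -> decoy
    "2024-03-01T10:01:11Z 10.0.7.33:49211 -> 10.0.2.10:445 tcp",   # workstation -> real server
    "2024-03-01T10:02:00Z 10.0.5.21:53811 -> 10.0.7.33:443 tcp",   # decoy initiating traffic
]
```

Running `run(SAMPLE_FLOWS)` yields two alerts: a high-severity one for the workstation reaching the decoy file server, and a critical one for the decoy domain controller initiating a connection.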

At first glance, this technology may appear to be a “luxury” item fraught with complexity and reserved for mature security programs. However, thanks to its ease of deployment, low overhead, management simplicity, scalability, and ability to give operators insights with an extremely low number of false positives, it is a technology that almost any enterprise (small, medium, or large) could employ to enormous advantage.

Key benefits of deception technology:

    • speeds up detection by correlating traffic with threat indicators;
    • provides orchestration and remediation to deliver value quickly;
    • establishes another layer of detection that shortens an attacker’s dwell time;
    • improves awareness by creating a real-time inventory of enterprise networks, systems, and software;
    • includes a communication medium that IT and security teams may otherwise lack.