Deception Tech: High-Fidelity Alerts If Hackers Take Bait
Deception Can Add Value, But Only If Security Basics Are Covered
How do you catch hackers in the act? Set up a fake network and see what flies land on it. Numerous cybersecurity startups are taking the honeypot concept to a more elaborate scale with a new name: deception technology. But are the solutions as effective as promised?
Deception technologies can provide very high-fidelity alerts in that there are no false positives: Someone lurking in a bogus network is surely up to no good. The clues around the hackers' methods and activities can buy defenders more time to make sure legitimate assets are protected.
But deception tech doesn't detect if hackers are already in the real network, some analysts say. And making use of the information a deception product provides requires a team capable of interpreting it and taking action, they contend. Otherwise, a deception system is just another tool to monitor in an already crowded, alert-heavy environment, they say.
"The important thing to understand is that deception technology is really good at telling you something bad is going on, and that's it," says Josh Zelonis, a senior analyst at Forrester.
Among the many vendors offering deception technology are Illusive Networks, TrapX, Attivo Networks, Acalvio, Cymmetria, Topspin, Shape Security, Smokescreen, Allure Security, Guardicore and Rapid7.
Deception systems have become much more elaborate than the honeypots of the past. The bogus networks are closely modeled after a company's real network in order to pull off the ruse.
A single management console may be used to manage several types of deceptions, from low-interaction to high-interaction ones with different levels of sophistication, says Rik Turner, a principal analyst based at Ovum.
"The forensic use of high-interaction deceptions is much greater," Turner says. "On the low-interaction end, you know someone tried to break into the bank. On the high-interaction end, you not only know that someone tried to break in, but you've actually got a photograph of them and you've probably managed to do some facial recognition and got a reasonable idea what their name is. It's a much greater level of forensic use."
Still, many of the deception technology systems do not instrument the operating system or applications they are pretending to be, Zelonis claims. There's an alert when an attacker touches a system, but no forensic data or threat intelligence of what the hacker actually did, writes Zelonis in a July 2017 Forrester report titled "Honeypots 2.0: Deception Technology Lures Cybercriminals Into A Trap."
"This is a massive oversight for vendors as that data provides enormous value for security teams," he writes.
A Growth Market?
Deployment of deception technology is mainly in the realm of Fortune 1000 companies, Turner contends.
Zelonis says there's been a fair amount of buzz among vendors around deception; they see it as a growth market. But he claims that many enterprises, so far, have given the technology a lukewarm reception. "Generally, it's just something else on their network that they have to deal with," he says.
For successful deception deployment, an adversary has to trigger the deception capability, Zelonis says. Plus, an adversary in the real network may not branch out into the fake one, and the deception system is useless in detecting someone in the real network, he adds.
"If the stars align and you're pulling something out of the network based on this, then it's probably great," Zelonis says. "But the vast majority of clients I talk to aren't really interested, and the ones who are haven't had success."
Venture capitalists, however, have been strongly interested in deception technology. For example, Strategic Cyber Ventures, a Washington-based firm, has invested in TrapX, which is based in San Jose, Calif.
Hank Thomas, SCV's co-founder and CEO, says that deception has to be integrated into a broader security strategy.
"I think the people that haven't seen value in it are the ones that have deployed deception as an afterthought and they sprinkled it around their network like a minefield, and it was a very poorly placed minefield," he says. "But the ones that are including it in a broader security strategy ... are seeing a lot of value in it."
A good decoy can force the attackers to move slower while also raising the costs around an attack, which are aspects that are harder to value, Thomas says. "A lot of times people forget that one of the big payoffs for an effectively deployed deception campaign is getting in the heads of the adversary."
Thomas says he knows about one organization that used deception around CCTV cameras, deploying ones that showed a somewhat interesting but non-sensitive image. He thinks that deception might be good particularly around IoT devices, which are often attacked first.
With the CCTV deception, "it was effective enough that they were able to lure them [the attackers] into a secondary trap," Thomas says.
Product or Feature?
Thomas says the market growth around deception has been slower than anticipated, but it is gaining steam. There's been somewhat of a debate, however, about whether deception technology will continue as a stand-alone product or become a feature.
Zelonis and Turner expect consolidation, with larger IT security vendors incorporating deception into other product lines. Admins don't want another pane of glass to monitor, Thomas says, so it makes sense to consolidate.
The sweet spot for deception vendors so far has been large organizations, such as banks, that have security teams that can dedicate the attention needed to make deployment successful, Turner says. "There's no point in deploying this stuff if you don't have the ability to draw full advantage from all the learning you can do," he says.
Turner expects deception will likely become an offering from managed service providers or managed security service providers. That will likely make it more accessible to smaller companies.
"Smaller companies will then be able to take this as a managed service, which is probably what you're going to want if you don't have a very big security team," Turner says.