Riding the Deception Wave

March 23, 2016

Contributor: Heather Pemberton Levy

Consider deception as a defense strategy against attackers.

Imagine that once malware is detected in an end user's environment, the user's systems had the ability to begin to lie to the attacker at the other end of the command-and-control console, to the malware itself on the infected endpoint, or both. Rather than just batting the attacker away, you’d effectively be playing it at its own game.

Deception technologies are defined by the use of deceits and/or tricks designed to thwart, or throw off, an attacker's cognitive processes, disrupt an attacker's automation tools, delay an attacker's activities or disrupt breach progression. Deception in this context is used as a technique for defensive or disruptive purposes, and is not offensive in nature.

These capabilities are now becoming a reality, according to Lawrence Pingree, research director at Gartner. “Deception techniques, such as honeypots, are not a new concept in security; however, new techniques and capabilities promise to deliver game-changing impact on how threats are faced,” says Pingree. “Today's honeypot has evolved toward greater automation, and offers enterprise-class features and operations capabilities.”

A deception wave is imminent

For the past 20 years, most active security control responses built into network security products have remained fairly constant, offering only a limited number of response actions, such as log, reject, drop and quarantine. These response actions have seen very little innovation or evolution beyond these simpler automated response concepts.

Although these responses are effective at both detecting and blocking individual attacker attempts, responses such as reject and drop are widely visible to a skilled adversary and allow an attacker to rapidly identify when they are detected. These basic defensive actions must evolve so that a strong hold against the attacker can be maintained.

Why leverage deception?

By 2018, Gartner predicts that 10% of enterprises will use deception tools and tactics, and actively participate in deception operations against attackers. More forward-thinking organizations should leverage deception in-depth as a new strategy for comprehensive threat defense against the onslaught of advanced attackers and attack techniques. This is especially true of larger organizations under constant threat — for example, those in the financial services, healthcare, government and software verticals.

Intelligence-led deceptions are crucial to disrupting the attacker

Threat intelligence sharing continues to provide significant improvement in security for many organizations. This threat intelligence data could lead us toward intelligence-led deceptions, where a threat actor that is known to originate from a certain location, or that uses a certain pattern of engagement, can be led astray rather than given access to sensitive systems, applications and data types.

This tactic can enable threat management teams to assert more active control over an attacker and its activities throughout the enterprise environment, and allow organizations to track and share even greater intelligence on threat actors. After all, the most critical reason to use deception is to delay an attacker and force it to spend more time, causing it economic harm while it tries to figure out what is real and what is not, and whether to proceed.
