Hide your needle in a haystack
Deception technologies take an entirely different approach to protecting computer networks
Since the earliest days of information security, the strategy to combat online threats has been “Detect and Block.” Firewalls check and control inbound and outbound network traffic, blocking known threats. Now, Deception technologies introduce a new, proactive way of protecting computer networks.
When Firewalls Fail
Firewalls guard the network perimeter against intrusion by carefully checking and controlling all incoming and outgoing traffic, much like a security guard at a concert venue or shopping mall. No dangerous weapons or glass bottles are allowed to enter. No stolen merchandise leaves the premises undetected.
Another metaphor for network security is airport security and its dynamic, multi-layered approach. Airport security personnel can x-ray every passenger and their luggage, perform further physical inspections, question you about your background and travel activities, and run your picture and ID through an up-to-date system of known threats and suspects.
All of these techniques are woven together, constantly updated, tested and re-configured to keep pace with the barrage of threats as quickly as they develop. Security companies employ teams of top researchers to chase down new threats and publish updates and information to customers. Network security and IT professionals are constantly on guard, checking systems and deploying the latest updates, but this strategy is essentially reactive. They are cops chasing robbers, always scrambling to keep up with increasingly sophisticated and aggressive attackers who are developing at a hyper-accelerated rate.
Reactive cybersecurity has another inherent vulnerability: information. Any time an attack agent is detected and blocked, the attacker learns valuable information about the network and its security protocols. There has been relatively little innovation in how systems react to detected breaches. Simple, automated responses such as log, reject, drop or quarantine are easily recognized by the attacker. Every time one of these known responses is activated, the attacker is immediately notified that it ‘tripped a wire’ and learns how to avoid it in the future. These reactive Detect & Block security systems actually help attackers by providing rich information about security tools and policies. Attackers quickly adapt and become even more dangerous.
In fact, the most sophisticated attackers use automated tools that can learn from the responses of network protocols, endpoint servers, OS behaviors and data to learn about the network and plan their next attack.
Next-Generation Defense
Realizing they were stuck in a race they would never win, a new generation of cybersecurity professionals began experimenting with an entirely different approach, protecting network assets by using deceptive tactics such as decoys and camouflage. Long used by the Department of Defense, but only very recently available to other government agencies and corporations, Deception technologies employ diversions that trick attackers into revealing themselves.
The oldest and most commonly deployed Deception Technology is honeypots, or honeypot sensors. As the name suggests, honeypots are bait put out to appear like a valuable network resource, luring in an attacker and thereby thwarting the attack on real resources, a process known as ‘blackholing’. It’s like leaving a stack of fake $100 bills on your kitchen table and hoping any potential burglar who manages to enter your home will take the pile of notes and then leave the safe with the real money alone.
Honeypots are now in wide use, generally as a complementary layer to enhance traditional Detect & Block network security configurations. However, a new generation of Deception Technologies is poised to flip the entire security paradigm on its head. Instead of targeting malware and suspicious activity protocols to defend computer resources, Deception Technology is about being proactive: using “threat deception as a threat response tactic,” according to Gartner (https://www.gartner.com/doc/3096017/emerging-technology-analysis-deception-techniques).
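To make the honeypot idea concrete, here is an added example (not code from the article or from any vendor it names) of the smallest useful honeypot sensor: a decoy TCP service that no legitimate client has any reason to contact, so every connection it receives is a high-confidence alert rather than something to be "detected and blocked" silently. The fake FTP banner, the decoy hostname and the allowlist are assumptions chosen for illustration; a real deployment would imitate whatever service the decoy is meant to resemble and forward the events to a SIEM instead of keeping them in memory.

```python
"""Minimal honeypot sensor: a decoy TCP service that records and alerts on
every interaction, because nothing legitimate should ever talk to it."""
import socket
import socketserver
import threading
import time
from dataclasses import dataclass


@dataclass
class HoneypotEvent:
    """One interaction with the decoy service."""
    timestamp: float      # epoch seconds when the connection arrived
    peer: str             # "ip:port" of the remote side
    first_bytes: bytes    # whatever the client sent first (may be empty)


class DecoyHandler(socketserver.BaseRequestHandler):
    """Answers like a plausible service but only records what it sees."""

    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            data = b""
        # Record the event before replying so it is visible as soon as the
        # client has its banner (keeps the sensor deterministic to observe).
        peer = f"{self.client_address[0]}:{self.client_address[1]}"
        self.server.events.append(HoneypotEvent(time.time(), peer, data))
        # Hypothetical banner: mimic the service the decoy pretends to be.
        self.request.sendall(b"220 files.internal.example FTP ready\r\n")


class HoneypotServer(socketserver.ThreadingTCPServer):
    """Threaded listener that keeps an in-memory event list (a real sensor
    would ship these to a SIEM)."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, DecoyHandler)
        self.events = []


def start_honeypot(host="127.0.0.1", port=0):
    """Bind the decoy (port 0 = OS-assigned, handy for tests) and serve it
    on a background thread. Returns the server so callers can inspect
    server.events and call server.shutdown()."""
    server = HoneypotServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def alerts(server, allowlist=()):
    """Render recorded events as alert lines. The allowlist exists only to
    suppress known monitoring hosts (an assumption, e.g. a vuln scanner);
    everything else touching a decoy is treated as hostile."""
    return [
        f"ALERT decoy contacted from {e.peer} data={e.first_bytes!r}"
        for e in server.events
        if e.peer.rsplit(":", 1)[0] not in allowlist
    ]


def probe(server, payload):
    """Self-test client: open one connection to the decoy, send a payload
    and return the banner, so the sensor can be exercised end to end."""
    with socket.create_connection(server.server_address, timeout=2) as s:
        s.sendall(payload)
        return s.recv(1024)


if __name__ == "__main__":
    srv = start_honeypot()
    print("decoy listening on", srv.server_address)
    print("banner:", probe(srv, b"USER admin\r\n"))
    print("\n".join(alerts(srv)))
    srv.shutdown()
    srv.server_close()
```

The design point is the one the article makes about honeypots: the sensor does not try to classify traffic as good or bad, it simply has no legitimate users, so its false-positive rate is close to zero and the alert needs no signature. Binding to port 0 lets the same code run in a test; in production you would pin a port that resembles the imitated service.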
The emerging generation of Deception Technologies creates an illusory layer of false information throughout the network, making it impossible for attackers to gather information and plan the next stage of an attack. This unreliable mix of real and false information makes decision making impossible. Unable to distinguish truth from deceit, attackers are left impotent, unable to carry out a malicious breach. When suspicious activity is detected, administrators have a choice: shut down the breach immediately or continue to observe the attacker in a real-time forensics mode.
The underlying strategy of deception technology: the tools developed and deployed against systems are a quickly moving target, but the criminals and terrorists behind cyberattacks are mere humans. Humans rely on discovering new information to make decisions. Humans can be fooled by lies and thrown off track by false information.
In the future, we will not depend on virtual moats and firewalls to protect our most sensitive network resources. Soon we will disguise them with a rich network of imposter resources that are indistinguishable to thieves. Instead of being exposed to cybercriminals and terrorists, Deception Technologies will expose them to us.
Deception Technology Vendors
Rapid7
LogRhythm
ForeScout
Shape Security
Attivo Networks
Acalvio Technologies
Illusive Networks
GuardiCore
Cymmetria
TrapX Security
Minerva Labs
CounterCraft
Allure Security Technology
CyberTrap Software
Smokescreen Technologies
Hexis Cyber Solutions
TopSpin Security (acquired by Fidelis Cybersecurity)
Ridgeback Network Defense
Percipient Networks
Symantec Endpoint Protection
Nikki, thanks for sharing!