The ins and outs of deception for cyber security

Carolyn Crandall, CMO, Attivo Networks | Jan. 7, 2016
Today’s deception technologies abandon reliance on known attack patterns and monitoring and use advanced luring techniques and engagement servers

This vendor-written tech primer has been edited to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

It is no longer debated that a prevention-only security strategy is not enough. Security teams must go on the offense and create an environment that provides continuous real-time detection against an ever-changing landscape of cyber threats, and deception tools can play a critical role.

Deception as a strategy has been used for years in war and, notably, by cyber attackers. However, using deception to address threats that have bypassed traditional prevention security measures is an emerging and additional line of defense.  Today’s deception-based technology abandons the reliance on known attack patterns and monitoring, and instead uses advanced luring techniques and engagement servers to entice an attacker away from valuable company servers.

According to the Ponemon Institute, it takes 46 days, on average, before an attack by hackers can be fully resolved. Deception, on the other hand, detects hackers throughout the phases of the kill chain cycle, preventing them from completing their mission.

To understand deception and decoy technologies, it’s important to understand the terms security teams, security solution providers, industry analysts, editors and others use, and sometimes misuse.  Key terms include:

Kill Chain Cycle – The sequence of steps taken within a cyber attack:

1. Reconnaissance
2. Initial compromise
3. Establish foothold
4. Escalate privileges
5. Internal reconnaissance
6. Move laterally
7. Maintain presence
8. Continue to escalate privileges until the attacker completes their mission

Honeypot – A honeypot is a server, computer or network that appears to be an integral part of an organization’s network or network of networks, but is in reality bait for hackers.  The IT or security team installs honeypot software on these devices and connects them to the network.  Hackers will scan the network for weaknesses and attempt to break in. When they break in, they won’t find anything, and will then attempt to run their malware.  Because the malware has no impact, the hacker will attempt to install additional malware or simply move on.

Honeynet – A honeynet is simply two or more honeypots on a network. IT and security teams deploy honeynets to protect larger networks or networks containing diverse types of information. Honeypots and honeynets were among the first deception-based technologies used by IT and security teams. These solutions are generally based on emulating an environment and, without regular updates, may be recognized and detected by an attacker over time. Lack of a central management UI adds to the operational cost and complexity of managing these solutions.

Deception Engagement Servers – Deception techniques are similar to a honeynet in their use of engagement servers to lure an attacker into their trap. However, deception makes advanced use of endpoint and distributed engagement servers to actively attract an attacker. In addition to real-time detection, advanced solutions will provide the ability to communicate with a command and control center along with the forensics required to update prevention systems and shut down attacks. Advancements in technology have also made deception solutions non-disruptive to deploy and non-resource-intensive to manage. A comprehensive deception platform will be scalable and take a deception-everywhere approach, supporting user networks and data centers across private, public and hybrid cloud environments. Some may refer to a deception engagement server as a honeynet on steroids.
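To make the honeypot definition above concrete, here is a minimal low-interaction decoy listener, added as an illustration and not taken from the article or from any vendor product. The banner text, the port and the in-memory `ALERTS` sink are assumptions; the listener relies on the fact that a decoy has no legitimate users, so every connection is recorded as an alert.

```python
import json
import socketserver
import threading
import time

ALERTS = []  # in-memory sink for the demo; forward to a SIEM in practice
BANNER = b"220 files01 FTP server ready\r\n"  # constructed decoy banner

def make_alert(peer, first_bytes):
    """Build one alert record. Nothing is allow-listed or scored:
    any contact with the decoy is reported."""
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src_ip": peer[0],
        "src_port": peer[1],
        # Keep only a short text preview of what the client sent.
        "preview": first_bytes[:64].decode("ascii", "replace").strip(),
        "bytes_seen": len(first_bytes),
    }

class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(3.0)  # idle clients must not hold threads
        data = b""
        try:
            self.request.sendall(BANNER)
            data = self.request.recv(256)
        except OSError:  # timeout or reset is still an event to record
            pass
        alert = make_alert(self.client_address, data)
        ALERTS.append(alert)
        print(json.dumps(alert), flush=True)

class DecoyServer(socketserver.ThreadingTCPServer):
    daemon_threads = True
    allow_reuse_address = True

def start_decoy(host="127.0.0.1", port=0):
    """Serve in a background thread and return the server object.
    Port 0 lets the OS pick a free port (see server.server_address)."""
    server = DecoyServer((host, port), DecoyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    srv = start_decoy(port=2121)  # assumed port for a local trial
    print("decoy listening on", srv.server_address, flush=True)
    threading.Event().wait()  # run until interrupted
```

The listener only emulates a banner and never executes or stores what the client sends beyond the short preview, which is the emulation trade-off the honeynet definition notes: a static banner is easy to recognize over time.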

 
