Deception credentials – These are the lures placed on endpoint devices that work dynamically with deception engagement servers to actively draw attackers away from the enterprise's production servers and instead get them to engage with the deception engagement server.
Engagement or Deception Servers – Deception providers use high-interaction engagement servers that lure, trap, and analyze an attack. Engagement or deception servers run real or emulated operating systems and services, support virtualization, and can be customized for layer 2-7 deceptions. They can be located in a private datacenter as well as in private, hybrid and public clouds. In addition, they provide a self-healing environment which, after containing and analyzing an infection, can safely destroy the infected VM and rebuild itself for the next attack. Mature platforms will also have the ability to engage with C&C servers so that additional data about the attacker's methods and intent can be gathered.
Emulation – Emulation uses best efforts to copy an environment to deceive an attacker into engaging. Since an emulation is only a thin copy, it cannot exactly match the OS and services that the real systems are running. Given their static nature, emulated decoys can be easier for an attacker to detect.
Real Operating Systems – Real operating systems and services provide significantly better authenticity than emulation solutions because they use actively licensed software loaded on the engagement server. These solutions can be customized by turning operating systems and services on or off to match a company's environment. Solutions that allow the loading of a company "golden image" provide an environment that is virtually indistinguishable from company servers. Maintenance of these operating systems and services is provided by the deception manufacturer under a standard support agreement; there should be no additional costs or resources required to maintain this software.
Friction-less (non-disruptive deployment and management) – Deception solutions should integrate seamlessly with existing security infrastructure and play an active role in an organization's continuous defense strategy by enabling real-time threat detection. By design, they should not require any signature or database lookup, any network topology or traffic changes, or heavy computation to detect an attack.
Threat intelligence – When a bot or APT is engaged, the solution should run full forensics to capture the methods and intent of the attacker. It should include a threat intelligence dashboard and a full range of indicators of compromise (IOC) reports to enable prevention systems to shut down current attacks and prevent future ones.
False positives – Many monitoring systems trigger an alert based on what may be bot or APT activity. These solutions tend to generate a high volume of alerts that often are not an attack, i.e. false positives. Deception solutions will not deliver a false positive since they only raise an alert on actual engagement with their platform. Advanced systems will provide the option to set alerts at low, medium or high for additional customization.
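The two properties described above, deception credentials that no legitimate process ever uses and alerts raised only on engagement with a decoy, can be turned into simple high-fidelity detection logic. The following is an added example, not code from the article or from any deception vendor: it scans constructed sshd-style log lines for use of hypothetical decoy accounts and logins to a hypothetical engagement host, and assigns the low/medium/high severity the text mentions (the account names, host name and log lines are all assumptions).

```python
import re
from dataclasses import dataclass

# Constructed sample auth log lines (not from the article); sshd-style format.
SAMPLE_LOG = """\
Jan 10 09:12:01 ws-17 sshd[2201]: Accepted password for alice from 10.0.4.12 port 51022 ssh2
Jan 10 09:12:44 ws-17 sshd[2210]: Failed password for svc-backup-lure from 10.0.4.12 port 51030 ssh2
Jan 10 09:13:05 decoy-fs01 sshd[118]: Accepted password for svc-backup-lure from 10.0.4.12 port 51041 ssh2
Jan 10 09:15:22 ws-03 sshd[3340]: Accepted publickey for bob from 10.0.9.7 port 40010 ssh2
"""

# Hypothetical decoy accounts seeded on endpoints (the "deception credentials" of the text).
DECOY_USERS = {"svc-backup-lure", "admin-legacy-lure"}
# Hypothetical engagement server; any session there is attacker engagement by definition.
ENGAGEMENT_HOSTS = {"decoy-fs01"}

LINE_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)"
)


@dataclass(frozen=True)
class Alert:
    severity: str
    host: str
    user: str
    src: str
    reason: str


def classify(host, user, result):
    """Severity rules: decoy credentials and decoy hosts have no legitimate use,
    so any touch is an alert; a successful session on the engagement server is highest."""
    if host in ENGAGEMENT_HOSTS and result == "Accepted":
        return "high", "successful engagement with deception server"
    if user in DECOY_USERS and result == "Accepted":
        return "high", "decoy credential accepted"
    if user in DECOY_USERS:
        return "medium", "decoy credential attempted"
    if host in ENGAGEMENT_HOSTS:
        return "medium", "failed probe of deception server"
    return None, None  # ordinary login: never an alert, so no false positives from this rule


def detect(log_text):
    """Return one Alert per log line that shows engagement with a lure or decoy."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd auth line; ignore
        sev, reason = classify(m["host"], m["user"], m["result"])
        if sev:
            alerts.append(Alert(sev, m["host"], m["user"], m["src"], reason))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.reason}: user={a.user} host={a.host} src={a.src}")
```

On the sample input only the two lines involving the decoy account fire, the failed attempt at medium and the accepted session on the engagement host at high, while the genuine logins produce nothing.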
The shift to continuous detection