Concepts acquired from the military field are everywhere in cybersecurity – think defense in depth, situational awareness, intelligence, counter-intelligence… The list is long. In this post, I’m going to talk about one of them – deception – not because it’s new, but because I think it’s going to become really important in the upcoming years.
Deception as a concept applied to cybersecurity has been around for a while. It’s the idea behind honeypots, honeynets and honey tokens. What’s new is that these products are maturing, allowing simple but customized deployment and scalability thus making them suitable for corporate environments. The generic name given to these new products is Distributed Deception Systems (DDS).
To better understand the benefits of these solutions, we need to put on the shoes of an attacker. We’ll choose one who has successfully compromised a computer – by spear phishing, for example – in a network where deception points have been deployed across a wide range of vectors such as user accounts, office documents, network services, mobile phones, servers, printers, etc.
As an attacker, invisible, blanket deceptions can be a real nightmare. We can’t know which of the services and systems that we can see from the system we’ve compromised are authentic and which ones are deceptive. And the same thing happens with the local accounts that we can see and try to re-use on a different system.
In effect, we’re taking decisions in the dark. We’re blind. So, the result is that any wrong step we make, can trigger an alert that compromises all our attack efforts and puts our mission in jeopardy.
This is a real game changer. Previously, target organizations could never gain the upper hand. We were free to make all the attempts we wanted to and only needed one single success to win the battle. Defenders, however, needed to be successful all the time – one single mistake and they could lose the match.
Deception irons out some of the asymmetry in cyberwarfare. Thanks to deception technology, one single mistake will unmask us and enable the defenders to detect the attack before it’s too late.
Another big benefit of the DDS solutions for organizations is that the false positive ratio is usually really low since most of the time, only a real attacker will fall into the deception. On top of this, the quality and amount of information that the alerts provide is much richer than that obtained by traditional security solutions. Full control over what the attacker is allowed to do enables the organization to keep the attacker busy in order to obtain additional valuable information.
Because of this, these new deception solutions not only allow security teams to decrease the time to detection (TTD) after an asset has been compromised, but also will increase the attacker’s time to compromise (TTC), as they will require more time to find their objective and to figure out how to reach it without being deceived. Defenders increase the time they have to react to an attack and to learn from the attacker actions in order to be better prepared against future malicious activity, or even find out who’s behind the attack. And this can definitely make the difference between a headline-hitting mega-breach and just another failed attack.
We need to keep in mind that this breed of deception technologies is not going to replace the traditional approaches of detection and prevention but needs to be seen as a way to complement them by providing an extra layer of security that comes into play when the attacker lands on their target network.
So, watch this space. For the reasons I’ve listed, I’m convinced that in the upcoming years we’ll be seeing a massive adoption of those DDS technologies on corporate environments as well as a big increase on presence and maturity on the deception solution market.