A new report from research firm Gartner Inc. claims that deception techniques in IT security tools have evolved to the point where they will become increasingly popular in the near future. But, according to one expert, that popularity may not be the best thing for this type of defense.
Gartner acknowledges that deception tools are not new. Honeypots have been around for a long time, as have security experts calling for the use of deception as an offensive IT security tool. But the technology has evolved to the point where it is far easier to implement.
According to Greg Enriquez, CEO of cybersecurity firm TrapX Security Inc., based in San Mateo, Calif., new deception-based tools don't require the burdensome installation and management of a traditional honeypot.
"Honeypots have been around since the late '90s, and many organizations would have liked to implement honeypots," Enriquez said. "But the problems of the past were that you needed smart people to build them; you had to build them yourself, deal with open source tools [and] you usually had to use full operating systems. Therefore, they got patched or updated by the network or other security tools; and then, you had to manage them and make sure they weren't turned against you or left alone to be exploited."
Enriquez said new deception tools, such as TrapX's DeceptionGrid, automate much of this process and use emulation to make management easier.
"It is an emulation of an operating system; it is not a real operating system. So, it cannot be used against you or further exploited. You have full control over that environment," Enriquez said. "We are alerting on the first touch by attackers to either update other tools or draw attackers in further. We deploy on a VLAN, scan what's out there, then we put an emulation next to those production assets and whitelist anybody internally who may need to touch that asset."
According to Enriquez, this reduces false positives by ensuring that alerts are raised only after a breach has occurred and an attacker is trying to escalate privileges or expand their reach within the environment.
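The deployment model Enriquez describes, decoys placed beside production assets with an internal allowlist and an alert on first touch, can be illustrated with detection logic. The following is an added example written for this article, not TrapX code and not anything from the Gartner report: the decoy inventory, the allowlist subnets, the connection-log format and the downstream action names (`forward_alert_to_siem`, `propose_firewall_block`) are all constructed assumptions, and the code alerts once per source on its first decoy touch while still counting later touches by the same source.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory: emulated decoys placed next to production assets on the VLAN.
DECOYS = {
    "10.20.0.50": "decoy-fileserver",
    "10.20.0.51": "decoy-database",
}

# Constructed allowlist: internal sources that legitimately touch the decoys
# (e.g. a vulnerability-scanner subnet and one monitoring host).
ALLOWLIST = [
    ipaddress.ip_network("10.20.9.0/24"),
    ipaddress.ip_network("10.20.1.200/32"),
]

# Constructed connection records in an assumed "timestamp src dst dport proto" format.
SAMPLE_LOG = """\
2016-03-01T10:00:01Z 10.20.9.5 10.20.0.50 445 tcp
2016-03-01T10:00:05Z 10.20.1.17 10.20.0.12 443 tcp
2016-03-01T10:00:09Z 10.20.1.17 10.20.0.50 445 tcp
2016-03-01T10:00:12Z 10.20.1.17 10.20.0.51 1433 tcp
2016-03-01T10:01:00Z 10.20.1.42 10.20.0.51 1433 tcp
2016-03-01T10:01:03Z 10.20.1.200 10.20.0.50 22 tcp
"""


@dataclass
class DecoyAlert:
    ts: str
    src: str
    decoy: str
    decoy_name: str
    dport: int
    actions: tuple  # hypothetical downstream actions a SIEM/firewall integration would consume


def parse_line(line):
    """Split one constructed log record into its fields."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def is_allowlisted(src):
    """True when the source sits inside an allowlisted internal network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWLIST)


def plan_actions(src):
    # Hypothetical action names; a real deployment maps these onto its own SIEM and
    # firewall integrations (the article mentions alert feeds and IP blocking).
    return ("forward_alert_to_siem", f"propose_firewall_block:{src}")


def detect_decoy_touches(log_text):
    """Return (alerts, touches).

    alerts:  one DecoyAlert per source, raised on that source's first decoy touch.
    touches: every decoy touch per non-allowlisted source, so later lateral moves by
             the same source are still recorded without producing duplicate alerts.
    Traffic to production assets is ignored, which is what keeps the alert volume low.
    """
    alerts = []
    touches = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        name = DECOYS.get(rec["dst"])
        if name is None:
            continue  # production asset, not a decoy: out of scope for this detector
        if is_allowlisted(rec["src"]):
            continue  # expected internal touch (scanner, monitoring): no alert
        touches[rec["src"]] = touches.get(rec["src"], 0) + 1
        if touches[rec["src"]] == 1:
            alerts.append(
                DecoyAlert(rec["ts"], rec["src"], rec["dst"], name,
                           rec["dport"], plan_actions(rec["src"]))
            )
    return alerts, touches


if __name__ == "__main__":
    found, counts = detect_decoy_touches(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} first touch of {a.decoy_name} ({a.decoy}:{a.dport}) "
              f"from {a.src} -> {a.actions}")
    print("decoy touches per source:", counts)
```

On the sample records, the scanner and the monitoring host are suppressed by the allowlist, the connection to the production host 10.20.0.12 is ignored, and only two sources produce alerts; the second touch by 10.20.1.17 is counted but not re-alerted. The allowlist is the part that needs ongoing care: anything added to it is traffic the decoy can no longer see.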
However, Enriquez acknowledged that because the product is tuned to raise only high-fidelity alerts, it will not catch targeted attacks in which an adversary already knows exactly what it wants and where to find it.
"If an attacker knows exactly where they're going -- they've breached an endpoint; they spear phish you and once they get you, they know they're going to someone you talk to and go point to point -- then, we're not likely to see them," Enriquez said. "If they hit an end user and they know who the admin is, we're not likely to see them. But if they hit an end user and have to go look for the assets they're interested in, then we will see them."
Enriquez said the DeceptionGrid will provide additional visibility into "east-west traffic" -- traffic flowing between devices and applications on a network -- remove the complication associated with traditional deception technologies, and feed other security products with real-time alerts. Malware that is injected can be recorded and passed on to a sandbox, firewall rules can be updated, and IP addresses can be blocked.
Depending on where an attacker is seen, different actions can be taken, including sending false information back to a command-and-control server, leaving "breadcrumbs" to lure attackers toward fake assets, capturing malware and delaying the attacker's tool selection, or providing false credentials, which the Gartner report said "may take a week for the attacker to crack," despite the credentials being useless.
Charles Henderson, vice president of managed security testing at Chicago-based Trustwave Holdings Inc., said this type of security technology can be very useful in making an attack more difficult, lengthening the time an attack takes and raising the costs for attackers -- but only for certain organizations.
"For the advanced user that's already doing the basics of security and is doing them well, but is worried about that determined attacker, [deception technology] is the kind of thing that might not necessarily prevent, but can lengthen the time of a successful attack," Henderson said. "And all of those things that you've got in place, like your SIEM, can come together and are given more time to detect and allow you to repel the attack. Because it complicates the attack, you stack the deck in your favor."
Henderson said deception technology would be very valuable for organizations such as the Department of Defense that can customize the tools for their environments, but he warned that these tools have a downside: they may become less viable as they become more popular.
"They aren't going to use commercially available, off-the-shelf deceptive technology," Henderson said. "The reason being that if you have a technology that the attackers can get access to, they can model their attack after that same technology. So, it's only valuable if they are unaware of the technology, or do not have the capability to research the technology in their own environment."
According to Henderson, the key to deception technology is going to be either limited adoption or a diverse ecosystem of tools, so that adversaries cannot map out an attack in advance.
"If you're going to be lying to someone, you better be telling them a unique lie," Henderson said. "Even if you have entropy built into your deception technology, once it becomes a known technology or a known commercial offering, it defeats itself, as it achieves market penetration."
Henderson said deception technology has value as one piece of a security landscape, because it can complicate attacks, but he warned that the basics of security should not be forgotten in favor of the newest tools.
"Like many things in security, the fear is that you're going to have people that see this and think, 'If I adopt this technology, I don't have to worry about the fundamentals of security,'" Henderson said. "We've seen this movie before. Good fundamentals, like security testing, using complex passwords, multifactor authentication or finding and patching vulnerabilities, those things are still going to give you more bang for the buck than the new, nifty security technology. Security basics have staying power because they aren't diminished by your peers doing it."