
Weighing the value of deception techniques for enterprises

Deception techniques aren't new to security strategies, but they could be on the rise. Is it really necessary for enterprises to hack back? Expert Kevin Beaver examines.

According to Gartner Inc., using "hack back" and deception techniques in enterprise IT is an increasingly popular method for fooling criminal hackers and thwarting attacks. It's almost a rebirth of the decades-old honeypot approach to security. These new deception techniques promise to reduce false positives and increase visibility over traditional honeypots. They could provide some businesses with security intelligence that might not otherwise be available. Similarly, organizations that have been attacked will use a long-standing technique that has had a recent revival and will lawfully hack back. There is plenty of debate around the ethics of hacking back, and this tip will discuss the merits and drawbacks of an "offense is the best defense" approach to security.

Fix the small problems first

Deception techniques, as described by Gartner's recent report, or hacking back may not be an ideal approach for an average enterprise in the long term because reaction is not a strategy. It's important to focus first on doing what it takes to prevent an environment from being easily attacked. It's safe to say that most enterprises have not done everything they can to fix the basic issues that are known to cause problems, such as weak passwords, missing patches, poorly or improperly implemented antimalware protection, untested or unresolved Web security flaws, mismanaged and undersecured unstructured information, unencrypted laptops, and unmanaged phones and tablets that access and store sensitive information.

Deception techniques could instigate the attackers even further. Is the network, the team and the business ready to handle the potential repercussions?

Resolving the handful of issues that are known to cause the majority of problems is basic Pareto Principle implementation. These issues are also commonly identified in the findings of the Verizon Data Breach Investigations Report, studies from the Ponemon Institute and many others. Yet they are still ignored in so many cases. Perhaps it's by choice -- i.e., they're too "basic" to really solve big problems -- or perhaps it's through ignorance -- i.e., the flaws haven't yet been uncovered. Regardless, if organizations focused on the issues that have been shown to cause problems before resorting to hack back techniques, they could improve security.

Take modern society, for example; there's a pill for almost every ailment today, including prediabetes and diabetes. Research has shown for decades that carbohydrates in excess are bad for the human body, and that people should take steps to reduce carbs in their diets. When I discovered I was insulin-resistant, I followed this basic advice and was able to quickly resolve everything diabetes-related that was ailing me, including my inability to lose weight no matter how much, or how hard, I exercised. Over the past decade, the research has been further refined to the point where we know how to virtually eliminate type-2 diabetes. Yet, still, half of Americans are diabetic or prediabetic. This scenario plays itself out in information security, across businesses and government agencies of all sizes to this day. As author Ayn Rand said, "The hardest thing to explain is the glaringly evident which everybody had decided not to see."

What to consider before adopting 'hack back' and deception techniques

Hack back and deception techniques aren't without value when it comes to enterprise security. There's no doubt that deception techniques can add some value, especially in federal government scenarios where these approaches are already being used to thwart advanced persistent threat groups and nation-state hackers. It would surely be more fun than fighting the security fight from a defensive perspective. But keep in mind that deception techniques are not necessarily the same as hacking back techniques, such as launching denial-of-service attacks and running exploits in attempts to obtain remote access. However, traditional deception techniques can be considered "offensive" measures. The mere act of luring attackers into a honeypot trap, getting them to do things they might not otherwise do, using up their resources to try to penetrate the wrong targets, and the like, could be shown to be more than just passive measures.

Still, the average business is probably not ready to take on such an approach because there are many considerations such as:

  • Where do you start? Who heads up such efforts?
  • How do you set rules of engagement?
  • Do you have a policy, procedures and a set of standards documented for this approach to security like you have for the defensive side?
  • What do you do with the information?
  • Will executive management and legal be involved?
  • When do you grow the practice?
  • When do you know when to stop counterattacks?

Suppose there's an ultra-sharp team of people, including former military, NSA and perhaps even some ex-con hackers, working on the enterprise's offensive security program. Is it truly in the best interest of your business mission for these people to fight back when the attacks start? Fighting back in the physical sense is often the only option for survival, but is that necessary to secure ones and zeroes? Deception and hack back techniques could instigate the attackers even further. Is the network, the team and the business ready to handle the potential repercussions? If it gets out, how are such attacks going to reflect on the organization in the marketplace? What legal issues arise when it indirectly impacts innocent third parties when gathering attack information and/or hacking back?

For enterprises that truly have a handle on their information security programs, have maximum visibility and control along with minimal risks, these deception techniques might be just what's needed to take security to the next level. Until then, focus on what matters and fix the fixable. Otherwise, enterprises will be spinning their wheels and wasting valuable resources that would be better served elsewhere.


This was last published in December 2015

If your organization uses deception tools or 'hack back' techniques, do you think they're effective?
No, we don't use deception techniques but I think it's totally fine to use something like that as an additional tool in the box. 

Also I don't think it's realistic to think that a company should first focus on doing literally everything that they could do to prevent an attack. Seriously, who is ever going to get there? That's an unreachable goal. 
Deception technology is absolutely not the same as "hacking back" and reaching outside of your network to do harm. That's totally different. Not remotely comparable. Once again, you are deceiving and identifying attackers that have no business being in your network before they steal your data and destroy your information technology assets.

Deception technology is just better at dealing with sophisticated attackers otherwise known as advanced persistent threats (APTs). It is no secret that the existing perimeter, end-point and intrusion detection legacy cyber defense suites are failing at an increasing rate to keep attackers out. Just read Google News every day. The attackers are in just about every major enterprise.

Deception technology is cool because it finds these attackers that the other cyber defense software misses. It is designed to find attackers that have already penetrated your network that the other guys have missed. It is really good at finding attackers moving quietly on your network from their backdoor (which might be in a medical device, an IoT device, industrial control system, whatever …) through your networks when every other technology has failed to detect the attacker. If you ask the guys/gals in the security operations center, the number one goal is now reducing the time to breach detection. Deception tech can take it down from months to a few hours or a very few days. That's the prize.

When did deception-level technology get associated with “hacking back?” I read the Gartner report Kevin is referring to and there’s nothing in it that ties deception to hacking back.

The report’s key findings suggest that deception as a defense strategy against attackers has merit, and can be an attractive new capability for larger organizations desiring advanced threat detection and defense solutions. Additional key findings in the report suggest:
- Many organizations don't understand what threat deception is; educating security buyers on its usefulness will be crucial to furthering adoption of deception technologies and concepts.
- Deception as an automated responsive mechanism represents a sea change in the capabilities of the future of IT security that product managers or security programs should not take lightly.
- Deception decoy sensor providers emerge to offer enhanced detection of east-west attacks by distributing sensors across an enterprise's internal environment, and mimicking enterprise endpoint services, applications and systems.
The word “hack” or “hacking back” isn’t mentioned anywhere in the report.