Deception technology
Overview
Deception technology is an emerging category of cyber security defense. Deception technology can rapidly detect, analyze, and defend against zero-day and advanced attacks often in real time. Deception technology is automated, highly accurate,[1] and shares insight into malicious activity within internal networks which may be unseen by other types of cyber defense. Deception technology enables a more proactive security posture. Deception technology seeks to deceive the attackers, detect them decisively and then effectively defeat them allowing the enterprise to return to normal operations.
Existing defense-in-depth cyber technologies have struggled against the increasing wave of sophisticated and persistent human attackers. These technologies seek primarily to defend a perimeter. Neither firewalls nor endpoint security can defend a perimeter with 100% certainty. It is clear that cyber-attackers can penetrate these networks and then continue to move unimpeded for many months, during which time they steal data and intellectual property. Heuristics may find an attacker within the network, but often generate so many alerts that critical alerts are missed. Since 2014 attacks have dramatically accelerated and there is evidence that cyber-attackers are penetrating traditional defenses at a rapidly increasing rate.
Deception technology considers the human attacker's point of view and methodology for exploiting and navigating networks to identify and exfiltrate data. Deception technology fills this gap and extends the power of the traditional cyber defense. Deception technology integrates with existing technologies to provide new visibility into the internal networks and to share its high-probability alerts and threat intelligence with the existing infrastructure.
Technology - High Level View
Deception technology automates the creation of traps (decoys) and/or lures, which are mixed among and within existing IT resources to provide a layer of protection that stops attackers who have successfully penetrated the network. Traps (decoys) are IT assets that either run real licensed operating system software or are emulations of such devices.
Traps (decoys) which use emulations can also imitate medical devices, automated teller machines (ATMs),[2] retail point of sale systems, switches, routers and much more. Lures are generally real information technology resources (files of varying kinds) which are placed on actual IT assets.
Upon penetrating the network, attackers seek to establish a backdoor and then use it to identify and exfiltrate data and intellectual property. They begin moving laterally through the internal VLANs and almost immediately "look at" one of the traps (decoys). Any access to a trap's internet protocol address ("looking at" a trap) triggers an alert. These alerts are very high probability and almost always coincide with an ongoing attack. The deception is designed to lure the attacker in: the attacker may consider the trap a worthy asset and continue by injecting malware. Deception technology generally allows for automated static and dynamic analysis of this injected malware and delivers the resulting reports automatically to security operations personnel. Deception technology may also identify, through indicators of compromise (IOC), suspect endpoints that are part of the compromise cycle. Automation may also allow for an automated memory analysis of the suspect endpoint, followed by automated isolation of that endpoint. Many partner integrations allow for a variety of implementation paths for existing enterprise and government customers.
The technical innovation of deception technology has been well received by the market. A leading industry analyst identified ten top technologies for information security in 2016, and deception technology was among them.
Specialized Applications for Deception Technology
Internet of things (IoT) devices are not scanned by legacy defense-in-depth cyber defenses and remain prime targets for attackers within the network. Deception technology can identify attackers moving laterally into the network from within these devices.
Integrated turnkey devices that run embedded operating systems, but do not allow those operating systems to be scanned or closely protected by embedded endpoint or intrusion detection software, are also well protected by a deception technology deployment in the same network. Examples include process control systems (SCADA) used in many manufacturing applications worldwide. Deception technology has been associated with the discovery of Zombie Zero,[3] an attack vector in which deception technology identified an attacker using malware embedded in barcode readers that were manufactured overseas.
Medical devices are particularly vulnerable to cyber attacks within healthcare networks. As FDA-certified devices they are closed systems and not accessible to standard cyber defense software. Deception technology can surround and protect these devices and identify attackers using them for backdoor placement and data exfiltration. Recently documented cyber attacks on medical devices include X-ray machines, CT scanners, MRI scanners, blood gas analyzers, PACS systems and many more. Networks utilizing these devices can be protected by deception technology. This attack vector, called medical device hijack or MEDJACK, is estimated to have penetrated many hospitals worldwide.[4]
Specialized deception technology products are now, for perhaps the first time, substantively addressing the rise in ransomware. Select products[5] can deceive ransomware into engaging in an attack on a decoy resource, while isolating the infection points and alerting the cyber defense software team.
History of Deception Technology
Honeypots were perhaps the first, very simple form of deception on the cyber battlefield. A honeypot appeared simply as an unprotected information technology resource and presented itself in an attractive way to a prospective attacker already within the network. The notion of honeypots deceiving attackers, perhaps delaying and identifying them, and then ultimately supporting efforts to shut down the attack was a good one. Potential benefits aside, most early honeypots exhibited challenges with functionality, integrity and overall efficacy in meeting these goals. The key shortcoming was the lack of automation that would enable deployment at broad scale. A deployment strategy that seeks to cover an enterprise where hundreds, thousands or even tens of thousands of VLANs must be protected is not economically efficient using manual processes and manual configuration.
The gap between legacy honeypots and modern deception technology has diminished over time and will continue to do so. Modern honeypots constitute the low end of the deception technology space today.
Differentiation from Competitive/Cooperative Technologies
Traditional cyber defense technologies, such as firewalls and endpoint security, generate many alerts. In a large enterprise the alert volume may reach thousands, hundreds of thousands or, in some cases, millions of alerts per day. Security operations personnel cannot process most of this activity easily, if at all. Yet it only takes one successful penetration to compromise an entire network.
Deception technology produces alerts that are the end product of a binary process: probability is essentially reduced to two values, 0% and 100%. Any party that seeks to identify, ping, enter or view any trap (decoy), or that utilizes a lure, is immediately identified by this behavior. This is a binary process, not a probabilistic one. Touching these traps or lures is clearly a violation; no legitimate user should be doing so. This is an advantage over heuristics and probability-based approaches and the many thousands of extraneous alerts those techniques generate.
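The binary alerting described here, and the identification of suspect endpoints described under the high-level view above, can be illustrated with a small detector. This is an added example, not code from the article or from any vendor; the trap IP addresses, lure file paths, log formats and log lines are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed inventory of deployed traps (decoy IPs) and lures (honeytoken
# file paths). In a real deployment this list comes from the deception platform.
TRAP_IPS = {"10.0.5.23", "10.0.5.77", "10.0.9.14"}
LURE_PATHS = {r"\\fs01\finance\payroll_2016.xlsx", r"\\fs01\it\vpn_creds.txt"}

# Constructed sample events: firewall connection records and file-audit records.
SAMPLE_LOGS = [
    r"2016-09-28T10:01:02 CONN src=10.0.3.40 dst=10.0.5.23 dport=445",
    r"2016-09-28T10:01:03 CONN src=10.0.3.40 dst=10.0.5.1 dport=445",
    r"2016-09-28T10:01:05 FILE user=jdoe host=10.0.3.40 path=\\fs01\finance\payroll_2016.xlsx",
    r"2016-09-28T10:02:10 CONN src=10.0.3.41 dst=10.0.9.14 dport=22",
    r"2016-09-28T10:02:11 CONN src=10.0.3.42 dst=10.0.9.15 dport=80",
]

CONN_RE = re.compile(r"^(\S+) CONN src=(\S+) dst=(\S+) dport=(\d+)$")
FILE_RE = re.compile(r"^(\S+) FILE user=(\S+) host=(\S+) path=(.+)$")


def classify(line):
    """Return an alert dict if the event touches a trap or lure, else None.

    No scoring or thresholds: any interaction with a decoy is a violation,
    which is the binary property the article contrasts with heuristics.
    """
    m = CONN_RE.match(line)
    if m:
        ts, src, dst, port = m.groups()
        if dst in TRAP_IPS:
            return {"ts": ts, "source": src, "kind": "trap", "target": dst, "port": int(port)}
        return None
    m = FILE_RE.match(line)
    if m:
        ts, user, host, path = m.groups()
        if path in LURE_PATHS:
            return {"ts": ts, "source": host, "kind": "lure", "target": path, "user": user}
    return None


def suspect_endpoints(lines):
    """Group alerts by source host: these are the endpoints to isolate and examine."""
    hits = defaultdict(list)
    for line in lines:
        alert = classify(line)
        if alert:
            hits[alert["source"]].append(alert)
    return dict(hits)
```

Connections to ordinary production hosts (the second and fifth sample lines) produce nothing, while every touch of a trap or lure is reported and attributed to its source host.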
Best practice shows that deception technology is not a stand-alone strategy. Deception technology is an additional compatible layer to the existing defense-in-depth cyber defense. Partner integrations make it most useful and the goal is to add protection for the most advanced and sophisticated human attackers that will successfully penetrate the perimeter.
Market Size and Adoption
A leading industry analyst predicted in August 2016 that the deception technology market is currently (in 2016) approximately $50 to $100 million globally, and further predicted $100 million to $200 million in revenue by 2018. This same analyst earlier noted that, “by 2018 ... 10 percent of enterprises will use deception tools and tactics, and actively participate in deception operations against attackers.” Gartner also noted deception technology as a "far underutilized technology that can provide serious advantages over attackers (cyber attackers)."[6]
Two other important analysts have recently predicted a market size exceeding $1 billion by 2020.[7] Adoption is being fueled, in part, by continued, highly visible targeted attacks on large enterprise and government institutions globally.
Participating Vendors
The list of participating vendors includes, but is not limited to:
Allure Security Technology, Attivo Networks, Cymmetria, ForeScout, GuardiCore, Hexis Cyber Solutions, Illusive Networks, LogRhythm, Percipient Networks, Rapid7, Shape Security, Specter, TrapX Security and Topspin Security.
References
1. Lawrence Pingree, quoted in http://www.csoonline.com/article/3113055/security/deception-technology-grows-and-evolves.html
2. "Payments Week Issue", page 42.
3. http://www.forbes.com/sites/kurtmarko/2014/07/10/trojan-hardware-spreads-apts/
4. http://www.surgicalproductsmag.com/article/2016/07/dangerous-state-medical-cybersecurity
5. http://www.healthcareitnews.com/news/trapx-launches-ransomware-deception-tool-cryptotrap
6. http://blogs.gartner.com/lawrence-pingree/2016/09/28/deception-related-technology-its-not-just-a-nice-to-have-its-a-new-strategy-of-defense/
7. http://www.cio.com/article/3113444/security/deception-technology-grows-and-evolves.html