Security and risk management leaders looking for tools to build or expand their threat detection and response function should include deception tools and technologies in their stack.

Deception platforms are centrally managed systems that let organizations create, distribute and manage an entire deceptive environment and its related architectural elements. These decoy workstations, servers, devices, applications, services, protocols, data elements or users are often virtualized, are essentially indistinguishable from real assets and identities, and are used as lures to entice, engage and detect an attacker.

"Security and risk management leaders wishing to initiate or augment their threat detection and response processes should embrace deception in their arsenal of tools."
- Gartner

How Does Deception Work?

The Security Team will play a central role by preparing a campaign that reflects what the organization wants to protect, and by monitoring the alerts coming from the deception tool. Once the use case has been selected, the tool will facilitate the creation of a targeted campaign to achieve that goal.

The Deception Tool, once told what type of campaign to run, will generate and deploy artifacts such as fakes, decoys, lures or other breadcrumbs. To create artifacts that look real and improve believability, the deception tool scours several organizational information repositories to learn the naming conventions the organization is using. Once the artifacts have been generated, the campaign dictates where they need to be installed, and the deception tool manages their deployment using virtualization techniques or cloud-based zero-footprint approaches.

The Attacker will often follow an approach derived from Lockheed Martin's Cyber Kill Chain model and pass through four risky phases in which they can be exposed: Reconnaissance, Lateral Movement, Data Gathering and Delivery.
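As an added illustration of the workflow above (not Proveho Networks' code or any vendor's tool), the Python sketch below learns a naming convention from a constructed directory listing, mints decoy identities that match it, and treats any authentication event that names a decoy as an alert, success or failure alike, because nobody is supposed to touch them. Every account name, surname, log line and address in it is constructed.

```python
import re
from collections import Counter

# Constructed sample of real account names, standing in for what a deception
# tool would read from the directory to learn the naming convention.
REAL_USERS = ["jsmith-adm", "mjones-adm", "akhan-adm", "svc-backup", "svc-sql"]

# Constructed surnames used only to mint decoy identities (hypothetical).
DECOY_SURNAMES = ["rowan", "bellamy", "okafor"]

# Constructed auth log lines: one real login, one service account, and two
# touches of decoy identities from the same source address.
SAMPLE_LOG = [
    "2024-05-01T10:02:11Z auth user=jsmith-adm src=10.0.0.5 result=SUCCESS",
    "2024-05-01T10:02:40Z auth user=trowan-adm src=10.0.0.77 result=FAILURE",
    "2024-05-01T10:03:02Z auth user=svc-backup src=10.0.0.9 result=SUCCESS",
    "2024-05-01T10:03:15Z auth user=lbellamy-adm src=10.0.0.77 result=SUCCESS",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def learn_suffix(users):
    """Return the most common '-suffix' among the real account names."""
    suffixes = Counter(u[u.rfind("-"):] for u in users if "-" in u)
    return suffixes.most_common(1)[0][0]


def mint_decoys(real_users, surnames, initials="tlp"):
    """Build decoy usernames as initial + surname + learned suffix, never colliding with real ones."""
    suffix = learn_suffix(real_users)
    return {f"{i}{s}{suffix}" for i, s in zip(initials, surnames)} - set(real_users)


def scan_auth_log(lines, decoys):
    """Every parseable event that names a decoy is an alert; the result field is irrelevant."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["user"] in decoys:
            alerts.append({"ts": m["ts"], "user": m["user"], "src": m["src"], "result": m["result"]})
    return alerts


if __name__ == "__main__":
    decoys = mint_decoys(REAL_USERS, DECOY_SURNAMES)
    for a in scan_auth_log(SAMPLE_LOG, decoys):
        print(f"ALERT decoy {a['user']} touched from {a['src']} at {a['ts']} ({a['result']})")
```

The two alerts share a source address, which is the kind of low-noise, immediately actionable lead the text describes.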

Proveho Networks Deception Technology Framework and Evolution

Value Proposition

Deception tools can augment, or potentially replace, threat detection and response (TDR) approaches in important ways, providing low-false-positive, high-quality data and telemetry that is very valuable and immediately actionable.

Deception tools force a paradigm shift by approaching threat detection as a “right data” problem, rather than a “big data” problem like SIEM, UEBA or NTA vendors posit.

Contrary to more traditional approaches to security, where the defender has to be right 100% of the time and the attacker just needs to be lucky once, deception tools turn this model upside down. Now the attacker has to be right 100% of the time or trip a mine, and the defender just needs to be lucky once, because a single tripped mine exposes the intrusion.

Deception tools offer high-quality alerts via an easy-to-manage ecosystem of simple landmines that nobody is supposed to touch.

“By 2022, 25% of all threat detection products will embed deception features and functionality, up from less than 5% today.”

“By 2022, 25% of all threat detection and response projects will include deception features and functionality, either embedded in their current vendor’s threat detection technology stack or through pure-play deception platforms, up from 5% today.”
- Gartner, Improve your Threat Detection Function with Deception Technologies