Emerging deception tools and techniques, such as next-generation honeypots and decoy systems, could have a game-changing impact on enterprise security strategies. That’s according to a new Gartner report titled “Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities,” which examined the potential for organizations to use deception as a strategy for thwarting attackers and making it costlier for them to engage in threat campaigns.
According to Gartner, a new generation of distributed decoy technologies that employ deception as a way to misdirect intruders and disrupt their activities at multiple points along the attack chain are becoming available.
Enterprises should consider implementing such deception as an automated response capability because it represents a sea change in the future of enterprise security, wrote Lawrence Pingree, Gartner analyst and author of the report.
Ideally, the goal should be to implement a capability so that when an intrusion is detected, the threat actors and compromised systems are automatically isolated into a “network deception zone,” Pingree said in the report. They should be “provided with what is equivalent to a hall of mirrors, in which everything looks real, and everything looks fake,” he wrote.
Delay and Deflect
The effort should be to delay attackers and force them to spend more time and effort figuring out what is real and whether to proceed with an attack. Several existing security tools offer deception capabilities or can be relatively easily tweaked to provide a disruptive deception capability, Pingree said in the report.
Examples of specialized distributed decoy tools include those from vendors like Attivo Networks, TrapX, Cymmetria and GuardiCore. Tools from these vendors specialize in deceiving attackers into seeing things that are not there on the network or luring them into believing they have accomplished a task when they have not. Some tools, for instance, create fake systems and network components that look and act exactly like real assets.
Existing Tools for Enterprise Security
Deception can be implemented with existing tools, as well. For example, firewalls with blacklists, intrusion prevention, URL filtering and similar capabilities can be set to transport connections from known malicious hosts to network emulation services or to deception decoy services within the enterprise network.
Standalone intrusion prevention appliances from vendors like IBM, Cisco, HP and Intel can similarly be leveraged to implement deceptive measures at the network protocol layer. Even basic measures like TCP tarpits — where a device responds appropriately to a TCP handshake request but never opens a connection — continues to be an effective response to mass TCP port scans.
Similarly, endpoint protection and endpoint detection and response tools can be leveraged to implement deception at the malware host layer, Pingree said. For example, an unknown binary could be deceived into believing it is operating within a virtual environment, or it could be forced to go dormant by emulating processes that look like several versions of antivirus are running on the host.
Deception technologies and techniques can be deployed along the entire attack chain, Pingree said. During the reconnaissance stage when an attacker might be scouting the network, deception can be used to provide the attacker with false information on the topography and the assets on the network.
Similarly, during the weaponization stage, when an attacker is figuring out what tools to use in an attack, deception can be used to delay the attacker’s tool selection process, the report noted. Suspicious software could be forced to run for longer periods of time in a sandbox environment, or false information pertaining to the operating system and application could be fed to it. Deceptions can similarly be employed at the malware delivery, installation and exploit stages.
By 2018, expect to see 10 percent of all enterprises use such techniques, the report predicted. Factors that could inhibit adoption include fear of false alerts and deception believability. But should vendors continue to develop these tools and organizations evolve their security strategies, enterprise security can be in a better position to protect against attacks.