September 2, 2015 By Jaikumar Vijayan

Emerging deception tools and techniques, such as next-generation honeypots and decoy systems, could have a game-changing impact on enterprise security strategies. That’s according to a new Gartner report titled “Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities,” which examined the potential for organizations to use deception as a strategy for thwarting attackers and making it costlier for them to engage in threat campaigns.

Next-Generation Tools

According to Gartner, a new generation of distributed decoy technologies is becoming available. These tools employ deception to misdirect intruders and disrupt their activities at multiple points along the attack chain.

Enterprises should consider implementing such deception as an automated response capability because it represents a sea change in the future of enterprise security, wrote Lawrence Pingree, Gartner analyst and author of the report.

Ideally, the goal should be to implement a capability so that when an intrusion is detected, the threat actors and compromised systems are automatically isolated into a “network deception zone,” Pingree said in the report. They should be “provided with what is equivalent to a hall of mirrors, in which everything looks real, and everything looks fake,” he wrote.

Delay and Deflect

The effort should be to delay attackers and force them to spend more time and effort figuring out what is real and whether to proceed with an attack. Several existing security tools offer deception capabilities or can be relatively easily tweaked to provide a disruptive deception capability, Pingree said in the report.

Examples of specialized distributed decoy tools include those from vendors like Attivo Networks, TrapX, Cymmetria and GuardiCore. Tools from these vendors specialize in deceiving attackers into seeing things that are not there on the network or luring them into believing they have accomplished a task when they have not. Some tools, for instance, create fake systems and network components that look and act exactly like real assets.

Existing Tools for Enterprise Security

Deception can be implemented with existing tools, as well. For example, firewalls with blacklists, intrusion prevention, URL filtering and similar capabilities can be set to transport connections from known malicious hosts to network emulation services or to deception decoy services within the enterprise network.

Standalone intrusion prevention appliances from vendors like IBM, Cisco, HP and Intel can similarly be leveraged to implement deceptive measures at the network protocol layer. Even basic measures like TCP tarpits — where a device responds appropriately to a TCP handshake request but never opens a connection — continue to be an effective response to mass TCP port scans.
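The tarpit idea above, sketched as an added example; it is not code from the Gartner report or from any vendor named here. It is a userspace approximation in which the kernel completes the handshake and the program never services the connection; the `Tarpit` class, its parameters and port 2222 are assumptions made for illustration.

```python
import socket
import time


class Tarpit:
    """Userspace TCP tarpit: the kernel completes the three-way handshake,
    but the application never reads from or writes to the connection."""

    def __init__(self, host="127.0.0.1", port=2222, max_held=256, hold_seconds=300):
        self.max_held = max_held          # cap so the tarpit cannot exhaust our own descriptors
        self.hold_seconds = hold_seconds  # how long each client is left waiting
        self.held = {}                    # socket -> time the connection was accepted
        self.log = []                     # (source ip, source port, time) per trapped client
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Ask for a tiny receive buffer (the kernel clamps it to its minimum) so
        # accepted sockets advertise a small window and the peer can queue little data.
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 1)
        self.srv.bind((host, port))
        self.srv.listen(128)
        self.srv.setblocking(False)
        self.port = self.srv.getsockname()[1]

    def poll(self, now=None):
        """Accept pending connections, release expired ones, return the number held."""
        now = time.monotonic() if now is None else now
        while True:
            try:
                conn, peer = self.srv.accept()
            except BlockingIOError:
                break                     # nothing left in the accept queue
            if len(self.held) >= self.max_held:
                conn.close()              # over the cap: drop instead of holding
                continue
            self.held[conn] = now
            self.log.append((peer[0], peer[1], now))
        for conn, accepted_at in list(self.held.items()):
            if now - accepted_at >= self.hold_seconds:
                conn.close()
                del self.held[conn]
        return len(self.held)


if __name__ == "__main__":
    pit = Tarpit()                        # 127.0.0.1:2222 is a constructed default
    while True:
        pit.poll()
        time.sleep(0.5)
```

The entries in `log` double as a detection signal, since nothing legitimate should connect to a port that exists only as a tarpit.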

Similarly, endpoint protection and endpoint detection and response tools can be leveraged to implement deception at the malware host layer, Pingree said. For example, an unknown binary could be deceived into believing it is operating within a virtual environment, or it could be forced to go dormant by emulating processes that look like several versions of antivirus are running on the host.

Attack Chain

Deception technologies and techniques can be deployed along the entire attack chain, Pingree said. During the reconnaissance stage when an attacker might be scouting the network, deception can be used to provide the attacker with false information on the topography and the assets on the network.

Similarly, during the weaponization stage, when an attacker is figuring out what tools to use in an attack, deception can be used to delay the attacker’s tool selection process, the report noted. Suspicious software could be forced to run for longer periods of time in a sandbox environment, or false information pertaining to the operating system and application could be fed to it. Deceptions can similarly be employed at the malware delivery, installation and exploit stages.

By 2018, expect to see 10 percent of all enterprises use such techniques, the report predicted. Factors that could inhibit adoption include fear of false alerts and deception believability. But should vendors continue to develop these tools and organizations evolve their security strategies, enterprise security can be in a better position to protect against attacks.
