Deception technology
Deception technology is an emerging category of cyber security defense. Deception technology products can detect, analyze, and defend against zero-day and advanced attacks, often in real time. They are automated, accurate,[1] and provide insight into malicious activity within internal networks which may be unseen by other types of cyber defense. Deception technology enables a more proactive security posture by seeking to deceive the attackers, detect them and then defeat them, allowing the enterprise to return to normal operations.
Existing defense-in-depth cyber technologies have struggled against the increasing wave of sophisticated and persistent human attackers. These technologies seek primarily to defend a perimeter, but neither firewalls nor end-point security can defend a perimeter with 100% certainty. Cyber-attackers can penetrate these networks and move unimpeded for months, stealing data and intellectual property. Heuristics may find an attacker within the network, but often generate so many alerts that critical alerts are missed. Since 2014, attacks have accelerated, and there is evidence that cyber-attackers are penetrating traditional defenses at a rapidly increasing rate.
Deception technology considers the human attacker's point of view and method for exploiting and navigating networks to identify and exfiltrate data. It integrates with existing technologies to provide new visibility into internal networks and to share high-probability alerts and threat intelligence with the existing infrastructure.
Technology: High Level View
Deception technology automates the creation of traps (decoys) and/or lures which are mixed among and within existing IT resources to provide a layer of protection to stop attackers that have penetrated the network. Traps (decoys) are IT assets that either use real licensed operating system software, or are emulations of these devices.
Traps (decoys) which use emulations can also imitate medical devices, automated teller machines (ATMs),[2] retail point of sale systems, switches, routers and much more. Lures are generally real information technology resources (files of varying kinds) which are placed on actual IT assets.
Upon penetrating the network, attackers seek to establish a backdoor and then use it to identify and exfiltrate data and intellectual property. They begin moving laterally through the internal VLANs and almost immediately will "look at" one of the traps (decoys). Interacting with one of these "decoys" triggers an alert. These alerts are very high probability and almost always coincide with an ongoing attack. The deception is designed to lure the attacker in – the attacker may consider the decoy a worthy asset and continue by injecting malware. Deception technology generally allows for automated static and dynamic analysis of this injected malware and provides these reports through automation to the security operations personnel. Deception technology may also identify, through indicators of compromise (IOC), suspect end-points that are part of the compromise cycle. Automation also allows for an automated memory analysis of the suspect end-point, followed by automatic isolation of that end-point. Many partner integrations allow for a variety of implementation paths for existing enterprise and government customers.
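The trap-and-alert cycle just described, as an added example that is not code from the article or from any deception product: a minimal low-interaction decoy TCP service. Because no legitimate client is ever configured to use the decoy, the connection itself is the detection; the connecting address becomes the IOC and is handed to an automated response step. The class and function names, the FTP-style banner and the `isolate()` stub (which only records the decision instead of calling a real EDR or NAC API) are all assumptions made for this example, and the probe runs against 127.0.0.1 only.

```python
"""Minimal low-interaction decoy: any TCP connection is an alert.

Added example, not code from the page or any vendor. Runs on 127.0.0.1 with
an ephemeral port; the banner is a constructed sample; isolate() is a stub
that records the decision instead of calling a real EDR/NAC API. All names
here are invented for the example.
"""
import socket
import socketserver
import threading
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class DecoyAlert:
    decoy: str          # trap that was touched
    source_ip: str      # the IOC: an endpoint that should never talk to a decoy
    first_bytes: bytes  # what the toucher sent, kept as evidence for triage
    seen_at: str        # UTC timestamp


class DecoyHandler(socketserver.BaseRequestHandler):
    """No legitimate client exists, so the connection itself is the detection."""

    def handle(self):
        self.request.settimeout(0.5)
        try:
            data = self.request.recv(256)   # sample of what was sent, if anything
        except OSError:                      # timeout or reset: still a touch
            data = b""
        # Record before answering: once the toucher has read the banner,
        # the alert is guaranteed to be on file.
        self.server.record(DecoyAlert(
            decoy=self.server.name,
            source_ip=self.client_address[0],
            first_bytes=data,
            seen_at=datetime.now(timezone.utc).isoformat(),
        ))
        try:
            self.request.sendall(self.server.banner)  # keep the interaction plausible
        except OSError:
            pass                                      # toucher left; the alert stands


class DecoyService(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, name, bind=("127.0.0.1", 0),
                 banner=b"220 fs01 FTP server ready\r\n"):  # constructed banner
        super().__init__(bind, DecoyHandler)
        self.name = name
        self.banner = banner
        self.alerts = []
        self.isolation_queue = set()   # endpoints handed to the (stubbed) response step
        self._lock = threading.Lock()

    def record(self, alert):
        with self._lock:
            self.alerts.append(alert)
            self.isolate(alert.source_ip)

    def isolate(self, ip):
        # Stub for the automated response described in the text; a real
        # deployment would call its EDR/NAC integration here.
        self.isolation_queue.add(ip)


def start_decoy(name="fake-fileserver"):
    srv = DecoyService(name)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def touch(port, payload=b""):
    """Local stand-in for a lateral-movement probe: connect, send, read banner."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        if payload:
            s.sendall(payload)
        return s.recv(128)


def demo():
    """Start a decoy, touch it once, return what the defender sees."""
    srv = start_decoy()
    try:
        banner = touch(srv.server_address[1], b"USER anonymous\r\n")
        alert = srv.alerts[0]
        return {
            "banner": banner,
            "alert_count": len(srv.alerts),
            "source_ip": alert.source_ip,
            "first_bytes": alert.first_bytes,
            "isolated": sorted(srv.isolation_queue),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The alert is recorded before the banner is written back, so by the time the toucher has read anything the event is already on file; a real deployment would forward `DecoyAlert` records to the SIEM and replace `isolate()` with its partner integration.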
Specialized Applications
Internet of things (IoT) devices are not usually scanned by legacy defense-in-depth cyber defenses and remain prime targets for attackers within the network. Deception technology can identify attackers moving laterally into the network from within these devices.
Integrated turnkey devices that use embedded operating systems, but do not allow those operating systems to be scanned or closely protected by end-point or intrusion detection software, are also well protected by a deception technology deployment on the same network. Examples include process control systems (SCADA) used in many manufacturing applications on a global basis. Deception technology has been associated with the discovery of Zombie Zero,[3] an attack vector wherein deception technology identified an attacker utilizing malware embedded in barcode readers which were manufactured overseas.
Medical devices are particularly vulnerable to cyber attacks within healthcare networks. As FDA-certified devices they are closed systems and not accessible to standard cyber defense software. Deception technology can surround and protect these devices and identify attackers using them for backdoor placement and data exfiltration. Recent documented cyber attacks on medical devices include x-ray machines, CT scanners, MRI scanners, blood gas analyzers, PACS systems and many more. Networks utilizing these devices can be protected by deception technology. This attack vector, called medical device hijack or medjack, is estimated to have penetrated many hospitals worldwide.[4]
Specialized deception technology products are now capable of addressing the rise in ransomware. Select products[5] can deceive ransomware into engaging in an attack on a decoy resource, while isolating the infection points and alerting the cyber defense software team.
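One way a decoy resource engages ransomware, as an added example that is not the article's or any product's code: decoy ("canary") files planted beside real documents. Ransomware that walks a directory rewrites or renames whatever it finds; since a decoy file has no legitimate writer, any change against its baseline hash is an alert, and the host is queued for isolation. The file names, the `constructed-host` label and the temporary-directory layout are assumptions; `simulate_encryptor()` is a constructed stand-in that only scribbles over files inside that temporary directory.

```python
"""Decoy ("canary") files for ransomware detection.

Added example, not the page's or any product's code. Canaries are planted
beside real documents; ransomware that walks the directory rewrites or renames
them, and a baseline check turns that into an alert plus an isolation decision.
Everything happens in a temporary directory; simulate_encryptor() is a
constructed stand-in confined to that directory; names and paths are invented.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CANARY_NAMES = ("budget_2016_final.xlsx", "passwords_old.txt", "zz_archive.docx")


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def plant_canaries(directory):
    """Write inert decoy files and return {path: baseline sha256}."""
    baseline = {}
    for name in CANARY_NAMES:
        p = Path(directory) / name
        p.write_bytes(f"decoy {name}\n".encode() * 64)   # plausible size, no real data
        baseline[str(p)] = sha256_of(p)
    return baseline


def check_canaries(baseline):
    """Compare each canary with its baseline; return [(path, reason)]."""
    findings = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            findings.append((path, "missing"))      # deleted or renamed (e.g. *.locked)
        elif sha256_of(p) != digest:
            findings.append((path, "rewritten"))    # content replaced, as by encryption
    return findings


def respond(findings, host="constructed-host"):
    """Decoy files have no legitimate writer, so any finding is an alert."""
    if not findings:
        return {"alert": False, "isolate": None, "evidence": []}
    return {"alert": True, "isolate": host, "evidence": findings}


def simulate_encryptor(directory):
    """Constructed stand-in for ransomware behaviour, confined to `directory`:
    overwrite every file with random bytes and rename .txt files to .locked."""
    for p in list(Path(directory).iterdir()):
        if p.is_file():
            p.write_bytes(os.urandom(p.stat().st_size))
            if p.suffix == ".txt":
                p.rename(p.with_suffix(".locked"))


def demo():
    """Plant canaries next to a real file, check, run the simulation, check again."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "real_report.docx").write_bytes(b"genuine document")
        baseline = plant_canaries(d)
        before = respond(check_canaries(baseline))
        simulate_encryptor(d)
        after = respond(check_canaries(baseline))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

Polling against a stored baseline keeps the watcher independent of the file system's notification API; a deployment would run `check_canaries()` on a short interval or from an inotify/ReadDirectoryChanges hook and feed the evidence tuples into the isolation step.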
History
Honeypots were perhaps the first, very simple form of deception. A honeypot appeared simply as an unprotected information technology resource and presented itself in an attractive way to a prospective attacker already within the network. The notion of honeypots deceiving attackers, perhaps delaying and identifying them, and then ultimately supporting efforts to shut down the attack was a good one. Potential benefits aside, most early honeypots exhibited challenges with functionality, integrity and overall efficacy in meeting these goals. A key limitation was the lack of automation needed to deploy at scale. A deployment strategy seeking to cover an enterprise in which up to tens of thousands of VLANs must be protected is not economically efficient with manual processes and manual configuration.
The gap between legacy honeypots and modern deception technology has diminished over time and will continue to do so. Modern honeypots constitute the low end of the deception technology space today.
Differentiation from Competitive/Cooperative Technologies
Traditional cyber defense technologies, such as firewalls and end-point security, generate many alerts. In a large enterprise the alert volume may reach, in some cases, millions of alerts per day. Security operations personnel cannot process most of the activity easily, yet it only takes one successful penetration to compromise an entire network.
Deception technology produces alerts that are the end product of a binary process. Probability is essentially reduced to two values: 0% and 100%. Any party that identifies, pings, enters or views a trap (decoy), or uses a lure, is immediately identified by that behavior. Anyone touching these traps or lures should not be doing so. This is an advantage over heuristics and probability-based approaches and the many thousands of extraneous alerts these techniques generate.
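The contrast drawn in this section and the previous one, as an added example that is not from the article or any vendor: one constructed activity log scored by a fan-out heuristic and by a deception rule. The heuristic needs a tuned cut-off, and whichever cut-off is chosen it either flags a legitimate backup server as well or misses the intruder; the deception rule has no parameter at all, because no legitimate workflow contacts a decoy address or reads a lure file. Every address, host name, path and event below is constructed for the example.

```python
"""One constructed activity log scored two ways.

Added example, not from the page or any vendor. A fan-out heuristic needs a
tuned cut-off and still flags a legitimate backup server; the deception rule
has no parameter, because no legitimate workflow contacts a decoy address or
reads a lure file. Every address, host and path below is constructed.
"""
from collections import defaultdict

# Deception inventory: nothing legitimate is configured to use any of these.
DECOY_HOSTS = {"10.0.5.23", "10.0.5.24", "10.0.9.50"}
LURE_FILES = {"/srv/share/finance/vpn_credentials.txt", "/srv/share/.ssh/id_rsa_backup"}

# Constructed events as (source, kind, target). kind is "flow" (network
# connection to target) or "file" (read of target path on a real file server).
EVENTS = (
    # ordinary workstation: a handful of internal destinations
    [("10.0.1.15", "flow", "10.0.1.2"), ("10.0.1.15", "flow", "10.0.1.3"),
     ("10.0.1.15", "file", "/srv/share/finance/q3_report.xlsx")]
    # backup server: legitimately reaches every host on the VLAN each night
    + [("10.0.2.9", "flow", f"10.0.1.{i}") for i in range(2, 40)]
    # compromised workstation: sweeps part of the VLAN, then touches a decoy and reads a lure
    + [("10.0.1.77", "flow", f"10.0.1.{i}") for i in range(2, 12)]
    + [("10.0.1.77", "flow", "10.0.5.23"),
       ("10.0.1.77", "file", "/srv/share/finance/vpn_credentials.txt")]
)


def heuristic_alerts(events, fanout_threshold):
    """Flag sources that contact more than `fanout_threshold` distinct hosts."""
    targets = defaultdict(set)
    for src, kind, tgt in events:
        if kind == "flow":
            targets[src].add(tgt)
    return {src for src, seen in targets.items() if len(seen) > fanout_threshold}


def deception_alerts(events):
    """Threshold-free rule: any decoy contact or lure read is an alert."""
    alerts = []
    for src, kind, tgt in events:
        if kind == "flow" and tgt in DECOY_HOSTS:
            alerts.append({"source": src, "trigger": "decoy", "target": tgt})
        elif kind == "file" and tgt in LURE_FILES:
            alerts.append({"source": src, "trigger": "lure", "target": tgt})
    return alerts


def compare(events=EVENTS):
    """Show how the verdicts differ: the heuristic either over- or under-alerts
    depending on its cut-off; the deception rule names only the intruder."""
    return {
        "heuristic_t5": sorted(heuristic_alerts(events, 5)),
        "heuristic_t20": sorted(heuristic_alerts(events, 20)),
        "deception": sorted({a["source"] for a in deception_alerts(events)}),
    }


if __name__ == "__main__":
    for label, sources in compare().items():
        print(f"{label:14} -> {sources}")
    for a in deception_alerts(EVENTS):
        print("alert:", a)
```

With the cut-off at 5 the heuristic flags both the backup server and the intruder; at 20 it flags only the backup server. The deception rule returns two alerts, both naming the same source, which is why such alerts can be forwarded to the existing infrastructure with little triage.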
Best practice shows that deception technology is not a stand-alone strategy. Deception technology is an additional, compatible layer on top of the existing defense-in-depth cyber defense. Partner integrations make it most useful, and the goal is to add protection against the most advanced and sophisticated human attackers, who will successfully penetrate the perimeter.
Market Size and Adoption
The technical innovation of deception technology has been received by the market. An industry analyst identified ten top technologies for information security in 2016, one of which was deception technology.
An industry analyst estimated in August 2016 that the deception technology market was then (in 2016) approximately $50 to $100 million globally, and predicted $100 million to $200 million in revenue by 2018. This same analyst earlier noted that, "by 2018 ... 10 percent of enterprises will use deception tools and tactics, and actively participate in deception operations against attackers". Gartner also noted deception technology as a "far underutilized technology that can provide serious advantages over attackers (cyber attackers)".[6]
Two other important analysts have recently predicted a market size exceeding $1 billion by 2020.[7] Adoption is being fueled, in part, by continued, highly visible targeted attacks on large enterprise and government institutions globally.
Market Research Media estimates the cumulative deception technology market value at $12 billion (2017–2022), growing at about 19% CAGR.[8]
See also
- Cybercrime
- Network security
- Proactive cyber defense
References
- Maria Korolov (August 29, 2016). "Deception technology grows and evolves". CSO Online. Lawrence Pingree quoted in the article.
- "Payments Week Issue - go to page 42".
- Marko, Kurt. "How a Scanner Infected Corporate Systems and Stole Data: Beware Trojan Peripherals".
- "The Dangerous State of Medical Cybersecurity". 13 July 2016.
- "TrapX launches ransomware deception tool, CryptoTrap". 25 August 2016.
- "Deception related technology - its not just a "nice to have", it's a new strategy of defense - Lawrence Pingree". 28 September 2016.
- Korolov, Maria. "Deception technology grows and evolves".
- "Deception Cybersecurity Market Forecast 2017-2022". 9 February 2018.
Further reading
- Lance Spitzner (2002). Honeypots tracking hackers. Addison-Wesley. ISBN 0-321-10895-7.
- Sean Bodmer, Max Kilger, Gregory Carpenter, Jade Jones (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. McGraw-Hill Education. ISBN 978-0071772495.