Deception Security: Modern Maturity for Automated Detection and Response

Thursday, January 11, 2018
Deception Technology

Deception is becoming a critical part of organisations' security infrastructure. According to Gartner, the need for better detection and response is creating new opportunities for security stack automation, integration, consolidation and orchestration, while also driving the emergence of new segments like deception.

These trends set up the perfect match of deception and automated detection and response, or ADR.

The main goals of modern deception are to:

  1. Detect the presence of attackers in internal networks
  2. Thwart, confuse and delay an attack-in-progress
  3. Provide visibility into the attackers’ activities, goals and tactics

Following the compromise of assets in an organisation, attackers start their reconnaissance phase. They search the affected assets for valuable information and for clues about where the data they want lives in the environment, looking across endpoints, networks and other devices as they try to move laterally. The deception layer intervenes in this reconnaissance phase: decoys, lure credentials and planted documents have no legitimate users, so an attacker who touches them reveals their presence very early in the kill chain, before damage is caused to the organisation and before the attackers can reach their objective.

When done properly, deception has clear advantages:

  • Near-Zero False Positives: Because no legitimate process should ever interact with a decoy, the security team does not have to invest endless time in analysing benign events. Every deception alert is a high-confidence finding that warrants immediate response. The one routine exception is authorised activity such as vulnerability scanners and asset-discovery tools, which must be excluded from the decoys (or from the automatic response) before deployment, or they become the false positives that deception otherwise avoids
  • Detection and Response Automation: The accuracy of a deception layer enables a range of automatic responses, as the security team need not worry about blocking the activity of legitimate users. This reduces operational costs and increases the efficiency of the security team
  • Insider Threat Detection: While commercial ATD and IPS/IDS products focus on finding and flagging malware, deception also detects insiders. Since deception components are invisible to employees in normal use, immediate follow-up is mandated when a deception node, decoy or trap is tripped by an otherwise appropriately credentialed and provisioned member of staff
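The advantages above hinge on decoys having no legitimate users, and on the one routine exception (authorised scanners) being excluded before any automatic response fires. The following is an added example, not code from the original post or from any product: it triages constructed decoy interaction events into response actions, acting on honey-credential use, decoy-host probes and decoy-document reads, and only logging decoy-host probes from the authorised scanner range. The event fields, the scanner subnet, the honey account names, the sample events and the action names are all assumptions made for illustration.

```python
"""Triage decoy interaction events into automated response actions.

Added example; not the original post's or any product's code. Event fields,
the authorised scanner range, account names and action names are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Sources allowed to touch decoy *hosts* (assumption: the vulnerability
# scanner subnet). Without this exclusion the automation would isolate the
# scanner on its next scheduled run, the one false positive decoys do have.
AUTHORIZED_SCANNERS = [ipaddress.ip_network("10.0.250.0/28")]

# Lure accounts that exist only in decoy credential stores (assumed names).
# No legitimate process ever uses them, so any use is an attacker.
HONEY_ACCOUNTS = {"svc-backup-old", "sqladmin-legacy"}


@dataclass
class DecoyEvent:
    src_ip: str
    decoy: str        # the decoy that was hit: a host name or a honey document
    kind: str         # "host" | "credential" | "file"
    user: str = ""    # account used, for credential events


@dataclass
class Response:
    severity: str
    actions: list = field(default_factory=list)
    reason: str = ""


def from_authorized_scanner(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_SCANNERS)


def triage(ev: DecoyEvent) -> Response:
    """Decide the automatic response for one decoy interaction."""
    if ev.kind == "credential" and ev.user in HONEY_ACCOUNTS:
        # A honey credential in use means it was harvested from a compromised
        # host: contain both the account and the source, even if the source
        # is in the scanner range (scanners never use these accounts).
        return Response("critical",
                        [f"disable_account:{ev.user}", f"isolate_host:{ev.src_ip}",
                         "open_incident"],
                        "honey credential used; lateral movement in progress")
    if ev.kind == "host" and from_authorized_scanner(ev.src_ip):
        # Scanners probe decoy hosts by design: record, but do not act.
        return Response("info", ["log"], "authorised scanner touched decoy host")
    if ev.kind == "host":
        return Response("high", [f"isolate_host:{ev.src_ip}", "open_incident"],
                        f"unexpected connection to decoy {ev.decoy}")
    if ev.kind == "file":
        # Opening a honey document is a read, not a connection: collect
        # evidence from the source before it is cleaned up, then escalate.
        return Response("high", [f"capture_forensics:{ev.src_ip}", "open_incident"],
                        f"decoy document {ev.decoy} opened")
    return Response("medium", ["open_incident"], "unclassified decoy interaction")


def triage_all(events):
    """Return (event, response) pairs that require action (above 'info')."""
    out = []
    for ev in events:
        r = triage(ev)
        if r.severity != "info":
            out.append((ev, r))
    return out


# Constructed sample events: a scanner sweep, a workstation probing a decoy
# file server, the same workstation trying a honey account, and a database
# host opening a planted spreadsheet.
SAMPLE_EVENTS = [
    DecoyEvent("10.0.250.3", "fin-fs-03", "host"),
    DecoyEvent("10.1.20.12", "fin-fs-03", "host"),
    DecoyEvent("10.1.20.12", "decoy-ad", "credential", user="svc-backup-old"),
    DecoyEvent("10.1.10.20", "Q3-salaries.xlsx", "file"),
]

if __name__ == "__main__":
    for ev, resp in triage_all(SAMPLE_EVENTS):
        print(resp.severity, ev.src_ip, resp.actions, "-", resp.reason)
```

The ordering of the rules is the point: the scanner exclusion applies only to host probes, so a honey credential presented from the scanner range is still treated as a compromise.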

Automation of Deception Deployment and Maintenance

There are several challenges that need to be handled when deploying deception technology, including:

  • Making the deception components authentic
  • Matching the decoys to resources in the networks, including assets and applications
  • Easy configuration and automatic deployment. Decoys must be easily configured and maintained. Furthermore, the decoy network must be able to adapt to changes in the network environment

Key considerations for effective configuration and maintenance of an effective deception network are listed below. These considerations and challenges are faced by every organisation implementing deception. Only an integrated ADR + Deception solution deals effectively with these:

  • How are the networks laid out and what type of assets, operating systems, applications, and data should be used for the deception?
  • Where should deception in its different embodiments be placed?
  • How should changes in the networks and assets be tracked to allow the deception to adapt to the changes?
  • What infrastructure is required to build the deception?
  • What is the deception coverage? Does the deception cover what it should?
  • Does the resource and expertise to deploy and maintain the deception exist in the organisation?

The right methodology for dealing with the above challenges is to deploy and maintain the deception, in its various embodiments, automatically. Manual configuration cannot keep decoys matched to an environment that keeps changing.

Knowing the environment and having visibility is crucial to setting up deception technology. In many cases the security team does not have all the relevant information about the environment, especially when the environment is constantly changing.

Automated Environment Visibility & Analysis

The first step starts by automatically identifying and profiling the networks, the assets, the applications and all other parameters of the environment.

The core of deception management is analysing the profiled information against a set of criteria in order to define deception layers that match the organisation's resources: decoys whose operating systems, services, naming and placement mirror what is actually present on each network segment. This is what makes decoys persuasive enough to thwart and confuse attackers.

Automated Decoy Creation

The solution then automatically builds the deception components, selects the right network locations for them and distributes them across the network, preferably with minimal resources, i.e. one appliance able to support multiple decoys on different subnets, running different operating systems and different applications.

As the network and the organisation's resources change, the solution continuously repeats the identification and profiling, adapting the deception to match the changes.

Automated Deployment

The deception deployment process provides security teams with substantial security and visibility, while supporting both hunting efforts and forensic activities. As part of the visualisation, the solution gives administrators a clear view of how the deception layers cover and match the organisation's resources, i.e. what resources the organisation has and how well the deployed decoys cover them. This is important in order to assess how well the deception already deployed fits the organisation and what actions should be taken to complete the deployment.
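The three automated steps above (profile the environment, build and place decoys, track coverage) as an added example, not code from the original post or from any product: it profiles a constructed asset inventory per subnet, emits decoys that copy each subnet's OS mix, per-OS service mix and hostname convention on unused addresses next to the real hosts, and reports which subnets a given deployment leaves uncovered. The inventory, the /24 profiling granularity, the decoy-to-host ratio, and the naming and address-selection rules are all assumptions chosen for illustration.

```python
"""Profile an inventory, plan decoys that blend in, and report coverage.

Added example; not the original post's or any product's code. The inventory
is constructed and the planning rules below are assumptions.
"""
import ipaddress
import math
import re
from collections import Counter, defaultdict

INVENTORY = [  # constructed sample: assumed output of automated discovery
    {"ip": "10.1.10.5",  "host": "fin-dc-01", "os": "Windows Server 2016", "services": ["smb", "ldap", "kerberos"]},
    {"ip": "10.1.10.6",  "host": "fin-fs-01", "os": "Windows Server 2016", "services": ["smb", "rdp"]},
    {"ip": "10.1.10.7",  "host": "fin-fs-02", "os": "Windows Server 2019", "services": ["smb", "rdp"]},
    {"ip": "10.1.10.20", "host": "fin-db-01", "os": "Ubuntu 18.04",        "services": ["ssh", "postgres"]},
    {"ip": "10.1.20.11", "host": "ws-0011",   "os": "Windows 10",          "services": ["smb"]},
    {"ip": "10.1.20.12", "host": "ws-0012",   "os": "Windows 10",          "services": ["smb", "rdp"]},
    {"ip": "10.1.20.13", "host": "ws-0013",   "os": "Windows 10",          "services": ["smb"]},
    {"ip": "10.1.20.14", "host": "ws-0014",   "os": "macOS 10.13",         "services": ["ssh"]},
    {"ip": "10.1.20.15", "host": "ws-0015",   "os": "Windows 10",          "services": ["smb"]},
    {"ip": "10.1.30.2",  "host": "ot-plc-01", "os": "Embedded Linux",      "services": ["modbus", "http"]},
]


def profile_subnets(inventory, prefix=24):
    """Group hosts by subnet; record OS mix, services seen per OS, hostnames."""
    profiles = defaultdict(lambda: {"hosts": [], "os": Counter(),
                                    "services_by_os": defaultdict(Counter)})
    for h in inventory:
        net = str(ipaddress.ip_network(f"{h['ip']}/{prefix}", strict=False))
        p = profiles[net]
        p["hosts"].append(h)
        p["os"][h["os"]] += 1
        p["services_by_os"][h["os"]].update(h["services"])
    return dict(profiles)


def naming_template(hostnames):
    """Most common hostname pattern (digit run replaced by '#'), the width of
    its numeric field and the next unused number, so decoys continue the
    existing naming convention instead of standing out."""
    pats = Counter(re.sub(r"\d+", "#", h) for h in hostnames)
    pattern = pats.most_common(1)[0][0]
    if "#" not in pattern:
        pattern += "-#"
    nums = [m for m in (re.search(r"\d+", h) for h in hostnames
                        if re.sub(r"\d+", "#", h) == pattern) if m]
    width = len(nums[0].group()) if nums else 2
    nxt = max((int(m.group()) for m in nums), default=0) + 1
    return pattern, width, nxt


def free_addresses(net, used, count):
    """Unused addresses just above the real hosts, so a sweep that finds the
    real hosts also finds the decoys (assumed placement rule)."""
    start, out = min(used), []
    for addr in ipaddress.ip_network(net).hosts():
        if addr > start and addr not in used:
            out.append(str(addr))
            if len(out) == count:
                break
    return out


def plan_decoys(profiles, ratio=0.5, min_per_subnet=1):
    """Emit decoy specs per subnet, proportional to its size, cycling through
    the subnet's operating systems in order of prevalence."""
    plan = []
    for net, p in sorted(profiles.items()):
        count = max(min_per_subnet, math.ceil(len(p["hosts"]) * ratio))
        os_ranked = [o for o, _ in p["os"].most_common()]
        pattern, width, nxt = naming_template([h["host"] for h in p["hosts"]])
        used = {ipaddress.ip_address(h["ip"]) for h in p["hosts"]}
        for i, ip in enumerate(free_addresses(net, used, count)):
            os_name = os_ranked[i % len(os_ranked)]
            services = [s for s, _ in p["services_by_os"][os_name].most_common(2)]
            plan.append({"subnet": net, "ip": ip, "os": os_name, "services": services,
                         "host": pattern.replace("#", f"{nxt + i:0{width}d}", 1)})
    return plan


def coverage_report(profiles, deployed):
    """Per-subnet host and decoy counts, plus the subnets with no decoy."""
    per_subnet = Counter(d["subnet"] for d in deployed)
    report = {net: {"hosts": len(p["hosts"]), "decoys": per_subnet.get(net, 0)}
              for net, p in profiles.items()}
    return report, sorted(n for n, r in report.items() if r["decoys"] == 0)


if __name__ == "__main__":
    profiles = profile_subnets(INVENTORY)
    plan = plan_decoys(profiles)
    for d in plan:
        print(d)
    # Simulate a deployment that missed the OT subnet and check coverage.
    partial = [d for d in plan if d["subnet"] != "10.1.30.0/24"]
    print("uncovered:", coverage_report(profiles, partial)[1])
```

Re-running `profile_subnets` and `plan_decoys` on each new discovery pass is the adaptation step the post describes: a subnet that appears in the inventory with no decoys shows up in the coverage report, and a decoy whose OS or services no longer match its subnet's profile is regenerated.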

To conclude, an automated approach to deception deployment and maintenance ensures that the organisation's resources are used efficiently while raising the level of the organisation's security maturity.

- Doron Kolton
Chief Strategy Officer – Emerging Technologies