Deception Deployment Strategies for the Real World

Friday, September 7, 2018

In nature, deception has been used as both a combat and defense tactic for millennia. The anglerfish resides deep in the lightless sea and lures its unwitting prey towards it with an extended dorsal spine, which resembles a fishing pole tipped with a luminous bait. Cyber criminals have been using similar methods – they present an innocent façade to lure victims into clicking nefarious links or downloading shady attachments.

More and more, though, the good guys are starting to use the art of deception for defensive purposes beyond the original honeypot concept, and intelligent Deception Technology is making this possible. Organizations can now quickly and quietly identify breaches and take careful, well-targeted action to remove the threat – all with the power of a stealthy deception layer and the use of decoys and breadcrumbs. But a deception deployment strategy is not ‘one size fits all’ – rather, it’s important to understand what is appropriate for varying environments, risk levels, resources and skills. Understanding these nuances can help you make the best choice for your organization and maximize the benefits of using the art of deception.

There are a number of key considerations to make when devising your deception strategy (ten in total are recommended in our ebook, 10 Deployment Considerations for your Deception Strategy). For this blog however, we are going to consider three of these in detail.

1. The Environment Consideration

When devising a deception strategy, it’s important to consider the organization’s network. Is it a standard corporate networking environment with laptops, desktops, servers, data centers, and enterprise IoT devices? Or is it more complex – with unique systems, software and industry-specific networking? Your overall deception strategy should align with your answer to this question.

If your network is relatively standard, a deception solution should be able to automatically map your network, classify assets, and learn activity to create a rich and convincing mirror of the environment.

Alternatively, if your environment is particularly complex, finding a deception technology may be more challenging. Vendors like to say yes to customer requirements; however, it’s important to find out what is automated and what requires manual effort to create accurate decoys.

2. Considering the Benefits of Automation

For deception to be successful as a post-breach deception, it requires widespread deployment across the entire network, so it covers locations where phishing, social engineering and drive-by attacks are likely to result in a foothold inside the network. When developing a deception strategy, it’s key to ask whether the solution can be automatically deployed. If a solution doesn’t offer this, then the manual effort can be vast – especially if the environment is particularly unique (as covered in the above point). As well as asset creation, breadcrumbs and decoys should be placed throughout the environment – and again, if this cannot be automated, you’re looking at some serious man hours. Bear this consideration in mind when devising your deception strategy or risk inadvertently loading volumes of work on your (likely already very stretched) team. Also, remember that deception layers need adaptation to changes in the environment, plus freshness cycles to keep them current and effective, another area where automation greatly helps.

3. Considering the Need for Breadcrumbs

There are various deception options on the market but not all of them focus on the original decoy or honeypot concept. A modern approach will not only provide decoys, but breadcrumbs also. The combination paints a believable and strikingly realistic picture of the network. An approach that does not include breadcrumbs results in a less realistic environment, producing less identifiable activity from a rogue visitor. Since you’re likely to be more interested in reducing dwell time, improving post-breach detection and getting fewer false positive alerts, you should make deception deterministic by using breadcrumbs as lures to decoys, which show activity and help identify compromised foothold systems.
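How breadcrumbs make decoy alerts deterministic and point back to the foothold system, as an added Python example (not from the original post or from any vendor product). It assumes each breadcrumb is a planted credential unique to one real host; all host names, account names and log lines are constructed.

```python
import json

# Constructed breadcrumb inventory. Assumption: every planted credential is
# unique to the one real host it was placed on (all names are hypothetical).
BREADCRUMBS = {
    "svc_backup_7f3a": {"planted_on": "wks-fin-012", "points_to": "decoy-fs-01"},
    "svc_sql_c21d": {"planted_on": "wks-hr-044", "points_to": "decoy-db-02"},
}
DECOYS = {"decoy-fs-01", "decoy-db-02"}

# Constructed authentication log, one JSON event per line.
SAMPLE_LOG = """\
{"ts": "2018-09-07T10:02:11Z", "dst": "decoy-fs-01", "src": "10.1.4.12", "user": "svc_backup_7f3a"}
{"ts": "2018-09-07T10:03:40Z", "dst": "fileserver-01", "src": "10.1.4.30", "user": "jsmith"}
{"ts": "2018-09-07T10:05:02Z", "dst": "decoy-db-02", "src": "10.1.4.12", "user": "svc_sql_c21d"}
{"ts": "2018-09-07T10:06:00Z", "dst": "decoy-db-02", "src": "10.1.9.77", "user": "administrator"}
not-json garbage line
"""

def triage(log_text):
    """Return one alert per decoy contact; no legitimate user has a reason to touch a decoy."""
    alerts = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip malformed log lines instead of aborting triage
        if not isinstance(ev, dict) or ev.get("dst") not in DECOYS:
            continue  # traffic to real assets is out of scope here
        crumb = BREADCRUMBS.get(ev.get("user"))
        alerts.append({
            "ts": ev.get("ts"), "decoy": ev["dst"], "src": ev.get("src"),
            # The breadcrumb names the host it was harvested from, which may
            # differ from the source address that contacted the decoy.
            "foothold": crumb["planted_on"] if crumb else None,
            "kind": "breadcrumb-followed" if crumb else "decoy-touched",
        })
    return alerts

def foothold_hosts(alerts):
    """Hosts whose planted breadcrumbs were used, i.e. likely compromised footholds."""
    return sorted({a["foothold"] for a in alerts if a["foothold"]})

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

In the sample, the third event uses a breadcrumb planted on `wks-hr-044` from the address that earlier used the `wks-fin-012` breadcrumb, so both hosts are flagged for investigation, while the fourth event is a decoy contact with no breadcrumb to attribute it.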

If you are considering employing deception technology in your organization or are interested in learning more, it’s worth reading our recent ebook, 10 Deployment Considerations for your Deception Strategy, to find out about other key considerations that should be made when developing an approach.

 

- Tom Clare
Sr. Manager, Product Marketing