Professional Documents
Culture Documents
hello.global.ntt
white paper | The rapid evolution of deception technologies
What is deception technology? vulnerabilities find it, ‘break in’ and run
The concept is as old as Sun Tzu’s
their malware. Security teams receive
an alert that the honeypot has been
75% of respondents
ancient maxim that ‘all warfare (is)
based on deception’. On the modern
accessed and monitor the attack. The said their most
hacker will either attempt to install new
IT battlefield, security teams have the
malware or move on in frustration.
serious attacks
ability to create false targets to attract a
hacker’s attention. These fakes are then If honeypots have a key weakness, it lies entered the network
monitored, so that anytime a hacker takes in the time and effort required to maintain via an email
the bait, the security team is alerted. them. Like any server they need to be
The advantage of this approach is that
configured, patched, and updated. attachment, while
only high-confidence network alerts And in addition to being labor-intensive, 46% also noted
are generated – as any interaction with honeypots can also be a passive line of
a decoy asset on must be a serious defense, relying on attackers to somehow
attacks that started
anomaly. By creating lures for hackers identify them as high-value targets. with users clicking
rather than sifting through thousands Someone also needs to be tasked with
of possible breaches, security analysts closely monitoring each one in order to email links.
swamped with incident reports can zero- quickly react when an attack occurs. SANS Institute,
in on cases of actual, ongoing infiltration. 2017 Threat Landscape Survey
That’s because hackers are getting better
Fake assets include traditional honeypots, at spotting attempts to fool them. Real Sometimes called dynamic deception,
but also a new class of distributed decoys information assets leave an activity trail this emerging category of infosec
installed on servers and endpoints. created by the authorized users who technology often uses a mix of lures to
These new deception technologies mark access them – for example log files and trick attackers, and then refreshes or
a heightened level of aggressiveness browser histories – which become a kind updates them regularly to
in addressing the rise in cyber-attacks. of authentication marker for assets worth maximize confusion.
When the outer wall is breached and stealing. As honeypots generally don’t
The use case for sophisticated deception
prevention systems fail, deception host actual network assets there is no
is to defend against corporate espionage,
provides an efficient way to continuously activity trail to pick up, so smart attackers
or state-sponsored theft of sensitive
detect intrusions without requiring have learned how to avoid them.
political, scientific or military intelligence.
additional IT staff to manage it. Those trails are actually essential for Up to now, it has been used mainly
Deception supplements tools that rely on attackers to move undetected through by national governments, defense,
known attack patterns and monitoring. It a network. Even if they can break into power utility and finance/ insurance
also allows CISOs to capture anomalies an endpoint, the overall topography organizations due to the value of their
that happen on lateral network traffic, remains invisible. Any attempt to locate information assets and the number of
where a breach has previously occurred nearby assets with a port scan can be attacks they receive daily. However, they
but gone undetected (see our recent easily detected with current defenses, so are increasingly being used by enterprises
paper on insider threats).1 hackers need to analyse compromised in other industries due to their ease of
local assets in order to figure out where to deployment, and the lack of in-house
The hacker uses fake credentials to
go next – and how to copy the behaviour security skills required to detect threats
move around the network looking for
of real traffic when they do. By creating moving laterally inside the network.
high-value information.
confusion with false assets, CISOs
While the average length of an undetected can force hackers to spend more time
inside breach is around 99 days2, we have searching for the information they want.
dealt with situations where an actor has This increases the likelihood of detection.
been operating inside a network for up to
Like other security techniques,
six months.
honeypots needed an evolutionary
leap to make deception a cornerstone
The art of deception
of security operations and incident
When people talk about deception response workflow. The latest deception
techniques, they usually mean honeypots, technologies build on the idea of decoys
a technology which has been around for by pointing hackers to fake assets
decades. These are fake servers made to actually deployed on real endpoints –
look like an integral part of the network, including servers and laptops. Attackers
but are really traps set with bait for think they are looking at real folders and
hackers. Honeypot software is installed files, and real credentials left behind by
on the server and then connected to actual users or administrators.
the network. Hackers scanning for
1
NTT Security: The accidental hacker: While malicious employees generate more press, error and negligence are the real insider threats
2
Security Boulevard; Mandiant M-Trends Report 2017
hello.global.ntt
white paper | The rapid evolution of deception technologies
How it works Any ratio of fake assets can be created Some solutions allow attackers to be
on an endpoint, which makes the job engaged during a breach, in order to
The latest deception technologies
for hackers much more difficult, while follow and understand their methods and
allow security teams to install decoys
increasing the likelihood of detecting motives. They can be distracted from
on endpoints, creating a flood of false
the threat. With every move the attacker completing their mission while security
data with cached credentials for user
makes to find the valuable data, the teams assess the method, technology
accounts, browser history and file shares.
probability of stepping on a fake and likely target of the attack.
This is important because although asset increases. The decoys themselves are made to look
attacks come in many variations
When a decoy asset is accessed, security authentic using artificial intelligence,
and styles, the majority start through
teams can learn more about the attacker which analyses common network naming
endpoints – particularly user endpoints.
and the mode of attack. Malware conventions and shared folders to create
According to the SANS Institute’s 2017
analysis is a common additional feature false activity trails that mimic actual
Threat Landscape Survey, 75% of
of deception technologies, augmenting user behaviour.
respondents said their most serious
alerts automatically with an analysis of
attacks entered the network via an email
how an attacker interacted with a
attachment, while 46% also noted attacks
fake asset.
that started with users clicking
email links.
Figure 1: Before and after deployment of deception. Using decoy assets to defend the corporate network enables security teams to
assess the method, technology and likely target of the attack.
Despite these capabilities, hackers still detect anomalous lateral traffic inside investigation and forensics. It also
sometimes identify decoys and mark the network. promises to make the network malware-
them for avoidance. The emergence of In addition to focusing on real threats agnostic, as security teams can focus on
adaptive deception allows security rather than false positives, information the seriousness of a breach rather than
teams to refresh any fake asset gathered using deception technologies the mode of attack.
previously marked by a hacker and set can feed into existing security controls Dynamic deception technologies
new lures to pull them in. and validate or improve current aren’t necessarily suitable for every
prevention tools like EDR, firewalls and organization. Readiness depends on
Paths to enterprise adoption IPS/IDS. Using decoys on endpoints the sensitivity of your operation and the
Growing interest in deception solutions immediately exposes the attacker and partners you are in business with. There
is connected to the larger move towards the tools used in the attack, providing needs to be a level of sophistication in
services like Managed Detection valuable intelligence for more effective your existing network infrastructure in
and Response (MDR) and Advanced planning of protective controls, and order to implement decoys on endpoints.
Analytics. As threats and attacks grow preventing similar breaches in the future.
more sophisticated, organizations need For overstretched security teams,
advanced capabilities that allow them to deception can relieve the need for deep
hello.global.ntt
white paper | The rapid evolution of deception technologies
Disclaimer: The work described in this whitepaper was performed while the company was known as NTT Security.
hello.global.ntt