
Hackers Will Get Into Your Organization – But Then What?

By ISBuzz Team | August 25, 2016 | Updated: July 4, 2024 | 5 Mins Read

There is simply no all-in-one solution when it comes to security – the growing sophistication of hackers, combined with human error and internal threats, means every network is vulnerable. While many companies still rely on traditional security methods, such as firewalls and anti-virus solutions, they need to make sure they are prepared for when (yes, when) a hacker makes it through perimeter defenses, or a rogue employee decides to take data for personal gain.

While security teams are always trying to keep intruders out of an organization’s network, they are all too often left helpless if an intruder makes it through undetected. Once a hacker gets into a network, it often takes weeks, months or years for an organization to realize what has happened and properly assess the damage. At this point, damage control is the only option. However, with deception technology a breach doesn’t have to mean “game over”: organizations are able to get back the upper hand once the attacker or malware has entered the network.

As the name suggests, deception technology is all about deceiving intruders so they are unable to find what they are looking for – which in most cases is sensitive data that can be sold or used for monetary gain, or data that can be encrypted and held for ransom (ransomware). While the basics are easy to understand, the sections below break down the three processes that make up deception technology: trap, monitor and deceive.

  1. Trap: Creating bait to lure them in

Deception technology confuses hackers into accessing decoys inside the organization’s network. These decoys mimic servers, endpoints and devices in the organization. But how are hackers led into the decoys? When hackers enter an organization, they start looking for valuable information, including cookies, passwords, emails with credentials, and account names and passwords. Deception technology plants fake information on these assets that leads the intruder into the decoy systems. An advanced deception solution learns the landscape of the network and strategically places the traps in the areas most saturated with data to lead the hackers to the decoys and away from the sensitive information.

In order for the traps to work properly, they must blend into the network assets, be non-intrusive and be impossible to differentiate from the real data. The challenge is to lure the attacker into the traps, while ensuring the actual user of the asset does not touch the planted decoys. Once attackers make use of a trap and land on a decoy, they will continue to engage with it, thinking they are getting closer to the information they want, while in reality they are trapped in a mock network that is being carefully monitored by the security team.

Based on what is learned about the network and on traffic monitoring, these decoys will begin to match the assets in the network, as well as adapt themselves to the activity of the attacker and respond accordingly. As the decoys detect changes in the organization’s environment, they add traps and applications to adjust accordingly.

  2. Monitor: Getting a bird’s eye view

What makes deception technology so adaptable and accurate is the ability to constantly monitor the network. While hackers continue to take the bait, they begin to leave a trail outlining their path on the network – a footprint of actions that gives the security team insight into the hacker’s every move. Security teams are able to study the methods used and proactively map out which decoys were most enticing.

With detailed forensics, the security admin has the ability to closely monitor the intruders in a closed environment – made up of decoys and traps – providing insight and relevant data on their purpose in entering the network and how they planned on retrieving the desired information, based on their interaction with the decoy system.

With this information at hand, security teams can identify intruder behavior that is harder to spot with other forms of cyber defense, as well as expose the network blind spots that allowed the intruder in. And the visibility into the intruder’s actions on the network makes stopping the damage easier. In fact, according to the Ponemon Institute, 76 percent of organizations cite lack of visibility as the biggest barrier to remediation of advanced threat attacks. The more visibility, the better.

The longer the security team monitors hackers, the more information is available to stop them in their tracks. The information gained during the interaction can be shared with other security tools in order to enrich the organization’s threat intelligence. As intruders continue to engage with the decoys, the security team can begin to plan how to defeat them. The more they learn, the easier it is to defeat the threat – it’s as if the student becomes the master.
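The trap and monitor steps above, as an added example that is not from the article or from any deception product: planted credentials and decoy hosts are registered, an authentication log is scanned for any use of them, and each source's trail plus the most-touched decoys are returned. The account names, host names, log format and sample lines are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed honeytoken registry: planted account -> asset where the trap sits.
# No legitimate user ever needs these accounts, so any use is a high-fidelity alert.
HONEYTOKENS = {
    "svc_backup_adm": "file-server-02 (credential left in a script)",
    "jsmith_vpn": "workstation-17 (saved browser password)",
}
DECOY_HOSTS = {"decoy-db-01", "decoy-fs-03"}  # constructed decoy names

# Constructed auth log (assumed format): timestamp source_ip user target_host result
SAMPLE_LOG = """\
2016-08-25T09:01:10Z 10.0.4.21 alice app-srv-01 success
2016-08-25T09:14:02Z 10.0.7.55 svc_backup_adm decoy-fs-03 success
2016-08-25T09:15:40Z 10.0.4.30 bob decoy-db-01 failure
2016-08-25T09:20:31Z 10.0.7.55 jsmith_vpn decoy-db-01 success
2016-08-25T09:26:47Z 10.0.7.55 svc_backup_adm app-srv-01 failure
"""

def parse(line):
    ts, src, user, host, result = line.split()
    return {"ts": ts, "src": src, "user": user, "host": host, "result": result}

def analyze(log_text):
    """Return (trails, decoy_hits): ordered trail per source, hit count per decoy."""
    trails = defaultdict(list)
    decoy_hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        used_token = ev["user"] in HONEYTOKENS
        hit_decoy = ev["host"] in DECOY_HOSTS
        if not (used_token or hit_decoy):
            continue  # ordinary traffic, nothing deceptive was touched
        reason = "honeytoken" if used_token else "decoy-touch"
        trails[ev["src"]].append((ev["ts"], ev["user"], ev["host"], reason))
        if hit_decoy:
            decoy_hits[ev["host"]] += 1
    for trail in trails.values():
        trail.sort()  # ISO-8601 UTC timestamps sort chronologically as strings
    return dict(trails), decoy_hits

def triage(trails):
    """Order sources so those that used a planted credential come first."""
    score = lambda s: sum(e[3] == "honeytoken" for e in trails[s])
    return sorted(trails, key=lambda s: (-score(s), s))
```

Note the last sample line: a planted credential tried against a real server is flagged even though no decoy host was involved, which is where the trap gives visibility beyond the mock network.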

  3. Deceive and Detect: Exposing the hacker quickly and efficiently

In the end, the goal is to properly detect the intruders – slowing down movement in the organization until they are completely stopped. While the traps and decoys confuse and deceive the hacker, the damage is not completely prevented unless the hacker is detected and stopped in its tracks.

Once the infiltrators are trapped, the security team can lock down their network, patch any areas needed and ensure that the hacker isn’t able to compromise the system. The more insight the security team has, the quicker they can prevent damage and catch the perpetrator. As cyber threats continue to increase and become more sophisticated, speed is a must when protecting a network.

Today’s threat landscape requires a proactive approach to cybersecurity, and deception technology, which can work within an existing security posture, should be a part of every organization’s security armor. By having the tools to trap, monitor and learn, and finally deceive and defeat intruders, security teams can ensure that their data will remain safe and that they have the insight needed to continuously improve their network security against evolving threats.
