Deception–part of the security ecosystem or just a marketing buzzword ?

Deception has become a strategic tool across many large organizations in the last 12 months. These organizations have had many tools in their security stacks, and have had to answer the question whether Deception should replace existing controls, complement or incorporate it into the existing security ecosystem. The answer is simple: Deception is an augmentation of existing tools in an organization, providing critical threat intelligence to the ecosystem with early breach detection and high-fidelity alerting.

Before we go on to explain the mission-criticality of Deception, let’s look at things logically. Deception adds a fake layer to your infrastructure by placing decoy (traps) assets, fake data and other artifacts to your current infrastructure landscape. Even from a technology agnostic view, no system or person should ever touch something fake unless it is actively seeking something or there is a misconfiguration.

Further to this, if an adversary or an insider threat engages with a fake asset, having already compromised a real one, then he has bypassed all of your existing security controls. This means the Deception telemetry is a critical part of your situational awareness of the threat landscape, providing you early breach detection. Once you have a single alert from a Deception solution, the question moves from whether additional telemetry is necessary to how you mobilize your incident responders to close off the threat.

Deception technology feeds your existing tools and supports the next phase of security decision making. What to do with the attacker? Contain, Monitor, Mitigate? In making these decisions, additional value is opened to the organization; what can I do with the telemetry or data? Can I use the identified IoCs to query my existing infrastructure and find other assets with the same infection profile?

Can I kill processes to close risk loops and shore up my systems? More than this, a Deception Strategy can support automated SOC workflows that use of Network Access Control solutions to move the adversary away from critical systems, to segments where they are interacting only with decoys. The attackers can perform further recon on the non-production system, while supplying all manner of useful data to the security team about their methods of intrusion.

Finally, by leveraging telemetry from the Deception solution, you can leverage your firewall infrastructure and block malicious IP Addresses associated with the campaign. If an attacker has injected malicious binaries into the system to supply backdoor access, they can be analyzed and fed into the security ecosystem to mitigate Command and Control activity before the attack even starts!

As you can see, Deception based technology uses classical tools already in place in the security landscape and uses them to support workflows and complement the ecosystem that will quarantine and vend off attacks that have slipped under the radar.

By Michael Fabrico