Deception Security: Modern maturity for automated detection and response
Deception in its various embodiments is becoming a critical part of organizations' security infrastructure. According to Gartner, the need for better detection and response is creating new opportunities for security stack automation, integration, consolidation and orchestration while also driving the emergence of new segments like deception.
These trends set up the perfect match of deception and automated detection and response or ADR.
The main goals of the deception are to:
- Detect the presence of attackers in internal networks
- Thwart, confuse and delay an attack-in-progress
- Provide visibility into the attackers’ activities, goals and tactics
Following the compromise of assets in an organization, attackers start their reconnaissance phase. They search affected assets for valuable information and clues about where desired data lives in the environment. Attackers look across endpoints, networks and different devices as they try to move laterally throughout the environment. The deception layer intervenes in this reconnaissance phase, luring and deceiving the attackers, detecting their activities very early in the kill chain before damage is caused to the organization and before the attackers can reach their objective.
Deception has clear advantages when done properly:
- Zero False Positives: It does not have any false positives and the security team does not have to invest endless time in analyzing false events. Every deception alert is a conclusion that warrants immediate response.
- Detection and Response Automation: The accuracy of a deception layer enables various automatic responses as the security team are not worried of stopping legitimate users’ activities in the organization. This reduces the operational costs and increases the efficiency of the security team.
- Insider Threat Detection: While commercial ATD and IPS/IDS focus on finding and flagging malware, deception provides insider threat detection. Since deception systems deploy as invisible to employees, when a deception node, decoy or trap is tripped by an otherwise appropriately credentialed and provisioned staff, immediate follow up is mandated.
Automation of Deception Deployment and Maintenance
When deploying deception technology, there are several challenges that should be handled. These include:
- Making the deception components authentic
- Matching the decoys to resources in the networks; including assets and applications
- Easy configuration and Automatic deployment. Decoys must be easily configured and maintained. Furthermore, the decoy network must be able to adapt to changes in the network environment.
Key considerations for effective configuration and maintenance of an effective deception network are listed below. These considerations and challenges are faced by every organizations implementing deception. Only an integrated ADR + Deception solution deals effectively with these:
- How does the networks are laid out and what type of assets, operating systems, applications, and data should be used for the deception?
- Where the deception in its different embodiments should be placed?
- How changes in the networks and assets are tracked to allow the deception to adapt to the changes?
- What infrastructure is required to build the deception?
- What is the deception coverage? Does the deception cover what it should cover?
- Does the resources and expertise to deploy and maintain the deception exist in the organization?
The right methodology to deal with the above challenges is to deploy and maintain the deception in its various embodiments automatically. No other way will overcome the above list.
Knowing the environment and having visibility is crucial in order to setup deception. In many cases the security team does not have all the relevant information about the environment, especially that the environment is constantly changing.
Automated Environment Visibility & Analysis
The first step starts by automatically identifying and profiling the networks, the assets, the applications and all other parameters of the environment.
The core management of the deception is analyzing the profiled information and using different criteria to define the deception layers that match the resource of the organization. This creates persuasive decoys that will effectively thwart and confuse attackers.
Automated Decoy Creation
It will then automatically build the deception components, define the right network locations for the deception and distribute the deception in the network, preferably with minimal resources, i.e. one appliance will be able to support multiple decoys on different subnets, running different operating systems and different applications.
As the network and the resources in the organization are changing, the deception solution will constantly continue the identification and profiling adapting the deception to match the changes in the organization.
The deception deployment process as described above provides immense security visibility to the security team supporting hunting efforts and forensic activities. As part of the visualization the solution provides the administrators a clear view how the deception layers cover and match the resources of the organization. i.e. what resource the organization has and how well the deception deployment covers these resources. This is important in order to assess how well the deception already deployed fits the organization and what actions should be taken in order to complete the deception deployment.
Taking the automated approach for deception deployment and maintenance guarantee that the organization's resource is utilized efficiently and efficiently raising the level of the organization’s security maturity.
Doron Kolton is the Chief Strategy Officer -– Emerging Technologies at Fidelis Cybersecurity. Prior, he served as the Founder and Chief Executive Office of TopSpin Security until the company was acquired by Fidelis Cybersecurity. Mr. Kolton has more than 20 years of experience in products and software engineering and management, including leading the software department in Motorola Semiconductor. He specializes in cyber security, real-time systems, hardware/software integration and communications protocols.