Deception Security: Modern maturity for automated detection and response

Deception in its various embodiments is becoming a critical part of organizations' security infrastructure. According to Gartner, the need for better detection and response is creating new opportunities for security stack automation, integration, consolidation and orchestration while also driving the emergence of new segments like deception.

These trends set up the perfect match of deception and automated detection and response (ADR).

Modern Deception

The main goals of deception are to:

  1. Detect the presence of attackers in internal networks
  2. Thwart, confuse and delay an attack-in-progress
  3. Provide visibility into the attackers’ activities, goals and tactics

Following the compromise of assets in an organization, attackers start their reconnaissance phase. They search the affected assets for valuable information and for clues about where the data they want lives in the environment. Attackers look across endpoints, networks and other devices as they try to move laterally through the environment. The deception layer intervenes in this reconnaissance phase, luring and deceiving the attackers and detecting their activities very early in the kill chain, before damage is caused to the organization and before the attackers can reach their objective.
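Because no legitimate workflow ever touches a decoy, any connection to one is a high-fidelity signal of the reconnaissance described above. The script below is an added illustration, not code from the original article or from any vendor product: the decoy addresses and the flow records are constructed samples, and the alerting rule (touching several distinct decoys raises severity) is an assumption chosen for the example.

```python
"""Added example: high-fidelity alerting on interactions with decoy hosts.

Decoy addresses and flow records below are constructed for illustration.
"""
from collections import defaultdict

# Constructed decoy inventory: address -> decoy label. No production service
# lives on these addresses, so any connection attempt is suspicious.
DECOYS = {
    "10.1.10.250": "decoy-fileserver (SMB)",
    "10.1.10.251": "decoy-db (MSSQL)",
    "10.1.20.250": "decoy-workstation (RDP)",
}

# Constructed sample of flow records: "<timestamp> <src> <dst> <dport> <proto>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 10.1.10.15 10.1.10.5 445 tcp
2024-03-01T08:00:05 10.1.10.15 10.1.10.250 445 tcp
2024-03-01T08:00:06 10.1.10.15 10.1.10.251 1433 tcp
2024-03-01T08:00:07 10.1.10.15 10.1.20.250 3389 tcp
2024-03-01T08:01:00 10.1.20.33 10.1.10.5 445 tcp
2024-03-01T08:01:30 10.1.20.33 10.1.10.250 445 tcp
"""


def parse_flow(line):
    """Split one constructed flow record into a dict."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def decoy_hits(log_text, decoys=DECOYS):
    """Return every flow whose destination is a decoy, annotated with its label."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dst"] in decoys:
            flow["decoy"] = decoys[flow["dst"]]
            hits.append(flow)
    return hits


def score_sources(hits, scan_threshold=2):
    """Group decoy hits by source host.

    One hit may be a stray misconfiguration; a source that touches several
    distinct decoys looks like reconnaissance, so it is rated higher
    (threshold is an assumption for this example).
    """
    per_src = defaultdict(list)
    for hit in hits:
        per_src[hit["src"]].append(hit)
    alerts = []
    for src, flows in per_src.items():
        distinct = {f["dst"] for f in flows}
        alerts.append({
            "src": src,
            "decoys_touched": sorted(distinct),
            "severity": "high" if len(distinct) >= scan_threshold else "medium",
            "first_seen": min(f["ts"] for f in flows),
        })
    return sorted(alerts, key=lambda a: a["src"])


if __name__ == "__main__":
    for alert in score_sources(decoy_hits(SAMPLE_LOG)):
        print(alert)
```

Feeding the real decoy inventory and real flow logs into `decoy_hits` is the whole integration; because the decoy set is the only tuning knob, the rule produces no false positives from normal traffic and the analyst's time goes to the source host rather than to triage.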

Deception has clear advantages when done properly:

Automation of Deception Deployment and Maintenance

When deploying deception technology, there are several challenges that should be handled. These include:

Key considerations for the effective configuration and maintenance of a deception network are listed below. These considerations and challenges are faced by every organization implementing deception. Only an integrated ADR + Deception solution deals with them effectively:

The right methodology for dealing with the above challenges is to deploy and maintain deception, in its various embodiments, automatically. No other approach will overcome the above list.

Knowing the environment and having visibility into it is crucial in order to set up deception. In many cases the security team does not have all the relevant information about the environment, especially since the environment is constantly changing.

Automated Environment Visibility & Analysis

The first step starts by automatically identifying and profiling the networks, the assets, the applications and all other parameters of the environment.

The core of deception management is analyzing the profiled information and applying different criteria to define the deception layers that match the resources of the organization. This creates persuasive decoys that will effectively thwart and confuse attackers.

Automated Decoy Creation

The solution will then automatically build the deception components, define the right network locations for the deception and distribute the deception across the network, preferably with minimal resources: one appliance should be able to support multiple decoys on different subnets, running different operating systems and different applications.

As the network and the resources in the organization change, the deception solution continuously repeats the identification and profiling, adapting the deception to match the changes in the organization.

Automated Deployment

The deception deployment process described above gives the security team immense visibility, supporting hunting efforts and forensic activities. As part of the visualization, the solution gives administrators a clear view of how the deception layers cover and match the resources of the organization, i.e. what resources the organization has and how well the deployed deception covers them. This is important in order to assess how well the deception already deployed fits the organization and what actions should be taken to complete the deception deployment.
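The four steps above (profiling the environment, defining decoys that match it, distributing them onto shared appliances, and reporting coverage so gaps are visible) can be shown end to end on a small inventory. The following is an added example written for this article, not code from the original text or from any vendor product: the asset inventory is constructed, and the planning rules (decoys sized as a fraction of real assets per subnet, mimicking the most common OS/role profiles first, a fixed number of decoys per appliance) are assumptions chosen for illustration.

```python
"""Added example: automated decoy planning and coverage reporting.

The inventory and every planning parameter below are constructed assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed output of automated profiling: (hostname, subnet, os, role)
INVENTORY = [
    ("fs01", "10.1.10.0/24", "windows", "fileserver"),
    ("fs02", "10.1.10.0/24", "windows", "fileserver"),
    ("db01", "10.1.10.0/24", "windows", "database"),
    ("web01", "10.1.10.0/24", "linux", "webserver"),
    ("db02", "10.1.10.0/24", "linux", "database"),
    ("ws01", "10.1.20.0/24", "windows", "workstation"),
    ("ws02", "10.1.20.0/24", "windows", "workstation"),
    ("ws03", "10.1.20.0/24", "windows", "workstation"),
    ("ws04", "10.1.20.0/24", "windows", "workstation"),
    ("ws05", "10.1.20.0/24", "windows", "workstation"),
    ("ws06", "10.1.20.0/24", "windows", "workstation"),
    ("printer01", "10.1.30.0/24", "embedded", "printer"),
    ("cam01", "10.1.30.0/24", "embedded", "camera"),
]


def profile_subnets(inventory):
    """Step 1 (visibility): count (os, role) profiles present on each subnet."""
    subnets = defaultdict(Counter)
    for _, subnet, os_name, role in inventory:
        subnets[subnet][(os_name, role)] += 1
    return subnets


def plan_decoys(profiles, decoy_ratio=0.5, min_per_subnet=1):
    """Step 2 (analysis): decide how many decoys each subnet gets and which
    real profiles they mimic, most common profiles first so decoys blend in.
    decoy_ratio and min_per_subnet are assumed tuning parameters."""
    plan = {}
    for subnet, counter in profiles.items():
        total = sum(counter.values())
        n = max(min_per_subnet, math.ceil(total * decoy_ratio))
        ordered = [profile for profile, _ in counter.most_common()]
        plan[subnet] = [ordered[i % len(ordered)] for i in range(n)]
    return plan


def assign_appliances(plan, capacity=8):
    """Step 3 (deployment): pack decoys onto appliances; one appliance hosts
    decoys on several subnets with different OS/application profiles."""
    appliances, current = [], []
    for subnet, decoys in sorted(plan.items()):
        for os_name, role in decoys:
            if len(current) >= capacity:
                appliances.append(current)
                current = []
            current.append((subnet, os_name, role))
    if current:
        appliances.append(current)
    return appliances


def coverage_report(profiles, plan):
    """Step 4 (visualization): per subnet, how many real assets and decoys
    there are, which real profiles have a matching decoy, and the gaps."""
    report = {}
    for subnet, counter in profiles.items():
        present = set(counter)
        covered = set(plan.get(subnet, []))
        report[subnet] = {
            "assets": sum(counter.values()),
            "decoys": len(plan.get(subnet, [])),
            "profile_coverage": round(len(present & covered) / len(present), 2),
            "gaps": sorted(present - covered),
        }
    return report


def plan_for(inventory, **planning_kwargs):
    """Run the whole cycle; rerun it whenever profiling reports a change."""
    profiles = profile_subnets(inventory)
    plan = plan_decoys(profiles, **planning_kwargs)
    return profiles, plan, coverage_report(profiles, plan)


if __name__ == "__main__":
    _, plan, report = plan_for(INVENTORY)
    for subnet in sorted(report):
        print(subnet, report[subnet])
    for i, appliance in enumerate(assign_appliances(plan, capacity=4), 1):
        print(f"appliance {i}: {appliance}")
```

On the constructed inventory the report shows the workstation subnet fully covered, while the server and embedded subnets each list a profile with no matching decoy; that gap list is exactly the "what actions should be taken" view described above. Running `plan_for` again after an asset is added (a new Linux database host, say) changes which profiles are most common and therefore which decoys are built, which is the continuous re-profiling the text calls for.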

Conclusion

Taking the automated approach to deception deployment and maintenance guarantees that the organization's resources are used efficiently and effectively, raising the level of the organization's security maturity.

Doron Kolton is the Chief Strategy Officer - Emerging Technologies at Fidelis Cybersecurity. Previously, he served as the Founder and Chief Executive Officer of TopSpin Security until the company was acquired by Fidelis Cybersecurity. Mr. Kolton has more than 20 years of experience in products and software engineering and management, including leading the software department in Motorola Semiconductor. He specializes in cyber security, real-time systems, hardware/software integration and communications protocols.