The number of threats organizations face continues to grow, and attacks are becoming more sophisticated and more widely targeted. Current security tools are good at flagging anomalies but poor at defining their impact and risk. The result is a hailstorm of alerts, most of which security teams must investigate even though the vast majority are benign. Resources are wasted assessing false positives, while real and present threats can be missed.
Security researchers are developing new approaches that are both more effective at catching breaches and less expensive to implement and manage. One such technology is deception technology, based on a concept as old as Sun Tzu's maxim that 'all warfare is based on deception'. On the modern IT battlefield, security teams can create false targets to attract an attacker's attention. These fakes are then monitored so that whenever an attacker takes the bait, the security team is alerted. The advantage of this approach is that only high-confidence alerts are generated: no legitimate user or process has any reason to touch a decoy asset, so any interaction with one is a serious anomaly.
By creating lures for attackers rather than sifting through thousands of possible breaches, security analysts swamped with incident reports can zero in on cases of actual, ongoing infiltration. Fake assets include traditional honeypots, but also a newer class of distributed decoys installed on servers and endpoints. A traditional honeypot is a dedicated system running honeypot software that is connected to the network; attackers scanning for vulnerabilities find it, 'break in' and run their malware, and the honeypot records what they do.
The aim of deception technology is to prevent a cybercriminal that has managed to infiltrate a network from doing any significant damage. The technology works by generating traps or deception decoys that mimic legitimate technology assets throughout the infrastructure. These decoys can run in a virtual or real operating system environment and are designed to trick the cybercriminal into thinking they have discovered a way to escalate privileges and steal credentials. Once a trap is triggered, notifications are broadcast to a centralized deception server that records the affected decoy and the attack vectors that were used by the cybercriminal.
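The mechanism just described (decoys that nobody legitimate should touch, a central record of which decoy fired and by what vector) is small enough to show in code. The following is an added example written for this page, not code from any vendor or from the original article: a minimal "deception server" correlator that checks constructed log lines against an inventory of decoy hosts and planted decoy credentials. All host names, addresses, account names and the log format are hypothetical. It also shows the one caveat a practitioner hits immediately: an authorized vulnerability scanner will probe decoy hosts and must be allowlisted, whereas a planted credential is never legitimately used by anyone, so its use is always an alert.

```python
"""Minimal deception-alert correlator (illustrative example, not a product)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical decoy inventory: addresses and account names are constructed.
DECOY_HOSTS = {
    "10.0.5.77": "decoy-fileserver-01",
    "10.0.5.78": "decoy-db-01",
}
# Planted "breadcrumb" credentials: nothing legitimate ever authenticates with these.
DECOY_ACCOUNTS = {
    "svc_backup_old": "decoy-cred-backup",
    "admin_legacy": "decoy-cred-admin",
}
# Authorized scanners may touch decoy hosts; their probes are not attacks.
AUTHORIZED_SCANNERS = {"10.0.2.5"}


@dataclass(frozen=True)
class Alert:
    decoy: str      # which decoy asset fired
    vector: str     # how the attacker interacted with it
    source: str     # where the interaction came from
    evidence: str   # the raw log line, for the analyst


# Hypothetical log formats assumed for this example.
AUTH_RE = re.compile(
    r"auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
)
CONN_RE = re.compile(r"conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)")


def evaluate(line: str):
    """Return an Alert if the line touches the deception layer, else None."""
    m = AUTH_RE.search(line)
    if m:
        user, src, dst = m.group("user"), m.group("src"), m.group("dst")
        # A planted credential has no legitimate user: always high confidence,
        # even when it is tried against a real (non-decoy) host.
        if user in DECOY_ACCOUNTS:
            return Alert(DECOY_ACCOUNTS[user], "use of planted credential", src, line.strip())
        if dst in DECOY_HOSTS and src not in AUTHORIZED_SCANNERS:
            return Alert(DECOY_HOSTS[dst], "logon attempt against decoy host", src, line.strip())
        return None
    m = CONN_RE.search(line)
    if m:
        src, dst, port = m.group("src"), m.group("dst"), m.group("port")
        if dst in DECOY_HOSTS and src not in AUTHORIZED_SCANNERS:
            return Alert(DECOY_HOSTS[dst], f"connection to decoy host port {port}", src, line.strip())
    return None


def scan(lines):
    """Run every line through evaluate() and keep only the alerts."""
    return [a for a in (evaluate(line) for line in lines) if a is not None]


def attackers(alerts):
    """Group alert vectors by source address, the view the analyst wants first."""
    by_source = defaultdict(list)
    for alert in alerts:
        by_source[alert.source].append(alert.vector)
    return dict(by_source)


# Constructed sample log: one real user, one intruder, one authorized scanner.
SAMPLE_LOG = [
    "2024-03-01T09:00:01 auth success user=alice src=10.0.1.20 dst=10.0.5.10",
    "2024-03-01T09:00:05 conn src=10.0.1.20 dst=10.0.5.10 dport=445",
    "2024-03-01T09:02:11 conn src=10.0.9.200 dst=10.0.5.77 dport=445",
    "2024-03-01T09:02:12 auth failure user=svc_backup_old src=10.0.9.200 dst=10.0.5.10",
    "2024-03-01T09:02:30 auth success user=admin_legacy src=10.0.9.200 dst=10.0.5.78",
    "2024-03-01T09:10:00 conn src=10.0.2.5 dst=10.0.5.77 dport=22",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.decoy}] {alert.vector} from {alert.source}: {alert.evidence}")
    print(attackers(scan(SAMPLE_LOG)))
```

Run against the sample log, the real user's traffic produces nothing and the scanner's probe of the decoy is suppressed, while the three interactions from 10.0.9.200 each produce an alert naming the decoy and the vector. Note that the failed logon with the planted credential against a production host still fires: the decoy credential, not the decoy host, is what identifies it.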
When the outer wall is breached and prevention systems fail, deception provides an efficient way to continuously detect intrusions without requiring additional IT staff to manage it. It also alters the asymmetry of an attack: where the defender previously had to be right every time and the attacker only once, an attacker moving through a network seeded with decoys cannot afford a single wrong step. That frees security teams to focus on real threats to the network.
That's why interest in deception technology is also on the rise. According to research firm Technavio, the global deception technology market is growing at a compound annual growth rate of nine percent and may reach $1.33 billion USD by 2020. Deception technology has typically been the preserve of governments and major banks; it is now broadening its reach into other sectors.
Characteristics of Deception technology
Early Post-Breach Detection
No security solution can stop all attacks from reaching a network, but deception technology gives attackers a false sense of security by making them believe they have gained a foothold. From there you can monitor and record their behavior, knowing they can do no damage on decoy systems. The attacker behavior and techniques you record can then be used to further secure the real network.
Reduced False Positives and Risk
Dead ends, false positives and alert fatigue all hamper security efforts and drain resources, if the alerts are analyzed at all. Too much noise leads IT teams to become complacent and ignore what could be a legitimate threat. Deception technology reduces the noise: fewer false positives and high-fidelity alerts packed with useful data.
Deception technology is also low risk, since decoys hold no real data and have no impact on production resources or operations. When an attacker accesses or attempts to use part of the deception layer, an accurate alert tells administrators they need to take action.
Scale and Automate at Will
While the threat to corporate networks and data grows daily, security teams rarely get a matching increase in budget to handle the deluge of new threats. For this reason, deception technology can be a very welcome solution. Automated alerts eliminate the need for manual effort and intervention, while the design of the technology allows it to be scaled easily as the organization and the threat level grow.
From Legacy to IoT
Deception technology can be used to provide breadcrumbs for a vast range of different devices, including legacy environments, industry-specific environments and even IoT devices.
The Importance of Dynamic Deception
One of the most important requirements for a successful deception deployment is that the decoys must stay indistinguishable from real assets and fresh to the attacker. If attackers suspect they are being deceived, they will do what they can to evade the traps and scale up their efforts to reach your real assets.
Many deception security solutions have machine learning and AI built into their core. These features not only ensure deception techniques are kept dynamic but also help to reduce operational overheads and the impact on security teams by freeing them from constantly creating new deception campaigns.
Staying One Step Ahead Inside and Out
Deception technology may be a relatively new kid on the security block, but it offers more accurate and faster detection of attackers with far fewer false positives. Threats to your infrastructure exist externally and internally. Insider threats are on the rise and present a very real danger to the integrity of your systems and data. Forcepoint's Insider Threat solution provides active threat mitigation and threat protection and full visibility of user actions.
CSIRO’s Data61 and Penten hatch AI based cyber security ‘deception’ tech
CSIRO's Data61 has inked a major research project with cyber security firm Penten to build AI-enabled cyber security defence technology, better known as 'deception' technology, which includes cyber traps and decoys.
The Cyber Security Cooperative Research Centre (CSCRC) struck the research project between CSIRO’s Data61, the data and digital specialist arm of Australia’s national science agency, and Penten, in a bid to extend Australia’s sovereign advantage in autonomous and active defence.
The project will provide Penten with access to Data61’s AI research expertise. The research will focus on extending Penten’s work on applying AI to turn the tables on cyber attackers, using deception technology like ‘cyber traps’ and ‘decoys’, part of an emerging category of cyber security defence.
Penten CEO Matthew Wilson said the company has been exploring how to fight back against cyber attackers by interspersing decoy computers and data amongst real assets. "Because they don't have any real value, the decoys act as digital tripwires. We discover the attackers and learn more about them by capturing their actions, observing what they choose to interact with and placing homing beacons in the decoys.
“Cyber traps work best if the content is realistic, enticing and does not interfere with legitimate users. Making these cyber traps by hand and optimising for these requirements is very time consuming for cyber defenders.
“Our solutions use artificial intelligence to learn the patterns of activity and content from surrounding computers and data. We then use this information to create realistic and believable mimics. This means we can deliver suitable content extremely efficiently, tailored to a customer environment and with minimal effort on the part of the defender,” Wilson said.
Penten has developed AI tools that generate and update decoy and trap documents, military radio communications, Wi-Fi access points and active network hosts.
Dr Surya Nepal, senior principal research scientist at CSIRO's Data61 and security automation and orchestration team leader at CSCRC, said the partnership could help Australia create new technologies that can reach global scale. "As cyber threats increase in volume and sophistication, AI and machine learning offer an opportunity to assist overwhelmed human defenders and speed up decision making and response. It also allows us to deliver more agile defences in a way that we were not able to before."