Deception Technologies

Deception Technology: Only if You’re TRYING to Get Fired!

One of Sun Tzu most quoted phrases in The Art of War states; All warfare is based on deception.

Sun Tzu was not in cybersecurity.

99% of the defence against hackers has nothing to do with deception. It’s about making things too difficult to be worth attacking in the first place. Very few of you reading this are ever going to be the specific target of a state-sponsored agent, or an organised crime ring. Threats to you will therefore be mostly opportunistic in nature. Bad guys are lazy, make things difficult and they will usually move on pretty quickly.

On the other hand, expose something to an opportunistic hacker that looks easy to break, and you will have his/her attention. You would not have had their attention otherwise. To make it worse, when they find out that they have been deceived, you have done the worst thing imaginable. You’ve pissed them off.

Now it’s personal, and for a hacker, this means they will be patient. Very patient.

This is bad.

So What is Deception Technology?o

According to TechTarget a deception technology is a; “category of security tools and techniques that is designed to prevent an attacker who has already entered the network from doing damage. The technology uses decoys to misdirect the attacker and delay or prevent him from going deeper into the network and reaching his intended target.

You’ve already failed to detect the intruder through your other security controls / technology, so you should buy another tool to slow them down?

Even the very far from perfect PCI DSS has enough security controls defined to make breaches difficult enough. From hardening standards, to encryption, to access control, to FIM, to penetration testing, very few organisations need more. The issue is not the number or even type of controls in place, it’s the complete inadequacy of their implementations.

Why Deception Technology is a Horrible Idea

As far as I’m concerned, it should be possible to assume any organisation that implements deception technologies has or is:

  1. …completely optimised their security program – because why would you try to deceive before you’ve done your best to prevent, or detect with existing controls?;
  2. …the in-house expertise to perform the function – because who in their right mind would buy Deception-as-a-Service?;
  3. …ridiculous amounts of money to spend on cybersecurity toys – because even open source tools have a corresponding resource cost;
  4. …happy to draw the attention of the bad guys – because hackers hate a challenge, right?; and
  5. …a security chief who wants to be fired – because why else would they waste their time and the company’s money on something so pointless?

If you accept that you shouldn’t buy technology until your risk assessment process highlights a relevant functional gap, then consider this; In 15 years of performing security assessments at organisations both large and small, I have NEVER seen the need for deception technology. Never. Governance, yes. Policies and Procedures, absolutely. Incident Response, without doubt. Deception Technology, not even on the radar.

You Won’t Get Fired for Doing the Basics

Finally, every blog I have ever written harps on about the exact same thing; back to basics. If you were doing the established cybersecurity processes correctly, deception technologies would not be necessary. Every aspect of your security program must focus on baselining your environment to a known-good, and reporting exceptions. Nothing more.

But risk assessments, vulnerability management, change control, asset management etc are just not sexy enough to sell. If it’s not shiny and has a fancy new name, vendors can’t get a foot in the door. Demand generation is ruling the day, and only the vendors are seeing the benefit.

It’s not their fault though, you’re the ones buying their snake oil.

[If you liked this article, please share! Want more like it, subscribe!]

4 thoughts on “Deception Technology: Only if You’re TRYING to Get Fired!

  1. I’m going to have to take a different position on this. Sometimes you know you are not fully protected due to budget or political difficulties and neither are ever going to get resolved. Yet you still need to detect whether you’ve been broken into or you need to detect malicious insiders.

    Your management has made the business decision to accept that amount of risk, whether you think it’s right or wrong, and it’s your job to work within those limitations or move on.

    So you hang a couple of boxes in strategic places and if anyone even touches them you know you have a problem. I’ve done this everywhere I’ve worked in IT security and it hasn’t cost very much money. Simple Linux boxes with highly restrictive iptables rules to detect any unexpected inbound or outbound traffic, especially ping, work very well. This “low tech” routinely picks up internal pen tests a day or two before the expensive stuff. As soon as someone starts to map the network they’re caught because a single ping will generate a high-priority alarm. As soon as malware or insiders start scanning the local subnet for lateral movement they’re noticed.

    If you don’t want to build it yourself, TrustedSec/Binary Defense has a free open source product ready-made for this:

    PCI-DSS does not have adequate controls because it does not apply to the entire network unless it’s a flat network and it only applies if you handle card data. Manufacturers generally don’t. Go after intellectual property or customer data or employee direct deposit configurations and leave the card data alone and you’ll probably romp freely through the network. As more companies go the iframe route for online ordering, PCI’s technical controls will apply to less and less companies outside of a few servers.

    If nothing else, the use of low-cost “deception technology” can help convince people that additional work is needed. It also provides a backup control for everything else you think you have in place for detection and that’s important to me.

    • Fair comment, and interesting take. You are still working in a world where the basics are ignored, and few of these require significant budget. If your biggest fear is insider threat, then your recruiting, background investigations and onboarding are lax. If your people can install software on their on their PCs/laptops or hardware on the network then you have significant gaps in everything from configuration standards to logging and monitoring.
      If all you can afford to do is wait for someone to do something bad then react to it, why are you still working there?
      The PCI controls are a bare minimum set that should be around EVERY system. Just because the DSS only applies to in-scope systems does not mean organisations should only protect those. While the DSS to wholly inadequate as it stands, it’s more comprehensive than most security programs I’ve seen in place.

  2. I have to respectfively disagree with David Froud. As the cyber security market is rapidly changing and drastically evolving from inefficient signature based solutions, inadequate in side of the network threat detection and response tools and record number of cyber breaches on a daily basis make the deception technology an optimum method of detection and response because it captures the perpetrator when he attempts to make one mistake. Deception has turned the table 180 degrees against the cyber hackers. The hackers used to be right only one time to enable them to bypass the perimeter prevention tools and get a foothold inside the network where now the hacker have to make only one mistake inside the network to be captured and eventually shut down. Great value proposition.

    • Thanks for your comments Ray.

      With regard “it captures the perpetrator when he attempts to make one mistake”, so does proper access control, logging and monitoring, FIM, and whole host of other things that work with existing technology (firewalls, SIEM etc.). The issue for my perspective is that NONE of these things are configured correctly, and the processes around them are almost non-existent. Why would a badly configured deception technology and a poor incident response process make any difference?

      I’m not against deception technologies per se (defence in depth and all that), but no technology ever invented can fix stupid.

If you think I'm wrong, please tell me why!

This site uses Akismet to reduce spam. Learn how your comment data is processed.