One of Sun Tzu's most quoted phrases in The Art of War is: “All warfare is based on deception.”
Sun Tzu was not in cybersecurity.
99% of the defence against hackers has nothing to do with deception. It’s about making things too difficult to be worth attacking in the first place. Very few of you reading this are ever going to be the specific target of a state-sponsored agent or an organised crime ring, so the threats to you will be mostly opportunistic in nature. Bad guys are lazy; make things difficult and they will usually move on pretty quickly.
On the other hand, expose something to an opportunistic hacker that looks easy to break, and you will have their attention. You would not have had their attention otherwise. To make it worse, when they find out that they have been deceived, you have done the worst thing imaginable. You’ve pissed them off.
Now it’s personal, and for a hacker, this means they will be patient. Very patient.
This is bad.
So What is Deception Technology?
According to TechTarget, deception technology is a “category of security tools and techniques that is designed to prevent an attacker who has already entered the network from doing damage. The technology uses decoys to misdirect the attacker and delay or prevent him from going deeper into the network and reaching his intended target.”
You’ve already failed to detect the intruder through your other security controls / technology, so you should buy another tool to slow them down?
Even PCI DSS, which is very far from perfect, defines enough security controls to make breaches difficult enough. From hardening standards, to encryption, to access control, to file integrity monitoring (FIM), to penetration testing, very few organisations need more. The issue is not the number or even the type of controls in place; it’s the complete inadequacy of their implementations.
Why Deception Technology is a Horrible Idea
As far as I’m concerned, it should be possible to assume that any organisation implementing deception technologies has, or is:
- …completely optimised their security program – because why would you try to deceive before you’ve done your best to prevent, or detect with existing controls?;
- …the in-house expertise to perform the function – because who in their right mind would buy Deception-as-a-Service?;
- …ridiculous amounts of money to spend on cybersecurity toys – because even open source tools have a corresponding resource cost;
- …happy to draw the attention of the bad guys – because hackers hate a challenge, right?; and
- …a security chief who wants to be fired – because why else would they waste their time and the company’s money on something so pointless?
If you accept that you shouldn’t buy technology until your risk assessment process highlights a relevant functional gap, then consider this: in 15 years of performing security assessments at organisations both large and small, I have NEVER seen the need for deception technology. Never. Governance, yes. Policies and procedures, absolutely. Incident response, without doubt. Deception technology, not even on the radar.
You Won’t Get Fired for Doing the Basics
Finally, every blog I have ever written harps on about the exact same thing: back to basics. If you were doing the established cybersecurity processes correctly, deception technologies would not be necessary. Every aspect of your security program must focus on baselining your environment to a known-good state and reporting exceptions. Nothing more.
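To make “baseline to known-good, report exceptions” concrete, here is a small FIM-style check of the kind referred to above. It is an added example, not code from the original post or from any product: it records a SHA-256 per file as the approved baseline, compares a later snapshot against it, and reports only the differences. The file paths and contents are constructed sample data; `snapshot_dir` is included so the same comparison can be run against a real directory.

```python
"""Known-good baseline and exception reporting (FIM-style), stand-alone example."""
import hashlib
import os
from dataclasses import dataclass, field


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_dir(root: str) -> dict:
    """Walk a real directory and record relative path -> sha256 of contents."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                snap[rel] = sha256_bytes(fh.read())
    return snap


def snapshot_from_contents(contents: dict) -> dict:
    """Same shape as snapshot_dir, built from an in-memory {path: bytes} map
    (used here for constructed sample data so the example runs offline)."""
    return {path: sha256_bytes(data) for path, data in contents.items()}


@dataclass
class Exceptions:
    added: list = field(default_factory=list)     # present now, not in baseline
    removed: list = field(default_factory=list)   # in baseline, gone now
    modified: list = field(default_factory=list)  # present in both, hash differs

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def compare(baseline: dict, current: dict) -> Exceptions:
    """Report every deviation from the known-good baseline; nothing else."""
    ex = Exceptions()
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            ex.added.append(path)
        elif path not in current:
            ex.removed.append(path)
        elif baseline[path] != current[path]:
            ex.modified.append(path)
    return ex


# Constructed sample data: the approved build of a host, then a later state of it.
KNOWN_GOOD = snapshot_from_contents({
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/etc.tgz /etc\n",
})

OBSERVED = snapshot_from_contents({
    "etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # hardening undone
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",                        # unchanged
    "etc/cron.d/update": b"* * * * * root /tmp/.x\n",                          # new, unapproved
    # usr/local/bin/backup.sh is missing
})


def report(baseline: dict = KNOWN_GOOD, current: dict = OBSERVED) -> Exceptions:
    """Print one line per exception and return the structured result."""
    ex = compare(baseline, current)
    for kind in ("added", "removed", "modified"):
        for path in getattr(ex, kind):
            print(f"EXCEPTION {kind:8} {path}")
    return ex


if __name__ == "__main__":
    # Against a real host: report(snapshot_dir("/approved/image"), snapshot_dir("/"))
    report()
```

Note what the output does not contain: `etc/passwd`, which matched the baseline. A known-good baseline is only as good as the change control behind it, so every reported exception should be reconciled against an approved change or treated as an incident.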
But risk assessments, vulnerability management, change control, asset management etc. are just not sexy enough to sell. If it’s not shiny and doesn’t have a fancy new name, vendors can’t get a foot in the door. Demand generation is ruling the day, and only the vendors are seeing the benefit.
It’s not their fault though, you’re the ones buying their snake oil.