Cyber security deception is a defense practice that aims to deceive attackers by distributing a collection of traps and decoys across a system's infrastructure to imitate genuine assets. The aim of deception is to prevent a cyber criminal who has managed to infiltrate a network from doing significant damage. Deception technology is a simple but effective approach to building security defenses that detect threats early with minimal performance impact on the network.

Decoys are realistic but fake assets (domains, databases, servers, apps, files, credentials, etc.). Decoys are deployed alongside legitimate assets. Once an attacker has breached the network, there is no way to differentiate the fake from the real. The moment the attacker interacts with a decoy, a silent alarm is raised and systems collect information on the attacker's actions and intent.
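As an added illustration of the "silent alarm" described above (example code written for this page, not part of the original post or of any deception product): a minimal TCP decoy service in Python that accepts any connection, records who connected and what they sent, and turns that into an alert record. The decoy name, the fake FTP banner and the DecoyEvent fields are assumptions chosen for illustration; probe_decoy is a constructed stand-in for an intruder connecting from the local machine.

```python
# Added example: a minimal TCP decoy service that records every interaction
# as an alert. Not from the original post; decoy name, banner and the
# DecoyEvent fields are assumptions chosen for illustration.
import socket
import threading
import time
from dataclasses import dataclass, asdict


@dataclass
class DecoyEvent:
    """What the decoy collects about one interaction."""
    decoy: str
    src_ip: str
    src_port: int
    first_bytes: str   # up to 256 bytes the peer sent, kept for intent analysis
    timestamp: float


class DecoyListener:
    """A fake service: it looks like something worth probing, but no legitimate
    client ever has a reason to connect, so every connection is an alert."""

    def __init__(self, name, banner=b"220 decoy-ftp ready\r\n", host="127.0.0.1", port=0):
        self.name = name
        self.banner = banner
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))   # port 0 lets the OS pick a free port
        self.sock.listen(5)
        self.events = []
        self._cond = threading.Condition()
        self._running = False

    @property
    def port(self):
        return self.sock.getsockname()[1]

    def start(self):
        self._running = True
        threading.Thread(target=self._serve, daemon=True).start()

    def stop(self):
        self._running = False
        self.sock.close()   # makes the blocked accept() fail and end the loop

    def _serve(self):
        while self._running:
            try:
                conn, (ip, port) = self.sock.accept()
            except OSError:
                break   # listening socket closed by stop()
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.sendall(self.banner)   # play the part of a real service
                    data = conn.recv(256)       # capture what the peer does next
                except OSError:
                    data = b""
            event = DecoyEvent(self.name, ip, port, data.decode("latin-1"), time.time())
            with self._cond:
                self.events.append(event)
                self._cond.notify_all()

    def wait_for_events(self, count, timeout=5.0):
        """Block until at least `count` interactions were recorded (or timeout)."""
        with self._cond:
            self._cond.wait_for(lambda: len(self.events) >= count, timeout)
            return list(self.events)


def probe_decoy(port, payload, host="127.0.0.1"):
    """Constructed stand-in for an intruder touching the decoy (demo/test only)."""
    with socket.create_connection((host, port), timeout=2.0) as client:
        client.recv(64)          # read the fake banner
        client.sendall(payload)


def alert_from_event(event):
    """Render the silent alarm as a structured record for a SIEM or ticket."""
    record = asdict(event)
    record["severity"] = "high"   # any decoy touch is a confirmed signal, not a guess
    record["reason"] = f"interaction with decoy '{event.decoy}'"
    return record


if __name__ == "__main__":
    decoy = DecoyListener("ftp-backup-01")
    decoy.start()
    probe_decoy(decoy.port, b"USER admin\r\n")   # constructed interaction
    for ev in decoy.wait_for_events(1):
        print(alert_from_event(ev))
    decoy.stop()
```

The listener never needs to know what normal traffic looks like: because the asset is fake, the expected number of legitimate connections is zero, which is why a single recorded event is enough to raise the alert.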
Advantages of Deception Technology

The advantages of deception technology are:
1. Improved Threat Detection

Deception produces "periscope events": a behavior that, when detected, clearly indicates that an attacker is in the network. Deception's periscope events are highly accurate, yet come with broad threat coverage.
2. Business Risk Awareness

Deception is aligned with the current business threat perception. For example, a company can create deception around a product launch, aligning security controls tightly to the areas where the organization perceives risk.
3. Greater Coverage

Deception can be applied across the enterprise, including environments that are often neglected blind spots.

Deception can detect threats at the perimeter, the endpoint, the network, Active Directory, and application layers, as well as offer coverage to more neglected environments such as IoT and cloud.

Deception also covers the entire kill chain, from pre-attack reconnaissance to exploitation, privilege escalation, lateral movement, and data theft / destruction.
4. Extremely Low False Positives

False positives cripple security team productivity. Deception has an intrinsically low false-positive rate.

Most behavior-based systems try to establish a normal baseline and then classify any activity above the baseline as anomalous; this leads to a number of false positives. Deception establishes a zero-activity normal baseline, where any activity at all is worthy of investigation.
5. Orchestrated Response

Orchestrated / automated response is most useful only when the trigger event is 100% certain. Plenty of orchestration tooling is being built, but not many real-world transformational orchestration use cases exist, because there are very few alerts that are 100% certain.

In terms of containment / response use cases, deception alerts can integrate with:
- Network Access Control to quarantine a compromised asset
- Web gateways to disable the compromised asset's Internet access and block phishing sites identified by email decoys
- Endpoint protection to kill a suspicious process or quarantine the endpoint
- Directory Services / Identity and Access Management to disable the user's account, change a password, and enable/enforce two-factor authentication
- Firewalls to dynamically deny access to network segments
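Points 4 and 5 together, as an added example (written for this page, not the post's own code or any vendor's): a small Python detector run over constructed auth-log lines that contrasts a threshold-on-a-baseline rule with the zero-activity baseline of a decoy inventory, then maps each decoy alert to the kind of integration the list above describes. The decoy names, users, addresses, log format and connector names (iam.*, nac.*, firewall.*, edr.*) are all invented for illustration.

```python
# Added example, not from the original post: the zero-activity baseline of
# point 4 and the response integrations of point 5 applied to constructed
# log lines. Every name, address and connector below is made up.
import re
from collections import Counter

# Decoy inventory (constructed): assets that exist only to be touched, so the
# expected level of legitimate activity against them is exactly zero.
DECOYS = {
    "svc_backup_ro": "credential",    # honeytoken account seeded in the directory
    "fin-db-archive": "server",       # decoy database host
    "payroll-2024.xlsx": "file",      # decoy document on a share
}

# Which integration reacts to which kind of decoy touch. Connector names are
# hypothetical; a real deployment maps them to its own NAC, EDR, IAM, firewall.
RESPONSE_PLAYBOOK = {
    "credential": ["iam.disable_account", "iam.force_password_reset", "iam.enforce_mfa"],
    "server": ["nac.quarantine_host", "firewall.deny_segment"],
    "file": ["edr.quarantine_endpoint", "nac.quarantine_host"],
}
HOST_SCOPED = ("nac", "firewall", "edr")   # act on the source host; iam acts on the user

# Constructed auth-log lines. alice is doing a legitimate bulk export; only the
# last two lines touch decoys.
SAMPLE_LOGS = """\
2024-05-01T08:01:02 auth user=alice src=10.0.5.12 target=hr-app result=success
2024-05-01T08:01:05 auth user=alice src=10.0.5.12 target=hr-app result=success
2024-05-01T08:01:09 auth user=alice src=10.0.5.12 target=hr-app result=success
2024-05-01T08:01:13 auth user=alice src=10.0.5.12 target=hr-app result=success
2024-05-01T08:01:20 auth user=alice src=10.0.5.12 target=hr-app result=success
2024-05-01T08:02:31 auth user=bob src=10.0.5.31 target=fileshare result=success
2024-05-01T08:03:40 auth user=svc_backup_ro src=10.0.9.77 target=fin-db-archive result=failure
2024-05-01T08:03:41 auth user=bob src=10.0.5.31 target=fileshare path=payroll-2024.xlsx result=success
"""

LINE_RE = re.compile(
    r"user=(?P<user>\S+) src=(?P<src>\S+) target=(?P<target>\S+)(?: path=(?P<path>\S+))?"
)


def parse_logs(text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def threshold_detector(events, per_user_limit):
    """Behaviour-baseline approach: flag any user whose activity exceeds a limit.
    A legitimate burst (alice's export) trips it: the false-positive problem."""
    counts = Counter(e["user"] for e in events)
    return sorted(user for user, n in counts.items() if n > per_user_limit)


def decoy_detector(events):
    """Zero-activity baseline: any event that names a decoy asset is an alert,
    whatever the volume, and the event itself is the evidence. One alert is
    raised per decoy referenced, so a line can yield more than one."""
    alerts = []
    for e in events:
        for field in ("user", "target", "path"):
            name = e.get(field)
            if name in DECOYS:
                alerts.append({"decoy": name, "kind": DECOYS[name],
                               "user": e["user"], "src": e["src"]})
    return alerts


def plan_response(alert):
    """Map a decoy alert to (connector action, target) pairs for orchestration.
    Host-scoped actions get the source address, identity actions get the user."""
    plan = []
    for action in RESPONSE_PLAYBOOK[alert["kind"]]:
        target = alert["src"] if action.split(".")[0] in HOST_SCOPED else alert["user"]
        plan.append((action, target))
    return plan


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print("threshold detector flags:", threshold_detector(events, per_user_limit=3))
    for alert in decoy_detector(events):
        print("decoy alert:", alert)
        for action, target in plan_response(alert):
            print("   ->", action, target)
```

With a limit of three events per user the threshold rule flags alice, who is doing nothing wrong, while the decoy rule flags exactly the three decoy references and nothing else; that certainty is what makes it safe to hand the alert straight to an automated quarantine or account-disable action.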
Deception technology provides security teams with a number of tactics and resulting benefits to help:
- Decrease attacker dwell time on their network
- Expedite the average time to detect and remediate threats
- Reduce alert fatigue
- Produce metrics surrounding indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).