Computing Profession

Tactical Deceit

A growing number of companies is using deception technologies to protect themselves from hackers.
Deception technology has evolved from honeypots to more sophisticated systems that can track intruders' movements.

A game of chess, cat and mouse, camouflage, and security by obscurity – just some of the words and phrases used in the security industry to describe deception technology that uses fake but believable IT infrastructure elements to act as decoys.

If the decoys are well-designed and deployed, they will attract a system attacker, raise an alert, and deflect damage to an organization's real assets. Similarly, fake infrastructure can be seeded with counterfeit information and data that looks appealing to an attacker.

The concept of deception technology is not new, with honeypots (often one decoy computer or server deployed in a CD-ROM drive) going back a couple of decades. Honeypots evolved into honeynets, a collection of honeypots made to look like a normal network. More recently, honey user credentials were developed to create a fake user, leak the information to underground systems such as the dark web, and raise an alert if someone attempted to use the credentials to log into a system.

While these decoys went some way towards discovering potential hackers and worked inside perimeter security technologies such as firewalls, they could not be scaled quickly or changed on the fly. They also lacked diversity, flexibility and effective camouflage.

Carolyn Crandell, chief deception officer at Attivo Networks, says, "In the past, security was set up to prevent bad guys getting in. Today, in an environment of AI (artificial intelligence) and quantum computing, these preventative systems can't keep up, however tall the walls and deep the moats."

Modern deception technology sits inside an organization's IT infrastructure and takes a proactive approach to resolving such problems. Corey Nachreiner, chief technology officer at Seattle, WA-based network security vendor WatchGuard Technologies, explains, "Deception technology acts like a canary in a coal mine, warning you of cyber danger. If you put technically pointless decoy servers on your internal network, theoretically no one should ever touch them. But if the decoy infrastructure is made to be easily discovered by typical network scans and attack reconnaissance, the decoys will show up immediately and be the first thing malicious hackers might 'touch'. So, any connection or communication to decoy warning systems is like a dead canary; it's an alert telling you that an attacker has or is about to breach your network."

The number of vendors offering deception technology solutions and services has increased significantly over the past few years, with frequently cited names including Attivo Networks, Acalvio Technologies, Illusive Networks, Ridgeback Network Defense, TrapX , WatchGuard Technologies, and Yellow Canary.

Nachreiner says, "The theory is that, in a breach, the adversary will waste all their time targeting and exfiltrating the decoy network and data, leaving your real infrastructure and data safe, and informing you of the compromise."

While most vendor solutions follow this theory, some offer only end-point deception that will challenge an attacker coming in through the application layer or other end-point devices, while others offer more complete coverage.

Ram Varadarajan, co-founder and CEO at Acalvio Technologies, describes the need in any IT infrastructure attack to be able to detect the attack; engage with it to understand its tactics, techniques and procedures, such as lateral movement efforts, accounts compromised, and goals; and respond before the attacker reaches their objective by using automated intelligence to devise a response strategy.

The speed at which this can be done contributes to how well the environment is protected. Density of deception in terms of decoys is also key, with more density also providing better protection. In sum, Varadarajan says, "The need is for speed and precision."

Decoys can range from machines to databases, apps, networks, and more, and can be augmented with breadcrumbs, bait, and lures that lead attackers to them. To be effective, they need to run real software rather than emulated software to provide a golden image of what is running in the enterprise.

Using additional machine space to host decoys, often in hundreds of thousands, however, would be costly. Acalvio has industrialized deception technology to make it usable in the corporate environment. Such solutions avoid the cost of scaling deception technology using physical decoys by using software images of actual IT assets. The company's solutions include a deception farm storing virtual decoys that can be dynamically projected into a client's premise and/or cloud computing environment. Decoy counts can be changed programmatically to avoid running too many or too few, and decoys are contained so they cannot be used as launch pads for attackers. Fluid deception gradually escalates the level of interaction of a deception decoy as needed.

Attivo follows a similar approach and uses the projection concept, although it projects actual rather than virtual systems into client architecture. It describes its solutions as providing 'eyes inside the network' and most recently added a solution for active directories to its suite of protected attack surfaces.

Describing the potential of deception technology, Crandell outlines a case study of a healthcare customer that couldn't figure out how 60 of its 2,000 systems were taken down. Using deception technology, it could stop the attack, study it, and take control. Without the technology, it is likely that all 2,000 systems would have been lost.

Crandall notes other benefits of the technology include the ability to catch threats early, to pick up polymorphic attacks quickly, to reduce time spent on triage, and to cut the amount of time hackers 'dwell' in systems.

According to a report based on a survey of 208 respondents and published in 2019 by boutique consultancy Enterprise Management Association (EMA), "A Definitive Market Guide to Deception Technology," deception technology can reduce average dwell time (the amount of time an attacker is in the IT environment before being ejected) from 78 to 100 days to five and a half days. It can also provide a better idea of what attackers are trying to do, allowing users to improve their defenses.

Paula Musich, a research director at EMA and author of the report, says, "The difference in dwell time is huge. Attackers can be detected faster and shut down before any real damage is done." The report also found that the cost of deception is not prohibitive as vendor solutions are generally highly automated and easy to deploy and manage.

What about the million-dollar question: can deception technology be hacked? Chris Roberts, chief security strategist at network security service provider Attivo Networks and a renowned professional hacker, says, "People are looking at it and there are countertechnologies and tools trying to understand whether they are on a real or camouflaged system, but they have not proved effective yet."

Sarah Underwood is a technology writer based in Teddington, U.K.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More