Is it next-generation threat detection? Is it counter-hacking? One thing we know is that it's designed to lure hackers to a replica enterprise environment so that threats can be eliminated. It's deception.
Startups in this niche include TrapX Security, GuardiCore and Attivo Networks, which recently closed a Series C round for $21 million. (See Attivo Goes On the Attack Against Hackers.)
"Why does this company exist? It really boils down to that a perimeter-based defense is just not reliable anymore," Carolyn Crandall, chief deception officer and CMO at Attivo Networks told Security Now. "People can and will get into the network, and over the last couple of years, people are accepting that."
Crandall is adding her voice to a growing number of experts that agree the better strategy is to accept that penetration is inevitable and therefore the focus should be on protecting the data in the network, not erecting a fence.
One of the dangers is that hackers booted off the network can, according to Crandall, easily get straight back in. To counter this, a response at scale is required, and detection and response has become part of the security control stack. But detection is challenged because it's tough to get arms around and decide with limited information what the most virulent threats are.
Threat detection is flawed
Apparently, standard threat detection technologies are flawed because they basically only generate alerts. However, they don't often provide information about the type and techniques of threats, or the tools used; it's challenging to respond by, say, automating quarantine blocking or threat hunting to eradicate an attack.
Attivo lays traps in the network, optimized to encourage the disturbance of decoys by mirroring the existing environment so hackers think they have successfully accessed it. Crandall has seen a shift in the market from three years ago, when companies believed all they really needed was prevention.
"Now people are shifting their budgets, they're adopting detection," she said.
"Decoys can be set up to look like endpoints, servers, POS networks, industrial control fuel sensors, or maybe direct infusion pumps at a hospital," Crandall added. "We can take anything that runs an operating system and we can make the decoy look identical to production assets, by running on their software."
So, if the decoys are identical, how are the odds improved that a hacker will be snared?
Making decoys more pervasive than real network assets improves the chances that a hacker will engage. The decoy environment is not an emulation, but rather uses the same software as the real network, except sweetened, for example, with bogus assets such as honey docs.
Enterprise misconceptions about deception
Enterprises can't be blamed for making assumptions about deception technology, because it's so new.
The first assumption is, if a company is less advanced with its security infrastructure, the belief that deception should be the last thing they would adopt. Typically, these are healthcare organization which have to economize because of small budgets.
Secondly, there's a feeling that integration of deception technology is far from straightforward. Aflack, an Attivo customer, motivated to try deception because it did not want to make headlines from security slips that reveal PI, apparently easily integrated deception into their security controls system for a single view.
"If you had asked me two years ago if anybody would have had deception in their budget, it wouldn't have been [there], and not in their initiative list," Crandall said.
In 2018, the big difference will be that budgets will be earmarked and put into action, with extra incentive that for some firms, it helps with compliance, M&A strategy, is part of an insider threat strategy and/or is part of a supplier management strategy.
Come get me
Is deception encouraging attackers?
The current Active Cyber Defense Certainty Act (ACDC) hacker bill, proposed by Rep. Tom Graves of Georgia, who sits on the House Defense Committee, fundamentally poses the question: "is an eye for an eye" OK, when it comes to enterprises and consumers striking back?
It's unclear if there's the stomach or the expertise for users to "hack back" at attackers and try to retrieve lost data. There are stumbling blocks. Often, enterprises don't have white hackers on staff and would need to look elsewhere for help. Also, attribution is hard, so the chances of attacking the wrong person are extremely high.
"Will they come back at you with greater vengeance?" Crandall asked. The answer is maybe, but she recommends that companies keep their powder dry and use the counter intelligence they gather to fortify their own systems. If there's information for law enforcement, hand it over but don't act on it.
Deception is forecast to grow into a substantial market.
"By 2018, 10 percent of enterprises will use deception tools and tactics, and actively participate in deception operations against attackers," Gartner analyst Lawrence Pingree wrote in a recent report.
On a Fox5 TV appearance this summer, Crandall predicted that, "If we end up going at the pace we are, we're going to have 1,500 breaches this year (in the US), compared to the 1,100 we had last year. Last year there were 4 billion records stolen."
In Security Now's latest poll, the largest percentage of readers (about 45%) said they would go "on the attack" against hackers.
— Simon Marshall, Technology Journalist, special to Security Now