Illusive Blog May 25, 2017

Deception Technology vs. Honeypots: Deception Wins

By Beth Ruck

We see it every day. There’s a widespread misunderstanding about the differences between deception technology and the traditional honeypot method of detecting cyber attackers. Honeypot tactics and deception technology are significantly different—from their underlying basic premise to their levels of effectiveness. Here’s how they differ.


1. Completely opposite basic premise

Honeypot tactics are designed using the logical view of the organization’s infrastructure. The honeypots are deployed as decoys around valuable targets to try and divert attackers. However, by the time an attacker encounters the honeypot, he is already deep inside the network.

Attackers view an infrastructure as a social map. Once they ascertain where they land in the network, they view adjacencies and relationships between resources to decide on their next move. Illusive’s deception technology is designed from the attacker’s perspective and identifies the attack early. This shift in perspective gives you a vast advantage in threat situations, which have always overwhelmingly favored the attacker.

2. Attract vs. entangle

Success with honeypots relies on capturing attackers’ attention and motivating them to move to the honeypot destination. That means you must first get an attacker to a honeypot before you can study—and stop—them. In the meantime, they can be present in the network for months, exfiltrating data and causing damage.

Illusive deceptions are pervasive in the network and mirror the actual infrastructure. Instead of hoping to attract an attacker to a destination, Illusive entangles an attacker in deception almost immediately after they gain access to a network (e.g. via endpoints, which are usually the first point of engagement after a breach), without the attacker realizing it. Organizations can now engage the adversary at “Patient Zero.”

3. Limited scalability vs. automated scalability

You could increase the number of honeypots deployed across your infrastructure to increase the likelihood of trapping an attacker. However, that approach quickly gets costly and complicated. If you have 500 machines and want decoys to account for 50% of your hosts, you would need to add 500 new machines and IP addresses, not to mention the licenses and human resources to manage them all. Even with automation, this approach burdens the network and staff and delivers no better rate of attraction.

Illusive deceptions are deployed across the entire infrastructure and can be scaled almost instantly because the technology is agentless. Deceptions automatically deploy as the infrastructure scales, with almost no overhead for IT or the network. With Illusive’s Deception Management Server™ (DMS), deceptions are also tailored to each asset encountered in the network, so that the organization deploys the best, most reliable set of deceptions for each machine or user, significantly increasing the chances of detecting an attacker.

4. Increased false positives vs. near-0 false positives

Honeypots must be chosen as a destination by an attacker. Because they sit on the production network, end users often encounter and interact with the decoys, which increases false positives.

Illusive’s deceptions poison data on every endpoint for 100% coverage, but are hidden from users. Because they are only exposed to an attacker, false positives are eliminated and every alert is a genuine threat.

5. Imitation vs. authenticity

Honeypots are crafted with data or attributes that the organization thinks will attract an attacker. However, decoys must be both interesting and capable of believable interaction with an attacker. Attackers look for specific characteristics that enable them to successfully avoid honeypots or sandboxes. If anything looks a little “off,” they will leave it alone.

Illusive’s deceptions are authentic and change over time. They’re created with the same attributes and realities of the endpoints, servers, data, application and surrounding network environment where they’re deployed. No two computers or users’ deceptions will be the same—even within the same environment. Attackers cannot determine what is real and what is deceptive.

Moreover, the deceptions are orchestrated to constantly change over time, which plays an essential role in tricking hackers performing an APT as they learn the environment and perform repeated actions. Continually changing the deceptions also prevents returning attackers from using previously harvested information about the network they are breaching, further delaying their lateral movement across the network.

6. Delayed threat response vs. immediate threat response

With honeypot tactics, the organization’s security team has to hope that the attacker interacts with the honeypot long enough for them to sort through the high number of false positive alerts coming from multiple machines. This significantly delays an effective response. Furthermore, because the attacker is already deep in the organizational network, security teams tend to be extremely alarmed at this point, which often leads to wrong decisions.

With Illusive’s deceptions, the security team knows the minute an attacker engages a deception early in the attack’s life. This gives them more response choices and a clear path for remediation.

7. Useful forensics (maybe) vs. instant forensics from source of attack

Forensics can only be gathered at the honeypot decoy itself, which delivers no insight into the source machine or previous behaviors.

Illusive’s deceptions deliver an instant forensic snapshot on the source machine while the attacker is engaged. They continue to deliver data as the attacker tries different methods and avenues.

8. Technology-focused vs. human-focused

Honeypot tactics have been around a long time and were designed on assumptions about machine and technology capabilities.

New deception technology turns the tables on attackers because it’s designed around the way that humans respond to new situations or environments. When an attacker lands in a network, he asks two questions:

  • Where should I go next? (assets)
  • How can I get there? (credentials or exploits)

Only after those are answered does he make the next lateral move. When Illusive’s authentic deceptions are deployed, the answers to these questions create a deceptive reality the hacker acts upon. This unknowingly leads the attacker to a trap server instead of the real assets he would ideally target. With numerous deceptions around him, the attacker typically makes incorrect decisions, causing him to engage with a deception and become disoriented, although he doesn’t realize it. At the same time, he is discovered but doesn’t know it. Automated forensic responses track his path and activities, giving organizations valuable data for stopping and remediating an attack.
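As an added illustration of the properties described in points 4, 5, 7 and 8 (this is example code, not Illusive's product logic; the host names, the HMAC-derived decoy naming scheme, the seed and the auth-event format are all assumptions), the following Python plants a decoy credential unique to each endpoint, never issues it to real users, and therefore treats any authentication attempt with it as a high-fidelity alert that is attributed back to the endpoint it was harvested from:

```python
import hashlib
import hmac
from collections import namedtuple

DEPLOYMENT_SEED = b"example-deployment-seed"  # constructed placeholder

def decoy_username(host: str) -> str:
    """Derive a decoy account name unique to one endpoint.
    It is tied to the host it is planted on (no two machines share one)
    and is never issued to a real user."""
    tag = hmac.new(DEPLOYMENT_SEED, host.encode(), hashlib.sha256).hexdigest()[:8]
    return f"svc_backup_{tag}"

def plant_decoys(hosts):
    """Deployment inventory: decoy user -> host it was planted on."""
    return {decoy_username(h): h for h in hosts}

Alert = namedtuple("Alert", "planted_on attempted_from target decoy_user")

def detect(auth_events, inventory):
    """One alert per authentication attempt that uses a decoy account.
    Legitimate users never see these accounts, so every hit is treated as
    attacker activity, and the inventory lookup attributes it to the
    endpoint the credential was harvested from (the likely patient zero)."""
    alerts = []
    for ev in auth_events:
        planted_on = inventory.get(ev["user"])
        if planted_on is None:
            continue  # real account: out of scope for this detector
        alerts.append(Alert(planted_on, ev["src"], ev["target"], ev["user"]))
    return alerts

# Constructed sample: three protected endpoints and a short auth log.
HOSTS = ["ws-017", "ws-042", "srv-db1"]
INVENTORY = plant_decoys(HOSTS)
AUTH_EVENTS = [
    {"user": "alice", "src": "ws-017", "target": "srv-file"},
    {"user": "bob", "src": "ws-042", "target": "srv-mail"},
    # decoy harvested on ws-042, then replayed from a different machine
    {"user": decoy_username("ws-042"), "src": "ws-017", "target": "srv-db1"},
]

def run_demo():
    return detect(AUTH_EVENTS, INVENTORY)

if __name__ == "__main__":
    for a in run_demo():
        print(f"ALERT {a.decoy_user} (planted on {a.planted_on}) "
              f"used from {a.attempted_from} against {a.target}")
```

The alert carries both the host the credential was planted on and the host the attempt came from, which is the distinction point 7 draws between forensics at the decoy and forensics at the source.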
