Illusive Blog August 22, 2019

Next-Gen Deception Technology: Moving Beyond Honeypots

By Daniel Brody

Is it time for the proverbial “Honeypots are Dead” Post?

Returning from Black Hat earlier this month, I couldn’t help but reflect on how honeypots were still the first thing that came to mind when many attendees heard the word “deception.” It’s true that when deception technology first emerged years ago, honeypots were the most analogous technology to describe the way deception worked, in that a honeypot tries to trick an attacker into interacting with it. However, deception has come a long way since honeypots materialized in the 1990s and were first commercialized in the 2000s. Call the new generation of deception technology what you will, just don’t call it a honeypot.

Defining next-generation deception technology begins by specifying what it is not: a dumb, easily fingerprinted, resource-sucking set of pooh-bear traps intended to lure unlucky, unsuspecting, and unsophisticated hackers to their doom.

Next-Generation Deception Technology – Early Threat Detection

Today’s generation of deception technology offers the earliest and most efficient detection of post-perimeter threats, using a set of deceptions ranging from endpoint data all the way to decoys. As defined by Gartner, a Deception Platform includes systems to implement, manage and monitor decoys, tools to create and distribute lures and honeytokens, and methods to subsequently refresh or delete these deceptions. To be effective for detection, deceptions must be inevitable, undetectable, and inescapable.

Let’s Get the Names Straight

As the market has evolved, three general types of deceptions have emerged: full-interaction decoys (honeypots), partial or low-interaction emulated decoys, and endpoint data deceptions. Let’s take a moment to break these deception categories down in further detail.

Fully Interactive Decoys (née Honeypots)

Fully Interactive Decoys (FIDs) are not meant to detect threats early, and they don’t—at least not very well, and not at all consistently. FIDs exist as hosts on the network—either physical or virtual—and are meant to be attacked and compromised by malefactors. Because they are completely functional systems deployed on the network, FIDs are difficult to distribute widely and are resource-heavy to maintain and implement, so typically a limited number are deployed, meaning the math doesn’t work for a detection use case. Attackers must trip over them or be lured into FIDs, so they don’t rise to the level of “inevitable” or “inescapable” required for detection. Originally intended to allow the defender to observe attacks in progress, FIDs can still have a place in threat research. However, increasing sophistication and the ready availability of tools such as Honeypot Buster mean that today’s attackers are unlikely to be fooled by a fully interactive decoy for long.

Partial or Low-Interaction Emulated Decoys

Partial or low-interaction decoys use emulation to fool the attacker into attempting to interact with the device. Conceptually, these deceptions are like stage sets. The attacker is “caught” in the act of attempting to break in, but there is nothing on the other side of the door. An example of this type of decoy is a device or application, which emulates the login screen of a mainframe administrator console in extreme detail. When an attacker attempts to log in with stolen credentials, the attacker receives an error message, and the system triggers an alert. Emulations are frequently deployed to protect “untouchable” systems such as medical and IoT devices, and are taking a more strategic role in deception as the presence of IoT technology becomes more widespread. Emulated decoys are typically easier to deploy and support, and are therefore better positioned to be inevitable and inescapable.

Note, however, that trying to judge deception vendors by the number of emulations they support on any given day is a fool’s errand. It is unlikely that any single vendor will be able to provide all the emulations required for the millions of IoT devices being envisioned, so APIs and the ability for partners and customers to craft emulations will likely evolve quickly here. Learn more about how Illusive protects such devices here.

Endpoint Data Deceptions

Endpoint deceptions consist only of static data. When attackers first enter a network, they land on an endpoint. From there, in a process known as “living off the land,” they deploy attack tools to survey the environment and search for legitimate credentials to escalate their privileges and connections to other endpoints and servers. Once discovered, this data is used to maliciously traverse networks.

As a first step in stopping attackers, these valid credentials and connections must be removed from the network. Illusive’s Attack Surface Manager was the first product to introduce this capability to the market. In a recent review of deception technology, SC Media called ASM “simple to rollout” and “incredibly effective;” check out the full report here. This “cleaning” action alone slows or stops an attacker’s ability to “live off the land,” reducing the potential attack surface in a way that would be beyond the scope of typically patch-focused vulnerability management solutions. Deception vendors vary in their approach to this important process, so don’t be fooled by the marketing hype; perform a test in your own environment. Illusive offers a free Attack Risk Assessment, which provides eye-opening data about the current status of your ‘credential and connection’ environment.

The next step in the attack detection process involves placing false information where the attacker is bound to encounter it; for example, placing false credential and connection data in cache memory on the endpoint where only an attacker would find it. Leading vendors offer many different families of endpoint deceptions including files, file systems, email, RDP connections, and more. As soon as the attacker interacts with any of this false data, a high-fidelity alert is triggered showing exactly what has been attempted and where. Vendors vary in their approaches to collecting and distributing this forensic information. Learn more about Illusive’s award winning Attack Detection System here.
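The detection side of endpoint data deceptions, as an added illustration that is not code from the original post or from Illusive: planted credentials belong to no real principal, so any authentication attempt naming them is attacker activity, and the alert can carry the source endpoint and target that the attempt was made against. The log format, the decoy account names and the severity scheme are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed: decoy (honeytoken) accounts a deception platform would have
# planted in endpoint caches. They exist nowhere as real accounts.
DECOY_ACCOUNTS = {"svc_backup_dc01", "adm_finance_share"}

# Constructed log format; a real deployment would parse the SIEM's own schema.
LOGON_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>logon_(?:success|failure)) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) target=(?P<target>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str      # endpoint the attempt came from: where the attacker is
    target: str   # system the planted credential was tried against
    severity: str

def parse_logon(line):
    """Return the logon event fields, or None for lines that are not logon events."""
    m = LOGON_RE.match(line.strip())
    return m.groupdict() if m else None

def detect_decoy_use(lines):
    """Emit one alert per authentication attempt that names a decoy account."""
    alerts = []
    for line in lines:
        ev = parse_logon(line)
        if ev is None or ev["user"] not in DECOY_ACCOUNTS:
            continue
        # A failure is the expected outcome (the account is fake). A success
        # means the decoy resolved to something real, so escalate it further.
        severity = "critical" if ev["event"] == "logon_success" else "high"
        alerts.append(Alert(ev["ts"], ev["user"], ev["src"], ev["target"], severity))
    return alerts

# Constructed sample log: one legitimate logon, three decoy uses, one junk line.
SAMPLE_LOG = [
    "2019-08-22T10:01:05Z host=dc01 event=logon_failure user=svc_backup_dc01 src=10.0.5.23 target=dc01",
    "2019-08-22T10:01:07Z host=fs02 event=logon_success user=jsmith src=10.0.5.40 target=fs02",
    "2019-08-22T10:02:11Z host=fs02 event=logon_failure user=adm_finance_share src=10.0.5.23 target=fs02",
    "2019-08-22T10:03:30Z host=fs03 event=logon_success user=adm_finance_share src=10.0.5.23 target=fs03",
    "not a logon record",
]

if __name__ == "__main__":
    for a in detect_decoy_use(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} decoy {a.user} used from {a.src} against {a.target}")
```

Every alert here points back to one source endpoint, which is the "exactly what has been attempted and where" the paragraph describes.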

What Makes Today’s Deception Technology Next-Generation?

Today, machine intelligence and automation allow deception platforms to discover network systems, connections, and crown jewel assets, as well as to know where an attacker is in relationship to them. Intelligent deception systems can recommend and craft authentic network, system, application, server, and data deceptions that are customized for each system and appear native to the environment. AI-driven automation also enables a complex web of cyber deceptions to evolve and keep pace as threats and businesses change, even on the largest networks.

Finally, next-generation deception technology also integrates comfortably with other security solutions, so that its threat detection capabilities can enhance the resolution capabilities of other technologies. For example, endpoint detection and response (EDR) and security information and event management (SIEM) systems can receive high-fidelity alerts from a next-generation deception tool at an earlier point in the attack lifecycle than they otherwise might. In this way, organizations that deploy such solutions in tandem with next-generation deception can speed up investigation and mitigation before attackers are able to get anywhere near crown jewels.

Honeypots Still Have Their Narrow Uses

Honeypots are not quite dead yet, but they certainly aren’t the centerpiece for today’s next-generation deception technology solutions. Nevertheless, fully interactive decoys or honeypots are useful for forensic analysis, threat hunting, and responding to attacker behavior. To learn more about how Illusive’s fully interactive decoy capability is integrated into our overall solution with the Attack Intelligence System, click here.

However, deception has moved far beyond narrow honeypot use case parameters. Next-generation deception technology has emerged as the most effective and earliest way to detect and stop attacker movement once a breach occurs, and can be deployed with a fraction of the time and effort setting up a traditional honeypot usually requires.

To learn more about how next-generation deception technology can help your organization stop post-perimeter attacks, click here.