By: Ori Bach, General Manager, TrapX Security
At its early stages, deception technology adoption was driven by forward-thinking security teams looking to get ahead of cyber attackers. However, in recent years as more and more enterprises utilize deception technology to great effect, it has become a standardized way to gain a high-fidelity low-cost detection of threats.
As the use of cyber-deception becomes more prevalent across verticals and in enterprises of all sizes, it has gained the attention of regulators, who are formulating guidelines, making recommendations and, in some cases, even mandating its use.
What Is Cyber-Deception?
Before reviewing how regulators view the use of this technology, let’s quickly define the meaning of cyber-deception.
Cyber-Deception is a category of cybersecurity that provides signature-less, behavior-agnostic threat detection. Cyber-Deception utilizes lures and decoys to entice, engage, misdirect and ultimately detect attackers.
From legacy honeypots & honeytokens to modern cyber-deception
The evolution of cyber-deception from legacy honeypots was driven by two main technology advances:
- Scale – the adoption of emulation technology has enabled the creation of fake attack surfaces, replacing the legacy approach of using resource-guzzling virtualized honeypots. This innovation allows deploying thousands of traps with a fraction of the effort and computing power required to deploy and maintain a real OS and its accompanying software.
- Automation – platforms able to automatically manage an integrated grid of lures and traps to create an entire deceptive environment and its related architectural elements. This approach has greatly increased the efficacy of deception, especially as compared to the use of standalone honeytokens.
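As an added illustration (not TrapX code, and not from the original post) of why a deception alert needs no attacker signature: a small Python detector that matches constructed auth log lines against a constructed registry of lures. The decoy account names, host names and planting locations are assumed for the example.

```python
import re

# Constructed lure registry: each decoy credential or host is planted at a known
# location, so any use of it tells the responder where the attacker has been.
DECOYS = {
    "svc_backup": "fake credential planted in /etc/backup.conf on web01",
    "db-replica-7": "emulated SQL host advertised in DNS, no real service behind it",
    "jdoe-admin": "canary domain account never used by staff",
}

# Constructed auth log lines in a simple syslog-like format.
SAMPLE_LOG = """\
2023-03-01T10:01:11Z web01 sshd: Accepted password for alice from 10.0.1.25
2023-03-01T10:02:47Z web01 sshd: Failed password for bob from 10.0.1.31
2023-03-01T10:05:03Z db-replica-7 sshd: Failed password for svc_backup from 10.0.1.25
2023-03-01T10:05:09Z fileserver smbd: Accepted password for jdoe-admin from 10.0.1.31
2023-03-01T10:07:50Z web02 sshd: Accepted password for carol from 10.0.2.14
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def detect(log_text, decoys=DECOYS):
    """Return one alert dict per event that touches a decoy user or decoy host.
    No attacker signature is needed: legitimate users never reference a lure,
    so even a *failed* login against a decoy is a high-fidelity alert."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped, not treated as alerts
        for lure in (m["user"], m["host"]):
            if lure in decoys:
                alerts.append({"ts": m["ts"], "src": m["src"], "lure": lure,
                               "outcome": m["result"], "planted": decoys[lure]})
    return alerts

def sources_to_isolate(alerts):
    """Distinct source addresses that interacted with any lure."""
    return sorted({a["src"] for a in alerts})

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"[DECEPTION] {a['ts']} {a['src']} used lure {a['lure']!r} "
              f"({a['outcome']}); {a['planted']}")
    print("sources to isolate:", sources_to_isolate(found))
```

Note that the failed login by the real user bob produces nothing, while the failed login with the decoy svc_backup against the emulated host fires twice (once for the credential, once for the host), which is the kind of alert the Gartner guidance quoted below says to treat as high priority.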
Analysts have a positive view of deception technology
Deception is broadly covered by various industry analysts.
Gartner’s view of deception technology is that – “Deception is a viable option to improve threat detection and response capabilities. Technical professionals focused on security should evaluate deception as a ‘low-friction’ method to detect lateral threat movement, and as an alternative or a complement to other detection technologies.” – Gartner, Applying Deception Technologies and Techniques to Improve Threat Detection and Response. Here is the full Gartner report.
“Once deployed, prioritize alerts from the deception platforms as high-priority, high-fidelity alerts that need immediate attention.” – Gartner Hype Cycle for Threat-Facing Technologies, 2018.
Frost & Sullivan also chimed in – “Frost & Sullivan believes that companies that can provide a network-based deception technology platform to divert attackers… while still defending their systems against advanced attacks… will secure clear leadership positions in the market.” – Frost & Sullivan, North American Deception-based Cyber-security Defense Leadership Award. Here is the full Frost & Sullivan report.
Analysts often also highlight the special benefit of deception for large distributed networks and IoT devices.
“Prioritize deception-based detection approaches for environments that cannot use other security controls due to technical reasons (for example, IoT, SCADA or medical environments) or due to economic reasons (for example, environments with highly distributed networks).” – Gartner Hype Cycle for Threat-Facing Technologies, 2018
Regulators are taking notice
One of the most forward-thinking regulators in the world is the Israeli National Cyber Directorate.
Israel is very advanced in its approach to cyber security, mainly because it is such a big target for terror and cyber-attacks. Israel has also recently become a world leader in cyber security, and its regulators call for the use of deception technology. (Here’s an HBO documentary on how Israel rules the world of cyber security.)
This is the direct quote from the Israeli government’s regulation and their supply chain mandate (translated): “Proactive Cyber Defense – The use of deception, diversion and detainment by using specialized techniques and technologies (such as traps, honeypots, communication diverting, etc.) in order to mislead and delay the attacker and to enable the identification and analysis of the tools, methods, procedures and techniques which the attacker uses.”
In addition, at the most recent cyber event in Israel, National Cyber Week 2018, Maj. Gen. (res.) Yaakov Amidror, the head of research of Israel’s military intelligence, had this to say in his speech:
“In cyber security, there is one thing that truly can make a difference, if you’re smart, you don’t destroy your enemy, you isolate him and give him a sense he is still active. This is a honey trap. With this method, you lure the attacker into a trap, in real-time, where he can be manipulated and analyzed while giving him the feeling that he is still active. Once the attacker understands that he got caught and he’s isolated, he will understand that he has to put all of his efforts in a different place. This is the main difference to the classical approach of cyber security.”
The Israeli government isn’t the only one who has taken this approach. India’s government has also included deception technology in its regulation for cyber security. Here is a direct quote from their cyber-security regulation:
“Implementing deception technique as innovative and false positive free solution: Deception technique for handling cyber security is an effective and forward-looking solution and should be used actively.”
The United States and Europe, while a little behind, are also adding deception technology into their cyber security regulation and are setting it up, probably as you’re reading this blog post. It’s just a matter of time…
The European Central Bank drafted the ‘Cyber Resilience Oversight Expectations (CROE)’ in December 2018. Here is what they had to say:
“In the context of a defence-in-depth strategy, the FMI should seek to implement cyber deception capabilities and techniques that enable it to lure the attacker and trap it in a controlled environment where all activities can be contained and analysed, allowing the FMI to gain vital threat intelligence that will help to improve its protection controls.”
To learn more or if you want to read some case studies about deception technology, please visit us at https://trapx.com/case-studies/