Collection of threat intelligence by use of decoys on the internet
By Michael Fabrico
Deception technology supplies threat intelligence to your overarching security plan. Fact. However, lately I came across an interesting customer question: ‘Can I deploy deception assets to my DMZ and expose them to the internet to collect threat intelligence?’
A considered response requires answering two questions:
- What are you seeking to achieve by collecting this kind of intelligence?
- Are you willing to risk your DMZ if the attacker takes full control of the decoy without you noticing? Bear in mind that internal decoys will prompt immediate response, but DMZ decoys will be noisy and you risk being overwhelmed with events.
Several further points weigh against exposing decoys directly to the internet:
- This is fair enough, but advanced attackers will not make noise in the DMZ before actually penetrating the network, unless they are using DDoS-type tactics to mask other actions.
- Many of the DMZ attacks and scans are automated and look for generalized vulnerabilities not typically related to your DMZ, so the intelligence is worthless anyway.
- The DMZ decoys will be infected by self-spreading binaries that are usually well known and would not bypass your perimeter defenses anyway.
- TrapX DMZ testing suggests that internet-facing decoys will collect around 5000 events per hour for a medium-sized organization. Does your SOC team (if you have one!) really have the cycles to analyze that data?
- Deception technology's value comes from it being a quiet, low-noise solution. Sure, you will get pretty graphs in your deception console showing that the internet is a dangerous place, but that does not help your SOC team action alerts more effectively.
All that said, there is still a use case for deploying deception in your DMZ and applying early breach detection mechanisms. The approach is to install deceptive assets in the DMZ but not expose them to internet traffic. By using token technology (breadcrumbs) on the internet-facing assets to divert attackers that HAVE compromised those internet-facing assets into the deceptive assets, you have a solution that offers true value in the DMZ.
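The difference between the two deployment models above comes down to how the resulting decoy events are triaged. The following is an added example, not TrapX code and not part of the original post: a small triage routine that labels decoy events from an internet-exposed decoy as scan noise unless the source is internal, while any contact with a hidden (non-exposed) decoy, and above all the use of a planted token, is treated as a high-fidelity breach indicator. The address ranges, asset names, token identifiers and the event records are all constructed sample data, and the event schema (src_ip, dst_decoy, exposed, token_id) is an assumption of this example.

```python
"""Triage of decoy events for the two DMZ deployment models (added example)."""
import ipaddress
from collections import Counter

# Constructed network layout: the DMZ and the internal network. Any other
# source address is treated as coming from the internet.
DMZ_NET = ipaddress.ip_network("203.0.113.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed: internet-facing assets on which tokens (breadcrumbs) were planted,
# and the token identifiers a decoy can recognise when they are used against it.
TOKENED_ASSETS = {"203.0.113.10": "web-01", "203.0.113.11": "mail-01"}
PLANTED_TOKENS = {"tok-web01-db-cred", "tok-mail01-ssh-key"}


def source_zone(ip: str) -> str:
    """Classify a source address as 'dmz', 'internal' or 'internet'."""
    addr = ipaddress.ip_address(ip)
    if addr in DMZ_NET:
        return "dmz"
    if addr in INTERNAL_NET:
        return "internal"
    return "internet"


def classify(event: dict) -> str:
    """Return a triage label ('<severity>: <reason>') for one decoy event.

    Hypothetical event schema: src_ip, dst_decoy, exposed (bool, decoy is
    reachable from the internet) and an optional token_id observed in use.
    """
    src = event["src_ip"]
    zone = source_zone(src)

    # A planted token being used is the strongest signal: someone has already
    # compromised the asset where it was planted and followed the lure.
    if event.get("token_id") in PLANTED_TOKENS:
        return "critical: planted token used"

    # Hidden decoys receive no legitimate traffic, so any contact is suspicious.
    if not event["exposed"]:
        if src in TOKENED_ASSETS:
            return "high: internet-facing asset reached hidden decoy"
        if zone == "internet":
            return "high: hidden decoy reachable from internet (check exposure)"
        return f"high: {zone} host reached hidden decoy"

    # Exposed decoys: internet traffic is overwhelmingly automated scanning.
    if zone == "internet":
        return "low: internet scan noise"
    return f"medium: {zone} source on exposed decoy"


def triage(events) -> Counter:
    """Count events per triage label."""
    return Counter(classify(e) for e in events)


def actionable(events) -> list:
    """Return only the events a SOC analyst should look at (everything but noise)."""
    return [e for e in events if not classify(e).startswith("low:")]


# Constructed sample events: three scanner hits on an exposed decoy, one internal
# touch on it, and several contacts with a hidden decoy, one using a planted token.
SAMPLE_EVENTS = [
    {"src_ip": "198.51.100.77", "dst_decoy": "dmz-exposed-01", "exposed": True},
    {"src_ip": "198.51.100.78", "dst_decoy": "dmz-exposed-01", "exposed": True},
    {"src_ip": "198.51.100.79", "dst_decoy": "dmz-exposed-01", "exposed": True},
    {"src_ip": "10.0.5.20", "dst_decoy": "dmz-exposed-01", "exposed": True},
    {"src_ip": "203.0.113.10", "dst_decoy": "dmz-hidden-01", "exposed": False},
    {"src_ip": "203.0.113.10", "dst_decoy": "dmz-hidden-01", "exposed": False,
     "token_id": "tok-web01-db-cred"},
    {"src_ip": "203.0.113.50", "dst_decoy": "dmz-hidden-01", "exposed": False},
    {"src_ip": "198.51.100.80", "dst_decoy": "dmz-hidden-01", "exposed": False},
]

if __name__ == "__main__":
    for label, count in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{count:3d}  {label}")
    print(f"{len(actionable(SAMPLE_EVENTS))} of {len(SAMPLE_EVENTS)} events are actionable")
```

Run as a script, the routine shows the point of the post in miniature: the exposed decoy contributes mostly noise that a SOC would have to wade through, while the hidden decoy produces a handful of events every one of which is worth an analyst's time, and the token hit identifies which internet-facing asset was compromised.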