Honeypots were the first form of deception technology. IT security researchers started using them in the 1990s, with the intent to deceive malicious actors who had made it onto the network into interacting with a false system. In this way, honeypots could gather and assess the behavior of the malicious actors. They were not created for threat detection. However, things have changed a great deal in the years since honeypots were created – including deception technology.
Honeypots and deception technology aren’t synonymous
Because honeypots are typically limited in scope and easy for professional malicious actors to identify, it’s turned out that honeypots aren’t effective at detection at all. Accomplished hackers pretty quickly figure out they aren’t real. Today’s deception technology holds a lot of promise, especially for early and efficient threat detection. However, to fully realize that potential, deception needs to go well beyond the honeypot.
There are certain logistical issues with honeypots. They are difficult to distribute widely, and they require significant resources to maintain and implement, so security teams can usually only deploy a limited number. That means there are never enough to effectively detect threats. Any value a honeypot strategy has for detection is based on a fairly specious hope – that an attacker will accidentally trip over or be lured into it.
But as technology changes and becomes more sophisticated, so do cybercriminals. They cottoned on to the honeypot ruse long ago. Experience, crowdsourcing, and widely available tools now help attackers distinguish honeypots from real systems containing the valuable data they are targeting. To be an effective detection tool, deceptions must be inevitable, undetectable and inescapable. Today’s honeypots are none of these things.
Honeypots were originally the purview of IT researchers, as noted above. They were originally intended to allow the defender to observe attacks in progress. They still serve an important purpose in threat research. They can be used effectively for forensic analysis, threat hunting and developing responses to malicious behavior. Honeypots may still prove useful, but not as the centerpiece of a modern deception technology strategy focused on threat detection.
Deception technology today
Once an attacker is inside the network, today’s deception technology gives security teams the earliest and most effective method for detecting and halting an attacker’s movements. At the same time, deception dramatically increases the effort and costs for the attacker.
This next generation of deception technology is smarter, too. Automation and machine learning support rapid deployment and touch-free refreshes to maintain deception authenticity. Intelligent deception systems can recommend and craft customized network, system, application, server and data deceptions that appear native to the environment.
The old-school honeypot sits by itself and collects data in isolation. Today’s deception technology moves the focus of deception beyond the honeypot to the endpoint, server and device. This gathers information across the production environment, provides previously unimagined visualization of the attack surface, and offers highly efficient detection of cyber threats at the attack beachhead.
Next-gen deception technology: Points to consider
Below are four criteria to help make the selection of a next-gen deception technology solution easier:
Active defense, not reactive: Cyber criminals are going to continue to evolve and become more sophisticated in their approaches. That’s a fact. Organizations cannot afford to take a purely reactive or passive approach to defense. Being proactive will make a world of difference in protecting your organization from damaging breaches and attacks.
Makes the production system the focus: It’s no longer enough to focus on diverting attackers away from the production system, as honeypots do. As mentioned above, next-generation deception technology needs to focus on the production system itself. When evaluating a potential solution, it’s important to make sure the focus is on the product environment and not just aimed at diversion.
Consider the integrations: Deception technology should integrate well with other security solutions. That includes Security Incident and Event Management (SIEM,) Endpoint Detection and Response (EDR) and Security Orchestration, Automation and Response (SOAR) software. Having these integrations helps ensure the threat detection capabilities can enhance the resolution capabilities of other technologies as well.
Value beyond detection: When it’s time to make an investment in deception technology, it’s important to choose a solution that offers you aspects beyond simple detection.
Deception for a new day
In the field of technology, change is the only constant. Decades ago, honeypots served an important function. But the times and technology have changed, and bad actors avoid honeypots easily. They may still be of use, but the rising star today is distributed deception technology, offering a smarter option for quick threat detection. The deception technology available today is automated and scalable, saving on human effort and able to provide true early detection to quickly stop attacks. Use the recommendations above to carefully choose the deception technology that best serves the organization.