CMI #10 - Deception Technologies

Mike P

Table of Contents

Terms You Might Also Hear

  • Decoy Accounts
  • Decoy Machines
  • Honey Files
  • Honeypots
  • Honey Users

Problem Statement

  • Attackers are very good at avoiding detection.
  • The average time to detect a breach is 280 days, but the first 10 minutes of a breach are the most crucial.
  • Defenders have a hard time sifting through many events to find real security issues.

Market Solution

Enter the Deception Technology market space.

  • Deception technology products create fake systems, users, and resources to attract attackers. These fake resources confuse and frustrate attackers and alert defenders to real issues.
  • Deception technology products can detect, analyze, and defend against attacks. This decreases attacker dwell time on the network.
  • Deception technology limits an attacker's ability to pivot. Pivoting allows for more compromised systems and resources.

Players in the Space

Predictions

  • It's not just for security researchers anymore. No longer is this space a complex subject like the old days of custom honeypots on Linux configs.
  • Industry-specific applications. Industries with more than traditional computer assets to protect (i.e., medical, mining, oil/gas, etc.) will gravitate toward this product space.
  • Focus over everything else. Cybersecurity has gone through an evolution of focusing on prevention at first and evolving to responding. Unfortunately, you can't prevent most attacks anymore, so this technology will help focus your responding efforts.

Opportunities

  • Integration with Breach and Attack Simulation partners offers end-to-end coverage.
  • Create "snap scenarios" to help focus your efforts (i.e., ransomware of critical business services). If you don't know what you're trying to protect, this solution won't be helpful for your company.
  • Map to MITRE ATT&CK and D3FEND.
  • Use it for merger and acquisition scenarios where the target's network and resources are considered untrusted and compromised. Then, see what goes bump in the night.

Key Insights

  • Deception technologies are being considered as table stakes for threat detection and response.
  • The product space has evolved in the way of analytics and automation. Now it's viable to drop into your network and use it without being a Linux wizard.
  • If you're a large enough company to focus on mean-time-to-detect (MTtD), you will find this technology can improve your metrics. However, not all events are created equally, and the response should not be either.
  • Deception Technology won't solve all your cybersecurity problems. If you're not good at doing and proving the basics today, this won't help you.

Pro Positions

What type/size/stage company should leverage these platforms?

  • Startups - this kind of platform shouldn’t even be on your radar.
  • Small and Medium-sized Businesses (SMBs) - Same as above. There are many other things you can take advantage of at this stage and size.
  • Larger Companies (>500 employees) - If you've got your bases covered from threat intelligence, threat hunting, and red-teaming perspective, you can look into this. Otherwise, start focusing elsewhere like Breach & Attack Simulation.

What makes one of these platforms “good?”

  • Good platforms are dynamic and unique instead of static and generic.
  • Good platforms come with a strategy around a capability. One that fits your business and fits the types of attackers affecting your kind of business.
  • If you're just getting generic training on the platform itself without tactical and specific guidance on handling alerts, creating workflows, testing, etc., it's not a good fit.

Out of the Players listed, who are the top to consider?

  • Attivo Networks, Smokescreen, Acalvio, TrapX, and Illusive.

References

category-report