ITWeb Security Summit 2020: Honeypots and Gen1 deception no match for AI-driven next-gen fluid deception

Enterprise security budgets are always under pressure. Given the myriad types of threats, and the dynamic nature of IT (e.g., cloud, application architectures, BYOD, privacy and compliance), the requirements placed on security budgets and staff always exceed capacity. “This is particularly true in the current economic environment,” says Murray Benadie, MD of Zenith Systems.

He continues: “Cyber security deception technologies have evolved from interesting but inefficient solutions to financially attractive options for cyber defence that improve the ROI of security spend and that relieve the pressure on budgets and staff.”

Cyber deception solutions are primarily designed to do three things:

  • Detect the presence of an attacker within the organisation’s environment;
  • Retard the attacker’s progress towards his objective; and
  • Gather forensic data related to the attacker’s motives, targets and methodologies.

Honeypots and Gen1 deception tools:

Honeypots were the original incarnation of deception technology. A honeypot is simply a server or static decoy that serves no business purpose, but is configured to look like it does. It is deployed on the internal network to lure an attacker into trying to access and compromise it. Such attempts give away the presence of the attacker.
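The detection principle in the paragraph above is that a decoy has no legitimate users, so a single connection is already an alert rather than a statistic to baseline. The listener below is an added example written for this article; it is not code from the article, from Zenith Systems or from Acalvio. It binds a loopback port, answers with a plausible banner (the banner string and the probe payload are assumptions for the demo) and records every peer with the first bytes it sent, which is the forensic data the text says a honeypot should yield.

```python
"""Minimal TCP decoy listener: a service with no business purpose, so any
connection to it is an alert. Added example; not code from the article or
from Zenith Systems/Acalvio. The SSH banner, port and probe payload are
assumptions for the demo."""
import socket
import threading
import time
from dataclasses import dataclass
from typing import List

# Assumed banner: it only needs to match what the surrounding hosts show,
# which is the "credibility" problem the article describes.
DEFAULT_BANNER = b"SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n"


@dataclass
class DecoyAlert:
    ts: float            # epoch seconds when the peer connected
    peer_ip: str
    peer_port: int
    first_bytes: bytes   # what the peer sent after our banner (forensics)


class DecoyListener:
    """Accepts connections, answers with a plausible banner, records every peer.

    Nothing legitimate should ever talk to this socket, which is why one
    connection is enough to raise an alert."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: bytes = DEFAULT_BANNER) -> None:
        self.banner = banner
        self.alerts: List[DecoyAlert] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))      # port 0 = let the OS pick one
        self._sock.listen(8)
        self._sock.settimeout(0.2)         # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> "DecoyListener":
        self._thread.start()
        return self

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self._sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, ip, port),
                             daemon=True).start()

    def _handle(self, conn: socket.socket, ip: str, port: int) -> None:
        with conn:
            conn.settimeout(1.0)
            try:
                conn.sendall(self.banner)   # behave like the real service first
                data = conn.recv(256)       # then capture what the peer does
            except (socket.timeout, OSError):
                data = b""
        with self._lock:
            self.alerts.append(DecoyAlert(time.time(), ip, port, data))

    def wait_for_alerts(self, n: int, timeout: float = 5.0) -> List[DecoyAlert]:
        """Block until at least n alerts exist or the timeout expires."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.alerts) >= n:
                    return list(self.alerts)
            time.sleep(0.02)
        with self._lock:
            return list(self.alerts)


def simulate_probe(port: int, payload: bytes, host: str = "127.0.0.1") -> bytes:
    """Stand-in for an attacker's scanner: connect, read the banner, send a hello."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    decoy = DecoyListener().start()
    try:
        print("attacker saw:", simulate_probe(decoy.port, b"SSH-2.0-scanner\r\n"))
        for a in decoy.wait_for_alerts(1):
            print(f"ALERT decoy touched by {a.peer_ip}:{a.peer_port} sent={a.first_bytes!r}")
    finally:
        decoy.stop()
```

The banner is deliberately a constructor argument: the article's point is that credibility depends on research into the surrounding hosts, and a decoy that still announces last year's OpenSSH version when every real host has been patched is the "static appearance" an adversary notices.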

The operational investment for first-generation (gen1) deception tools is problematic, because of the staff time and skill required. To start with, they have to be configured carefully to be effective. Benadie says that for these tools to have any real chance of detecting malicious activity, the environment in which they will be deployed has to be thoroughly researched, so as to understand how a honeypot or gen1 tool must be configured to appear credible.

ITWeb Security Summit 2020

Register now for the ITWeb Security Summit 2020 virtual event, and experience four days of international keynotes, sessions and workshops all for one price. The event will feature over 50 speakers, with all content being made available on demand online.

That research is then applied to the honeypot configurations, which will vary depending on the location in the network. Their configurations also need to be constantly updated to keep them “fresh”, otherwise their static appearance will be a dead giveaway to an adversary.

Furthermore, if a potential intruder is detected, a highly skilled person will need to conduct a security investigation quickly and efficiently, and use manual processes and techniques to react appropriately. If the defender seeks to understand the attacker’s techniques and motives, or quickly react in a way that retards the attacker without tipping him off, the defender needs to have the environment react in a way that the attacker expects. This is extremely difficult with honeypots and gen1 deception tools. It requires top talent that is always available on short notice, which is something most organisations do not have.

Just because honeypots or gen1 deception tools are deployed, it doesn’t mean an attacker will try to access them. And if the honeypots aren’t deployed at scale and carefully curated, they will fail to fool a sophisticated attacker. Since very few organisations can meet those requirements, the actual likelihood of successful detection and mitigation may be lower than expected.

Modern next-gen cyber deception:

“Modern cyber deception has evolved into solutions that are much more sophisticated than honeypots and gen1 deception tools, and as such, have significantly greater detection efficacy and enhanced return on investment,” says Benadie. Such solutions have the following characteristics:

Efficient high-scale deployment:

Modern deception automates the process of creating both decoys (servers) and supporting artefacts (fake data, credentials, file shares, etc) and relies on virtualisation, resource conservation and automation to enable high-scale deployments at reasonable cost.

Autonomous configuration and curation:

The solution analyses the surrounding (legitimate) environment and configures the deception assets to appear credible. It also updates the assets over time to maintain this credibility as the environment changes.

Automated adversary interaction:

The solution automatically detects and reacts to probing by adversaries. It can respond as the environment would, changing behaviour to slow an adversary’s attack, and gather forensic data to present to security analysts.
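The three characteristics above (decoy artefacts such as fake credentials minted at scale, artefacts shaped to match the legitimate environment, and automated detection of adversary interaction) can be shown end to end with planted credentials. The code below is an added example written for this article, not code from the article, from Zenith Systems or from Acalvio's ShadowPlex. It mints decoy accounts whose names copy the human/service naming split of a constructed user list, then scans constructed sshd-style log lines for any authentication attempt that names a decoy. The user list, surname and role pools, and the log lines are all invented for the demo.

```python
"""Decoy credentials that blend into the naming convention, plus a detector
that treats any use of one as a high-confidence alert. Added example; not
code from the article or from Zenith Systems/Acalvio. The user lists,
surnames, roles and log lines are constructed for the demo."""
import random
import re
import secrets
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed: what a directory export of the real environment might show.
LEGIT_USERS = ["jsmith", "mkhumalo", "pnaidoo", "svc_backup", "svc_sql"]
# Constructed pools used to mint names that look like their neighbours.
SURNAMES = ["mokoena", "botha", "pillay", "dlamini", "abrahams", "vanwyk"]
ROLES = ["replication", "monitor", "deploy", "etl", "ldapsync"]


def make_decoy_accounts(legit_users: List[str], n: int, seed: int = 0) -> Dict[str, str]:
    """Mint n decoy username/password pairs shaped like the legitimate population.

    The human/service split is copied from the real accounts so the decoys do
    not stand out. Passwords are random because they are only ever planted
    (in a fake config file, a share, a browser store) and never typed."""
    rng = random.Random(seed)
    svc_fraction = sum(u.startswith("svc_") for u in legit_users) / len(legit_users)
    taken = set(legit_users)
    decoys: Dict[str, str] = {}
    while len(decoys) < n:
        if rng.random() < svc_fraction:
            name = "svc_" + rng.choice(ROLES)
        else:
            name = rng.choice("abcdefghijklmnopqrstuvwxyz") + rng.choice(SURNAMES)
        if name not in taken:          # never collide with a real account
            taken.add(name)
            decoys[name] = secrets.token_urlsafe(12)
    return decoys


# sshd-style auth events; "invalid user" appears when the account does not
# exist on that host, the usual case for a planted credential.
AUTH_RE = re.compile(
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def scan_auth_log(lines: Iterable[str], decoy_users: Set[str]) -> List[dict]:
    """Return one alert per auth event that names a decoy account.

    No false-positive tuning is needed: the accounts have no legitimate use,
    so every hit is an attacker or a leaked artefact worth chasing."""
    alerts = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m["user"] in decoy_users:
            severity = "critical" if m["result"] == "Accepted" else "high"
            alerts.append({"user": m["user"], "ip": m["ip"], "result": m["result"],
                           "severity": severity, "line": line.strip()})
    return alerts


def sources_by_decoy_use(alerts: List[dict]) -> Dict[str, Set[str]]:
    """Forensic pivot: which source touched which decoys (spray vs. targeted)."""
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for a in alerts:
        by_ip[a["ip"]].add(a["user"])
    return dict(by_ip)


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "Jun  3 09:12:01 app01 sshd[2211]: Accepted password for jsmith from 10.0.1.20 port 50122 ssh2",
    "Jun  3 09:12:09 app01 sshd[2213]: Failed password for svc_backup from 10.0.1.21 port 50130 ssh2",
    "Jun  3 09:13:44 app01 sshd[2230]: Failed password for invalid user tmokoena from 10.0.9.99 port 41000 ssh2",
    "Jun  3 09:13:46 app01 sshd[2231]: Accepted password for svc_replication from 10.0.9.99 port 41002 ssh2",
    "Jun  3 09:14:00 app01 CRON[2240]: pam_unix(cron:session): session opened for user root",
]


if __name__ == "__main__":
    planted = make_decoy_accounts(LEGIT_USERS, 4, seed=7)
    print("planted decoys:", sorted(planted))
    # For the demo, assume two planted names are the ones appearing in the log.
    hits = scan_auth_log(SAMPLE_LOG, {"tmokoena", "svc_replication"})
    for h in hits:
        print(f"ALERT [{h['severity']}] {h['user']} used from {h['ip']} ({h['result']})")
    print("per-source pivot:", sources_by_decoy_use(hits))
```

Two design choices carry the article's argument. First, the decoy names are derived from the real population rather than from a fixed list, which is the "analyse the surrounding environment" step; a decoy called `honeypot_admin` among `svc_backup` and `jsmith` is the static giveaway the text warns about. Second, the detector has no threshold or baseline: because the accounts have no legitimate use, a failed attempt is already high severity and a successful login is critical, which is where the low false-positive rate claimed later in the article comes from.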

Benadie contends: “Due to the inherent benefits of the characteristics detailed above, modern deception solutions have superior return on investment compared to honeypots, gen1 deception and, in fact, alternative threat detection technologies. The enhanced ROI is broadly achieved in the following three areas.”

System investment

Because the solutions are virtual and the best offerings pool resources and deploy on an as-needed basis, the initial investment is reduced substantially.

Operational investment

Modern deception automates the most challenging tasks: environmental analysis, asset configuration and updating, and initial adversary engagement. This greatly reduces the amount of staff time required to operate the solution. It also drives extremely low false positives.

Security returns

Autonomous deception solutions produce much greater benefits, mainly because they are far more likely to actually detect, analyse and retard a skilled attacker. They also provide environmental visibility that Gen1 tools do not. Gen1 tools may detect an attacker if they are carefully deployed and curated, but the operational requirement for that curation means that most gen1 tools won’t achieve this level of credibility, certainly not consistently. Modern, autonomous deception on the other hand is more likely to deliver on all three benefits, because it is properly configured, updated and deployed at the appropriate scale.

As an additional benefit beyond adversary detection and engagement, modern deception solutions provide visibility and situational awareness to the defender. They analyse the internal network environment and endpoints both to provide general visibility and to identify vulnerabilities that should be remediated. Network, host and application level data helps the defender ensure that the environment is both documented and secured consistent with security policies.

To summarise, modern cyber deception has largely eliminated the operational challenges associated with legacy honeypot and gen1 deception tools. As a result, it drives much higher ROI and a broader set of benefits, without significant increases in costs.


Zenith Systems

Zenith Systems is a Cyber Security industry veteran and has deployed cyber security solutions in high profile organisations throughout Africa.

Zenith Systems specialises in Acalvio NextGen Cyber Deception, LogPoint NextGen SIEM, Snare Logging Solutions, Spirion Sensitive Data Solutions and MassComz Multichannel Critical Event alerting system.

www.zenithsystems.co.za

Acalvio

Acalvio’s patented Autonomous Deception solution, ShadowPlex, enables organizations to detect, engage and respond to malicious activity inside the perimeter. The solutions are anchored on innovations in Artificial Intelligence (AI), Distributed Deception, and Software Defined Networking (SDN). ShadowPlex’s effective deception technology results in early and accurate detection and engagement of threats inside the network. ShadowPlex supports public and private clouds (AWS, Azure, GCP), and on-premises deployment.

ITWeb Security Summit 2020

In an increasingly connected, digital world, cyber security threats are constantly evolving and increasing in number and sophistication. Security professionals need to be up to speed with the latest technologies, techniques and skills for predicting and mitigating potentially crippling cyber attacks, the methods and tools in use by today's threat actors, and the latest legal and compliance demands. ITWeb Security Summit 2020, now in its 15th year, will again bring together leading international and local industry experts, analysts and end-users to unpack the latest threats facing African CISOs, CIOs, security specialists and risk officers, demystify emerging cyber security strategies in AI, blockchain, IOT, DevSecOps and more, and explain how to increase an organisation's cyber resiliency.
