Four cyber deception delusions diminished

Written by: Francesco Trama | Published on: January 17th, 2019

About The Author

Francesco Trama
As Chief Executive Officer and Founder, Frank is responsible for the overall operating performance, leading the strategic direction of the company’s products and solutions internally while building technical and business credibility externally as a market-facing thought leader.

Say that three times. It’s hard to say, and harder yet to overcome the mindset many have around cybersecurity deception technology. Deception can change how threats are combated, yet many still see it as a nice-to-have. Adopting cyber deception as an impactful security tool, rather than just another data-generating detection solution, means avoiding these four common delusions:

  1. Deception is only for advanced security teams.
    Many deception providers are simply selling enhanced detection and higher-fidelity alerts, so teams without lots of expert security analysts need not apply.
  2. Deception is for detection only.
    Applying the information from deception techniques is assumed to require active curation of threat information and integration across security devices.
  3. Deception is an application layer technology.
    Letting attackers get farther into the cyber kill chain in order to study them misses the opportunity to stop them in their tracks during the reconnaissance phase.
  4. Deception is for East-West detection.
    Limiting deception to studying and containing an attacker who has already infiltrated the network is insufficient.

Deception is only for advanced security teams

Some in the industry hold a kind of elitist view that deception should be reserved for only the most sophisticated security teams: that those without the means to perform extensive threat hunting, forensic analysis, and attribution investigations should avoid deception because they won’t be able to realize the value it can provide.

At PacketViper we firmly believe results count. Our customers see major positive impact on their security operations and posture without requiring fleets of high-cost expert security analysts or specialized, arcane tools. Many customers have seen a reduction of over 70% in the raw volume of unwanted traffic that they have to pay to process, log, store and analyze, while substantially reducing the threat vectors they face.

Deception is for detection only

All deception companies, including PacketViper, offer a suite of tools to trick an attacker into believing that something false is real. If the ruse works, most other deception companies start collecting additional evidence and information, which is then used to analyze the attacker’s tactics, techniques, and procedures (TTPs). For expert security and threat analysts this is a veritable trove of interesting data that will be validated, verified, curated and assembled into indicators of compromise (IOCs). Assuming the integration between the IOCs and the security infrastructure exists, these IOCs can then be applied to detect future attackers.

The PacketViper approach is slightly different: we stop them in their tracks, immediately. Any further attempts from that source are blocked, and if the attacker shifts to a new attack point, we block that as well.

Deception is an application layer technology

Applications offer attackers endless opportunities, and every patch and every update adds new attack vectors. Application layer deception tools need to factor in all of this, which inherently means complexity in management and support. In addition, applications provide only a narrow scope in which to learn from and apply deception results. These factors limit the actual impact deception at the application layer can have on improving security operations and posture.

PacketViper feels strongly, based on real-world results from our customers, that the network layer is where deception gives its users the most leverage and the ability to have the biggest impact in solving meaningful security problems. The network is pervasive, less complex, and more easily managed. The network also provides the opportunity to stop attackers in their tracks BEFORE they get the opportunity to move up the cyber kill chain.

With PacketViper a dynamic defensive zone can be enabled at the network layer with point-and-click simplicity. Decoys and decoy responses can be configured to change dynamically, so that an attacker never gets a continuous, easily mapped, or accurate view of your network and services.

Deception is for East-West detection

The majority of deception companies only provide solutions that can be safely deployed inside the network. Naturally, this limitation drives some to the conclusion that deception is most effective for detecting East-West traversal rather than North-South traffic.

PacketViper customers deploy our solution on both the outside and inside perimeters of their networks to enable prevention of attackers coming from the Internet and isolation of compromised internal systems attempting to reach command and control servers or exfiltrate data.

On the outside perimeter we push back by poisoning the public-facing view of services that attackers use to find vectors into your environment. These deceptive applications and services can be moved based on a number of factors, including time, source country, company or network, to further confuse the attacker’s plans. Effective deception at the perimeter can eliminate the attacker’s advantage of anonymity through proxies. It creates a truly dynamic defense.
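The behaviour described in this section and in "Deception is for detection only" (a rotating set of network-layer decoys, and immediate blocking of any source that touches one, including its later attempts against real services) can be sketched in a few dozen lines. The following is an added illustration written for this page, not PacketViper code and not a description of its internals. The ports, the documentation-range addresses, the allowlist, the window key format (hour bucket plus source country) and the HMAC-based rotation are all assumptions of the example.

```python
"""Illustrative network-layer decoy with automatic source blocking.

Added example, not PacketViper's code. It models the behaviour the text
describes: a rotating set of decoy ports, and any source that touches a decoy
is blocked from everything else, including real services, from that moment on.
All ports, addresses, the window key format and the rotation scheme are
assumptions of this example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

REAL_SERVICES = {22, 443}                     # assumed: ports that really serve something
DECOY_POOL = [21, 23, 445, 1433, 3389, 8080]  # assumed: unused ports available as decoys
ALLOWLIST = {"192.0.2.10"}                    # assumed: authorised internal scanner


def active_decoys(window_key: str, secret: bytes, count: int = 3) -> set:
    """Return the decoy ports that answer during this window.

    The window key is whatever the defender wants the rotation to depend on
    (here an hour bucket plus a source attribute such as country). Ranking the
    pool by an HMAC over the key means a scanner cannot predict which ports will
    look open next, so repeated scans never yield a stable map of the host.
    """
    def rank(port: int) -> bytes:
        return hmac.new(secret, f"{window_key}|{port}".encode(), hashlib.sha256).digest()

    return set(sorted(DECOY_POOL, key=rank)[:count])


@dataclass
class DecoyPolicy:
    secret: bytes
    blocked: set = field(default_factory=set)
    touches: dict = field(default_factory=dict)  # src -> list of decoy ports hit

    def handle(self, src: str, dport: int, window_key: str) -> str:
        """Verdict for one inbound connection attempt.

        Assumed to be a completed TCP handshake, so a spoofed source address
        cannot be used to get a third party blocked.
        """
        if src in self.blocked:
            # Blocked sources are dropped on every port: shifting to a new
            # attack point does not help the attacker.
            return "drop"
        if dport in REAL_SERVICES:
            return "allow"
        if dport in active_decoys(window_key, self.secret):
            self.touches.setdefault(src, []).append(dport)
            if src in ALLOWLIST:
                return "decoy-log"       # our own scanner: record it, never block it
            self.blocked.add(src)
            return "decoy-block"
        return "closed"                  # neither a real service nor a decoy this window


def run(events, secret: bytes):
    """Apply the policy to (src, dport, window_key) events and return the
    verdicts, the policy state and the share of events dropped after a block."""
    policy = DecoyPolicy(secret)
    verdicts = [policy.handle(*ev) for ev in events]
    dropped = verdicts.count("drop") / len(verdicts) if events else 0.0
    return verdicts, policy, dropped


def demo():
    secret = b"rotate-me"                 # assumed per-deployment secret
    window = "2019-01-17T10|US"           # hour bucket + source country (assumed format)
    decoy = sorted(active_decoys(window, secret))[0]  # a port that is a decoy right now
    # Constructed sample events using RFC 5737 documentation addresses.
    events = [
        ("203.0.113.7", 443, window),             # ordinary client -> allow
        ("198.51.100.9", decoy, window),          # scanner touches a decoy -> decoy-block
        ("198.51.100.9", 443, window),            # same scanner pivots to a real port -> drop
        ("198.51.100.9", 22, "2019-01-17T11|US"), # still blocked in the next window -> drop
        ("192.0.2.10", decoy, window),            # authorised scanner -> logged, not blocked
    ]
    return run(events, secret)


if __name__ == "__main__":
    verdicts, policy, dropped = demo()
    print("verdicts:", verdicts)
    print("blocked:", sorted(policy.blocked), "touches:", policy.touches)
    print(f"share of events dropped after a block: {dropped:.0%}")
```

Two practical points are built into the sketch: the block decision is taken only on a completed handshake, because reacting to a bare SYN would let anyone get an arbitrary address blocked by spoofing it, and authorised scanners are allowlisted so that your own vulnerability scans do not lock out the scanner.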

In addition, because of the granular country, company, and network intelligence within PacketViper, customers can use deception SAFELY as part of their vendor risk management program.

The goal of PacketViper’s deception is not only to trick and study attackers, but to improve security operations and posture by solving the problem of alert and logging fatigue. Our deception solution can eliminate as much as 70% of the volume of traffic entering the environment. This means less of everything to process, and more transparency into the problem. PacketViper solves important cybersecurity problems and produces practical, real-world results, including enhanced dynamic defense, relief of security operational costs and burdens, and third-party risk monitoring with policy enforcement.

Use cyber deception to drive heavyweight security results

For those seeking a practical business result that strengthens security, deception is a means to an end and not an end unto itself. Tricking threats, studying them and becoming a threat behavior specialist is not a practical use of most security teams’ time. Leveraging network-level deception to deceive threats as early in the kill chain as possible, harvesting the intelligence on those threats and applying it to strengthen defense is a winning use case for deception.

PacketViper.  Lightweight deception.  Heavyweight results.