Discover deception security

What is deception security? 

Deception security (also called deceptive security) can be seen as a defense strategy that aims to place digital decoys within network infrastructures. Deception security is the new generation of the honeypot, which appeared in the 90s. It is designed to detect, slow down, trap, divert, and prevent an intruder from accessing an entity’s information system. Its primary purpose is to reduce the time it takes to detect an attack, understand the attacker’s modus operandi and potentially demotivate some of them. 

Concretely, what does a deception security mechanism look like? 

In general, deception security consists of an information system comprising real and fake assets associated with fictitious data and access. These are commonly called “breadcrumbs.” They can represent false identifiers that lead to a decoy, seemingly sensitive documents, a browsing history, for example. Deception security can also take on the appearance of a subnet that appears to belong to the leading network, except that it is isolated and closely monitored. 

What is the difference with a honeypot? 

Traditional honeypots are used for the quantification and qualification of general threats from the Internet. They help answer the following questions: what are the most commonly exploited or tested vulnerabilities by attackers? What tools do they have at their disposal to achieve their goals? As for deception security, it creates the illusion of a custom production environment with the latter’s natural characteristics, i.e., creating a personalized environment. User activity is also generated so that fake assets or fake networks are credible and consistent. This offers the possibility of identifying targeted attacks carried out on a particular information system. 

What are the advantages of deception security? 

Deception technologies allow the attacker to be partitioned in a loop where he will only reach fictitious data: he will only access the data that the company wants him to see. The potential to make attackers waste time is real, and even to discover their tools and objectives further upstream. In particular, deception security makes it possible to detect unknown attacks, known as “0-day” attacks, understand how they are exploited, and shed light on internal malicious attempts. This then enables us to anticipate and scenario-script the future by thinking more clearly about the security measures we should prioritize. 

Also, deception security tools rarely or never generate false positives. If the attacker enters the deception network or information system, what is commonly called the “deception environment”, the alert is real. This alert is of recognized quality and relevance. As soon as one interacts with the deception security artifacts, all the light is shed on the attacker’s movements and all his actions are accurately reported.  

Deception security also offers the possibility to cover perimeters that are generally difficult to protect: decoys of different types and architectures can be deployed on many environments (IoT, industrial systems, etc.), and thus bring new protection to these resources that are often not covered by traditional intrusion detection devices. 

What types of customers is this technology aimed at? 

This technology is suitable for any type of customer. It all depends on its objectives and its maturity on cyber–issues. For example, to implement a deception security strategy, we need to define the attacker’s commitment level (how far he can go). This will depend on the company’s internal tools and data: does it have a SOC, how many operators can handle alerts?  

Presenting a digital decoy is not enough. You have to control your environment. This implies carrying out a risk analysis before any implementation and customization. Also, suppose a company is not willing to let the attacker go far to study its behavior. In that case, this may simply not be its objective – it can merely use deception security as a detection device. 

Are there any prerequisites to benefit from it? 

Good knowledge of one’s weaknesses and attack vectors is an excellent start for creating a relevant strategy and defining the right place to host the deception security environment. All infrastructures can benefit from deploying deception security strategies and tools. SMEs, for example, will be able to complete their security to be informed in a less traditional and sometimes faster way of intrusions on their network or information system.  

Can the attacker come out of the decoy? 

All technologies can, by definition, be tampered with by cybercriminals to allow intrusions. The advantage of deception security in this context is that the cybercriminal compromises above all fictitious data. Once the alert has been given, cybersecurity experts know precisely where he is and which path he may or may not take, thus better countering him. 

What are the limits of deception security today? 

Today, deception security cannot be deployed everywhere for optimization and cost reasons. Expertise is needed to determine the best options for deploying artifacts (lures, bait, and breadcrumbs), depending on what the company wants to protect. Secondly, it is not entirely autonomous. If a sustainable strategy is chosen, expertise is then required. Also, for lures to remain credible, the system must be regularly updated. In the future, our challenge will be to reduce these limitations. 

How do you see this technology (and its uses) evolving soon? 

In the future, human intervention will be increasingly reduced. The system could incorporate a margin of autonomy thanks to artificial intelligence technologies. These profound learning technologies allow learning from the real environment and current threats (for example, those aimed at a specific sector), notably using Threat Intelligence tools. Thus, the technology will autonomously create the decoys, bait, and breadcrumbs needed to carry out a personalized strategy at instant T.  

The level of attacker engagement will be much more advanced thanks to more relevant automatic response simulations, enabling even more in-depth analysis. As far as maintenance is concerned, the democratization of virtualization solutions makes it less costly to use deception security solutions (fake virtual machines deployed, destroyed, and quickly restored to their initial state, digital resources allocated more finely to control the attackers’ capabilities even more effectively). We can look forward to significant advances in the coming years. 

Will deception security be part of the necessary cyberdefense equipment? 

It is not far from becoming so, at least for some sectors. International guidelines from the NIST (National Institute of Standards and Technology) and NATO (North Atlantic Treaty Organization) have already supported deception security. These industry guidelines strongly recommend the use of deception security as a proactive strategy to improve cyber-resilience. It may become a standard for specific infrastructures.  

Deception security has the advantage of being able to operate in a closed circuit. It, therefore, meets many requirements of sovereignty and profound control of the included components. It is essential to specify that deception security is not intended to replace existing security systems. It will be (and already is) a differentiating strategy to counter cybercriminals. 

Thank you Wiem Tounsi, consultant and researcher at Orange Cyberdefense France, and the Epidemiology Laboratory for sharing their expertise on this subject.