Gene Spafford, a leading security industry expert and a professor at Purdue University, is someone we should all be thankful for – cyber information-wise, at least. He birthed the idea of cyber deception, pioneering this concept and making way for modern-day technologies including honeypots, sandboxing, as well as AI-driven security measures. Some of his research even paved the way for MITRE & NIST’s CVE database.
The introduction of these tools has made it possible to observe attacks from a perspective that minimizes risks if done properly. Each tool – honeypots / nets, sandboxing, and modern-day deception technologies – plays its role in better understanding the bad guys and the malware they produce.
Now to explain each in more detail.
Honeypots refer to single hosts that are intentionally left vulnerable for multiple reasons, one being to attract attackers, which deters them from legitimate network hosts. Another is to allow their behavior to be recorded, including what happens once a network device is compromised. A honeynet is a network of hosts participating as vulnerable hosts, therefore making a network more believable in terms of a legitimate network environment. Hackers have evolved over time as well, being able to better distinguish honeypots / nets from legitimate networks. Using a honeypot or honeynet is a great way to better understand what attackers do once they infiltrate a host or network.
Sandboxing offers similar visibility but to a different degree. I am sure we all agree that malware isn’t welcome into our networks or on our hosts. However, how do we learn about them and the damage that they can cause without seeing them in action? Enter sandboxing, which allows malware to run in an isolated and protected environment, providing a way to observe the behavior of the malware and track what it was created to do. Know your enemy, as they say. This includes having various host operating systems (various Windows version, OSX, Linux flavors, etc.) and opening them to malware installation so it can be analyzed.
All of these technologies and ever-evolving features have led the way to deception technology. With the growth of advanced persistent threats (APTs), it is clear that the defense of information systems has to keep up with the bad guys’ offense. Often times, the bad guys are automating their attacks using artificial intelligence (AI) / machine learning (ML). This way they can feed numerous counter-measures into the program that defeat the defensive technologies used, allowing these AI / ML programs to constantly refine themselves and create more powerful APTs. It’s time that defenses utilize these same AI / ML tactics to increase security.
Deception technology is a mix of the above and more, allowing new methods of observing network attacks, AI / ML-learning, as well as minimizing the footprint of deployment. Benefits include not requiring designated hosts to play the role of a honeypot, where some vendors of this technology provide software that can be installed on actual hosts but completely isolated itself from an employee’s workspace. To be clear, an employee using that workstation can perform their work duties and have no idea of the software installed on it as it runs in the background. Another benefit is the ability to spoof network traffic and provide fake access to fake accounts and data, all while masking its nature in such a way that detecting this environment is almost unnoticeable. This allows the attacks to loop and loop, having them think they’re gathering critical business data all while gathering forensics on their maneuvers.
In summary, security deception isn’t a conventional honeypot / net or sandbox, but a mix of them and more. That doesn’t mean that honeypots or sandboxes are now obsolete, rather that each method should be used in the appropriate scenario. Not all SMBs can afford to go all out with what security deception offers but may be able to handle a honeypot / net, or even sandbox analysis. However, organizations that are in business to offer these types of services are better suited for the latter of the three, as they’ve built automated processes to handle the requirements.
Crandall, C., December 1, 2017 10:30 AM. Deception: Why It’s Not Just Another Honeypot.Retrieved from https://www.darkreading.com/vulnerabilities—threats/deception-why-its-not-just-another-honeypot/a/d-id/1330506
Netzer, G., May 25, 2017 7:45:07 AM. 8 Reasons Why Deception Technology Trumps Honeypots Every Time. Retrieved from https://blog.illusivenetworks.com/8-differences-between-honeypots-and-deception-technology
Palermo, E., October 23, 2013. Sandbox: A Separate Space for Developers to ‘Play’. Retrieved from https://www.tomsguide.com/us/sandbox,news-17762.html
Wikipedia.org, contributors. Gene Spafford. Retrieved from https://en.wikipedia.org/wiki/Gene_Spafford