Tested: How 4 deception tools deliver truer network security

Modern deception platforms lay traps that point attackers to fake assets that are created by the deception product. Here's what we discovered about how deception works and the unique features that deception tools from TrapX Security, Cymmetria, illusive Networks, and TopSpin Security bring to network defenses.

The use of deception as a weapon has been around since the dawn of warfare, and certainly since Sun Tzu helped to define it in about 500 BC in his famous book The Art of War. In terms of modern cybersecurity, deception has also always been an option, though it was a bit clumsy when used to trick attackers into expending time and resources against bogus network assets. The original device deployed as bait in a deception defense was the honeypot, a single server or client machine loaded with seemingly tempting information like fake credit card numbers that admins hoped hackers would bite on, leaving real assets alone.

Honeypots take their name from the vessel in which children's book character Winnie the Pooh famously got his head stuck. The problem with network honeypots is that they are an extremely passive defense, relying on attackers to somehow find them and give them preference over actual production systems. The other problem with honeypots is that unless they are closely monitored by defense teams ready to quickly react to attacks, they don't do much more than buy a little time.

Because honeypots generally have no interaction with real network assets, there is no activity trail for attackers to follow. By contrast, authorized users interacting with actual resources leave a large trail of activity behind in areas like browser histories and log files. Smart attackers know how to find and follow those trails back to actual assets … and ignore honeypots.

In fact, attackers must find those trails left behind by authorized users in order to move undetected through a network. Even if they use a phishing attack or similar technique to compromise a lone endpoint, they are still blind to the topology of the overall network. The old technique of doing a port scan to locate nearby assets will be flagged almost immediately by even the most modest of defenses. Instead, they must search their compromised local asset to figure out where to go next and how to blend in with real traffic when they make their move. It's stealthy and very hard to detect, but it also puts them at an incredible disadvantage if defenders can poison the well of data they are trying to mine.

That is what a modern deception platform does. It lays traps, sometimes called lures or breadcrumbs depending on the company, that point attackers to fake assets that are created by the deception product. Attackers think they are looking at the credentials left behind when an administrator took control of the local machine to troubleshoot an issue, or a record of the nightly interaction with a backup server, but they are really seeing a deception lure pointing to a fake asset. The best deception vendors mix in lots of diverse types of lures to confuse attackers even more, and they keep their breadcrumbs refreshed and constantly updated.
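The moment an attacker follows a breadcrumb is what turns deception into detection: no legitimate user or job ever touches a decoy, so a single hit is high-confidence. The following Python detector is an added illustration, not code from the article or from any of the vendors named; it runs over constructed authentication log lines, flags any use of a planted decoy credential or any connection to a decoy host, and reports the source hosts to investigate. The log format, the lure names and the decoy host names are all assumptions made for the example.

```python
"""Decoy-touch detector (added example). Any use of a planted lure, whether the
attempt succeeded or failed, means the breadcrumb has been read and followed."""
import re
from dataclasses import dataclass

# Constructed registry: planted breadcrumb -> the decoy asset it points to.
# A fake backup-job credential and a fake admin credential "left behind" in a session.
LURES = {
    "svc_backup_nightly": "decoy-backup-01",
    "adm_troubleshoot": "decoy-fileshare-02",
}
DECOY_HOSTS = set(LURES.values())

# Constructed log format: "<ts> auth user=<u> src=<ip> dst=<host> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str      # when the lure was touched
    src: str     # the host the attempt came from: the likely compromised endpoint
    decoy: str   # which fake asset was reached or aimed at
    reason: str

def parse(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def detect(lines):
    """Return one Alert per log line that uses a lure credential or reaches a decoy host."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unparseable line: skip rather than guess
        if ev["user"] in LURES:
            alerts.append(Alert(ev["ts"], ev["src"], LURES[ev["user"]], "decoy credential used"))
        elif ev["dst"] in DECOY_HOSTS:
            alerts.append(Alert(ev["ts"], ev["src"], ev["dst"], "connection to decoy host"))
    return alerts

def compromised_sources(alerts):
    """Hosts that touched a decoy; these are the endpoints to isolate and image first."""
    return {a.src for a in alerts}

SAMPLE_LOG = [  # constructed sample: one compromised endpoint follows two breadcrumbs
    "2024-01-01T02:00:11Z auth user=jsmith src=10.0.1.15 dst=fileshare-01 result=ok",
    "2024-01-01T02:03:45Z auth user=svc_backup_nightly src=10.0.1.15 dst=decoy-backup-01 result=fail",
    "2024-01-01T02:04:02Z auth user=jsmith src=10.0.1.15 dst=decoy-fileshare-02 result=ok",
    "2024-01-01T02:05:00Z auth user=mlee src=10.0.2.7 dst=mail-01 result=ok",
]
```

Failed attempts are alerted on deliberately: the value of a lure is that it was read at all, and a later success would only confirm what the first failure already showed.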

We dove into the world of deception technology, talking with experts and testing their deception platforms. We included four major companies working in this space, TrapX Security, Cymmetria, illusive Networks, and TopSpin Security. This is what we discovered about how deception works, why its popularity as a defensive tool is increasing, and the unique features that each product brings to network defenses.
