Why 2021 will be a big year for deception technology

New use cases, MITRE Shield support, and greater awareness will drive market growth and penetration.


Ask any cybersecurity professional to define deception technology and they’ll likely talk about honeypots or honeynets.  This is accurate but antiquated, as is the misconception that deception technology is complex, has limited use cases, and is only useful for security researchers.

Modern deception technology overcomes historical complexity using analytics and automation.  Once installed, deception technology scans the network, takes an inventory of assets, and then recommends different types of deception decoys/lures that emulate servers, files, network segments, or valuable services (think Active Directory, for example).  Suddenly, a network with around 1,000 nodes will look like it has 10,000+ nodes, making network reconnaissance and lateral movement much more difficult for cyberadversaries.

Expanding use cases

While honeypots/honeynets were mainly used by academics, researchers, and for threat analysis, modern deception technology is used effectively for threat detection and response.  Security teams use deception technology to create decoy accounts (e.g., privileged users), assets (e.g., IoT/OT devices), or data (e.g., sensitive data repositories) across their networks.  When bad guys poke around looking to advance a cyberattack or exfiltrate data and stumble into a deception decoy, the jig is up.  Legitimate users don’t even know these decoys exist so access to them can only mean one thing—a cyberattack in progress.

Deception technology usage can also follow a maturity curve.  Organizations can start with basic decoys to fool pedestrian adversaries, and then grow into more advanced use cases for incident response, threat intelligence analysis, threat hunting, etc. 

Moving forward, I believe deception technology will become smarter, more dynamic, and thus more valuable.  Deception technology analytics engines will constantly monitor and change based upon:

  • The entire attack surface, not just the internal network. This will help protect corporate assets in the cloud, on third-party websites, in source code repositories, etc. 
  • Threat intelligence. Deception technology will know about campaigns and exploits and then suggest new types of decoys or decoy modifications as countermeasures.
  • Security tests. When penetration testers or red teamers discover security vulnerabilities, deception technologies will suggest decoys as compensating controls. 

Leading deception technology vendors like Attivo Networks, Illusive Networks, and TrapX will then turn these capabilities into use cases like threat campaign defenses or safeguarding critical OT systems.

Deception technology in 2021

While deception technology should become more popular based on these factors, I believe the following trends in 2021 will help push it into the mainstream:

  1. MITRE Shield. On its website, MITRE defines Shield as “an active defense knowledge base MITRE is developing to capture and organize what we are learning about active defense and adversary engagement.”  Further, active defense is defined as, “the employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.”  Organizations are already embracing MITRE ATT&CK so they are likely to gravitate toward Shield as a complementary initiative.  Deception technology has a multitude of active defense use cases within Shield.
  2. SOC modernization. There will be lots of SOC modernization activity in 2021 as organizations scale and automate operations, integrate tools (e.g., into a SOAPA architecture), gain better visibility of their attack surfaces, embrace advanced analytics, and implement automated security testing tools.  Deception technology will fit nicely within these changes as an active sensor and tunable security control. 
  3. Ransomware countermeasures. Industries like education, health care, and state/local government need help in their battle with ransomware.  Deception technology isn’t a panacea, but it can help detect lateral movement across protocols like server message block (SMB) to minimize damages.  Deception technology decoys can also be deployed or tuned for defense against other cyberattack campaign tactics, techniques, and procedures.
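The detection rule behind the decoy idea above (nobody legitimate knows the decoys exist, so any touch is an alert) and the SMB lateral-movement case in item 3, as an added example that is not from the article or from any vendor's product. The decoy inventory, the two simplified log formats and every address or account name are constructed, and lateral movement is inferred from one source touching several distinct decoys.

```python
import re
from collections import defaultdict, namedtuple

# Constructed decoy inventory (hypothetical names): nothing legitimate ever uses
# these, so any logon, connection or share access involving them is an alert.
DECOY_ACCOUNTS = {"svc_backup_admin"}
DECOY_HOSTS = {"10.10.5.77"}         # decoy server address
DECOY_SHARES = {"Payroll_Archive"}   # decoy share placed on a real file server

# Constructed, simplified log formats: one logon event and one SMB session event.
LOGON_RE = re.compile(r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")
SMB_RE = re.compile(r"^(?P<ts>\S+) SMB src=(?P<src>\S+) dst=(?P<dst>\S+) share=(?P<share>\S+)$")

# source = host that touched the decoy; kind = "account", "host" or "share"
Alert = namedtuple("Alert", "ts source kind decoy")

def detect(lines):
    """Return one Alert for every log line that touches a decoy; other lines are ignored."""
    alerts = []
    for line in lines:
        if m := LOGON_RE.match(line):
            # A failed logon counts too: only someone guessing names would try it.
            if m["user"].lower() in DECOY_ACCOUNTS:
                alerts.append(Alert(m["ts"], m["src"], "account", m["user"]))
        elif m := SMB_RE.match(line):
            if m["dst"] in DECOY_HOSTS:
                alerts.append(Alert(m["ts"], m["src"], "host", m["dst"]))
            elif m["share"] in DECOY_SHARES:
                alerts.append(Alert(m["ts"], m["src"], "share", m["share"]))
    return alerts

def lateral_movement_suspects(alerts, min_decoys=2):
    """Sources that touched at least min_decoys distinct decoys: the SMB lateral-movement pattern."""
    touched = defaultdict(set)
    for a in alerts:
        touched[a.source].add((a.kind, a.decoy))
    return sorted(src for src, decoys in touched.items() if len(decoys) >= min_decoys)

# Constructed sample log lines (not real data): 10.10.1.45 trips three decoys in a row.
SAMPLE_LOGS = [
    "2021-01-12T08:01:03Z LOGON user=alice src=10.10.1.20 result=success",
    "2021-01-12T08:02:11Z LOGON user=svc_backup_admin src=10.10.1.45 result=failure",
    "2021-01-12T08:02:40Z SMB src=10.10.1.45 dst=10.10.5.77 share=IPC$",
    "2021-01-12T08:03:05Z SMB src=10.10.1.45 dst=fs-prod-01 share=Payroll_Archive",
    "2021-01-12T08:03:30Z SMB src=10.10.1.20 dst=fs-prod-01 share=Public",
    "2021-01-12T08:04:00Z DNS src=10.10.1.20 query=intranet.example",
]
```

Running `detect(SAMPLE_LOGS)` yields three alerts, all from 10.10.1.45, and `lateral_movement_suspects` returns that single source; the ordinary user on 10.10.1.20 never appears.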

Deception technology isn’t a set-it-and-forget-it solution, but based on my conversations with organizations using deception, it can be characterized as a quick win.  CISOs can deploy deception technology quickly and gain near-term benefits.  This alone should increase its popularity in the post-COVID era.

Copyright © 2020 IDG Communications, Inc.