Midsized companies with revenues from $100 million to $1 billion spent an average of $3 million on information security as of 2014, per “The Global State of Information Security Survey 2015” from PwC.

“I promise you, bad guys are not spending $3 million to break into your organization,” says Allen Harper, chief hacker, Tangible Security. Still, information burglars are getting through.

And since 92 percent of IT and security professionals surveyed globally use signature-based antivirus software on their servers, despite AV’s inability to stop advanced threats and targeted attacks, according to Bit9’s 2013 Server Security Survey, exploits such as zero-days, which have no signatures, give attackers the upper hand.

To turn the tide, security experts are pressing enterprises to turn to behavior-based approaches, where an illicit behavior can identify a probable exploit whether or not security software has an example of its “fingerprint.” Security researchers are updating a behavior-based approach that has been around for decades.

That approach is Deception. Deception identifies an attacker when they exhibit the behavior of simply falling for the Deception, such as by trying to interact with a fake web server that no one with a legitimate business purpose is using. CSO explores the purposes and strengths of Deception together with examples of its technologies and approaches.

Purposes and strengths

“I want the bad guy to expend more effort trying to break in than I expend to keep him out,” says Harper. Deception approaches work to make life harder for an attacker and easier for the enterprise. Used properly, deception will lead cyber criminals to exert increasing amounts of time, effort, and resources to break through your defenses while making it easier for you to detect and dispense with them with less effort.

“Effective deception tools change the behavior of the adversary,” says Harper.
They make the work on the cyber hood’s plate pile up while offering no reward for his trouble. His thought processes must adjust because he has to deal with something he wasn’t counting on. You are no longer the low-hanging fruit. And it will be easier for him to simply attack another range of IP addresses that belong to someone else.

“Deception keeps the efforts of the defending enterprise at a manageable level,” says Harper. The cyber thug has worked to locate IP addresses and ports that appear to have the servers and services he can benefit from attacking. He has worked to develop specific tools and approaches that routinely prove effective at breaking in and stealing data. He has fine-tuned his ability to stealth his activities.

Yet the ports are bare and the servers and services are phony. Every tool and approach he knows falls flat, going nowhere and rendering nothing. And because he is attacking a deception that has no business use, no one ever goes there but hoodlum hackers, so you can instantly identify him on his first attempt.

Deception technologies and approaches

‘Medium-Interaction’ Honeypots to the Rescue

Honeypots are a form of deception and traditionally come in two varieties, now three if you ask Harper. High-interaction honeypots are fully live systems sitting on the network, set up with real services that an attacker can poke and prod. While the systems do not have any legitimate use, nothing there is fake, and so the enterprise would need to institute security and monitoring around it, both to detect when someone has taken the bait and to ensure that an attacker doesn’t make it beyond the honeypot to the rest of the network, explains Harper.
“We call it high-interaction because the attacker has a lot to work with,” says Harper.

Another form is the low-interaction honeypot. This kind is entirely phony. “If you break it, it will just crash the application at the end of it,” says Harper. These are rightly called low-interaction honeypots because they don’t keep an attacker fooled or interested for very long.

“Now there’s something in between, which I would call a medium-interaction honeypot. And I think TrapX is a good example of that,” says Harper. (Honey Badger, mentioned later, is a similar tool. Dionaea is still another example of a tool for setting up honeypots.)

Medium-interaction tools are fake and yet give the attacker a lot to work with, so they stay involved longer, you fool them longer, and it gives you more time to learn about them. They can even help you learn enough about an attack like a zero-day exploit to be able to produce a signature for it. For this reason, attackers who realize that a network uses these honeypots will go elsewhere, lest they lose their complex zero-day exploit to an antivirus signature, explains Harper.

The Active Defense Harbinger Distribution

The Active Defense Harbinger Distribution (ADHD) is a Linux distribution dedicated to deception. This distribution includes tools such as Honey Badger, Artillery, WebLabyrinth, and Spidertrap. “The Active Defense Harbinger Distribution is designed to make it as easy as possible for someone to utilize these tools and implement them in their own organization, with full step-by-step tutorials built in,” says John Strand, Instructor, SANS Institute.

The Honey Badger tool is a honeypot that purports to offer attackers the administrative functions they want to control. “It has applications in the form of ActiveX controls or Java applets.
When the attacker runs them thinking that they’re going to successfully hack into the site, it actually does geolocation on where the hacker is, within 20 meters,” says Strand. The tool estimates geolocation using the technology smartphones use, triangulating position in relation to nearby cell sites and WAPs. This helps legal authorities to act more precisely.

The Artillery tool (Port Spoof, which is also part of ADHD, is a similar tool) is a port spoofing tool that will fool an attacker into thinking that every port is open and that something worthy of attack is waiting there. It confuses the attacker, which makes them take longer. In the meantime, the enterprise has more time to detect and learn about the attacker. “Artillery will eventually actively shun an attacker,” says Strand. But it’s not going to shun you arbitrarily; instead it sets a threshold that you must meet.

The WebLabyrinth tool works on the assumption that cyber criminals will crawl your website to identify web pages and input fields for exploitation. “WebLabyrinth serves up a whole bunch of fake pages to the bad guy. So whenever they’re trying to crawl the website, their crawling tool just crawls infinitely. It’ll never finish. That forces the bad guy to manually crawl the website instead of trying to use automated tools,” says Strand. It can even crash the attacker’s system. At that point, he may simply give up and go elsewhere.

The Spidertrap tool, similar to WebLabyrinth, feeds attackers a list of sensitive directories, making them think that they all exist on this server, baiting them in all the more and causing them to waste more time, according to Strand.
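A decoy listener in the spirit of Artillery and Port Spoof, written as an added example here rather than taken from the article or from ADHD: it answers on a few ports that have no business use, treats the first connection from any source as an alert, and, like Artillery’s threshold, only starts shunning a source after repeated hits inside a time window. The port numbers, banners, threshold and window are assumptions, and shunning is done in-process instead of through a firewall rule.

```python
import socketserver
import threading
import time
from collections import defaultdict

# Decoy ports and the banners they answer with; all values are invented.
BANNERS = {
    2121: b"220 FTP server ready\r\n",
    2222: b"SSH-2.0-OpenSSH_7.4\r\n",
    8080: b'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="admin"\r\n\r\n',
}

class ShunTracker:
    """Counts touches per source IP and decides when to start shunning it."""
    def __init__(self, threshold=5, window=600):
        self.threshold = threshold     # hits before the source is shunned
        self.window = window           # seconds a hit stays counted
        self.hits = defaultdict(list)  # ip -> timestamps of recent hits
        self.shunned = set()
        self.lock = threading.Lock()
    def record(self, ip, port, now=None):
        """Log one touch; return True when the source is (now) shunned."""
        now = time.time() if now is None else now
        with self.lock:
            recent = [t for t in self.hits[ip] if now - t < self.window]
            recent.append(now)
            self.hits[ip] = recent
            if len(recent) == 1:       # nobody legitimate connects to a decoy
                print(f"ALERT first touch from {ip} on decoy port {port}")
            if len(recent) >= self.threshold:
                self.shunned.add(ip)
            return ip in self.shunned

TRACKER = ShunTracker()

class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        ip, port = self.client_address[0], self.server.server_address[1]
        self.request.settimeout(5)     # don't hang on a silent scanner
        if TRACKER.record(ip, port):
            return                     # shunned: drop silently, no banner
        self.request.sendall(BANNERS[port])
        try:
            print(f"{ip}:{port} sent {self.request.recv(1024)!r}")  # attacker's first bytes
        except OSError:
            pass                       # scanner closed or went quiet

if __name__ == "__main__":  # one listener thread per decoy port
    for p in BANNERS:
        srv = socketserver.ThreadingTCPServer(("0.0.0.0", p), DecoyHandler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    threading.Event().wait()
```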
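An infinite labyrinth of fake pages in the manner of WebLabyrinth, as an added example that is not WebLabyrinth’s or Spidertrap’s own code: every page under an assumed decoy prefix (/docs/, which the real site never links to) contains eight links to further pages under the same prefix, generated deterministically from an assumed per-site seed, so an automated crawler never runs out of URLs, while each fetch is counted per source because no legitimate navigation reaches the prefix.

```python
import hashlib
import http.server
from collections import Counter

PREFIX = "/docs/"          # assumed decoy path, kept out of the real sitemap
LINKS_PER_PAGE = 8
SECRET = b"rotate-me"      # assumed per-deployment seed so link names differ per site
HITS = Counter()           # source ip -> number of labyrinth pages fetched

def labyrinth_links(path, n=LINKS_PER_PAGE):
    """Deterministic child links for a page: the same path always yields the
    same links (so a crawler's revisit checks pass), but every child is new."""
    links = []
    for i in range(n):
        digest = hashlib.sha256(SECRET + path.encode() + bytes([i])).hexdigest()
        links.append(f"{PREFIX}{digest[:12]}/")
    return links

def labyrinth_page(path):
    body = "".join(f'<li><a href="{l}">{l}</a></li>' for l in labyrinth_links(path))
    return f"<html><body><h1>Archive {path}</h1><ul>{body}</ul></body></html>"

def record_hit(ip, path):
    """Count labyrinth fetches per source; more than a handful means a crawler,
    not a person who clicked one stray link."""
    if not path.startswith(PREFIX):
        return None
    HITS[ip] += 1
    return HITS[ip]

class LabyrinthHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        count = record_hit(self.client_address[0], self.path)
        if count is None:
            self.send_error(404)      # outside the decoy tree: not ours to serve
            return
        if count == 1:
            print(f"ALERT {self.client_address[0]} entered labyrinth at {self.path}")
        page = labyrinth_page(self.path).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(page)

if __name__ == "__main__":
    http.server.HTTPServer(("0.0.0.0", 8000), LabyrinthHandler).serve_forever()
```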