New use cases, MITRE Shield support, and greater awareness will drive market growth and penetration.

Ask any cybersecurity professional to define deception technology and they will likely talk about honeypots or honeynets. That is accurate but antiquated, as is the misconception that deception technology is complex, has limited use cases, and is only useful for security researchers.

Modern deception technology overcomes that historical complexity with analytics and automation. Once installed, it scans the network, takes an inventory of assets, and then recommends decoys and lures that emulate servers, files, network segments, or valuable services (Active Directory, for example). A network with around 1,000 real nodes can suddenly appear to have 10,000 or more. That makes reconnaissance and lateral movement much harder for adversaries: most of what they enumerate is fake, and interacting with any of it gives them away.

Expanding use cases

While honeypots and honeynets were mainly used by academics and researchers and for threat analysis, modern deception technology is used effectively for threat detection and response. Security teams create decoy accounts (e.g., privileged users), decoy assets (e.g., IoT/OT devices), or decoy data (e.g., sensitive data repositories) across their networks. When attackers poke around looking to advance an intrusion or exfiltrate data and stumble into a decoy, the jig is up. Legitimate users do not know these decoys exist, so any access to them has only one plausible meaning: a cyberattack in progress. The practical corollary is that decoys must be excluded from vulnerability scanners, backup jobs, and the deception platform's own health checks; otherwise those sources, not attackers, will be what trips them.

Deception technology usage can also follow a maturity curve. Organizations can start with basic decoys to fool pedestrian adversaries, then grow into more advanced use cases for incident response, threat intelligence analysis, threat hunting, and so on. Moving forward, I believe deception technology will become smarter, more dynamic, and thus more valuable.
Deception technology analytics engines will continuously monitor and adapt based upon:

- The entire attack surface, not just the internal network. This will help protect corporate assets in the cloud, on third-party websites, in source code repositories, etc.
- Threat intelligence. Deception technology will know about active campaigns and exploits and then suggest new types of decoys, or modifications to existing ones, as countermeasures.
- Security tests. When penetration testers or red teamers discover security vulnerabilities, deception technologies will suggest decoys as compensating controls.

Leading deception technology vendors like Attivo Networks, Illusive Networks, and TrapX will then turn these capabilities into use cases like threat campaign defenses or safeguarding critical OT systems.

Deception technology in 2021

While deception technology should become more popular based on these factors, I believe the following trends in 2021 will help push it into the mainstream:

- MITRE Shield. On its website, MITRE defines Shield as "an active defense knowledge base MITRE is developing to capture and organize what we are learning about active defense and adversary engagement." Further, active defense is defined as "the employment of limited offensive action and counterattacks to deny a contested area or position to the enemy." Organizations are already embracing MITRE ATT&CK, so they are likely to gravitate toward Shield as a complementary initiative. Deception technology has a multitude of active defense use cases within Shield.
- SOC modernization. There will be lots of SOC modernization activity in 2021 as organizations scale and automate operations, integrate tools (e.g., into a SOAPA, security operations and analytics platform architecture), gain better visibility of their attack surfaces, embrace advanced analytics, and implement automated security testing tools. Deception technology fits nicely within these changes as an active sensor and a tunable security control.
- Ransomware countermeasures. Industries like education, health care, and state/local government need help in their battle with ransomware. Deception technology is not a panacea, but it can help detect lateral movement over protocols like Server Message Block (SMB), for example when a ransomware operator enumerates and mounts a decoy file share, so the intrusion is caught before encryption spreads. Deception decoys can also be deployed or tuned to defend against the tactics, techniques, and procedures of other cyberattack campaigns.

Deception technology is not a set-it-and-forget-it solution, but based on my conversations with organizations using deception, it can be characterized as a quick win. CISOs can deploy deception technology quickly and gain near-term benefits. This alone should increase its popularity in the post-COVID era.
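The detection principle described above, that no legitimate user or job should ever touch a decoy, so any access to a decoy account, decoy host or decoy SMB share is a high-fidelity alert, can be shown in a few lines of code. The following is an added example written for this article, not code from the page, from any of the vendors named, or from MITRE. The decoy inventory, the pipe-delimited event format (loosely modelled on Windows Security events 4624 and 5140), the maintenance allowlist and the log lines are all constructed for the illustration. It also adds the lateral-movement context a responder wants: every other host the offending source touched in the same window.

```python
"""Decoy-touch detection over authentication and file-share events.

Added example, not the article's or any vendor's code. Everything below
(decoy names, event format, sample log) is constructed for illustration.
Event lines: ts|event_id|src_ip|dst_ip|account|share  (share empty for logons)
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed decoy inventory: names no real user, script or backup should use.
DECOY_ACCOUNTS = {"svc_backup_adm", "da_legacy"}      # decoy privileged accounts
DECOY_HOSTS = {"10.0.9.50", "10.0.9.51"}              # decoy servers
DECOY_SHARES = {r"\\FS01\Finance_Archive"}            # decoy SMB share on a real file server

# The deception platform itself probes its decoys; suppress those sources
# or every health check becomes a false positive.
MAINTENANCE_SOURCES = {"10.0.0.5"}


@dataclass(frozen=True)
class Event:
    ts: str
    event_id: int
    src_ip: str
    dst_ip: str
    account: str
    share: str


def parse_line(line: str) -> Event:
    """Parse one constructed 'ts|event_id|src|dst|account|share' record."""
    ts, eid, src, dst, acct, share = line.strip().split("|")
    return Event(ts, int(eid), src, dst, acct, share)


def decoy_reasons(ev: Event) -> list[str]:
    """Return every decoy element the event touched (empty list = benign)."""
    reasons = []
    if ev.account in DECOY_ACCOUNTS:
        reasons.append(f"decoy account {ev.account}")
    if ev.dst_ip in DECOY_HOSTS:
        reasons.append(f"decoy host {ev.dst_ip}")
    if ev.share in DECOY_SHARES:
        reasons.append(f"decoy share {ev.share}")
    return reasons


def detect(lines: list[str]) -> list[dict]:
    """Alert on any decoy touch; attach the other hosts that source reached.

    Because decoys have no legitimate consumers, one hit is enough; there is
    no threshold or baseline to tune. The 'also_touched' list turns the alert
    into a lateral-movement lead for the responder.
    """
    events = [parse_line(l) for l in lines if l.strip()]
    reached: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        reached[ev.src_ip].add(ev.dst_ip)

    alerts = []
    for ev in events:
        if ev.src_ip in MAINTENANCE_SOURCES:
            continue                      # allowlisted deception controller
        reasons = decoy_reasons(ev)
        if reasons:
            alerts.append({
                "ts": ev.ts,
                "event_id": ev.event_id,
                "src": ev.src_ip,
                "reasons": reasons,
                "also_touched": sorted(reached[ev.src_ip] - {ev.dst_ip}),
            })
    return alerts


# Constructed sample log: one workstation does recon, hits a decoy AD-style
# account on a decoy server, then mounts the decoy share on the real FS01.
SAMPLE_LOG = r"""
2021-01-12T08:55:00Z|4624|10.0.0.5|10.0.9.51|da_legacy|
2021-01-12T09:00:11Z|4624|10.0.5.21|10.0.1.10|jdoe|
2021-01-12T09:00:45Z|5140|10.0.5.21|10.0.1.20|jdoe|\\FS01\Public
2021-01-12T09:01:03Z|4624|10.0.5.21|10.0.9.50|svc_backup_adm|
2021-01-12T09:01:30Z|5140|10.0.5.21|10.0.1.20|jdoe|\\FS01\Finance_Archive
2021-01-12T09:02:00Z|4624|10.0.5.77|10.0.1.10|asmith|
"""


def run_sample() -> list[dict]:
    """Run the detector over the constructed log (two alerts expected)."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"], a["src"], "; ".join(a["reasons"]), "| also touched:", a["also_touched"])
```

The first record, a logon to a decoy with a decoy account from the deception controller's own address, is suppressed by the allowlist; the two records from 10.0.5.21 fire, and each alert carries the other hosts that workstation reached, which is exactly the pivot path an incident responder would chase next.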