In order for you to cut through the marketing hype, here’s a set of evaluation questions to ask deception technology vendors that will help you better understand disparate offerings.
- Are their decoys individually unique?
While this seems like a no-brainer, there are many deception technology vendors that don’t actually have solutions with the ability to run individually unique application services. In other words, if you deploy 100 FTP decoys, they’re all really pointing to the same FTP servers over and over again! Not very realistic is it? A modern platform will use advances in virtualisation technology to create unique, real decoy services that can be customised individually. Some providers rely on emulations (not the real thing!) in order for them to scale. They then ‘hand off’ the attacker’s interaction to a real virtual machine. Why compromise with emulations when the capability to offer real services at scale exists?
- How do they create fake content in their decoys?
It’s great to see a couple of perfectly configured decoys in a proof-of-concept, but how do different deception technology vendors create fake content and realistic application layer data for hundreds or thousands of decoys? If you try to configure these many systems by hand, you’ll either take forever, or will have mediocre deception realism. Human’s (especially short-staffed security teams) aren’t good at creating mass fake, believable content, and attackers are great at identifying stuff that’s poorly created.
- What parts of the kill-chain do they really cover?
Kill-chain coverage is an often touted feature, but you need to dig a bit deeper to understand what’s really going on. A good platform will do everything from recon phase, front-of-firewall decoys (that don’t trigger on every random Internet probe), to fake personas (email addresses), and fake data. Deception is far more than a few network decoys and breadcrumbs, so make sure the deception technology vendor you select is truly full-stack.
- How do they deploy deception at scale, such as in multi-geography environments?
Do you need a large number of appliances to cover different branches, or do you have to modify your network to create GRE tunnels / VPNs? Some deception technology vendors avoid the multi-location problem altogether by claiming endpoint lures are sufficient (they’re not). A good platform will allow you to deploy decoy network services in remote locations without any of these hassles.
- Do they require agents or administrative rights?
Do you need to run agents on all or most of your endpoint fleet in order to benefit from many of the features? Additionally, do you have to have administrative rights to deploy endpoint features? None of these are required for effective deception.
- How real are their decoys?
If it isn’t fooling you, it isn’t fooling the bad-guy. The decoys should be so real that your in-house red-team should fall for them. In fact, we encourage you to do exactly that when comparing solutions — have your own folks rate how ‘real’ the deception looks. This also means that there should be high-interaction environments like RDP and SSH, where a human attacker (not just commodity malware) can run whatever code they like, while you have full telemetry and visibility into their actions.
- What is their experience running actual deception campaigns?
No matter what anyone tells you, deception is more than just the technology. This is actually just common sense; the technology exists to implement a believable deception strategy and overall campaign. Speak to your provider to evaluate their experience with planning, setting up, and managing these campaigns. Good providers will have the expertise and experience of what works in the real world, and what doesn’t. If you plug a deception platform into any reasonably large network, you’ll get hits from commodity infections such as legacy worms scanning subnets and so on. This sounds great, but it’s not really what you’re trying to stop. Ask them about the heritage of their platform. Where has it succeeded for other people?
- How good is their offensive R&D?
It’s no surprise that most deception technology proponents come from either a red team or threat hunting background. The technology is the red teamer’s answer to ‘what would work best against you?’. An active red team practice means that the provider is up to date with (or even inventing) what the bad guy does next, and their ability to ‘think adversarially’ is the difference between deploying deception that doesn’t really hurt the bad guys, versus dirty tricks that really cause them pain.
- How good is the security of their deception platform?
When an attacker moves laterally and attacks a decoy system, you want them to be successful so that you can collect threat intelligence and indicators of compromise. What you don’t want them to do is to exploit the decoys to target other systems. This means platform security of the deception solution is extremely important. The architecture of some providers even ends up routing VLANs, meaning an attacker can bypass your access control through the decoy! You also must evaluate the base operating platform security to ensure the attacker cannot compromise the decoy host appliance. Container virtualisation is often used to create decoys insecurely, this can lead to the attacker escalating privileges out of the decoy and onto the deception appliance.
- What do they do to contain and remediate?
So now you’re getting meaningful alerts with low false positives. What’s the logical next step? You want to investigate the root-cause of the alert through digital forensics, and likely move to containment. Does the deception platform you’re evaluating only support forensics and containment through third-party products? If so, you’ll need to purchase another tool just to respond to the alerts. Do they offer quality DFIR capabilities for your endpoints out of the box?
- [Bonus!] How will they help you build a deception capability, not just implement a technology?
Deception is very similar to threat-hunting; the technology exists to automate and help implement decoys, traps, lures, bait and honeypots, but if you’re not planning your overall strategy around deception, then you’re investing in a box, not a capability. A truly effective deception capability covers the technology, risk-modelling, deception story-building, and post-deception alert management. Make sure you’re not just buying a technology, but are building a fundamentally new capability in your security team.
If you’re currently evaluating deception technology vendors, we’ve written a guide that goes deeper into some of the questions that we’ve listed above. You can download it here.
You Need Deception Technology. And It’s Not Why You Think
The curious case of “How many decoys do I need?”
Open Source Honeypots That Detect Threats For Free
- Detect zero-days, APTs, and insider threats
- 10x the detection capabilities with 1/2 the team
- Get started in minutes, fully functional in hours