I DO NOT THINK IT MEANS WHAT YOU THINK IT MEANS
If you recognize the quote in the title of this blog entry, then you also know one of my favorite movies of all time is Princess Bride.
If you didn’t recognize it, here’s a relevant reminder: https://www.youtube.com/watch?v=dTRKCXC0JFg
Let’s play a little word association. I say “Deception”, you say…..?
Usually the first word I hear in response to that is “Honeypots!!”.
Well, not quite. Deception is more than honeypots and if you’re trying to decipher all the marketing buzz I hope this discussion can help.
In order for a solution to truly be an Enterprise Deception Solution, it must incorporate three components: Decoys, Breadcrumbs and Baits.
Decoys: Decoys are IP addressable false targets that can represent anything in the organization’s environment. This is where the traditional “honeypot” comes to mind except with Deception Solutions they should support various “Interaction Levels” as well as be able to represent anything that can hold an IP Address (workstations, servers, network infrastructure, IoT, Industrial Control Systems, VOIP, etc.).
Breadcrumbs: Breadcrumbs are false information planted on your legitimate systems and are designed to lead the adversary away from legitimate targets and to the decoys that are present.
Baits: Baits are Deception Objects planted on your legitimate systems that when interacted with, will generate an alert (notify you that document has been opened, notify you the file has been encrypted indicating possible Ransomware activity, etc.).
An Enterprise Deception solution should autonomously manage and coordinate all these objects in concert with your organization’s infrastructure making it near impossible for the adversary to discern real from “The Matrix” world.
Implementing honeypots of old was cumbersome, costly and manually intensive. Enterprise Deception solutions should be designed to utilize intelligent analysis, automated discovery and self-generating recommendations to build out deception objects with little to no human interaction. Additionally, effective deception needs to be done en masse. Organizations may need hundreds, thousands of decoys, baits and associated breadcrumbs across all types of subnets (end-user, DMZ, server farms, VOIP, Administrative). “Fewest Number of Mouse Clicks” should be the general rule to getting this done.
Enterprise Deception also had to solve the cost factor. Honeypots of old required manual setup, hardware or virtualization requirements equivalent to running the real thing, OS and Application licensing, and on top of that…required instrumentation and filtering to capture and record attacker activity while whitelisting benign activity. And that was just to setup one honeypot!
Enterprise Deception Solutions should address each of those areas:
- It should be able to minimize or eliminate hardware requirements.
- It should be able to take advantage of the virtualization stack without requiring heavy compute resources.
- It should not require additional FTEs either to implement the solution or perform on-going maintenance activities.
- It should not require additional FTEs to support triage and analysis of generated alerts.
- It should be able to scale vast numbers of decoys without requiring additional OS and Application licenses.
- It should be able to scale vast numbers of decoys without requiring linear scaling of additional solution components.
So the next time you hear someone say “Deception Solutions are just Honeypots”, quote Inigo Montoya and use these talking points to start a discussion.