Gartner Blog Network


APT-Ready? Better Threat Detection vs Detecting “Better” Threats?

by Anton Chuvakin  |  October 19, 2016  |  4 Comments

As we mentioned a few times before, we see a lot of “deception as detection” use cases. Frankly, we see nearly all deception projects focused on threat detection (typically of the attacker's lateral movement and other middle stages of the kill chain), rather than on observing the entrapped attackers or on distracting (or delaying) them away from production assets.

However, the question is then: what kinds of threats, specifically? To me, the question becomes …

is this a better way to A) detect mundane threats better (“a better IDS” scenario) or B) a way to detect “better” threats (“an APT catch” scenario).

So far, we’ve seen mostly case A), where the emphasis was on “frictionless” threat detection that does not involve pesky production systems. A typical catch may include relatively elaborate (but not truly novel or advanced) malware, low-impact insiders, and other “suspicious-ish” internal activities. Of course, some vendors will sometimes try to position this as “APT detection” (using the corrupted meaning of the word “APT” to mean “malware that passes through traditional AV”).

Nevertheless, we have seen a tiny number of cases where B) was probably true and deception tools may have enabled the defenders to catch those “top tier” threats.

Finally, we are ready to state, given our fact base, that A) can be made easier with deception tools. However, I hope you do realize that B) will forever remain hard, by definition: if you aim at the apex predator of the threat food chain, you will have to work hard.

Our related blog posts on deception:

Category: deception, security

Anton Chuvakin
Research VP
5+ years with Gartner
16 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on APT-Ready? Better Threat Detection vs Detecting “Better” Threats?


  1. Ron says:

    I believe B will remain hard BUT also that deception done right can be very useful to detect APTs.

  2. Exactly correct – and we have seen some small number of cases where it was indeed the case!



