Gartner Blog Network

APT-Ready? Better Threat Detection vs Detecting “Better” Threats?

by Anton Chuvakin  |  October 19, 2016  |  4 Comments

As we have mentioned a few times before, we see a lot of “deception as detection” use cases. Frankly, nearly all the deception projects we see are focused on threat detection (typically of the attacker’s lateral movement and the other middle stages of the kill chain), not on observing the entrapped attackers, and not on distracting or delaying attackers away from production assets.

However, the question then is: what kinds of threats, specifically? To me, it comes down to this …

is this A) a better way to detect mundane threats (“a better IDS” scenario) or B) a way to detect “better” threats (“an APT catch” scenario)?

So far, we have mostly seen case A), where the emphasis was on “frictionless” threat detection that does not involve the pesky production systems. A typical catch includes relatively elaborate (but not truly novel or advanced) malware, low-impact insiders, and other “suspicious-ish” internal activity. Of course, some vendors will try to position this as “APT detection”, using the corrupted meaning of “APT” as “malware that gets past traditional AV”.
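To make the case A) mechanism concrete, here is an added illustration of the simplest “deception as detection” logic: every interaction with a decoy host or decoy credential is an alert, and a source that touches several different decoys is flagged as probable lateral movement. This is example code written for this page, not Gartner’s or any vendor’s product logic; the decoy inventory, the log format and the log lines are all constructed for the example.

```python
"""Decoy-touch detector: the core of "deception as detection".

Added example, not code from the original post. The decoy inventory, the
log format and the sample events are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed decoy inventory (assumed): no legitimate workflow ever touches these,
# so any touch is a signal without needing a baseline of "normal" production traffic.
DECOY_HOSTS = {"10.0.5.77": "fake-fileserver", "10.0.5.78": "fake-db"}
DECOY_ACCOUNTS = {"svc_backup_old", "jsmith-admin"}

# Constructed log format (assumed): one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    kind: str    # "host" or "account"
    decoy: str   # which decoy was touched
    src: str
    user: str
    dst: str


def parse(line):
    """Return the event fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines):
    """Emit one Alert per decoy touched by each event.

    Whether the auth succeeded is irrelevant: a *failed* login with a decoy
    account still means someone is replaying a planted credential. Nothing
    here consults production systems, which is what makes the signal
    low-friction and low-false-positive (and also why it is blind to an
    attacker careful enough to never touch a decoy).
    """
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # malformed lines are skipped, not alerted on
        if ev["dst"] in DECOY_HOSTS:
            alerts.append(Alert(ev["ts"], "host", DECOY_HOSTS[ev["dst"]],
                                ev["src"], ev["user"], ev["dst"]))
        if ev["user"] in DECOY_ACCOUNTS:
            alerts.append(Alert(ev["ts"], "account", ev["user"],
                                ev["src"], ev["user"], ev["dst"]))
    return alerts


def decoys_by_source(alerts):
    """Map each source host to the set of distinct decoys it touched."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a.src].add(a.decoy)
    return dict(seen)


def suspicious_sources(alerts, min_distinct=2):
    """A source touching several different decoys looks like lateral movement
    rather than one stray connection; return such sources, most active first."""
    per_src = decoys_by_source(alerts)
    ranked = sorted(per_src.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [src for src, decoys in ranked if len(decoys) >= min_distinct]


# Constructed sample events, not real traffic.
SAMPLE_LOGS = [
    "2016-10-19T09:00:01Z auth user=alice src=10.0.1.10 dst=10.0.2.20 result=ok",             # normal
    "2016-10-19T09:05:12Z auth user=alice src=10.0.1.10 dst=10.0.5.77 result=ok",             # decoy host
    "2016-10-19T09:06:40Z auth user=svc_backup_old src=10.0.1.10 dst=10.0.2.21 result=fail",  # decoy account, failed
    "2016-10-19T09:07:03Z auth user=svc_backup_old src=10.0.1.10 dst=10.0.5.78 result=ok",    # decoy account and decoy host
    "2016-10-19T09:10:00Z auth user=bob src=10.0.1.11 dst=10.0.2.20 result=ok",               # normal
    "not a log line",                                                                          # malformed
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"{a.ts} {a.kind:7} decoy={a.decoy} src={a.src} user={a.user} dst={a.dst}")
    print("likely lateral movement from:", suspicious_sources(found))
```

On the constructed events the detector raises four alerts, all from 10.0.1.10, which touches three distinct decoys and is therefore ranked as likely lateral movement. The same code also shows why this is a case A) tool: an intruder who fingerprints and avoids the decoys produces no event at all, so the harder case B) cannot be solved by better decoy-hit counting alone.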

Nevertheless, we have seen a tiny number of cases where B) was probably true and deception tools may have enabled the defenders to catch those “top tier” threats.

Finally, given our fact base, we are ready to state that A) can be made easier with deception tools. However, I hope you realize that B) will forever remain hard, by definition: if you aim at the top predator of the threat food chain, you will have to work hard.

Our related blog posts on deception:


Category: deception  security  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

Thoughts on APT-Ready? Better Threat Detection vs Detecting “Better” Threats?

  1. Ron says:

    I believe B will remain hard BUT also that deception done right can be very useful to detect APT’s.

  2. Exactly correct – and we have seen some small number of cases where it was indeed the case!


Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.