As my esteemed and fast-fingered colleague has already noted, our deception paper has been published. World, please behold the 38-page awesomeness of “Applying Deception Technologies and Techniques to Improve Threat Detection and Response” [Gartner GTP access required]! The abstract states: “Deception is a viable option to improve threat detection and response capabilities. Technical professionals focused on security should evaluate deception as a ‘low-friction’ method to detect lateral threat movement, and as an alternative or a complement to other detection technologies.”
- “Improved detection capabilities are the main motivation of those who adopt deception technologies. Most [of those interviewed – A.C.] have no motivation to actively engage with attackers, and cut access or interaction as soon as detection happens.”
- “While tailoring lures to the environment increases the chances of detecting attacks, certain lures may cause users without malicious intent to accidentally touch the decoys.” <- so, many want NO false alarms, but really get LOW false alarms…
- “Testing detection tools is hard. Testing detection tools that seek to find advanced and, hence, rare threats is even harder. However, testing deception tools often takes the prize for being the hardest.”
- “Unlike with other security controls, the question of whether to inform the rest of the information security and IT team does come up with deception. Deception controls are sometimes deployed by a small team that keeps some details, such as the precise nature of lures and the locations of decoys, to itself.”
- “Are these technologies effective? At this time, the fact base Gartner collected from production deployments points to a […]” (read the paper to find out; sorry for my bad joke here!)
P.S. I suspect there may be a vendor or two who will say that “we are just not excited enough about deception.” Frankly, given the facts we possess, the paper shows an incredible amount of excitement about threat deception. In other words, if you don’t think we bring the good news, we assure you – what we bring is in fact good news 🙂
Blog posts related to the deception research topic:
- APT-Ready? Better Threat Detection vs Detecting “Better” Threats?
- Better Data or Better Algorithms?
- Tricky: Building a Business Case for A Deception Tool?
- It Is Happening: We Are Starting Our Deception Research!
- “Deception as Detection” or Give Deception a Chance?
Other blog posts announcing paper publications:
- Our “How to Plan, Design, Operate and Evolve a SOC” Paper Is Published
- Our “Comparison of Endpoint Detection and Response Technologies and Solutions” Paper Publishes
- Our Paper “Endpoint Detection and Response Tool Architecture and Operations Practices” Publishes
- Our “Understanding Insider Threats” Paper Publishes
- Our New Paper on Security Monitoring Use Cases Publishes
- Our 2016 SIEM Papers Are Out!