This is a debate post, and not a position post. The question alluded therein (hey… I said “alluded therein” to sound like Dan Geer, no?) has been bugging us for some time, perhaps for 2+ years.
However, we deferred this debate and hid behind the fact that most organizations don’t really compare broad security approaches like “do deception” or “do analytics” (or even “do network” or “do endpoint” for detection) in furtherance of a particular goal. The extra-large enterprises always click “all of the above” while others just want to compare vendors.
First, it is very clear that there are sets of security problems where the question of “how to handle it?” or “how to detect it?” can be solved in a set of fundamentally different ways.
Let’s take many people’s recent favorite: attacker’s lateral movement detection (ATT&CK link).
So far, we’ve seen organizations use these approaches for detecting attacker movement in their environment:
- Network-centric: NTA (flow-based or L7 [better!]), and NSM as an approach.
- Endpoint-centric: EDR or various endpoint interrogation tools.
- Log-centric: SIEM or UEBA with relevant logs (network, endpoint, DNS, etc).
- Deception-centric: decoys, lures and other juicy honey-tools and deception methods.
[of course, there is still a “WHAT LATERAL? WE WILL STOP THEM AT THE BORDER!” crowd, but I am not talking about those people today]
Ok, so far, nobody is running away screaming “WROOOOONG!” Fine! Notice that the first three approaches all work in roughly the same way:
- gather lots of data from network, endpoint, log or combination thereof.
- think up a sneaky method to glean the insight you need from this data you just collected
- when this insight is gleaned, it is shown to an appropriate human who then runs out and takes the attacker out (not out on a date, mind you, but out with the trash)
However, the #4 (deception) does not work like this, it works more like this:
- think up and prepare a bunch of traps for the attacker
- spread them all over the environment and then hope they are discovered by the attacker
- when the attacker touches one of the traps, you go and take them out.
See the difference?
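As an added illustration (not code from the original post), here is a toy Python comparison of the two models over a handful of constructed authentication events: a “collect data, then look for a pattern” detector that needs a threshold and a time window, beside a “plant a decoy, alert on any touch” detector that needs neither. The hostnames, user names, decoy names, threshold and window are all made up for the example.

```python
from collections import defaultdict

# Constructed sample authentication events: (minute, user, source host, destination host).
# "bob" fans out fast, "carol" touches a decoy, "dave" moves slowly and avoids decoys.
EVENTS = [
    (1, "alice", "ws-01", "fs-01"),
    (2, "alice", "ws-01", "mail-01"),
    (3, "bob", "ws-07", "fs-01"),
    (4, "bob", "ws-07", "ws-12"),
    (5, "bob", "ws-07", "ws-13"),
    (6, "bob", "ws-07", "ws-14"),
    (7, "bob", "ws-07", "ws-15"),
    (8, "carol", "ws-03", "ws-09"),
    (9, "carol", "ws-03", "honey-fs-99"),
    (10, "dave", "ws-05", "ws-20"),
    (25, "dave", "ws-05", "ws-21"),
    (40, "dave", "ws-05", "ws-22"),
    (55, "dave", "ws-05", "ws-23"),
]

# Hypothetical decoy hosts planted for the deception approach; no real user should ever touch them.
DECOY_HOSTS = {"honey-fs-99", "honey-db-42"}


def analytics_detect(events, threshold=4, window=10):
    """Approaches 1-3: gather all events, then flag any user who reaches at least
    `threshold` distinct hosts inside a `window`-minute span. Returns user -> hosts."""
    by_user = defaultdict(list)
    for t, user, _, dst in events:
        by_user[user].append((t, dst))
    hits = {}
    for user, evs in by_user.items():
        evs.sort()
        for t0, _ in evs:  # slide a window starting at each event
            hosts = {d for t, d in evs if t0 <= t < t0 + window}
            if len(hosts) >= threshold:
                hits[user] = sorted(hosts)
                break
    return hits


def deception_detect(events, decoys=DECOY_HOSTS):
    """Approach 4: no baseline, no threshold; a single touch of a decoy is the alert."""
    return [ev for ev in events if ev[3] in decoys]


if __name__ == "__main__":
    print("analytics:", analytics_detect(EVENTS))   # catches bob only
    print("deception:", deception_detect(EVENTS))   # catches carol only
```

Each model has a blind spot the other does not: the slow mover below the analytics threshold is invisible to approach 1-3, and an attacker who never touches a decoy is invisible to approach 4, which is exactly why the question below is worth arguing about.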
Now, we can argue:
- WHICH OF THE APPROACHES IS BETTER FOR DETECTING THE TRUE “UNKNOWN UNKNOWNS”?
- WHICH OF THE APPROACHES IS BETTER FOR DETECTING THE TRUE “UNKNOWN UNKNOWNS” GIVEN MOST ORGANIZATIONS’ LIMITED RESOURCES?
Posts related to deception:
- Our “Applying Deception Technologies and Techniques to Improve Threat Detection and Response” Paper is Published (2016)
- APT-Ready? Better Threat Detection vs Detecting “Better” Threats?
- Better Data or Better Algorithms?
- Tricky: Building a Business Case for A Deception Tool?
- It Is Happening: We Are Starting Our Deception Research!
- “Deception as Detection” or Give Deception a Chance?