Proofpoint Packages

Improving Detection and Response: Making the Case for Deceptions 

Share with your network!

Let’s face it, most enterprises find it incredibly difficult to detect and remove attackers once they’ve taken over user credentials, exploited hosts or both. In the meantime, attackers are working on their next moves. That means data gets stolen and ransomware gets deployed all too often.  

And attackers have ample time to accomplish their goals. In July 2023, the reported median dwell time was eight days. That’s the time between when an attacker accesses their victim’s systems and when the attack is either detected or executed.  

Combine that data point with another one—that attackers take only 16 hours to reach Active Directory once they have landed—and the takeaway is that threats go undetected for an average of seven days. That’s more than enough time for a minor security incident to turn into a major business-impacting breach.  

How can you find and stop attackers more quickly? The answer lies in your approach. Let’s take a closer look at how security teams typically try to detect attackers. Then, we can better understand why deceptions can work better.  

What is the problem with current detection methods? 

Organizations and their security vendors have evolved when it comes to techniques for detecting active threats. In general, detection tools have focused on two approaches—finding files or network traffic that are “known-bad” and detecting suspicious or risky activity or behavior.  

Often called signature-based detection, finding “known-bad” is a broadly used tool in the detection toolbox. It includes finding known-bad files like malware, or detecting traffic from known-bad IPs or domains. It makes you think of the good old days of antivirus software running on endpoints, and about the different types of network monitoring or web filtering systems that are commonplace today.  

The advantage of this approach is that it’s relatively inexpensive to build, buy, deploy and manage. The major disadvantage is that it isn’t very effective against increasingly sophisticated threat actors who have an unending supply of techniques to get around them.  

Keeping up with what is known-bad—while important and helpful—is also a bit like a dog chasing its tail, given the infinite internet and the ingenuity of malicious actors. 

The rise of behavior-based detection 

About 20 years ago, behavioral-based detections emerged in response to the need for better detection. Without going into detail, these probabilistic or risk-based detection techniques found their way into endpoint and network-based security systems as well as SIEM, email, user and entity behavior analytics (UEBA), and other security systems.  

The upside of this approach is that it’s much more nuanced. Plus, it can find malicious actors that signature-based systems miss. The downside is that, by definition, it can generate a lot of false positives and false negatives, depending on how it’s tuned.  

Also, the high cost to build and operate behavior-based systems—considering the cost of data integration, collection, tuning, storage and computing—means that this approach is out of reach for many organizations. This discussion is not intended to discount the present and future benefits of newer analytic techniques such as artificial intelligence and machine learning. I believe that continued investments in behavior-based detections can pay off with the continued growth of security data, analytics and computing power. However, I also believe we should more seriously consider a third and less-tried technique for detection. 

Re-thinking detection  

Is it time to expand our view of detection techniques? That’s the fundamental question. But multiple related questions are also essential: 

  • Should we be thinking differently about what’s the best way to actively detect threats? 
  • Is there a higher-fidelity way to detect attackers that is cost-effective and easy to deploy and manage? 
  • Is there another less-tried approach for detecting threat actors—beyond signature-based and behavior-based methods—that can dramatically reduce dwell time?  

Proofpoint thinks that there is a better way. And it’s called deception-based detection.  

The rise of deception-based detection 

This technique turns active threat detection on its head. Instead of collecting and analyzing masses of data to find the telltale signs of threat actor activity—attempting to find the threat needle in the data haystack—it applies a deception-based approach to the problem. Basically, it lays a minefield, puts out masses of tripwires, or deploys a complex enterprise network maze for attackers to stumble into. 

I can hear you thinking, “This has been tried before, but it hasn’t caught on.” This is, in some ways, the idea behind honeypots, which emerged in the late 1980s and were documented in Clifford Stoll’s book The Cuckoo’s Egg. But I believe that a mixture of current threat trends, today’s real detection challenges and recent technological changes mean that it’s time to reconsider a broader deception-based approach. 

In a recently published report, GigaOm Radar for Deception Technology, Chris Ray of GigaOm wrote, “From a business perspective, strategic deployment of deception technology significantly reduces the risks of data breaches, system intrusions and resulting downtime. It can also provide comprehensive insights into adversaries’ tactics and an organization’s vulnerabilities, enabling the sculpting of a more resilient defense system.” 

If you decide to do more research into the concept of deceptions and how your organization might use this strategy, be forewarned that you will come across various terms and definitions that may be confusing and conflicting. They include the following: 

  • Baits 
  • Breadcrumbs 
  • Deceptions 
  • Decoys 
  • Honeypots 
  • Honeytokens 
  • Lures 
  • Traps 

In my view, while they have nuanced differences, they are all forms of deceptions. I consider the term, “deceptions” to be an umbrella term. They all refer to types of fake resources that are meant to trick threat actors into engaging with them. And they help teams detect their presence as well as provide insights into their activities and intent.  

Deceptions are better than honeypots for detecting active threats  

As a security professional, I advise that you don’t get drawn into comparing these concepts in great detail. There is generally too much inconsistency in how the terms are used. Instead, think more broadly about what you are trying to accomplish. 

For example, if you are a security researcher trying to catch malicious activity widely on the internet to support your data collection, you may want to consider using widely deployed honeypots (decoy systems that are simulated hosts or applications). While they are easy to detect and avoid by sophisticated actors inside your enterprise, because of their homogeneity, they are useful for collecting security research data on a massive scale. 

If your goal is to detect, investigate and respond more effectively to threat actors in the middle of your enterprise, I would point you to deceptions more broadly, but not specifically honeypots. Types of deceptions are sometimes known as honeytokens, breadcrumbs, baits, lures or traps. They are all fake but authentic-looking and attractive resources that threat actors have a hard time distinguishing from real ones. Examples include deceptive content in browsers, files, emails, chats and RDP sessions, and fake credentials in memory, command-line histories, scripts and elsewhere on endpoints. Honeytokens are generally just one type of deception, namely fake login credentials. 

The point of using deceptions—whatever name you use for them—is to trip up attackers so you can prevent their next move. Threat actors will find and attempt to use deceptions without understanding that they have stepped on a land mine, triggered a tripwire, bumped into the dead end of a maze and raised a silent flag to their attempts at malicious behavior. Their key advantage is that they are, varied in type, widely distributed and invisible to legitimate users—yet they are in plain sight for bad actors. 

The bottom line 

If signature-based detections aren’t sufficient, and behavior-based detections are too costly to implement and manage, then you need to consider another approach for detection. Perhaps now is the time to make deception-based detections part of your active threat detection security stack. 

To learn more about how you can use deceptions to detect and respond to active threats, check out Proofpoint Identity Threat Defense