LIFARS recently interviewed Mike Fabrico, Sales Director, US East Coast, at TrapX Security. In this three-part interview, we discussed deception technology and why this approach to cybersecurity is growing in popularity amongst the largest companies in the world. TrapX Security currently leads the market as it pioneered the idea of deception technology back in 2010. In addition, TrapX has frequently been releasing new reports, case studies and whitepapers about how they repeatedly stop attacks for the largest companies in the world.
LIFARS: “Why has deception-based cybersecurity become such a hot topic? What do organizations need to know about the approach?”
Mike: “Deception-based cybersecurity has gained traction as a result of high-profile cases where it was shown effective in stopping highly sophisticated attacks that bypassed other solutions.
The economy of cybercrime is rigged in favor of the attackers, who only need to succeed once, while the defenders must address every breach and vulnerability. Security professionals are leveraging deception to take a more proactive stance, forcing attackers to show their hand by giving up valuable information about their intentions, techniques and attack tools, significantly changing the economy of cybercrime. It’s no secret that cybercriminals are becoming more sophisticated and bolder in their attack methods. Consequently, security solutions must stay ahead of the attackers, not only anticipating their next move but their next series of moves. With this intelligence, security teams can make much more of their existing investment, bringing it to use where it is needed and matters the most.”
LIFARS: “Can you give us more details about deception technology and why TrapX introduced this concept to the market to battle cyber-criminals?”
Mike: “Sure! Deception has been used for a long time on the battlefield. Sun Tzu’s Art of War, the millennia-old and highly regarded Chinese book on this topic, discusses the many ways deception can be used to prevail in military conflict. Today’s modern military has developed a full set of policies and supporting doctrine to leverage the strategic benefits of deception, and deception within corporate and government networks can be just as impactful as it is in war. Deception is also used in professional sports. In the NFL, for instance, the play-action pass deceives the defense by causing them to believe in a run play, and then the quarterback bombs the ball downfield after the defenders have moved closer to the line of scrimmage. Why should cybersecurity be any different? What we do by deploying deception technology is baiting, engaging, and ultimately trapping cyber-attackers that have penetrated your network. Deception enhances visibility and helps you identify attackers that have bypassed all your other cyber defenses. Deception fills your network with lures (Tokens) and decoys (Traps) to deceive and detect cyber-attackers within the network. Deception surrounds the attackers with tempting targets. Everywhere they turn, they face immediate identification.
Some more details:
Tokens are fake credentials and scripts that are placed within your real information technology assets. These tokens appear to be exactly what attackers seek – information about valuable resources, credentials, and authentication to escalate permissions – and can include cached credentials, database connections, network shares, and much more. Attackers find this bait attractive and then these fake credentials and fake information lead them directly into a trap.
Traps are fake information technology resources that are placed by automation within your network amongst and between your actual information technology resources. Trap placement is designed to blanket your network with protection. Everywhere an attacker turns they are faced with these traps. An attacker doing reconnaissance will find them almost impossible to avoid.”
LIFARS: “But how is deception different than legacy honeypots?”
Mike: “The simple answer is, legacy honeypots require manual administration and typically require the use of virtualization. This approach does not support the scale of typical enterprise or government customers. Honeypots are deployed one at a time. Each honeypot requires the setup of a full operating system, with the attendant expense and manual set-up labor. Use of a real operating system in legacy honeypots also puts the defender at risk for the honeypot to be compromised and used as a jumping point. Deception technology brings automation and large enterprise scale for the deployment of thousands of traps. Also important to note is the integration with ecosystem technologies such as network access control (NAC) that can take indicator of compromise (IOC) data to trigger immediate isolation of an attacker.”
LIFARS: “So how is deception different than other detection approaches?”
Mike: “Great question, let me teach you about detection methodology. It is simple and absolute: Just one touch of a trap will set off a high-confidence alert. Alerts are high-accuracy and detect attacks unseen by other cyber defense mechanisms.
Alternate technologies spend many CPU resources filtering traffic, trying to match signatures or guess at signatures, or worse yet, run complex black box algorithms to try and cluster behavior against some model or another. In the final analysis, these black box approaches are based on probability. Either the rules are so tight that a target may be missed, or the rules are so loose that so many alerts are produced that they become virtually useless.
That in itself is a major difference!”