What is Deception Tech (DT)?

Deception tech is active-defense security tooling that lures attackers into exposing their position, giving you, the defender, the opportunity to respond proactively rather than reactively. It has become more popular over time, and especially recently, because of the MITRE SHIELD "Active Defense" framework.

What is it not?

If designed and deployed correctly, deception tech is not "another machine to manage". It is also not an opportunity for an attacker to gain a foothold via a machine that was intentionally left vulnerable. Lastly, it is not "hacking back".

Why should you care?

The practice of deceiving an adversary is not new. This concept is as old as warfare itself; we even pay homage to the idea in modern security practice by referring to malware that hides its true intention as a "Trojan Horse". It is a very effective tactic, and for this reason it is one that every organization should consider adding to its security playbook.

History of DT

Cliff Stoll is credited with the first implementation of deception tech in 1986 while working at the Lawrence Berkeley National Lab. Cliff was asked to figure out why there was a discrepancy between the amount of computing time used and the amount of money collected (at the time the computing resource was rented out to remote users). During his investigation, he discovered that the time had been used but not paid for because a contracted KGB hacker was pillaging the lab's data. In 1989 Stoll published his account of this investigation in his first book, "The Cuckoo's Egg".

It took a few years, but by 1998 the idea of DT was gaining momentum, and by this point products like the Deception Toolkit and CyberCop Sting marked the availability of commercial products in the deception market.

By the early 2000s, DT was almost exclusively focused on the deployment of low-interaction honeypots (emulating Windows and Linux endpoints).

Examples of DT

As the 2000s progressed, however, the very definition of DT began to evolve. Various traps (honey tokens) began to see deployment. From "honey users" to "honey credentials", these tokens (you can think of the word token as a placeholder) are different kinds of bait meant to lure and "trap" an attacker.

We are now seeing DT include both the classic definition, a honeypot that emulates a server or workstation, and more modern DT concepts like honey tokens.
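As an added illustration of the honey-credential idea above (example code written for this page, not from the original post or any product), the Python below scans sshd-style authentication log lines for any attempt to use a decoy account; since no legitimate workflow ever logs in as a decoy, a single hit is a high-fidelity alert that exposes the source address. The decoy usernames, hostnames, addresses and log lines are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Decoy accounts that exist only as bait (hypothetical names, constructed for this example).
# No legitimate workflow ever authenticates as them, so any use is a high-fidelity signal.
HONEY_USERS = {"svc_backup_admin", "oracle_dba", "helpdesk_tmp"}

# sshd-style authentication lines (constructed sample, not real log data).
SAMPLE_LOG = """\
Mar 03 09:14:02 fs01 sshd[2211]: Accepted publickey for alice from 10.0.4.15 port 51022 ssh2
Mar 03 09:16:45 fs01 sshd[2230]: Failed password for svc_backup_admin from 10.0.9.77 port 40110 ssh2
Mar 03 09:16:49 fs01 sshd[2230]: Failed password for svc_backup_admin from 10.0.9.77 port 40110 ssh2
Mar 03 09:17:10 fs01 sshd[2241]: Accepted password for oracle_dba from 10.0.9.77 port 40122 ssh2
Mar 03 09:20:03 fs01 sshd[2260]: Failed password for invalid user bob from 10.0.4.15 port 51040 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user ]<user>".
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

@dataclass(frozen=True)
class HoneyAlert:
    ts: str
    host: str
    user: str
    src: str
    result: str  # "Accepted" is the worse case: the decoy credential itself has leaked

def find_honey_token_use(log_text: str, honey_users=HONEY_USERS) -> list[HoneyAlert]:
    """Return one alert per auth event (success or failure) that touches a decoy account."""
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m and m["user"] in honey_users:
            alerts.append(HoneyAlert(m["ts"], m["host"], m["user"], m["src"], m["result"]))
    return alerts

def sources_to_investigate(alerts: list[HoneyAlert]) -> dict[str, int]:
    """Pivot alerts to source addresses: the position the bait exposed, with hit counts."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts

if __name__ == "__main__":
    for a in find_honey_token_use(SAMPLE_LOG):
        print(f"HONEY TOKEN {a.result.upper()} user={a.user} src={a.src} host={a.host} at {a.ts}")
    print(sources_to_investigate(find_honey_token_use(SAMPLE_LOG)))
```

Against the sample, the legitimate logins for alice and the failed guess for bob are ignored, while the three events touching decoy accounts all pivot to one source address, and the accepted login for oracle_dba shows the decoy credential itself has been obtained.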

The next (evolutionary) step might be deploying DT in novel ways, like what we are seeing from Allure Security, which actively hunts the internet for websites that are attempting to deceive your customers and then feeds those websites fake credentials, making any real credentials that are stolen less valuable.