Deception Technology Gains Some Traction in India
Security Practitioners Weigh In On the Benefits of Using the Technology
As India's CISOs grapple with the challenge of improving the accuracy and speed of breach detection, some pioneers are beginning to use deception technology to track the movements of intruders.
Several banks, including HDFC, ICICI and Kotak, are using deception technology, especially when it comes to protecting their SWIFT servers, safeguarding their ATMs and protecting their card holder details, according to sources who did not wish to be identified.
Deception technology has evolved from honeypots to more sophisticated systems that can track intruders' movements. The technology has been commercialized over the last few years as a separate product line, and Gartner expects that about 10 percent of companies that sell IT products and services will add deception technology to their product lines in 2018.
"Deception technology can form the proverbial last line of defense when all other prevention technologies have been bypassed," says Felix Mohan, CEO at CISO Cybersecurity, an advisory firm. "Secondly, the accuracy of [newer] detection technologies is far greater than [older] detection technologies. For one, the false positives are a lot less."
Some security experts predict that more critical information infrastructure owners in India will deploy deception technology this year.
So what makes today's deception technologies better than earlier generations?
"Earlier, it was about creating honeypots and luring more attackers into that. However, these solutions were network-centric and did not concentrate much on endpoints," says Sapan Talwar, CEO at Aristi Ninja, a digital security company. Plus, he contends that the earlier version of deception technology was more detectable than the current, more sophisticated versions of the technology.
"Today's deception technology is more focused on Active Directory, where it can create a perceived AD environment," he says. "This allows it to capture each and every step an attacker is taking in real time."
Another advantage of newer deception technology is that it helps detect the lateral movement of hackers and intruders long before an attack takes place.
"With the right set of tools, technologies and skill sets of people monitoring such technologies, one would know when the intruder gets into the restricted parts of the network," says C.N. Shashidhar, founder of SecurIT Consultancy. "It can be a relatively low-cost but effective method to discover breaches at an early stage and take countermeasures."
A CISO of an Indian financial institution, who asked not to be named, says there are areas where deception technology excels, which compelled him to deploy it in his organization.
"It can be particularly useful to get instant forensics when an attack is taking place, which helps in addressing the threat," the CISO says. "Moreover, by providing almost zero false positives, it helps eliminate the associated noise from an attribution and administrator's perspective."
Deception technology can also act as a deterrent. "Advanced attackers tend to be very particular about not being exposed," Mohan says. "So if they get an inkling that in a particular network deception technology is deployed, it automatically puts them on the slow mode. So therefore, we are slowing down attacks."
The technology also aids in developing internal threat intelligence because when an attacker engages with a decoy, the organization can study the intruder's activity. "This can be passed on to platforms like SIEMs for taking a response action," Mohan says.
Sahir Hidayatullah, CEO at Smokescreen, a security company, offers a real-world example of deception technology in action.
"We plugged in deception technology in a large bank, which had put every possible security measure in place," he says. "However, within a day we got hit by multiple ATMs which were infected. When they dug through their SIEM, it was found that this activity was buried under other incidents. It was lost in the noise so there was no visibility." But when these ATMs were trying to infect other decoy systems, it was easily identifiable, he adds.
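The two points above, that any interaction with a decoy is a high-fidelity signal and that a single source touching several decoys (as the infected ATMs did) indicates lateral movement, can be turned into SIEM-ready alerts. This is an added example, not code from the article or from any vendor it mentions; the decoy addresses, log format and alert fields are constructed for illustration, and it assumes decoys receive no legitimate traffic.

```python
# Added example (not from the article): turn decoy interactions into
# SIEM alerts. Premise: no legitimate host should ever touch a decoy, so
# every hit is an alert, and one source hitting two or more distinct
# decoys is treated as scanning / lateral movement.
# Decoy addresses, names and the log format are constructed.
from collections import defaultdict
from dataclasses import dataclass

DECOYS = {  # constructed decoy IP -> decoy name (mirrors the assets the article names)
    "10.0.5.20": "decoy-ad-fileshare",
    "10.0.5.21": "decoy-atm-switch",
    "10.0.5.22": "decoy-swift-gw",
}

@dataclass(frozen=True)
class DecoyEvent:
    ts: str
    src: str
    dst: str
    dport: int

def parse_events(lines):
    """Parse constructed 'ts src dst dport' lines; skip blanks and comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        events.append(DecoyEvent(ts, src, dst, int(dport)))
    return events

def build_alerts(events):
    """One alert per source: 'high' for one decoy, 'critical' for two or more."""
    touched = defaultdict(set)
    first_seen = {}
    for ev in events:
        if ev.dst not in DECOYS:  # traffic to real hosts is not a decoy signal
            continue
        touched[ev.src].add(DECOYS[ev.dst])
        first_seen.setdefault(ev.src, ev.ts)
    alerts = []
    for src, decoys in touched.items():
        severity = "critical" if len(decoys) >= 2 else "high"
        alerts.append({"src": src, "decoys": sorted(decoys), "severity": severity,
                       "first_seen": first_seen[src], "rule": "decoy-interaction"})
    return sorted(alerts, key=lambda a: a["src"])

def to_siem_line(alert):
    """Render an alert as one key=value line for SIEM ingestion (constructed format)."""
    return " ".join(f"{k}={','.join(v) if isinstance(v, list) else v}" for k, v in alert.items())

SAMPLE_LOG = """
# constructed sample: ts src dst dport
2018-03-01T10:00:01Z 10.0.9.14 10.0.5.20 445
2018-03-01T10:00:03Z 10.0.9.14 10.0.5.21 445
2018-03-01T10:00:05Z 10.0.9.14 10.0.7.8 445
2018-03-01T10:02:11Z 10.0.3.7 10.0.5.22 443
"""
```

Running `build_alerts(parse_events(SAMPLE_LOG.splitlines()))` yields a critical alert for 10.0.9.14 (two decoys touched) and a high alert for 10.0.3.7; the connection to the non-decoy 10.0.7.8 is ignored, which is exactly the noise the decoys cut out.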
Jagdeep Singh, CISO at Rakuten India, an e-commerce firm, says the success of deception technology depends on how it's implemented and how the organization responds to alerts.
"It is unreasonable to say attackers will never get to know they are being deceived," Singh says. However, since deception makes things slower for attackers, organizations can buy time to fix their defenses, he says.
"So the effectiveness of an organization's incident response is of the utmost importance for the success of such technologies."
Among the challenges in implementing deception technologies is making sure the decoys used look authentic. "If this isn't authentic, decoys can be fingerprinted. Having said that, it's not easy to make something look authentic," Mohan says. "Also, decoys need to be changing in time to match what's happening in the network."
Then there is the challenge of leading the attacker to the decoy.
"While you have decoys in your networks, the question is how many of them can you deploy? So you would have limited decoys at certain points in your network," Mohan says. "But the networks of organizations have scaled to different dimensions. So now we have to put decoys in IoT devices, cloud and containers."
And because decoys are connected to platforms, including SIEMs, some security practitioners fear that under certain circumstances, the attackers could work their way through from a compromised decoy into these platforms.
A Long Way to Go
Although some pioneering banks and other institutions in India have implemented deception technology, the rollout is still in its early stages.
"There is a lack of proper understanding and clarity about threat deception. A lot more education has to come through," Singh says.
"Also, organizations are still working with the resources they have to strengthen their basic defenses. This leaves little scope to push the executives with the business case for deception, as there is a strong feeling that resources should be invested in prevention. So deception technologies come at the end of the priority list."