Today, almost all organizations have a defense grid of firewalls, IDS/IPS, and SIEMs. This baseline grid will soon include advanced cyber deception elements as well.
A Gartner research study predicts that by 2018, 10% of enterprises will use cyber deception tools and tactics – and actively participate in deception operations against attackers. As we see it, there are several good reasons why this prediction will come true.
Leveraging attacker behavior
We believe that this prediction is based on the current capabilities and future potential of cyber deception; when defenders focus on the attackers themselves and not just their tools, the defense plan becomes as dynamic as the attackers, finally giving defenders the upper hand.
Modern cyber deception tactics allow defenders to increase the opponent’s operational risk and the price of failure. Once deception elements are placed throughout the organization, attackers need to be on guard with every step they take. They must carefully calculate whether the trail they are following, and the target they are moving toward, are at all real – or a carefully conceived trap designed to ensnare them.
Even well-funded organized crime and state actors often have budget and time considerations. Cyber deception can significantly slow down an attacker, and can help ensure that intercepted advanced malware cannot be used again because it has been identified and fingerprinted.
Another advantage that cyber deception gives companies is ease of mitigation. Advanced attackers use more and more methods to cover their tracks, making mitigation and forensic investigation much more complicated. They do so to keep their malware usable for as long as possible: even if it is detected on one network, it can remain active on other targets. Cyber deception tactics can give the defender a complete picture of the attack process: tool samples, lateral movement paths, and more. This large amount of data could be shared between industries, in order to evolve defense grids faster than before.
In the future, organizations themselves will take part in deception operations, with the goal of catching attackers and preventing them from carrying out further attacks. For example, consider state-generated APTs: many of these target several industries and use the same malware. If just one company catches the attacker, the entire operation's tools and tactics will be exposed.