Deception Technologies: Deceiving the Attacker or the Buyer?
Deception technologies have come into vogue over the last three-ish years, with more than a dozen commercial vendors and close to a hundred open source products available to choose from. Solutions range from local host canary file monitoring through to autonomous, self-replicating and dynamic copies of the defender's network operating like an endless hall of mirrors.
The technologies employed for deception purposes are increasingly broad – but the ultimate goal is for an attacker to be deceived into tripping over or touching a specially deposited file, user account, or networked service and, in doing so, sounding an alarm so that the defenders can start to… umm… well…, often it’s not clear what the defender is supposed to do. And that’s part of the problem with the deception approach to defense.
I’m interested in, but deeply cautious about, the claims of deception technology vendors, and so should you be. It’s incredibly difficult to justify their expense and understand their overall value when incorporated into a defense-in-depth strategy.
There have been many times over the last couple of decades I have recommended to my clients and businesses a quick and dirty canary solution. For example, adding unique user accounts that appear at the start and end of your LDAP, Active Directory, or email contacts list – such that if anyone ever emails those addresses, you know you’ve been compromised. And similar canary files or shares for detecting the presence of worm outbreaks. But, and I must stress the “but”, those solutions only apply to organizations that have not invested in the basics of network hygiene and defense in depth.
Honeypots, Honeynets, canaries, and deception products are HIGHLY prone to false positives. Vendors love to say otherwise, but the practical reality is that there’s a near-infinite number of everyday things that’ll set them off – in whole or in part. For example:
- Regular vulnerability scanning,
- Data backups and file recovery,
- System patching and updates,
- Changes in firewall or VPN policies,
- Curious employees,
- Anti-virus scanners and suite updates,
- On-premise enterprise search systems,
- Cloud file repository configuration changes and synchronization,
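
The false-positive problem described above, as an added example that is not from the original post: a triage pass over canary-file touches that separates routine automation from touches worth a look. The paths, account names, hosts and event format are all constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed decoy files (assumption: planted on a shared file server).
CANARY_PATHS = {
    "/srv/share/finance/aaa_passwords.xlsx",
    "/srv/share/hr/zzz_payroll.docx",
}

# Assumed allowlist of routine automation, bound to (account, source host)
# so that a service account used from an unexpected host is still flagged.
EXPECTED = {
    ("svc_backup", "bkp01"),     # data backups
    ("svc_av", "av01"),          # anti-virus scans
    ("svc_search", "idx01"),     # enterprise search indexing
    ("svc_vulnscan", "scan01"),  # vulnerability scanning
}

# Constructed sample events: time, source host, account, path touched.
SAMPLE_EVENTS = """time,host,account,path
2017-12-01T01:00:04,bkp01,svc_backup,/srv/share/finance/aaa_passwords.xlsx
2017-12-01T02:15:40,idx01,svc_search,/srv/share/hr/zzz_payroll.docx
2017-12-01T09:31:12,ws117,jsmith,/srv/share/finance/q4_forecast.xlsx
2017-12-01T09:31:55,ws117,jsmith,/srv/share/finance/AAA_passwords.xlsx
2017-12-01T11:02:09,ws042,svc_backup,/srv/share/hr/zzz_payroll.docx
2017-12-01T13:45:00,av01,svc_av,/srv/share/finance/aaa_passwords.xlsx
"""


def triage(log_text):
    """Return (event, verdict) for every touch of a canary path."""
    results = []
    for ev in csv.DictReader(io.StringIO(log_text)):
        if ev["path"].strip().lower() not in CANARY_PATHS:
            continue  # not a decoy, nothing to report
        known = (ev["account"], ev["host"]) in EXPECTED
        results.append((ev, "expected" if known else "investigate"))
    return results


def verdict_counts(results):
    """Count how many canary touches fall under each verdict."""
    return Counter(verdict for _, verdict in results)


if __name__ == "__main__":
    for ev, verdict in triage(SAMPLE_EVENTS):
        print(verdict, ev["time"], ev["host"], ev["account"], ev["path"])
```
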
*** This is a Security Bloggers Network syndicated blog from Technicalinfo.net Blog authored by Gunter Ollmann. Read the original post at: http://technicalinfodotnet.blogspot.com/2017/12/deception-technologies-deceiving.html