Financial services companies are rediscovering a very old, and very effective, defense technique — deception technology, which is far simpler to use than it used to be.
With deception technology, an enterprise sets up a fake set of data (a honeypot) on a separate network. Cybersecurity experts can then detect, track and defend against an attack without real data ever being affected.
“Use of deception through use of honeypot sensors as a detection measure has often been a security practitioner’s dream,” writes Gartner analyst Lawrence Pingree, “yet has been unattainable because the honeypot sensors of the past required too much administration, handholding and maintenance.”
Deception Works Best When It Looks Real
An effective honeypot contains layers and layers of subterfuge: the data has to look real; the server on which it lives has to look real; the webpage on which the faux data resides has to contain spreadsheets and documents that look like they’re being regularly updated; and the apps connected with the data need to look operational.
“In this wave that we’re currently in, a lot of the realness is mostly automated. They’re using analysis technologies, and they use that to camouflage themselves to look like what’s around them. As the real assets to the left and right of it change, it will pick up on those changes and change itself,” says Eric Ahlm, a research director at Gartner. “That’s what’s making it be more broadly adopted.”
According to the most recent International Cyber Benchmark Index from the Neustar International Security Council, 1 in 5 companies are already using some sort of forensic tool to detect attackers, and nearly 1 in 3 are specifically using or would use deception technology to help protect against attackers.
Furthermore, 71 percent of them would “let hackers take the fake or booby-trapped document to gather counterintelligence — rather than shutting down an attack as soon as a bad actor engages with a deceptive file — in an effort to identify the thieves later or reveal information about the location, ownership and possible vulnerabilities of the hackers’ machines,” the report says.
That’s the beauty of a honeypot, Ahlm says; it can provide valuable counterintelligence as the attacker moves through the fake system.
“I want to know my attackers’ modus operandi. I want to know their assets, I want to know what they have of mine and how they’re using it against me. Deception’s a good tool for that. Once I have the elements of what they have, I can go back and see when it’s been used before against me. It’s great intelligence.”
The Best Use Cases for Deception Technology
A white paper by Illusive Networks outlines three potential use cases for deception technology:
- Preventing wire transfer fraud by creating fake SWIFT environments for secure financial messaging that attackers can probe and thus reveal themselves;
- Defending legacy environments (such as the mainframes that support many credit card transactions) that are difficult to secure and monitor;
- Tracking the potential gaps that occur during mergers and acquisitions, when companies consolidate their networks, employees may grow disgruntled, and the IT environment changes rapidly.
The technology works well no matter the size of the financial services company, says Ahlm. Large companies appreciate the intelligence gained from being able to watch how attackers work; smaller companies find deception appealing because it frees IT workers from having to investigate every alert. Basically, if someone’s in the honeypot, they don’t belong on the network.
“There are nearly no false positives. Customers are looking for efficiency,” he adds. “Deception is nifty because it appeals to customers across the spectrum. It’s pretty easy to use, and it’s a good use of your time when it alerts you.”