Product Insights

How Deception is Going to Reshape Endpoint Security

Deception technology at the endpoint constitutes a new way to turn the tables on attackers. Here’s why.

Over the centuries, practitioners of war and politics could find a textbook retelling of the art of deception in the pages of the Iliad.

Homer’s timeless epic recounts how, after 10 years of military stalemate, the Greek host one day disappeared from the shores of Troy without leaving a trace - other than that giant wooden horse.

We all know what happened next.

Over the years attackers have deployed a variety of deceptive tactics to penetrate corporate networks. Recall that hacker Kevin Mitnick even wrote a book chronicling his serial exploits called “The Art of Deception.”

There’s a lesson for security practitioners. If attackers can use deception, why not defenders?

Locked in a years-long war of attrition with malicious hackers, a little trickery, properly employed, can mitigate the damage caused by an endpoint breach and help turn the tables on the bad guys.

Laying the Bait

As the threat landscape continues to develop in new directions, attackers are often able to escape the notice of existing defensive measures. For instance, intruders might gain access to an organization’s network by stealing user credentials or by abusing tools that are already installed on targeted computers. These tactics often don’t rely on loading malware and don’t create new files on the device’s hard disk, so file-based controls have little to inspect. All the more reason for new ways to shut down the attack vectors they are using.

Deception technology at the endpoint constitutes a new way to turn the tables on attackers. Looked at another way, deception picks up where an organization’s other security technologies leave off, providing offensive tactics that can help uncover the presence of an attacker.

Cyber security deception first gathered momentum in the 1990s, when organizations began deploying simple network “honeypots” to confuse malicious hackers. These honeypots were essentially fake lures deployed as counter-weapons. They would present a believable, isolated subnet, complete with phony credentials, databases, web servers and vulnerable systems, that was usually good enough to fool novices, though not sophisticated attackers.

But deception also required a lot of time and expertise to deploy, manage and maintain. What’s more, adding deception to individual endpoints was complicated, especially within large, distributed environments where there were firewalls, proxies, network address translation or virtual private networks.

However, deception is now an integrated capability within the Symantec Endpoint Protection (SEP) family, allowing defenders to detect and identify attackers during the early stages of a breach. This not only offers enhanced visibility into attacker intent, but it also allows organizations to deploy deception at scale. Indeed, Symantec is securing more than 175 million endpoints across the globe. Customers can now work with Symantec to turn on deception and deploy the high-interaction bait that is integrated in the SEP family to improve their attack detection.

This collapses the time it takes to detect attackers from months to a matter of minutes. Deception offers a completely different way to deal with stealthy attacks. The challenge today is that the average time attackers may be on your network before they get detected is so long. You don’t know what they are doing while they carry out reconnaissance of your entire infrastructure or move laterally, mapping out your file structure.

Until now, infiltrators could quietly navigate through a victim’s network as they conducted reconnaissance. Sometimes this could last weeks, or even months. A recent Ponemon Institute report found that the average attacker spends 191 days on a network before being detected.

But SEP gives organizations a way to trick attackers into giving up their locations. Security managers already know where their critical assets are.

They can exploit that knowledge to dupe attackers by leaving fake assets for them to target. The more believable the fake asset, the better its chance of luring an attacker into interacting with it instead of the real resources. These could be fake files, credentials, network shares, cache entries or endpoints that entice attackers to come out into the open. In fact, an administrator can quickly and easily place a large amount of bait across the enterprise to deceive an attacker into revealing themselves.

Because legitimate users have no reason to touch these assets, any engagement with them triggers an alarm that indicates the presence of an attack. At that point, system administrators can swing into action to block the intruder’s progress.
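The detection logic the two paragraphs above describe, as an added example that is not Symantec’s or SEP’s code: a registry of planted decoys (fake credentials, files and a share) and a scan over audit lines that raises an alert whenever one of them is touched, then counts alerts per host so the defender knows where to look. All decoy names, log formats and log lines are constructed for illustration; the exclusion list for backup or antivirus accounts is an assumption about how a real deployment avoids false alarms.

```python
"""Alert on any use of planted decoy assets.

Added example for this post; it is not Symantec's or SEP's code. The post's
point is that bait assets have no legitimate use, so any interaction with one
is a high-confidence indicator. The decoy names, log formats and log lines
below are all constructed for illustration.
"""
import re
from dataclasses import dataclass


def _norm(s: str) -> str:
    """Case-fold paths/names so Windows-style casing differences don't hide a hit."""
    return s.strip().lower()


# Constructed registry of planted bait (assumed names). In practice this list
# lives in the management console or SIEM, not on the endpoint in the clear.
DECOYS = {
    "credential": {_norm(x) for x in ("svc_backup_admin", "finance-share-ro")},
    "file": {_norm(x) for x in (r"C:\Finance\Q4_payroll_FINAL.xlsx",
                                 "/srv/hr/salaries_2023.csv")},
    "share": {_norm(x) for x in (r"\\fs01\it-passwords",)},
}


@dataclass
class Alert:
    kind: str    # credential | file | share
    decoy: str   # which bait was touched
    host: str    # where the touch happened
    actor: str   # account that touched it
    raw: str     # the original log line, for the analyst


# Constructed log formats: a Windows logon event, a file-audit line, an SMB connect.
LOGON_RE = re.compile(r"EventID=4624 .*?TargetUserName=(\S+) .*?Workstation=(\S+)")
FILE_RE = re.compile(r'host=(\S+) user=(\S+) action=(?:open|read|copy) path="([^"]+)"')
SHARE_RE = re.compile(r"host=(\S+) user=(\S+) smb_connect share=(\S+)")


def detect_decoy_access(lines, ignore_actors=frozenset()):
    """Return an Alert for every line that touches a registered decoy.

    ignore_actors: accounts allowed to touch decoys (e.g. a backup or AV
    scanner that legitimately reads every file); without such exclusions
    decoys produce false alarms on the first full scan.
    """
    alerts = []
    for line in lines:
        if m := LOGON_RE.search(line):
            user, host = m.groups()
            if _norm(user) in DECOYS["credential"]:
                alerts.append(Alert("credential", user, host, user, line))
        elif m := FILE_RE.search(line):
            host, user, path = m.groups()
            if _norm(path) in DECOYS["file"] and user not in ignore_actors:
                alerts.append(Alert("file", path, host, user, line))
        elif m := SHARE_RE.search(line):
            host, user, share = m.groups()
            if _norm(share) in DECOYS["share"] and user not in ignore_actors:
                alerts.append(Alert("share", share, host, user, line))
    return alerts


def hosts_to_investigate(alerts):
    """Count alerts per host: the 'location' the post says deception reveals."""
    counts = {}
    for a in alerts:
        counts[a.host] = counts.get(a.host, 0) + 1
    return counts


# Constructed sample: one benign user, one account touching three decoys.
SAMPLE_LOGS = [
    "EventID=4624 LogonType=3 TargetUserName=alice Workstation=WS-101",
    r'host=WS-101 user=alice action=open path="C:\Finance\Q4_budget.xlsx"',
    r'host=WS-117 user=bob action=read path="c:\finance\q4_payroll_final.xlsx"',
    "EventID=4624 LogonType=3 TargetUserName=svc_backup_admin Workstation=WS-117",
    r"host=WS-117 user=bob smb_connect share=\\fs01\it-passwords",
]

if __name__ == "__main__":
    found = detect_decoy_access(SAMPLE_LOGS)
    for a in found:
        print(f"DECOY {a.kind}: {a.decoy} touched by {a.actor} on {a.host}")
    print(hosts_to_investigate(found))
```

Run as-is, the scan flags the decoy file read, the logon with the bait account and the connection to the bait share, all on WS-117, while the benign activity on WS-101 produces nothing. Because decoys are only worth what their silence is worth, keep the exclusion list short and specific; a broad allowlist turns a near-zero-false-positive signal back into noise.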

The challenge until now has always been making deception easy for customers to deploy, given the expertise it required. Previously, only very highly skilled customers and nation states used deception technologies. We’ve solved that challenge, and now we’re going to bring this capability to the masses.

For more information about deception technology, see the Symantec white paper on the topic, as well as the product page for Symantec Endpoint Protection 14, where you can learn more about our offerings.

About the Author

Naveen Palavalli

Director of Product Marketing & GTM Strategy

Naveen Palavalli heads up product marketing and GTM strategy for endpoint security, email security and advanced threat protection product lines focusing on enterprise and SMB markets at Symantec.
