Tis the season to make predictions for 2024, so here’s one of mine: Deception technology will become more pervasive in 2024 and become a security operations staple by the end of 2025.
Now, there are two common counterpoints I often hear from deception technology skeptics. First, many cybersecurity pros say they’ve heard this prediction before, and it hasn’t panned out. Others claim that deception technology is constrained to the elite of the elite organizations. In fact, many dismiss it as something reserved for threat analysts working at GCHQ, NSA, or threat intelligence specialists like CrowdStrike, Mandiant, and Recorded Future. The term “science project” often comes up.
Deception technology trends
Alas, these are legitimate points, but I firmly believe that several cybersecurity and general IT trends are converging into a perfect storm bound to greatly simplify deception technology, bring it to the mainstream. These trends include:
- Security data lake deployment: Enterprises are implementing massive security data repositories from AWS, Google, IBM, and Snowflake. Deception technologies will continuously analyze this data to better understand normal and anomalous behavior. This data will serve as a baseline for deception models.
- Cloud computing: Deception models will require oodles of resources for on-demand processing and storage capacity. It’s likely that deception technologies will be offered as SaaS or a cloud-based services that sits on top of existing security operations technologies. In this way, deception technology will come to the masses.
- API connectivity: Aside from security data lakes, deception technology will plug into IaaS, asset management systems (or what Gartner calls cyber asset attack surface management), vulnerability management systems, attack surface management systems, cloud security posture management (CSPM), etc. This connectivity allows deception systems to get a full picture of an organization’s hybrid IT applications and infrastructure.
- Generative AI: Based on large language models (LLMs), generative AI can “generate” authentic looking decoys (i.e., fake assets), lures (i.e., fake services), synthetic network traffic, and breadcrumbs (i.e., fake resources placed on real assets). These deception elements can be deployed strategically and automatically across a hybrid network in great volumes.
How deception technology might work in the future
These trends provide the technical foundation for advanced deception technologies. Here’s a synopsis of how the system might work:
- The deception system plugs into multiple IT scanning/posture management tools to “learn” everything it can about the environment – assets (including OT and IoT assets), IP ranges, network topologies, users, access controls, normal/anomalous behavior, etc. Advanced cyber-ranges can do some of this already. Deception systems build upon this synthetic environment.
- Based on an organization’s location and industry, the deception system will analyze and synthesize cyber-threat intelligence looking for specific adversary groups, threat campaigns, and adversary tactics, techniques, and procedures (TTPs) that typically target such firms. Deception systems will be anchored by various MITRE ATT&CK frameworks (cloud, enterprise, mobile, ICS, etc.) to obtain a granular perspective on adversary TTPs. The deception elements are meant to confuse/fool them at every step of a cyberattack.
- The deception system will then examine the organization’s security defenses – firewall rules, endpoint security controls, IAM systems, cloud security settings, detection rules, etc. It can then use the MITRE ATT&CK navigator to discover coverage gaps. These gaps are perfect landing spots for deception elements.
- Generative AI models take in all this data to create customized breadcrumbs, decoys, lures, and canary tokens. An organization with 10,000 assets under management will instantly look like a telco, with hundreds of thousands or even millions of applications, data elements, devices, identities, and so on – all intended to draw in and confuse adversaries.
It’s worth mentioning that all scanning, data collection, processing, and analysis will be continuous to keep up with changes to the hybrid IT environment, security defenses, and the threat landscape. When organizations implement a new SaaS service, deploy a production application, or make changes to their infrastructure, the deception engine notes these changes and adjusts its deception techniques accordingly.
Unlike traditional honeypots, burgeoning deception technologies won’t require cutting-edge knowledge or complex setup. While some advanced organizations may customize their deception networks, many firms will opt for default settings. In most cases, basic configurations will sufficiently confound adversaries. Remember, too, that deception elements like decoys and lures remain invisible to legitimate users. Therefore, when someone goes poking at a breadcrumb or canary token, you are guaranteed that they are up to no good. In this way, deception technology can also help organizations improve security operations around threat detection and response.
Some final thoughts:
- Deception technology is especially appealing within industries like healthcare and manufacturing that use a lot of OT/IoT technologies incapable of hosting a security agent. By emulating OT/IoT devices, they can cloche real production devices.
- Deception technology will work hand-in-hand with detection engineering. In fact, I can see how generative AI could create deception elements AND companion detection rules simultaneously.
- I mentioned the MITRE ATT&CK framework as part of the model. Deception technology will also lean on MITRE Engage, a framework and community for cyber-deception. It’s likely that vendors and MITRE will end up working together on Engage and commercial implementation.
- While each organization will have their own deception profile, I can imagine industry organizations like ISACs getting involved to fine-tune models and improve protection industrywide.
If I were a younger man, I’d drive to Boston, grab some money from local VCs, and hire a bunch of MIT students to build a modern deception system myself. I predict some similar independent efforts but ultimately, deception technology will piggyback on top of other security operations systems. Fortinet and Zscaler are already pursuing this approach, I expect others to follow suit.