SAN FRANCISCO -- Deception defense is not particularly novel, given that network honeypots have been around almost as long as the internet, but as more infrastructure moves to the cloud, an active deception defense for cloud environments takes the old approach to new heights.
Active deception defense is a key feature of Fidelis Deception, part of the Elevate platform, which Fidelis Cybersecurity, an automated detection and response provider based in Bethesda, Md., announced this week at the 2018 RSA Conference. Adapting the honeypot approach with some twists for the cloud, Fidelis uses active decoys to lure attackers away from enterprise resources by spreading "breadcrumbs": crafted files placed on endpoints that appear to point to file servers or other network services, but whose IP addresses actually lead intruders to decoy systems that divert and distract them while defenders respond to the intrusion.
Tim Roddy, vice president of cybersecurity product strategy for Fidelis Cybersecurity, said that, while the new feature may seem like just another old-fashioned honeypot, the new cloud decoys "are the next generation beyond that, and that's why we call it 'active deception.'" While a decoy appears to sit behind an IP address that looks like a file server, a SharePoint server, some other asset or even an end user, it is actually a sort of active honeypot.
The difference, Roddy explained, is that, while "honeypots usually just sit there, hoping someone stumbles upon them," the Fidelis decoys "do things that will help lead the intruder to them. For example, we'll put breadcrumbs for the asset, which are basically small files on endpoints that might have the IP address in a web browser cache as if the user had visited it. Because, when they're mapping out your network, they're going to go look at endpoints and see what do people have cached? What are the URLs? What are the IP addresses?"
The idea is that, when intruders first enter a network, they will attempt to see what systems they can access; placing the decoy IP addresses in endpoint system cache files means that the intruder believes that they are valid systems. At the same time, legitimate users won't be affected at all.
"Any other average user is not going to do that, because they're not in there looking at it, so that helps make this more intelligent and a more active way of handling decoys in order to get them to be noticed by the intruder without doing it glaringly obviously," Roddy said.
"The decoy will interact with the intruder, so if it's a file system, for example, it will give a response back that you would expect from that type of device, to keep them involved and go back and forth. If an intruder sees a file system, they're going to want to do a directory lookup … so it will mimic that type of thing to keep them busy and distract them."
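The defensive value of breadcrumb decoys comes from a simple invariant: the decoy addresses are advertised only through planted files, so legitimate users never connect to them and a single connection is enough to alert on. The following added example (not Fidelis code; the decoy inventory, log format and addresses are constructed for illustration) shows that detection logic run over sample flow-log lines, and groups hits by source host so that one endpoint touching several decoys stands out as network mapping rather than a stray misconfiguration.

```python
"""Alert on any traffic that reaches a deception decoy.

Hypothetical example: decoy addresses are only ever advertised through
breadcrumbs on endpoints, so any flow whose destination is a decoy is
treated as an intrusion indicator with no further tuning.
"""
from dataclasses import dataclass
from ipaddress import ip_address
import re

# Constructed decoy inventory (placeholder addresses, not real infrastructure):
# decoy IP -> the asset type the decoy impersonates.
DECOYS = {
    "10.20.30.40": "fileserver",
    "10.20.30.41": "sharepoint",
    "10.20.30.42": "workstation",
}

# Constructed flow-log sample in a simple "ts src dst dport proto" layout.
# The fourth line is deliberately malformed to exercise the parser.
SAMPLE_FLOWS = """\
2018-04-17T10:01:02Z 10.20.1.15 10.20.5.7 445 tcp
2018-04-17T10:01:09Z 10.20.1.15 10.20.30.40 445 tcp
2018-04-17T10:01:10Z 10.20.1.15 10.20.30.40 139 tcp
this line is not a flow record
2018-04-17T10:02:30Z 10.20.1.22 10.20.5.9 443 tcp
2018-04-17T10:03:11Z 10.20.1.15 10.20.30.41 443 tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    decoy: str
    role: str
    dport: int


def parse_flow(line):
    """Return a dict for a well-formed flow line, or None for anything else."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        # Reject records whose addresses are not valid IPs.
        ip_address(rec["src"])
        ip_address(rec["dst"])
    except ValueError:
        return None
    rec["dport"] = int(rec["dport"])
    return rec


def find_decoy_hits(lines, decoys=DECOYS):
    """Every flow whose destination is a decoy becomes an Alert."""
    alerts = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        role = decoys.get(rec["dst"])
        if role is None:
            continue  # ordinary traffic to a real asset
        alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], role, rec["dport"]))
    return alerts


def suspects(alerts):
    """Group decoy hits by source host; a host touching several decoys is
    behaving like an intruder mapping the network."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, set()).add(a.decoy)
    return {src: sorted(decoys) for src, decoys in by_src.items()}


if __name__ == "__main__":
    hits = find_decoy_hits(SAMPLE_FLOWS.splitlines())
    for a in hits:
        print(f"{a.ts} {a.src} -> decoy {a.decoy} ({a.role}) port {a.dport}")
    print("suspect hosts:", suspects(hits))
```

In practice the decoy inventory would be loaded from the deception platform's own asset list, and the flow source would be the real network sensor, but the alert logic stays this short precisely because a decoy has no legitimate clients.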
The cloud market may be ripe for active deception. "Deception is relatively newly adopted, and we think it's only maybe 5% or 10% of the market has adopted deception in their networks," Roddy said, while noting that the new active deception feature adds "to the toolkit that security practitioners have to protect and identify when they've had a compromise and determine that fact faster, before the breach actually happens."