It is often stated that “defenders need to be right 100% of the time while attackers only need to be right once.” Although this statement isn’t technically true, it does articulate the problem defenders face: mistakes rarely hurt attackers, but they can cripple defenders. It’s time to turn that paradigm on its head. All it takes for defenders to take back the advantage is for the attacker to touch one deceptive resource. With deception, the attackers now need to be right 100% of the time to avoid detection, while the defenders must be right only once. Deception technologies let organizations build better detection at every “layer” and give them better insight into attacks being executed in their environment—all while limiting the damage the attacker can do. To be truly effective, however, deception is not something you can simply throw on your network in an afternoon. Particularly with commercial solutions, the technology itself is fairly simple, but it must be implemented with a designed intent.
For this to happen, organizations must:
- Understand their goals and objectives when it comes to deception
- Understand their current technological infrastructure
- Understand attacker techniques, tactics and methods
- Design their deception solution by incorporating the identified goals, technology and attacker tactics
- Implement and test the solution
- Review and update the solution on a regular basis to address new considerations, constraints, goals and tactics
Download the complete SANS analyst guide and learn how deception technologies can significantly improve an organization’s ability to swiftly and accurately detect attackers, while at the same time collecting sufficient threat intelligence and attack attribution information to improve response effectiveness.
Kyle Dickinson teaches SANS SEC545: Cloud Security Architecture and Operations and has contributed to the creation of other SANS courses. He is a cloud security architect for one of the largest privately held companies in the United States. As a strategic consultant in his organization, Kyle partners with businesses in various industries to better understand security and risks associated with cloud services. He has held many roles in IT, ranging from systems administration to network engineering and from endpoint architecture to incident response and forensic analysis. Kyle enjoys sharing information from his experiences of successes and failures.