In the past decade we have seen cybersecurity companies releasing new products under the category of “deception technology.” For industry veterans, these solutions sound a lot like honeypots. Honeypots are in fact an early form of deception technology, back before there was a category name for it.
Honeypots and deception technology appliances share the same principle: deceive a threat actor and lure them into infiltrating what appears to be a production device. This allows the supporting cybersecurity team to study the intruder’s behavior and learn how to better protect against their attack methodologies. While the two have more in common than not, there are distinct differences between them, and it’s important to understand how they differ.
Deploying and maintaining a honeypot is a manually intensive process. A honeypot deploys like any other physical or virtual server, making it time-consuming to implement and manage.
In contrast, a deception technology solution includes some type of controller that deploys and manages a fleet of decoys, otherwise known as honeypots. Hundreds or even thousands of decoys can be deployed with the click of a mouse into designated areas of the network. In most cases, a single decoy template is configured and then used to deploy decoys throughout the network.
Because honeypots are dispersed few and far between across the network, they can only cover a small part of the IT estate, so a threat actor must either be lured into one or accidentally stumble across it. This method relies on a certain amount of luck to be effective and catch an unwanted perpetrator snooping around.
Deception technology solutions can implement decoys at significant scale, creating what can be described as a “hall of mirrors” because there are so many. This can ensure that every site and subnet within your enterprise is monitored for threats. The downside is that the more decoys are deployed, the more false positive alerts they may generate, possibly leading to “alert fatigue.”
Honeypots are often used in specialized circumstances. You might deploy a honeypot to emulate a highly targeted system such as a financial services database to catch a hacker trying to capture user credentials or personal information.
Modernized deception technology solutions, on the other hand, can emulate just about anything, including servers and endpoints running multiple operating systems, network appliances, and IoT devices such as point-of-sale systems and medical devices. You can fire up a fake domain controller, application, desktop device, or file server at will.
Honeypots operate in a decentralized fashion and require cybersecurity personnel to swivel between units.
Decoys are managed through a central appliance or portal, which simplifies the management process. You can have designated alert categories sent to your email or endpoint device, so you do not have to connect to the controller all the time.
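The controller-side pieces described above (one template stamped out across subnets, alerts grouped into categories and routed to a channel) and the alert-fatigue problem from the hall-of-mirrors scale are sketched in this added example. It is not code from the article or any vendor's product; the template shape, category names and routing table are assumptions, and the sample hits are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DecoyTemplate:
    """A single decoy template, stamped out many times (assumed shape, not a vendor schema)."""
    name: str
    service: str
    category: str   # alert category the hits are routed by

@dataclass(frozen=True)
class DecoyHit:
    decoy: str      # decoy instance name
    source_ip: str
    ts: int         # seconds since epoch

def deploy(template, subnets, per_subnet):
    """Stamp one template across subnets; returns {decoy instance name: template}."""
    return {f"{template.name}-{net.replace('/', '_')}-{i}": template
            for net in subnets for i in range(per_subnet)}

def correlate(hits, fleet, window=300):
    """Fold hits on any decoy into one alert per (source, category) within `window` seconds.
    A host sweeping 60 decoys then yields one alert listing 60 decoys, not 60 separate alerts."""
    open_alerts, alerts = {}, []
    for hit in sorted(hits, key=lambda h: h.ts):
        category = fleet[hit.decoy].category
        key = (hit.source_ip, category)
        alert = open_alerts.get(key)
        if alert is None or hit.ts - alert["first_seen"] > window:
            alert = {"source": hit.source_ip, "category": category,
                     "first_seen": hit.ts, "decoys": set(), "hits": 0}
            open_alerts[key] = alert
            alerts.append(alert)
        alert["decoys"].add(hit.decoy)
        alert["hits"] += 1
    return alerts

# Assumed routing table: which alert category reaches which channel; anything else goes to email.
ROUTES = {"credential-theft": "soc-pager"}
def route(alert):
    return ROUTES.get(alert["category"], "soc-email")

# Constructed sample: one template deployed 20x per subnet across 3 subnets = 60 decoys,
# one host touching every decoy within a one-minute sweep, plus a second host hitting one decoy.
TEMPLATE = DecoyTemplate("fin-db", "mssql", "credential-theft")
FLEET = deploy(TEMPLATE, ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"], 20)
SAMPLE_HITS = [DecoyHit(name, "10.9.9.9", 1_700_000_000 + i) for i, name in enumerate(FLEET)]
SAMPLE_HITS.append(DecoyHit(next(iter(FLEET)), "10.4.4.4", 1_700_000_050))

if __name__ == "__main__":
    for a in correlate(SAMPLE_HITS, FLEET):
        print(route(a), a["source"], a["hits"], "hits on", len(a["decoys"]), "decoys")
```

Because a decoy has no legitimate users, any single hit is already worth an alert; the correlation only keeps one noisy scanner from producing sixty of them.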
A typical deception technology vendor provides technical support and consultation at purchase, which makes them an excellent choice for medium-sized organizations lacking the expertise to effectively operate a honeypot. A deception technology controller can also use telemetry data to learn about new types of attacks from deployments across the world.
One can think of deception technology as the next evolutionary step of the honeypot. While this new security solution type has distinct advantages over its predecessor, it’s important to remember that, like honeypots, deception technology is only a piece of the puzzle that makes up an effective cybersecurity strategy.