Deception technologies such as honeypots are becoming increasingly popular with enterprises as the products get more flexible and the tools allow security analysts swamped with incident reports to zero in on cases of actual ongoing infiltration.
According to a report released in August by research firm Technavio, the deception technology market is growing at a compound annual growth rate of 9 percent, and is predicted to reach $1.33 billion by 2020.
The technology includes not only the traditional honeypots but also a new class of multi-layered, distributed endpoint decoys, according to Technavio analyst Amrita Choudhury.
Another research firm, TechSci Research, predicts a market size of $1.7 billion by 2021, with a CAGR of over 10 percent.
According to TechSci analyst Karan Chechi, the biggest growth areas for the technology include the financial services sector, retail, healthcare and government.
No false positives
Current security systems send up a lot of alerts, many of them false positives.
And the move to a new generation of systems based on machine learning isn't helping, said Lawrence Pingree, analyst at Gartner.
"Those kind of algorithms tend to have a lot more false positives than other approaches," he said. "I've sat in front of a SIEM with 5,000 alerts an hour, and I've had to triage that. That's an overwhelming data set."
A deception grid changes this dynamic.
"In a deception system, the alerts you get are very minimal, and any alert you get says that something is awry," he said. "It's an almost zero false positive solution. That's a huge win for security professionals."
He estimated that today's deception grid vendors are seeing between $25 million and $50 million in total annual revenues, and that the amount is growing by the double digits.
"It will be between $80 and $100 million globally in the next year or two," he added.
In addition to the core market for the tools themselves, related managed services are also growing, he added, due to a personnel shortage in the industry.
"You don't have false positives," confirmed Doron Kolton, CEO at TopSpin Security.
And if a company employee does end up at a decoy, that's a red flag.
"He shouldn't be doing that," said Kolton.
That means that an overworked security team, flooded by incident reports that may or may not lead to anything significant, can look at the honey traps first.
"You can use the deception grid in order to prioritize events in the incident stream," he said. "You can look at the other events that were triggered on the same endpoint."
Deception grids can also increase the costs for the attackers, by making them spend time chasing shadows around.
"You can place them in essentially a hall of mirrors," said Gartner's Pingree.
The longer the attacks take, the less money the cybercriminals wind up making, said Shogo Cottrell, security strategist at Hewlett Packard Enterprise.
A deception grid can also trick a hacker into going home with files that, at the end of the day, turn out to be full of useless data.
"It's been made up, or protected with encryption," he said.
Plus, a sticky trap can help an enterprise do a kind of competitive analysis on the enemy, see what targets they are looking for, and what techniques they are using, he added.
Flexible net of deception
A traditional honeypot is a particularly tasty file, database or server, one that just screams out to hackers that its full of delicious proprietary information, credit card numbers, login credentials and other goodies. The attacker finds it, tries to get into it, and alarms go off.
But the honeypot approach never really scaled to the enterprise level, said Gadi Evron, co-founder and CEO at Cymmetria. "It's very limited in what it can do, and when it comes to attackers with more sophisticated attacks, it fails miserably."
Anthony James, CMO at TrapX
The bait also has to be good enough to pass as a realistic target, not a fake prop.
"Attackers are smart enough to realize that something is a honey pot because it's a simulation, it's not real," said Dean Sysman, Cymmetria's co-founder and CTO.
And there have to be enough decoys for the attacker to be able to find them.
"You have to hope that they'll land on one or two fake decoys that sit near the real server," said Anthony James, CMO at TrapX, one of the leading vendors in the space.
The new approach is to cast a wider net, of more subtle traps.
"We want to create a large decoy surface area -- a cyber minefield field," said James.
TrapX, along with several other vendors in this emerging space, uses automation to create phony workstations, servers, databases, even medical devices, point of sale terminals and automatic teller machines.
Then TrapX lays a trail of breadcrumbs that leads them to the decoys. The breadcrumbs are only visible to attackers, who are using backdoor tools or command line interfaces to explore corporate networks.
"The real trick is that the legitimate user never sees these links," James said. "They're never stumbling on a trap and tripping the alarm."
Then the TrapX decoys keep the hacker on the hook, giving the security team time to respond.
For example, there might be a realistic-looking interface that gives a hacker three failed attempts, then lets them in on the fourth try.
"We have templates with fake files and directories that look like a real directory," he said.
And as real network resources change, the deception net can respond.
"The emulations are very agile," he said. "We can spin them up and spin them down, and move them with the network as it moves around. If they want to do it manually they can, or we have tools to automate it."
And here's a bonus pro tip for those setting up deception grids: Don't just stop at making your decoys look like real targets. Make the real targets look like decoys.
"Take an ordinary file server, and manipulate the server banner to advertise itself as a honeypot," said Sean Sullivan, security adviser at Helsinki-based F-Secure, which provides managed services for enterprise looking to outsource their deception grid oversight.
The same trick can be used against malware, he added.
"Malware does not want to run in a virtual machine, because it assumes it is being analyzed by malware researchers," he said. "But you can take a non-VMware machine and give it VMware registry keys and the malware sees those registry keys, thinks its a VMware machine, and kills itself."