Tis the season to make predictions for 2024, so here’s one of mine: Deception technology will become more widespread in 2024 and become a staple of security operations by the end of 2025.
Now, there are two common counterpoints I often hear from deception tech skeptics. First, many cybersecurity professionals say they’ve heard this prediction before, and it hasn’t panned out. Others argue that deception technology is limited to the elite of elite organizations. Indeed, many dismiss it as something reserved for threat analysts working at GCHQ, the NSA or threat intelligence specialists such as CrowdStrike, Mandiant and Recorded Future. The term “science project” comes up often.
Deception technology trends
Alas, these are legitimate points, but I firmly believe that several cybersecurity and general IT trends are converging into a perfect storm that is bound to greatly simplify deception technology and bring it into the mainstream. These trends include:
- Security data lake implementation: Enterprises are deploying massive security data stores from AWS, Google, IBM and Snowflake. Deception technologies will continuously analyze this data to better understand normal and abnormal behavior. This data will serve as a baseline for deception models.
- Cloud: Deception models will require lots of resources for on-demand processing and storage capacity. It is likely that deception technologies will be offered as SaaS or a cloud-based service that sits on top of existing security operations technologies. In this way, deception technology will come to the masses.
- API connection: Apart from security data lakes, deception technology will connect to IaaS, asset management systems (or what Gartner calls cyber asset attack surface management, CAASM), vulnerability management systems, attack surface management systems, cloud security posture management (CSPM), etc. This connection allows deception systems to get a complete picture of an organization’s hybrid IT applications and infrastructure.
- Generative AI: Based on large language models (LLMs), generative AI can “generate” authentic-looking decoys (i.e., fake assets), lures (i.e., fake services), synthetic network traffic, and breadcrumbs (i.e., fake resources placed on real assets). These deception elements can be deployed strategically and automatically across a hybrid network in large volumes.
How deception technology might work in the future
These trends form the technical basis for advanced deception technologies. Here’s an overview of how the system might work:
- The deception system connects to multiple IT scanning/posture management tools to “learn” everything it can about the environment – assets (including OT and IoT assets), IP ranges, network topologies, users, access control, normal/abnormal behavior, etc. Advanced CAASM tools can already do some of this. Deception systems build on this synthesized view of the environment.
- Based on an organization’s location and industry, the deception system will analyze and synthesize cyber threat intelligence, looking for specific adversary groups, threat campaigns, and adversary tactics, techniques and procedures (TTPs) that typically target such firms. Deception systems will be anchored by the various MITRE ATT&CK frameworks (cloud, enterprise, mobile, ICS, etc.) to achieve a detailed perspective on adversary TTPs. The deception elements are meant to confuse/fool adversaries at every step of a cyber attack.
- The deception system will then examine the organization’s security defenses – firewall rules, endpoint security controls, IAM systems, cloud security settings, logging rules, etc. It can then use the MITRE ATT&CK Navigator to detect coverage gaps. These holes are perfect landing spots for deception elements.
- Generative AI models take all this data to create customized breadcrumbs, decoys, lures and canary tokens. An organization with 10,000 assets under management will instantly look like a telco, with hundreds of thousands or even millions of applications, data elements, devices, identities, and so on, all designed to draw in and confuse adversaries.
It is worth mentioning that all scanning, data collection, processing and analysis will take place continuously to keep pace with changes in the hybrid IT environment, security defenses and the threat landscape. When organizations deploy a new SaaS service, deploy a production application, or make changes to their infrastructure, the deception engine notes these changes and adjusts its deception techniques accordingly.
Unlike traditional honeypots, emerging deception technologies will not require cutting-edge knowledge or complex setup. While some advanced organizations can customize their deception networks, many firms will opt for default settings. In most cases, basic configurations will sufficiently confuse adversaries. Also, keep in mind that deception elements such as decoys and lures remain invisible to legitimate users. Therefore, when someone goes and pokes a breadcrumb or canary token, you are guaranteed that they are up to no good. In this way, deception technology can also help organizations improve security operations around threat detection and response.
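The three steps above (find ATT&CK coverage gaps, place breadcrumbs there, treat any touch of a breadcrumb as a high-fidelity alert) can be illustrated in a few dozen lines. The following is an added example written for this article, not code from any deception product or from the author: it computes coverage gaps as a set difference over technique IDs, mints fake service-account names whose suffix is an HMAC tag so the engine can later recognise its own canaries without a lookup, and then scans a handful of constructed sshd log lines, alerting only when a verified canary name is used. The secret key, the technique IDs, the placement paths and the log lines are all constructed for the example.

```python
"""Canary breadcrumbs: find coverage gaps, mint verifiable decoy names, detect their use."""
import hashlib
import hmac
import re
import secrets

# Assumption: a per-deployment secret known only to the deception engine.
# Constructed for this example; a real deployment would load it from a secret store.
DECEPTION_KEY = b"constructed-demo-key-change-me"


def coverage_gaps(relevant_ttps, covered_ttps):
    """Techniques threat intel says matter for this firm but no control covers.

    These are the 'landing spots' where breadcrumbs get placed.
    """
    return sorted(set(relevant_ttps) - set(covered_ttps))


def _tag(nonce):
    """Short HMAC of the nonce; binds the name to our key so it cannot be guessed or forged."""
    return hmac.new(DECEPTION_KEY, nonce.encode(), hashlib.sha256).hexdigest()[:8]


def make_canary_username(nonce=None):
    """Fake service-account name of the form svc-<nonce>-<tag>."""
    nonce = nonce or secrets.token_hex(4)
    return f"svc-{nonce}-{_tag(nonce)}"


def is_canary_username(name):
    """True only if the name carries a tag that verifies under our key (no registry needed)."""
    m = re.fullmatch(r"svc-([0-9a-f]{8})-([0-9a-f]{8})", name)
    return bool(m) and hmac.compare_digest(m.group(2), _tag(m.group(1)))


def plan_breadcrumbs(gaps, nonces):
    """Map each uncovered technique to one canary name and a (constructed) placement path."""
    registry = {}
    for technique, nonce in zip(gaps, nonces):
        name = make_canary_username(nonce)
        registry[name] = {
            "technique": technique,
            "placement": f"/opt/app/conf/{technique.lower()}-credentials.ini",  # constructed path
        }
    return registry


# Matches the user and source of sshd password-auth events; other lines are ignored.
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?:Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def detect_canary_use(log_lines, registry):
    """Any authentication attempt with a verified canary name is a high-fidelity alert."""
    alerts = []
    for line in log_lines:
        m = AUTH_LINE.match(line)
        if not m or not is_canary_username(m.group("user")):
            continue
        ctx = registry.get(m.group("user"), {})
        alerts.append({
            "ts": m.group("ts"),
            "user": m.group("user"),
            "src": m.group("src"),
            "technique": ctx.get("technique", "unknown"),
            "placement": ctx.get("placement", "unknown"),
        })
    return alerts


# Constructed inputs: technique IDs from threat intel, controls already in place, sample logs.
RELEVANT_TTPS = ["T1078", "T1021", "T1003"]
COVERED_TTPS = ["T1078"]
CANARY_NONCES = ["0a1b2c3d", "1e2f3a4b"]
SAMPLE_LOG = [
    "2024-01-15T10:01:03Z sshd[2210]: Accepted password for alice from 10.0.1.20 port 51022 ssh2",
    f"2024-01-15T10:02:11Z sshd[2231]: Failed password for invalid user "
    f"{make_canary_username('0a1b2c3d')} from 10.0.5.7 port 40112 ssh2",
    "2024-01-15T10:02:40Z sshd[2235]: Failed password for invalid user "
    "svc-0a1b2c3d-00000000 from 10.0.5.7 port 40113 ssh2",  # lookalike with a bad tag: no alert
    "2024-01-15T10:03:00Z cron[2240]: (root) CMD (run-parts /etc/cron.hourly)",
]


def demo_alerts():
    """Run the whole pipeline over the constructed inputs and return the alerts."""
    registry = plan_breadcrumbs(coverage_gaps(RELEVANT_TTPS, COVERED_TTPS), CANARY_NONCES)
    return detect_canary_use(SAMPLE_LOG, registry)


if __name__ == "__main__":
    for alert in demo_alerts():
        print(alert)
```

The legitimate login by `alice` and the lookalike name with a forged tag produce nothing; only the real canary fires, and the alert carries the technique and placement the engine chose when it planted it, which is what a responder needs to know where the intruder is standing in the kill chain.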