Cybercrime is expected to cost $6 trillion globally by 2021—twice what it cost in 2015—according to the “2016 Cybercrime Report” from Herjavec Group.[1] A Cybersecurity Ventures report for Q1 2017 further predicts that global spending to thwart cybercrime will exceed $1 trillion annually between 2017 and 2021.[2] That’s not chump change. And those cost estimates might be low, considering that individual PCs are no longer the primary target for cybercriminals as they turn more and more of their attention to smart cars, the power grid, and enterprise data centers.

What is a corporate enterprise to do? Everything possible, that’s what, including embracing the emerging technology of cyber deception. Cyber deception is an added layer in a company’s cybersecurity arsenal, not a replacement for the existing ones. Current deception technologies take over once an attacker has already gained access to the network, that is, once firewalls, anti-malware, and intrusion detection and prevention have failed, and ideally before there is anything to recover from: the point is to spot and mislead the intruder while he is still inside and before he reaches anything real.

Think of a house. A burglar breaks in. Once inside, he sees a room full of jewels and fine artwork. He thinks he’s hit the jackpot. Little does he know, though, that he’s not in the real house, but in a fake room. Also, his entrance has been detected, his strategy recorded, his identity is possibly being researched, and, oh yeah, those jewels are all cheap costume jewelry and the paintings all forgeries—and bad ones at that. Not only does he get away with nothing of value, but his entry could lead to his capture.

That’s one of the ways cyber deception works: fooling prospective cybercriminals into thinking they’ve successfully infiltrated the network, when, in fact, they’ve only infiltrated a decoy with nothing real to steal, and one that has been recording their every move. Other cyber deception tactics, known as network threat deception, fool the attacker into thinking a network is either a less desirable target or better protected than it actually is, so that he abandons the attack before it begins.

Show Me the Honey—the History of Cyber Deception

Threat deception, or cyber deception, isn’t new. It’s been around for a few decades. The earliest form was the honeypot: a server or other system with no production role that lured attackers away from the real systems by appearing to be an easy target. Because no legitimate user had any reason to touch it, every connection to it was suspicious by definition, and the honeypot logged or traced each attempt. The information gathered could then be used to thwart future attacks and potentially catch the attacker. Honeypots were more about detection than deception. Deception proper aims instead to make the attacker think his attack has succeeded when it actually hasn’t, much like our burglary analogy, or to persuade him not to attack at all. Think back to our burglar. He skips the house he was originally going to rob because the door is locked and there’s a “protected by X security company” sign out front. There’s also a bright street light. He moves on to the next street and leaves the original house untouched.

The Evolving Cyber Deception Landscape

Just as the technology of computing continues to evolve, so too does cyber deception. Gartner published its “Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities” report in July 2015 and updated it in September 2016.[3] In the report, Gartner notes that the honeypot lives on, but has evolved into distributed decoy systems that “include use of both emulated/virtualized and real endpoint decoy systems, as well as network services, protocols, applications or fake data elements.” Gartner advocates four layers or styles of deception (network, endpoint, application, and data) and lists 15 deception providers that cover one or more of them.

From Honeypot to Tar Pitting

Sandvine is one network threat deception provider not listed in Gartner’s report. It recently came to our attention at Prowess Consulting through our work on the Intel Builders Program. The Sandvine Network Security product is targeted at communications service providers and offers all four of Gartner’s styles of deception. Its QuickSand feature, with SandScript capabilities, deceives attackers with:

  1. Tar pitting, which fools the attacker into thinking an attack is progressing when it’s not. The decoy keeps the connection open and answers as slowly as it can, so the attacker’s tools spend their time waiting on a target that will never yield.
  2. Dynamic vulnerability masking, which uses SandScript to make servers that are running outdated software appear to be running current, patched versions. An attacker scanning for a known-vulnerable version sees nothing to exploit and moves on.
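
To make these mechanisms concrete, here is an added example in Python that is not part of the original post and is not Sandvine’s QuickSand or SandScript (which are proprietary and not shown here). It is a small decoy TCP service that does three things described on this page: it logs every connection attempt the way the honeypots of the history section did, it presents a masked banner so an outdated service looks current (the vulnerability-masking idea from item 2), and it drips that banner out one byte at a time (the tar pit from item 1). The banner table, the version strings, the ports and the delays are all assumptions made for illustration; `probe()` plays the part of the attacker’s tool so the whole exchange can be run on one machine.

```python
"""Decoy TCP service: log every connection, mask the banner, tar-pit the reply.
Added example for this post, not Sandvine's QuickSand/SandScript (proprietary, not
shown) nor any vendor's code; banners, ports and delays are illustrative assumptions."""

import socket
import threading
import time
from datetime import datetime, timezone

# Constructed mapping: real (outdated) banner on the left, the current-looking
# banner shown to attackers on the right.  Versions are placeholders only.
BANNER_MASKS = {
    b"SSH-2.0-OpenSSH_5.3": b"SSH-2.0-OpenSSH_9.6",
    b"220 mail.example.test ESMTP Postfix 2.3": b"220 mail.example.test ESMTP Postfix 3.8",
}

def mask_banner(real_banner: bytes) -> bytes:
    """Banner to present, without line ending.  Unknown banners pass through
    unchanged (fail open to the truth); a deployment should log that gap."""
    bare = real_banner.rstrip(b"\r\n")
    return BANNER_MASKS.get(bare, bare)

class DecoyService:
    """Records every connection, drips a masked banner out one byte at a time,
    then captures the first bytes the client sends."""

    def __init__(self, real_banner: bytes, host="127.0.0.1", port=0, drip_delay=1.0):
        self.real_banner = real_banner
        self.drip_delay = drip_delay          # seconds between banner bytes
        self.events = []                      # in-memory log; ship to a SIEM in practice
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))         # port 0: let the OS pick a free port
        self._sock.listen(16)
        self._sock.settimeout(0.2)            # lets serve_forever notice stop()
        self.port = self._sock.getsockname()[1]

    def start(self) -> None:
        threading.Thread(target=self.serve_forever, daemon=True).start()

    def serve_forever(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:                   # listening socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn: socket.socket, addr) -> None:
        banner = mask_banner(self.real_banner)
        event = {"ts": datetime.now(timezone.utc).isoformat(), "src": f"{addr[0]}:{addr[1]}",
                 "banner_sent": banner.decode("ascii", "replace"), "client_data": ""}
        chunks = []
        try:
            conn.settimeout(5.0)
            # Tar pit: a tool waiting for the greeting line is held for about
            # len(banner) * drip_delay seconds per connection.
            for i in range(len(banner)):
                conn.sendall(banner[i:i + 1])
                time.sleep(self.drip_delay)
            conn.sendall(b"\r\n")
            # What the client sends next (probe, exploit attempt) is the evidence
            # a honeypot exists to collect; cap it at 256 bytes.
            while sum(map(len, chunks)) < 256:
                data = conn.recv(256 - sum(map(len, chunks)))
                if not data:
                    break
                chunks.append(data)
        except OSError:
            pass                              # timeout or client gone; keep the record
        finally:
            event["client_data"] = b"".join(chunks).decode("latin-1")
            self.events.append(event)         # log before close, so a client that sees
            conn.close()                      # EOF can rely on the entry existing

    def stop(self) -> None:
        self._stop.set()
        self._sock.close()

def probe(host: str, port: int, payload: bytes = b"probe\r\n") -> bytes:
    """Play the attacker's tool: read the banner line, send a payload, wait for
    the decoy to close.  Returns the banner without its line ending."""
    with socket.create_connection((host, port), timeout=30) as s:
        line = b""
        while not line.endswith(b"\n"):
            byte = s.recv(1)
            if not byte:
                break
            line += byte
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        while s.recv(1024):                   # drain until the decoy closes
            pass
    return line.rstrip(b"\r\n")

if __name__ == "__main__":
    svc = DecoyService(b"SSH-2.0-OpenSSH_5.3")
    svc.start()
    print(f"decoy on 127.0.0.1:{svc.port}; or connect with: nc 127.0.0.1 {svc.port}")
    print("banner seen by a probe:", probe("127.0.0.1", svc.port))
    print("logged:", svc.events)
    svc.stop()
```

Run it and point `nc` at the printed port to watch the fake OpenSSH banner arrive one character per second; the `events` list is what a real deployment would forward to a SIEM, and the fact that the source is talking to a host with no production role is the alert. Two caveats a practitioner would add: a swapped banner is only as convincing as the rest of the service’s behaviour, since a scanner that fingerprints protocol quirks rather than version strings will see through it; and a tar pit costs the defender a socket and a thread for every connection it holds, so cap concurrency before an attacker turns the pit into a denial of service against the decoy itself.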

Other deception technologies rely on decoys that, much like honeypots, appear identical to production systems and force attackers to reveal themselves the moment they touch one. Some decoys or deception servers simply lure attackers in and away from legitimate network or data-center resources. Others lure attackers in, trap the attack, and analyze it. These methods often include the ability to self-heal by destroying a compromised VM and replacing it with a fresh, clean one. Either a full operating system (a high-interaction decoy) or an emulated operating system and the services it runs (a low-interaction decoy) can be used to engage an attacker. The full OS is more convincing and captures more, but it must be isolated from production, because a real system the attacker controls is also a real system he can pivot from.

Machine Learning and the Future of Cyber Deception

It’s hard to think about cyber deception without thinking about the role machine learning might play, and providers are already thinking about it. At the 2017 RSA Conference, illusive networks, a cybersecurity company based in Israel, announced a platform that uses machine learning to identify likely attack paths and generate deception tactics in real time.

The tactics and technologies of cyber deception will continue to evolve and be refined. No doubt cyber criminals will adapt, and the dance of cybercrime, prevention, and deception will continue.



[1] CSO. “Top 5 cybersecurity facts, figures, and statistics for 2017.” December 2016.

[2] Cybersecurity Ventures. “Cybersecurity Market Report.” 2017.

[3] Gartner. “Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities.” September 2016.
