How to Move from Honeynets to “Deception Networks”

7 points

7 years ago

This is a follow up article to Dr. Stephenson's introduction of the Deception Network a next generation security stack that lets you alert on potential malicious activity while protecting your enterprise and capturing forensic evidence at the same time.

https://mixmode.ai/blog/sc-magazine-beefing-up-your-next-generation-security-tool-set

He describes a Deception Network as the following:

"The idea behind a deception network is to allow the malcode’s emergent process to continue, monitor, analyze forensically and document it, while doing all of this without endangering the production network of the target. There are several ways to do that and each one has its proponents.

The oldest method is the honeypot or collections of honeypots called honeynets. These rather primitive tools lure the attacker into something that looks like a real network and then analyze the attacker’s behavior. The problem here is that most attackers have mechanisms to detect the presence of honeynets and avoid them.

Another method is to embed the deception network in the production network and lure the attacker into the deception network by making it indistinguishable from the production network while protecting the production network should the attack find his way in.

The third method is to overlay the deception network on the production network such that the attacker believes he is in a legitimate device – and, in a sense he is – and allow the attacker to attempt compromise with the deception network collecting data about the attack and guiding the attacker away from the production system into a safe /dev/nul environment."

(https://www.scmagazine.com/home/security-news/malware/next-generation-tools-deception-networks/)