The use of deception as a weapon has been around since the dawn of warfare, and certainly since Sun Tzu helped to define it in about 500 BC in his famous book The Art of War. In terms of modern cybersecurity, deception has also always been an option, though it was a bit clumsy when used to trick attackers into expending time and resources against bogus network assets. The original device deployed as bait in a deception defense was the honeypot, a single server or client machine loaded with seemingly tempting information like fake credit card numbers that admins hoped hackers would bite on, leaving real assets alone.
Named after the pot in which the children's book character Winnie the Pooh famously got his head stuck, network honeypots have a fundamental weakness: they are an extremely passive defense, relying on attackers to somehow find them and prefer them over actual production systems. The other problem with honeypots is that unless they are closely monitored by defense teams ready to react quickly to attacks, they do little more than buy a little time.
Because honeypots generally have no interaction with real network assets, there is no activity trail for attackers to follow. By contrast, authorized users interacting with actual resources leave a large trail of activity behind in areas like browser histories and log files. Smart attackers know how to find and follow those trails back to actual assets … and ignore honeypots.
In fact, attackers must find those trails left behind by authorized users in order to move undetected through a network. Even if they use a phishing attack or similar technique to compromise a lone endpoint, they are still blind to the topology of the overall network. The old technique of running a port scan to locate nearby assets will be flagged almost immediately by even the most modest of defenses. Instead, they must search their compromised local asset to figure out where to go next and how to blend in with real traffic…
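To show why a port scan is so easy to flag, here is a minimal detector run over connection-log lines. This is an added example, not code from the original article or from any product it describes; the log format (ISO timestamp, source, destination, destination port, action), the 60-second window and the threshold of ten distinct ports are assumptions chosen for illustration, and the log lines are constructed. The same rule, expressed in a SIEM's query language, is what a modest defense typically runs.

```python
"""Minimal port-scan detector over connection-log lines.

Added example, not code from the original article. The log format,
window length and port threshold are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding time window per (src, dst) pair
PORT_THRESHOLD = 10              # distinct ports within WINDOW that count as a scan

# Constructed sample log: one host talking to a file server on a few ports over
# several minutes, one host walking twelve ports on a single target in twelve
# seconds, and one malformed line that the parser must skip.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 10.0.0.20 445 ALLOW
2024-03-01T10:00:30 10.0.0.5 10.0.0.20 443 ALLOW
2024-03-01T10:01:10 10.0.0.5 10.0.0.20 80 ALLOW
2024-03-01T10:02:05 10.0.0.5 10.0.0.20 53 ALLOW
2024-03-01T10:03:00 10.0.0.7 10.0.0.21 21 DENY
2024-03-01T10:03:01 10.0.0.7 10.0.0.21 22 ALLOW
2024-03-01T10:03:02 10.0.0.7 10.0.0.21 23 DENY
2024-03-01T10:03:03 10.0.0.7 10.0.0.21 25 DENY
2024-03-01T10:03:04 10.0.0.7 10.0.0.21 80 ALLOW
2024-03-01T10:03:05 10.0.0.7 10.0.0.21 110 DENY
2024-03-01T10:03:06 10.0.0.7 10.0.0.21 135 DENY
2024-03-01T10:03:07 10.0.0.7 10.0.0.21 139 DENY
2024-03-01T10:03:08 10.0.0.7 10.0.0.21 443 ALLOW
2024-03-01T10:03:09 10.0.0.7 10.0.0.21 445 DENY
2024-03-01T10:03:10 10.0.0.7 10.0.0.21 3389 DENY
2024-03-01T10:03:11 10.0.0.7 10.0.0.21 8080 DENY
this line is malformed and is skipped
"""


def parse_line(line):
    """Parse 'ISO-timestamp src dst dport action' into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                "dport": int(dport), "action": action}
    except ValueError:
        return None


def detect_port_scans(lines, window=WINDOW, threshold=PORT_THRESHOLD):
    """Return one alert per (src, dst) pair that touched at least `threshold`
    distinct destination ports within any span of length `window`.

    Events are sorted by time, then kept per pair in a sliding window from
    which old events are evicted. Denied connections count too: a scanner's
    probes mostly fail, and those failures are the signal.
    """
    parsed = [ev for ev in map(parse_line, lines) if ev is not None]
    parsed.sort(key=lambda ev: ev["ts"])

    recent = defaultdict(list)  # (src, dst) -> [(ts, dport), ...] inside the window
    alerts = {}
    for ev in parsed:
        key = (ev["src"], ev["dst"])
        bucket = recent[key]
        bucket.append((ev["ts"], ev["dport"]))
        while ev["ts"] - bucket[0][0] > window:   # evict events older than the window
            bucket.pop(0)
        ports = {p for _, p in bucket}
        if len(ports) >= threshold:
            alert = alerts.setdefault(key, {
                "src": ev["src"], "dst": ev["dst"], "distinct_ports": 0,
                "first_seen": bucket[0][0], "last_seen": ev["ts"]})
            alert["distinct_ports"] = max(alert["distinct_ports"], len(ports))
            alert["last_seen"] = ev["ts"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"port scan: {alert['src']} -> {alert['dst']} "
              f"({alert['distinct_ports']} ports, "
              f"{alert['first_seen'].time()} to {alert['last_seen'].time()})")
```

The legitimate host touches four ports spread over two minutes and never trips the rule; the scanning host crosses the threshold on its tenth probe, eleven seconds after it started. The window and threshold are the knobs to tune against your own baseline, since a busy monitoring server can legitimately touch many ports on many hosts; a per-pair rule like this one is the simplest form, and the same aggregation keyed on source alone catches sweeps across many targets.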