Deception using Distributed Threat Detection

What is claimed is: 1 . A method by an enforcement point, the enforcement point communicatively coupled to a first data network and a second data network, the enforcement point not providing services in the second data network, the method comprising: receiving, from a first workload in the second data network, a data packet addressed to a second workload in the second data network, the data packet requesting a service from the second workload; determining the data packet is for unauthorized access of the second workload, the determining using at least some of a 5-tuple of the data packet; identifying a deception point using the service, the deception point being in the first data network and including a decoy for the service; and redirecting the data packet to the deception point in the first data network, the deception point: getting the data packet; emulating an application providing the service; producing a response to the data packet using the emulating and the data packet; and providing the response to the first workload such that the response appears to originate from the second workload. 2 . The method of claim 1 , wherein the deception point is at least one of a bare-metal server and virtual machine. 3 . The method of claim 1 , wherein the deception point further performs a method comprising: getting an image for an application; creating an instance of the application in a container using the image, the creating including: producing the container using the image; allocating a filesystem of a host operating system to the container; adding a read-write layer to the image; and launching a process specified by the image; and monitoring behavior from the processing, the monitoring including intercepting library calls, function calls, messages, and events from the container. 4 . The method of claim 1 , wherein the redirecting includes using a tunnel to forward the data packet to the deception point. 5 . The method of claim 1 , wherein the determining includes comparing the at least some of the 5-tuple of the data packet to a low-level rule set. 6 . The method of claim 5 , wherein the low-level rule set is produced using a high-level policy. 7 . The method of claim 1 , wherein the determining comprises analyzing the data packet using predefined attack signatures. 8 . The method of claim 1 , wherein the providing the response to the first workload includes sending the response through the enforcement point. 9 . The method of claim 1 , wherein the providing the response to the first workload includes using network address translation to send the response. 10 . The method of claim 1 , wherein the first data network and the second data network are in the same logical subnetwork and in different physical networks. 11 . An enforcement point, the enforcement point communicatively coupled to a first data network and a second data network, the enforcement point not providing services in the second data network, the enforcement point comprising: at least one hardware processor; and a memory coupled to the least one hardware processor, the memory storing instructions executable by the least one hardware processor to perform a method comprising: receiving, from a first workload in the second data network, a data packet addressed to a second workload in the second data network, the data packet requesting a service from the second workload; determining the data packet is for unauthorized access of the second workload, the determining using at least some of a 5-tuple of the data packet; identifying a deception point using the service, the deception point being in the first data network and including a decoy for the service; and redirecting the data packet to the deception point in the first data network, the deception point: getting the data packet; emulating an application providing the service; producing a response to the data packet using the emulating and the data packet; and providing the response to the first workload such that the response appears to originate from the second workload. 12 . The enforcement point of claim 11 , wherein the deception point is at least one of a bare-metal server and virtual machine. 13 . The enforcement point of claim 11 , wherein the deception point further performs a method comprising: getting an image for an application; creating an instance of the application in a container using the image, the creating including: producing the container using the image; allocating a filesystem of a host operating system to the container; adding a read-write layer to the image; and launching a process specified by the image; and monitoring behavior from the processing, the monitoring including intercepting library calls, function calls, messages, and events from the container. 14 . The enforcement point of claim 11 , wherein the redirecting includes using a tunnel to forward the data packet to the deception point. 15 . The enforcement point of claim 11 , wherein the determining includes comparing the at least some of the 5-tuple of the data packet to a low-level rule set. 16 . The enforcement point of claim 15 , wherein the low-level rule set is produced using a high-level security policy. 17 . The enforcement point of claim 11 , wherein the determining comprises analyzing the data packet using predefined attack signatures. 18 . The enforcement point of claim 11 , wherein the providing the response to the first workload includes sending the response through the enforcement point. 19 . The enforcement point of claim 11 , wherein the providing the response to the first workload includes using network address translation to send the response. 20 . The enforcement point of claim 11 , wherein the first data network and the second data network are in the same logical subnetwork and in different physical networks.