Cyber deception creates environments and data that, by definition, shouldn’t exist, making it an excellent tool for finding attackers and monitoring their behavior without touching the real network. It’s also easily automated and scalable across thousands of endpoints with centralized management. With deception, adversaries must be right 100% of the time to succeed. A single mistake hands the defenders a win.
There are several types of deception technology. The best vendors use a mix of them to confuse and distract adversaries as they try to work out what is real and what is not; the more distractions, the less chance an attacker has to find and exploit a genuine vulnerability. To be most effective, deception should be deployed at the endpoint, network, and application layers.

In espionage, Mata Hari-style spies lure enemy agents with honey traps that steal information or divert them from their real targets. In computer security terms, a honeypot is a fake system that attracts attacks by mimicking a valuable target such as a bank server or a database of customer billing data. These sacrificial systems can be used to learn how cybercriminals operate and to identify vulnerabilities that must be addressed to protect real networks.

There are many types of honeypots, categorized by their level of interaction or by the kind of attacks they are designed to detect. Low-interaction honeypots, for example, collect basic attack data but do not engage attackers for long or generate in-depth information about the threat. They are suitable for identifying and learning about simple threats such as bots and malware, but they should not replace more sophisticated cybersecurity protections. High-interaction honeypots are designed to look like a real computer system, complete with the applications and data that criminals seek. They may include deliberate security weaknesses, such as weak passwords, to make the decoy more attractive to hackers. Once attackers are inside the decoy, they can be tracked and monitored to assess their progress and the methods they use to infiltrate a live network.
In military use, decoys fool enemy forces into believing a force is much stronger than it really is. They include flares against IR-guided missiles, chaff for ICBMs, and sonar and digital decoys that confuse radar systems.
Cybercriminals attacking a corporate network follow a similarly effective playbook: drop a backdoor and move laterally within the environment. Once they reach an asset of value, they deploy additional malware and attempt to exfiltrate data. Detecting the attacker at any point in this kill chain requires a defense-in-depth strategy. To an attacker, decoys deployed on the network or at an endpoint appear to be real systems, files, and applications. This makes it hard for the attacker to recognize an interaction with a decoy and forces them to invest more resources than they would if every system were real. Deception technologies are also attack-vector agnostic: they do not depend on signatures or on error-prone machine-learning models that tend to generate a flood of false positives. This makes them highly effective against the kinds of attacks that have plagued enterprises for years. Whether they are seeking to steal valuable data or to take over the network and extort a ransom, cybercriminals need to be detected. While most security tools rely on signatures and error-prone machine learning, deception can provide high-quality alerts and find the proverbial needle in the haystack, backed by detailed indicators of compromise.
To fool a person face to face, attackers must overcome that person's "spidey sense." Digital communication channels like email make it much easier for adversaries to rely on social engineering tactics, such as posing as an authority figure or claiming to have a time-sensitive opportunity. Social engineering often succeeds because it plays on people's trust, respect, and fear of authority figures, including government agencies, well-known personalities, and other entities commonly recognized in the media. An attacker impersonating a trusted entity can create an immediate sense of urgency that causes a person to bypass their critical thinking.

Once an attacker has infiltrated the target environment, they encounter traps and lures that mimic real technology assets. Any attempt to ping, open, view, or otherwise interact with these decoys triggers an alert that is broadcast to a centralized engagement server. This intelligence is gathered, analyzed, and reported to the security team automatically, without the attacker knowing it. The approach has a much lower false-positive rate than threat detection tools that rely on signatures and error-prone machine-learning algorithms, which reduces attack dwell time and lets security teams detect threats far more reliably. The forensically rich alerts also provide valuable insight into an attacker's techniques, tools, and intent.
Deception technology is a security solution that deploys realistic decoy assets (domains, directories, servers, apps, files, credentials, and breadcrumbs) in a network alongside real ones to lure attackers. When a bad actor interacts with a decoy, it triggers an alert that provides detailed indicators of compromise. This helps security teams quickly and reliably identify threats, including those that evade traditional detection controls or bypass defense-in-depth systems, so that IT can stop attacks in their tracks, decrease dwell time, and speed up incident response.

Deception is a broad and flexible solution that can detect every stage of the attack kill chain, including pre-attack reconnaissance, exploitation, privilege escalation, and lateral movement. It produces few false positives, reducing the risk of alert fatigue, and it provides context around an attacker's intent. Deception also covers the entire attack surface, including Internet of Things devices that legacy security tools typically do not scan.

The most significant benefit of deception technology is that it puts the burden of success on the attacker. Once the defender has populated the network with decoys, attackers must carry out a flawless attack without interacting with a single fake asset, misdirection, or trap. One mistake sends them back to the drawing board. This is a significant change in the power dynamics between attackers and defenders.
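As an added example (not code from this article or from any vendor's product), the alerting step described above and the decoy types listed here reduced to their core: a decoy inventory of credentials, hosts, and files, a parser for a constructed log format, and a detector that raises an alert with indicators whenever any decoy is touched, regardless of whether the attempt succeeded. All names, addresses, and log lines are constructed.

```python
import re
from collections import namedtuple

# Constructed decoy inventory (assumed names). None of these has a legitimate
# use, so any appearance in telemetry is itself an indicator of compromise.
DECOY_CREDENTIALS = {"svc_backup_ro", "db_admin_legacy"}
DECOY_HOSTS = {"10.10.50.7", "fin-db-02"}
DECOY_FILES = {"/srv/finance/Q3_payroll.xlsx"}
# Kill-chain stage implied by the type of decoy that was touched.
STAGE = {"host": "reconnaissance", "credential": "lateral movement", "file": "exfiltration staging"}
Alert = namedtuple("Alert", "ts src kind decoy stage")
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<event>\w+)(?P<rest>.*)$")

def parse_line(line):
    """Parse one constructed log line: '<ts> <src_ip> <event> key=value ...'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kv = dict(t.split("=", 1) for t in m["rest"].split() if "=" in t)
    return {"ts": m["ts"], "src": m["src"], "event": m["event"], **kv}

def match_decoy(ev):
    """Return (kind, decoy) if the event references a decoy asset, else None."""
    if ev.get("user") in DECOY_CREDENTIALS:
        return "credential", ev["user"]
    if ev.get("dst") in DECOY_HOSTS:
        return "host", ev["dst"]
    if ev.get("path") in DECOY_FILES:
        return "file", ev["path"]
    return None

def detect(lines):
    """Signature-free detection: any touch of a decoy is an alert, whether the
    login succeeded or failed and whatever tool produced the traffic."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        hit = match_decoy(ev) if ev else None
        if hit:
            alerts.append(Alert(ev["ts"], ev["src"], hit[0], hit[1], STAGE[hit[0]]))
    return alerts

# Constructed sample telemetry: one benign login, then three decoy touches.
SAMPLE_LOG = [
    "2024-05-01T02:13:07Z 10.10.20.15 auth_login user=alice result=ok",
    "2024-05-01T02:14:11Z 10.10.20.15 net_connect dst=10.10.50.7 port=445",
    "2024-05-01T02:15:40Z 10.10.20.15 auth_login user=svc_backup_ro result=fail",
    "2024-05-01T02:16:02Z 10.10.20.15 file_open path=/srv/finance/Q3_payroll.xlsx",
]
```

Running `detect(SAMPLE_LOG)` yields three alerts from the same source address, one per decoy type, each carrying the inferred kill-chain stage; the benign login produces nothing.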