Deception Technology: What is it?
Deception technology, also known as cyber deception, is one of the newer techniques in cybersecurity. As the name suggests, it tries to trick, or deceive, an adversary during a cyber-attack.
Taking a holistic approach to cybersecurity, deception technology is just one of many assets that should be used in tandem in the fight against cyber-crime. While other defense technologies, such as firewalls, can generate a significant number of alerts, including false positives, deception technology is known for issuing reliable alerts. Because any interaction with a deceptive asset is by definition unauthorized, the number of these alerts is low but their accuracy is high, which helps reduce alert fatigue.
Deception technology works by tricking an attacker into going after decoy resources or traps within a system. Consistent naming that matches the organization's real assets is important to creating realistic decoys that attract an attacker and fool them into thinking they have penetrated the system.
Why is deception technology important?
A key element of deception technology is a notification system that is configured to record the attacker’s movements once they have been detected. This can provide valuable insight into what information the attacker is after and the methods they use.
Interacting with a decoy also alerts IT, which should treat these high-probability alerts as an ongoing attack. Early intervention, along with the data recorded on the attacker’s movements, methods, and tools, gives the security team the information it needs to shut the attack down quickly.
Having decoys and traps set throughout the network gives the attacker a limited view of the actual infrastructure. Decoys can also reduce the attacker’s dwell time on the network: IT can step in and shut the attack down, or the attacker, on realizing they have triggered decoy assets, may end the attack early or be discouraged from trying again.
One of the most important features of deception technology is the ability to learn from it after an attack has occurred. Because any ping, view, or other action against a decoy is “unauthorized” and triggers the alert-and-record feature, IT teams can use the recorded information to update security controls based on the attacker's actions. This information can also be used for training and simulations that security teams can study to better defend the network from future attacks.
Another benefit of deception technology is the detection of lateral movement through a network and of privilege escalation. By detecting anomalous behavior and initiating alert-and-record automation, companies can arm themselves with tools to try to prevent a breach like the 2020 SolarWinds cyberattack, which left as many as 18,000 customers vulnerable to hackers. US agencies — including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury — were attacked. So were private companies, like Microsoft, Cisco, Intel, and Deloitte, and other organizations like the California Department of State Hospitals and Kent State University, the Wall Street Journal reported.
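The alert-and-record behavior described above, as an added example that is not part of the original post or HALOCK's tooling: a small Python detector that treats any event touching a decoy host or decoy account as unauthorized, raises a high-confidence alert, and keeps a per-source trail so that movement between decoy hosts and a privilege change on a decoy are flagged as lateral movement and privilege escalation. All hostnames, account names, IPs and log lines are constructed for the example.

```python
"""Added example (not HALOCK's code): a minimal decoy-interaction detector.
Any event touching a decoy host or decoy account is unauthorized by definition,
so it raises an alert and is recorded per source for later replay.
Hostnames, accounts, IPs and log lines are all constructed."""
import re
from collections import defaultdict
# Decoy inventory, known only to the security team (constructed values).
DECOY_HOSTS = {"fin-db-07", "hr-files-02"}
DECOY_ACCOUNTS = {"svc_backup_adm", "fin-reports"}
# Constructed log format: "<ts> <host> <event> user=<u> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")
def parse(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_decoy_touch(ev):
    """Every interaction with a decoy is unauthorized, whatever the event."""
    return ev["host"] in DECOY_HOSTS or ev["user"] in DECOY_ACCOUNTS

def analyze(lines):
    """Return (alerts, trails): one alert per decoy touch, plus each source's
    ordered trail of decoy events for later review and training."""
    alerts, trails = [], defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None or not is_decoy_touch(ev):
            continue  # malformed line or legitimate traffic: no alert
        trail = trails[ev["src"]]
        trail.append((ev["ts"], ev["host"], ev["event"], ev["user"]))
        # A privilege change on a decoy is an escalation attempt; a second
        # decoy host reached from the same source is lateral movement.
        kind = "decoy-access"
        if ev["event"] == "priv-escalation":
            kind = "privilege-escalation"
        elif len({h for _, h, _, _ in trail}) > 1:
            kind = "lateral-movement"
        alerts.append({"src": ev["src"], "kind": kind, "ts": ev["ts"], "host": ev["host"]})
    return alerts, dict(trails)

SAMPLE_LOG = [  # constructed events; the first is ordinary user activity
    "2024-03-02T10:01:05Z web-01 login-ok user=jsmith src=10.0.0.5",
    "2024-03-02T10:02:11Z fin-db-07 login-ok user=svc_backup_adm src=10.0.0.77",
    "2024-03-02T10:02:40Z fin-db-07 priv-escalation user=svc_backup_adm src=10.0.0.77",
    "2024-03-02T10:03:15Z hr-files-02 login-ok user=svc_backup_adm src=10.0.0.77",
    "2024-03-02T10:04:00Z web-01 login-ok user=fin-reports src=10.0.0.9",
]
def run_sample():
    return analyze(SAMPLE_LOG)
```

The last sample line shows why decoy accounts matter as much as decoy hosts: a decoy credential used against a real server still produces an alert.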
Isn’t deception technology just another term for a honeypot?
Honeypots and deception technology are sometimes referred to synonymously and can be used together; however, they are not the same thing. As defined by Fortinet,
“A classic honeypot is a single asset, such as a large database of fake usernames, passwords, and other credentials. The idea behind honeypots is to have the intruder, after gaining unauthorized access to the network, follow a trail of breadcrumbs from the point of entry to the honeypot. Once the attacker accesses the honeypot, IT is alerted, and the honeypot is rendered inactive.”
While you can certainly use lures and breadcrumbs in today’s deception technology, doing so increases the likelihood of false alerts from users unknowingly following the lures and breadcrumbs while searching for legitimate resources. IT personnel should be the only people who know which assets in the network are decoys, so that the decoys protect against internal as well as external threats.
Figure 1: How Deception Technology Works (Source: ForeSite)
A honeypot in today’s cyber environment is one aspect of deception technology rather than a standalone service. Honeypots were designed to lure attackers at the network edge so that they would go after the honeypot instead of other assets. When networks were smaller and had fewer entry points, the likelihood of an attacker finding a honeypot and being deceived by it was fairly high. Through technological advances, including the expansion of networks into public clouds, networks now have a much larger attack surface. Coupled with the fact that cybercrime advances as quickly as (if not more quickly than) cybersecurity, most advanced attackers today would not be fooled by a honeypot alone. However, by using honeypots along with decoys and traps, the chance that an attacker exposes themselves by engaging with one of these “fake assets” becomes high.
Why your organization should consider utilizing deception technology
Here are four reasons why your organization should consider using deception technology:
- With a lower occurrence of false-positive alerts and early breach detection, deception technology allows IT teams to engage attackers quickly. Some of the attacks that deception technology can detect are account hijacking, lateral movement, and Internet-of-Things (IoT) attacks.
- When an attacker interacts with a decoy, their actions are recorded and monitored. This gives your security team the upper hand: the ability to learn from the attack and improve their security efforts.
- AI/ML allow deception technology to detect attackers early; each movement choice the attacker makes within the network reveals their path from the point of entry to the asset they are trying to reach. It also allows for dynamic adjustment of the environment based on those actions.
- Scaling deception technology is relatively easy and less expensive than other security technologies. Decoys can be used repeatedly, and it is easy to generate fake data such as login credentials or account numbers. You can also reuse the automation features of other security components for deception technology.
Conclusion
With Gartner predicting that “Through 2025, 30% of critical infrastructure organizations will experience a security breach that will result in the halting of an operations- or mission-critical cyber-physical system”, having a robust security program that includes deception technology in place can help your company avoid becoming another statistic.
SCHEDULE YOUR FULL HALOCK SECURITY BRIEFING