What is Deception Technology?
It is a cybersecurity defense practice that aims to deceive attackers by distributing a collection of 'traps' and 'decoys' across a company's IT infrastructure to imitate genuine assets.
The advent of Deception Technology can be attributed to the stark realization of the fact that your network-perimeter would eventually be breached, sooner than later. If it is to happen with a very high probability, then why not to misguide the intruders?
From this perspective, modern Deception technology is a powerful strategy to attract cyber-criminals AWAY from your enterprise's true assets, and divert them to a 'decoy' or 'trap.' The decoy can effectively mimic your legitimate servers, applications, and even data, so that the criminals are tricked into believing that they have infiltrated and gained access to your enterprise's most important assets when in reality they have not.
If an intruder triggers any decoy or trap as laid out by you, then your server will log this event and you can monitor the attack-vectors utilized by threat-actors, throughout the duration of their engagement with your decoy or trap.
This is a good strategy if you intend to minimize damage and protect your company's true assets.
Honeypots Vs Deception Technology
A honeypot, in the classic sense, is usually a single asset, such as a large database of fake usernames (or customers), passwords, and other credentials. The basic idea behind honeypots was that if an intruder had somehow gained 'unauthorized' access and breached your network, you would want him to follow a trail of breadcrumbs leading to the honeypot. Once the attacker accessed the honeypot you had set up, your Security Team would be alerted immediately, and you would then render the honeypot inactive.
The original approach to deception started a long time ago, in the form of 'Sandboxing.' Then came 'Honeypots,' but unfortunately honeypots are no longer very effective at distracting attackers, and thus at protecting your company's true assets.
My contention is that honeypots are the precursor to the new generation of 'multi-faceted' and advanced Deception Technology.
Given the scale and complexity of modern cyber-attacks, honeypots (which are usually a single security product by themselves) may not be enough to attract and engage a determined, sophisticated attacker. On the contrary, an attacker can very soon find out that he is chasing a trail to a honeypot, and quickly change tracks to find your company's real assets.
Honeypots are no longer able to answer the most urgent questions: who is in my network, why is he there, where does he come from, where does he want to go, and above all, how long has he been here? This is where Deception Technology comes into play.
That's why modern 'Deception Technology' is FAR MORE EFFECTIVE in protecting your company's true assets. This set of technologies not only diverts an attacker's attention to false assets, it also studies the attacker's strategies, tactics, techniques and procedures (TTPs), and behaviors. This is crucial, as it allows you to strengthen your enterprise's defenses for next time. Deception Technology also provides you with enough data to make your IT security stronger, something that was not available with old 'honeypots.'
Why is Deception Technology so important?
Deception Technology reduces the average time an attacker spends in your network. This happens either because you discovered the attack as it was happening and stopped the attacker in his tracks before he succeeded in reaching any asset of true importance, or because the attacker realized that he or she was being misled toward false assets by you. The attacker may leave quickly as a result.
As such, deception technology decreases the attacker's dwell time on the network.
You are probably aware that the average time to detect a breach is, in general, in the hundreds of days. But the appropriate deployment of Deception Technology can drastically reduce your average time to detect and remediate the threats your company is facing.
You will be able to treat any cyber-attack on your 'decoy' assets as a special "Mission." It allows you to concentrate your efforts on studying the behavior and movement of the attacker. You would have the ability to observe and study the real-world tools used by cyber criminals.
You would move very quickly every time you detect that unauthorized access has been made or unusual behavior has been observed on the decoy assets.
If you have gathered enough experience in the information security domain, then you already know that security teams everywhere face severe 'Alert Fatigue.' Everyone is plagued with thousands of 'False' security alerts on a daily basis. Deception Technology reduces the incidence of false positives. The technology is known for issuing reliable alerts because any engagement with a deceptive asset is by definition "unauthorized."
The alerts raised by your Deception Technology, by contrast, are genuine alerts. These true alerts are raised only when attacker(s) have breached your network perimeter and are about to interact with your decoy assets.
Upon attacker interaction with a deceptive asset, your security team will receive a high fidelity, engagement-based alert with 'intelligence' gathered about the attack. By gaining insight into the attacker’s tools, methods and intent, you will have the necessary knowledge to shut down the attack, strengthen overall defense strategies and level the playing field with your opponent.
Additional alerts from this technology will help you understand the malicious behavior and then track the activities of the attacker.
If your Deception Technology is really convincing (including the server and its associated applications and data), then you want the attacker to engage with it for as LONG as possible. Why?
Because the longer the mock attack goes on, the more data you can pull out of it. Studying the entry point and subsequent behaviors of cyber-attackers yields valuable information for your IT security analysts. They can analyze attacker activity and glean key data that you can use to reinforce your network and better protect your enterprise from future attacks.
You can scale and automate Deception Technology at will. Scaling it requires relatively little cost and effort. You can use and re-use your decoy server, and it is easy to generate fake data, such as non-existent account numbers and passwords. Any automation tools used for other components of the cybersecurity suite can also be used for deception technology.
Deception Technology integrates well with your existing hardware and software. It can be used with both legacy systems and newer Internet-of-Things (IoT) installations at your company.
How Can You Obtain Deception Technology?
Deception technology is currently available as:
Advanced deception platforms use machine learning for fast and accurate deployment and operations without disrupting other network functions.
Some good Deception Technologies are offered by security vendors, including:
Other key vendors are GuardiCore, Cymmetria, TrapX Security, Cybertrap, Illusive Networks, Acalvio Technologies, Allure Security Technology, ForeScout, Hexis Cyber Solutions, LogRhythm, Percipient Networks, Sandvine, Shape Security, Smokescreen Technologies, TopSpin Security, vArmour Solutions, etc.
How To Go about implementing Deception Technology?
The next key consideration is how dynamically your Deception Technology can respond to a given cyber-attack, because no cyber-attack is cast in stone. Attackers may use multiple approaches and modus operandi at the same time. This is where ML and AI can help you a great deal, by adjusting the deception environment dynamically as the assault on your decoy assets occurs. These changes may happen in your network automation, network access control, or user and entity behavior analytics (UEBA) programs. ML and AI can create these dynamic deception environments, freeing your IT teams from constantly creating specialized, standalone deception campaigns.
Next, your Deception Technology can be layered with additional tools that help your IT security teams identify cyber criminals. For example, a database of fake credentials can have tracking information embedded in its files. Opening a file can trigger an alert to the organization or to law enforcement officials. Also, sinkhole servers can be used for traffic redirection, tricking bots and malware into reporting to law enforcement rather than to their owner, the cyber-attacker.
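The two properties described above, that any use of a planted decoy credential is unauthorized by definition (so the alert is high fidelity and free of the false positives that cause alert fatigue), and that a fake-credential store can be wired to trigger an alert the moment it is used, can be shown with a small honeytoken monitor. The code below is an added example written for this page; it is not code from the original post or from any of the vendors named here. The log line format, the decoy account names, the IP addresses and the sample log lines are all constructed for illustration.

```python
"""
Honeytoken credential monitor (added example, not from the original post).
Assumptions, all constructed for illustration: the authentication log
format parsed by LOG_RE, the decoy account names in HONEY_ACCOUNTS, and
the sample log lines in SAMPLE_LOG.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Decoy accounts seeded into the fake credential store. No real user or
# service ever authenticates with them, so any attempt to use one is
# unauthorized by definition and the resulting alert is high fidelity.
HONEY_ACCOUNTS = frozenset({"svc_backup_legacy", "finance_share_admin"})

# Constructed log format:
#   "<timestamp> auth <ok|fail> user=<name> src=<ip> target=<host>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) target=(?P<target>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    target: str
    result: str


def parse_line(line: str) -> dict | None:
    """Return the fields of one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines, honey_accounts=HONEY_ACCOUNTS) -> list[Alert]:
    """Raise an alert for every authentication attempt that uses a decoy account.

    Ordinary failed logins (typos, expired passwords) are deliberately ignored:
    they are the noise behind alert fatigue, whereas a decoy account can only
    be tried by someone who harvested the planted credentials. A failed
    attempt counts as much as a successful one, because the attempt itself
    proves the credential store was read.
    """
    alerts = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # unparseable line: skip it rather than crash the monitor
        if fields["user"] in honey_accounts:
            alerts.append(Alert(**fields))
    return alerts


def response_plan(alerts) -> dict[str, list[str]]:
    """Group alerts by source host.

    Each key is a host the responders would isolate; the value lists the
    targets that host touched with decoy credentials, which is the start of
    the attacker's movement trail.
    """
    plan: dict[str, set[str]] = {}
    for a in alerts:
        plan.setdefault(a.src, set()).add(a.target)
    return {src: sorted(targets) for src, targets in plan.items()}


# Constructed sample log: normal activity from two staff accounts (including
# one ordinary failed login), then one host trying two decoy accounts.
SAMPLE_LOG = [
    "2024-03-01T08:00:01Z auth ok user=alice src=10.0.1.10 target=fileserver01",
    "2024-03-01T08:02:13Z auth fail user=bob src=10.0.1.11 target=fileserver01",
    "2024-03-01T08:05:40Z auth fail user=svc_backup_legacy src=10.0.5.23 target=fileserver01",
    "2024-03-01T08:05:42Z auth ok user=svc_backup_legacy src=10.0.5.23 target=decoy-backup01",
    "2024-03-01T08:06:10Z auth fail user=finance_share_admin src=10.0.5.23 target=fin-share",
    "this line is malformed and must be skipped",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.ts} decoy account {a.user!r} used from {a.src} "
              f"against {a.target} ({a.result})")
    print("hosts to isolate:", response_plan(found))
```

Running the block produces three alerts, all from the single constructed host 10.0.5.23, and no alert for bob's ordinary failed login; the response plan groups the alerts by that host so an isolation or threat-hunting action can be automated from it, in the way the integrations described later on this page would do.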
The most advanced deception platforms will also provide you with concealment technology, which HIDES and denies access to your data. Instead of interweaving deceptive assets among actual production assets, the technology can hide real assets completely from an attacker's view. It can also return fake data to the attacker to disrupt and derail further attacks. Coverage includes AD objects, credentials, files, folders and removable drives, as well as network and cloud shares.
Once installed, deception technology scans your network, takes an inventory of assets, and then recommends different types of deception decoys/lures that emulate servers, files, network segments, or valuable services (think Active Directory, for example). Suddenly, a network with around 1,000 nodes will look like it has 10,000+ nodes, making network reconnaissance and lateral movement much more difficult for cyber-attackers.
In addition to obfuscating the attack surface and making it challenging for attackers to look around undetected, Deception technology will also redirect the attacker to an engagement server that will gather intelligence about the attacker’s tools, methods and behaviors. Third-party integrations can be used to automate appropriate response actions, including isolation, blocking, and threat hunting.
All in all, Deception Technology offers you a great additional layer to your security posture and complements your defense-in-depth layers of security.
Kindly write your comments on the posts or topics, because when you do that you help me greatly in designing new quality article/post on cybersecurity.
You can also share with all of us if the information shared here helps you in some manner.
Life is small and make the most of it!
Also take care of yourself and your beloved ones…
______
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
34,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM