Deception Technology (DT) deflects the attention of threat actors from real assets to fake assets, thus protecting network, systems, and files. Read on to learn what deception technology is and how you can apply it for endpoint security.
Deception technology comprises a set of security tools and techniques designed to prevent threat actors from breaching the security perimeter. This technology works by using decoys to deflect the attackers’ attention and delay or prevent them from reaching their target.
The decoys look like genuine digital assets and can be deployed in real or emulated systems. The decoys serve as bait, attracting the attackers and tricking them into thinking they have breached a real asset.
Deception technology complements other cybersecurity solutions, such as security information and event management (SIEM) systems. Deception technology can integrate log data from the organization’s SIEM system and provide you with threat alerts. Some advanced deception systems can communicate with the attacker’s command and control (C&C) infrastructure to gather more information about the attacker’s methods and the tools they are using.
Deception technology can help you protect your assets from the following attacks:
- Credential theft—when an attacker tries to lift usernames and passwords from Online Analytics Processing (OLAP) directories.
- Lateral movement—when an attacker tries to access other parts of the network that were off-limits until then.
- Attacks on directory systems—can be user directories or file directories.
- Man-in-the-middle—an attacker intercepts and modifies communications between two parties without their knowledge.
During the early days of deception, deploying decoys required a lot of manual work. It wasn’t practical for large and distributed environments. Nowadays, deception technology is an integral part of endpoint protection solutions, threat detection, and incident response platforms.
Deception technology can help security teams detect and identify attackers as soon as a breach has occurred. This significantly reduces the time an attacker can lurk undetected in your network.
Deception technology offers a different way to deal with stealth attacks, diverting them from their target. The attacker has fewer opportunities to move laterally, map the entire infrastructure, and cause further damage.
Cybersecurity teams can easily overlook attacks as they become more sophisticated. For example, if an attacker entered a network using stolen user credentials, they can remain undetected. The rise in IoT devices means that practically any gadget can be connected. Here are two categories of IoT devices that are especially vulnerable to attacks:
- Industry devices - such as sensors or real-time location devices for shipment tracking, including those used in manufacturing. Most manufacturing companies get technical support for their Supervisory Control and Data Acquisition (SCADA) infrastructure through a third party, which increases the risk of attacks. An effective solution for manufacturing networks must be easy to install and maintain without disrupting operations.
- General IoT devices - such as those used in healthcare, smart air conditioning, and security systems. Attackers can steal Personally Identifiable Information (PII) or deploy ransomware in medical systems, thus risking the lives of thousands of people.
Attackers usually enter a network through the endpoints. While deception technology cannot stop an attacker from entering, it helps minimize the damage they cause. This makes deception technology a good supporting technology for an endpoint security platform.
One of the main risks an organization faces is that of an infiltrator navigating and conducting reconnaissance inside its network unnoticed. According to a report by the Ponemon Institute, dwell time could last on average 191 days before detection.
Using deception technology produces a way to get the attackers to disclose their location. The security team deploys fake assets that mimic real assets. The decoys lure the attacker into thinking they are attacking the real thing. These fake assets trigger an alert when attacked, while at the same time giving up the attacker’s location.
Deception technology helps distract attackers away from valuable assets. It reduces an attacker's dwell time by shortening the time to detection and remediation. Deception technology can also help you improve incident response by generating accurate and prioritized alerts, thus reducing alert fatigue.
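The mechanism described in the two paragraphs above (a decoy that no legitimate user ever touches, so any use of it is a high-confidence alert that also reveals the attacker's source) can be shown with a small honeytoken detector. The following is an added example written for this article, not code from any deception product; the decoy account names, the log line format, and the sample log lines are all constructed for illustration. It plants decoy credentials, scans authentication log lines for any reference to them, ranks a successful decoy login above a failed attempt, and emits JSON alerts of the kind a SIEM would ingest.

```python
"""Honeytoken alerting: decoy accounts that no real user or service should ever
use. Any authentication event naming one is a high-confidence alert that also
carries the source address of whoever tried it."""
import json
import re
from dataclasses import dataclass, asdict

# Decoy accounts planted in the credential store, mapped to the host they were
# planted on (constructed example values, not real accounts).
DECOY_ACCOUNTS = {
    "svc_backup_legacy": "fileserver-01",
    "db_admin_ro": "sql-decoy-02",
}

# Assumed log format: "<ts> auth <OK|FAIL> user=<u> src=<ip> host=<h>"
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+)$"
)

# Constructed sample log lines; only the svc_backup_legacy entries touch a decoy.
SAMPLE_LOG = [
    "2024-05-01T10:02:11Z auth OK user=alice src=10.0.4.12 host=fileserver-01",
    "2024-05-01T10:03:40Z auth FAIL user=svc_backup_legacy src=10.0.9.77 host=fileserver-01",
    "2024-05-01T10:03:52Z auth OK user=svc_backup_legacy src=10.0.9.77 host=fileserver-01",
    "2024-05-01T10:05:00Z auth OK user=bob src=10.0.4.15 host=sql-decoy-02",
    "this line is not an auth event and is skipped",
]


@dataclass
class Alert:
    timestamp: str
    severity: str
    user: str
    source_ip: str
    target_host: str
    outcome: str
    reason: str


def parse_auth_line(line):
    """Return the fields of an auth log line as a dict, or None if it does not match."""
    m = AUTH_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Return an Alert if the event names a decoy account, otherwise None."""
    user = event["user"]
    if user not in DECOY_ACCOUNTS:
        return None
    # A successful login to a decoy means the planted secret itself is in the
    # attacker's hands, so it outranks a failed guess.
    severity = "critical" if event["result"] == "OK" else "high"
    return Alert(
        timestamp=event["ts"],
        severity=severity,
        user=user,
        source_ip=event["src"],
        target_host=event["host"],
        outcome=event["result"],
        reason=f"decoy account '{user}' used (planted on {DECOY_ACCOUNTS[user]})",
    )


def scan(lines):
    """Scan log lines and return the alerts raised by decoy usage, in log order."""
    alerts = []
    for line in lines:
        event = parse_auth_line(line)
        if event is None:
            continue
        alert = classify(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


def attacker_sources(alerts):
    """Sorted, de-duplicated source addresses that touched a decoy."""
    return sorted({a.source_ip for a in alerts})


def to_siem(alerts):
    """Serialize alerts as one JSON record per line for SIEM ingestion."""
    return [json.dumps(asdict(a), sort_keys=True) for a in alerts]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for record in to_siem(found):
        print(record)
    print("sources touching decoys:", attacker_sources(found))
```

Because decoy accounts carry no legitimate traffic, the detector has no baseline to learn and no threshold to tune: one event is enough to alert, which is what lets these alerts be prioritized ahead of noisier signals. The regular user logins in the sample (alice, bob) produce nothing, even the one against the decoy host, since it is the decoy credential, not the host, that marks the event.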
Some deception technology solutions provide deep forensic and adversary intelligence. You can use this type of intelligence to learn about the tactics, techniques, and procedures (TTPs) of attackers. You can also supplement security by deploying decoys around critical assets in the event of an attack.
Deception technology provides an alternative way to address the problem of an attacker dwelling in the network. While it does not prevent attacks from taking place, it buys time for security teams to respond. At the end of the day, deception technology effectively turns the tables on attackers, shifting the power to the security system.