Imagine a mouse-trap, where a tiny piece of cheese is carefully placed to lure the “enemy” in, distract him, and prevent him from ever reaching the real food. Did you know that same principle can be applied to cybersecurity? In this scenario, the mouse is a cyberattacker and the cheese could be a file containing fake sensitive information. That is what we call deception technology.
Used as a strategy to divert cyber criminals away from an organisation’s real assets, deception technology is, at its core, a detection and incident response approach. Our Cybersecurity Engineer Raphaël Cossec elaborates: “Deception technology is not about preventing the attacker from getting inside the organisation’s network. He/she is already inside. We use a lure, which can be a false file with, for example, a user’s login information, to draw the attacker in and detect if that login is ever attempted. We can then gather relevant information like Indicators of Compromise (IOCs), how he/she behaves, what type of attacks are deployed, so we can identify every device where that behaviour occurs”, he explains.
Those lures, or baits, can also take the form of servers, databases, or even apps. What matters is that the attacker wastes time on irrelevant assets and believes they have breached the organisation’s systems and are executing damaging attacks, when in fact there is no impact on the company’s infrastructure or operations.
Why is deception technology important?
“The logic behind this technique is that no company is perfectly protected. The goal is to provide in-depth security and to get a hold of a cyberattacker a lot faster”, Raphaël states. Nevertheless, it does not stand on its own: it complements, rather than replaces, proactive and preventive security controls.
The main benefits of implementing deception technology are:
- Early threat detection
Attackers who might otherwise go unnoticed until damage is done can be detected much earlier, before they get a chance to harm the organisation.
- Greater threat intelligence
Decoys are an effective way to gain intelligence on specific attacks and attackers, which can later be used against them and turned into lessons for the future.
- Minimised false positives
Because deception technology is highly targeted, and only an attacker has a reason to interact with a decoy, security teams have far fewer false positives to deal with. With more traditional detection methods, analysts lose much more time triaging false alerts.
- Improved incident response
While attackers are busy with bait files, incident response teams use that time to prepare, gather insights, and respond more effectively to the threat.
- Psychological advantage
When attackers know that an organisation uses deception technology, they may choose not to target it, because of the risk of exposure and wasted effort.
Which cyber threats can be detected?
“Depending on how mature and well configured the technology is, it can detect something very simple to very complex and go from detecting a single less experienced attacker to a more skilful one, or even an organised group”, Raphaël assures.
Among the most prevalent cyber threats affecting businesses today, and which deception technology can help detect, are:
- Credential theft
Deception technology can catch attackers red-handed as they try to steal or misuse user credentials: a decoy credential has no legitimate use, so any attempt to authenticate with it is an indicator of compromise.
- Lateral movement
Attackers who get inside an organisation’s systems usually try to move laterally, spread across the network and reach other critical assets. With decoys placed along those paths, they tend to stumble into traps and are detected early in the process.
- Malware/ransomware deployment
Malicious software deployed by an attacker will try to spread to other devices in the organisation. When it touches a decoy host, share or credential, that interaction triggers a warning to the security team.
What types of deception technology exist?
The most popular type is honeypots which, Raphaël explains, “at some point was a synonym for deception technology, because it was the only existing technique”. Honeypots are, more or less, what we have been describing so far: decoy systems, servers or devices designed to mimic real assets and attract attackers, enabling early detection and analysis of malicious activity.
Honeypots are much more complex today than they used to be: no longer single static assets waiting to be interacted with, but entire fake environments whose components interact with each other.
“And now”, our Cybersecurity Engineer expands, “there are more deception solutions out there, which are, in fact, descended from the ‘umbrella’ term ‘honeypots’”. These are just a few worth mentioning:
- Honey users
Fake user accounts, usually created in the organisation’s Active Directory and given a name and description that make them look valuable, that lure attackers applying password-guessing techniques. These accounts are never used for any other purpose, nor associated with real users, so any authentication attempt against them, successful or not, is an alert.
- Honey credentials
Fake usernames and passwords strategically placed where attackers are likely to look (for example, in e-mails or on shared drives). If those credentials are ever used to authenticate, security teams are notified.
- Honeynets
A network of interconnected honeypots, used by security teams to investigate how attackers operate at a larger scale. Since they can simulate entire network segments, they are especially useful for detecting lateral movement.
- Compound honey traps
There are also compound set-ups that combine fake computers planted in the environment, offering a high level of interaction (fake Windows, Linux or other hosts); breadcrumbs such as files that lure the attacker in (e.g. fake credentials in a ‘.txt’ file, fake Remote Desktop Protocol (RDP) connection files, or others); a fake network connecting it all; and a console that centralises all the information.
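To make the honey-user and honey-credential mechanism above concrete, and to show what detecting credential theft and lateral movement through decoys looks like in practice, here is a small Python detector. It is an added example, not code from the article or from any product mentioned in it. The account names, placements, hosts, IP addresses and the simplified JSON rendering of Windows Security events are all constructed for illustration; real deployments would read the equivalent fields from the domain controllers’ event logs or a SIEM. The one design point worth noting is that every placement gets its own account and password, so the account that turns up in an event tells the analyst which breadcrumb the attacker found.

```python
"""Honey-user and honey-credential detection over authentication events.

Added example, not code from the original article. Account names, hosts,
IPs and the JSON event format are constructed for illustration.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Decoy inventory (hypothetical). One account per placement, so the account
# seen in an event tells the analyst which breadcrumb the attacker found.
HONEY_ACCOUNTS = {
    "svc_backup_admin": "AD honey user, description 'Backup service (Domain Admin)'",
    "sql_ro_legacy": "honey credential in \\\\fileserver\\IT\\old_passwords.txt",
    "vpn_emergency": "honey credential in the it-helpdesk shared mailbox",
}

# Windows Security event IDs that represent an authentication attempt:
# 4624 logon success, 4625 logon failure, 4768 Kerberos TGT request,
# 4771 Kerberos pre-authentication failure, 4776 NTLM credential validation.
AUTH_EVENT_IDS = {4624, 4625, 4768, 4771, 4776}


@dataclass(frozen=True)
class Alert:
    account: str
    placement: str
    event_id: int
    source_ip: str
    source_host: str
    timestamp: str


def canonical_user(name: str) -> str:
    """Normalise DOMAIN\\user and user@realm forms; AD names are case-insensitive."""
    return name.split("\\")[-1].split("@")[0].strip().lower()


def is_honey_account(name: str) -> bool:
    return canonical_user(name) in HONEY_ACCOUNTS


def honey_credential_file(account: str, password: str, host: str) -> str:
    """Render a breadcrumb file to drop on a share or in a mailbox.

    The password is unique per placement and valid nowhere, so using it can
    do no harm but unambiguously identifies where the attacker found it.
    """
    return f"# old admin creds, keep private\nhost={host}\nuser={account}\npass={password}\n"


def detect(event_lines):
    """Return an Alert for every authentication attempt against a honey account.

    Honey accounts are never used legitimately, so success or failure does not
    matter: any attempt at all is an indicator of compromise.
    """
    alerts = []
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("EventID") not in AUTH_EVENT_IDS:
            continue  # e.g. process creation (4688): not an authentication
        user = canonical_user(ev.get("TargetUserName", ""))
        if user not in HONEY_ACCOUNTS:
            continue
        alerts.append(Alert(
            account=user,
            placement=HONEY_ACCOUNTS[user],
            event_id=ev["EventID"],
            source_ip=ev.get("IpAddress", "-"),
            source_host=ev.get("WorkstationName", "-"),
            timestamp=ev.get("TimeCreated", "-"),
        ))
    return alerts


def sources_by_device(alerts):
    """Group alerts by source IP: every device where the behaviour occurred."""
    grouped = defaultdict(set)
    for a in alerts:
        grouped[a.source_ip].add(a.account)
    return {ip: sorted(accs) for ip, accs in sorted(grouped.items())}


# Constructed sample events (simplified Windows Security log fields as JSON).
SAMPLE_EVENTS = [
    '{"TimeCreated":"2024-05-02T08:01:10Z","EventID":4624,"TargetUserName":"alice","IpAddress":"10.0.0.5","WorkstationName":"WS-005"}',
    '{"TimeCreated":"2024-05-02T08:04:31Z","EventID":4625,"TargetUserName":"CORP\\\\svc_backup_admin","IpAddress":"10.0.0.23","WorkstationName":"WS-023"}',
    '{"TimeCreated":"2024-05-02T08:04:33Z","EventID":4625,"TargetUserName":"SVC_BACKUP_ADMIN","IpAddress":"10.0.0.23","WorkstationName":"WS-023"}',
    '{"TimeCreated":"2024-05-02T08:12:07Z","EventID":4768,"TargetUserName":"sql_ro_legacy@corp.example","IpAddress":"10.0.0.23","WorkstationName":"-"}',
    '{"TimeCreated":"2024-05-02T08:15:44Z","EventID":4688,"SubjectUserName":"svc_backup_admin","IpAddress":"10.0.0.23"}',
    '{"TimeCreated":"2024-05-02T09:30:02Z","EventID":4624,"TargetUserName":"vpn_emergency","IpAddress":"10.0.0.77","WorkstationName":"VPN-GW"}',
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.timestamp} event {a.event_id}: honey account '{a.account}' used from "
              f"{a.source_ip} ({a.source_host}); lure: {a.placement}")
    print("devices to investigate:", sources_by_device(found))
```

Run against the constructed events, the detector raises four alerts: two failed logons against the honey user from WS-023 (password guessing), a Kerberos ticket request with the credential planted on the file share from the same host (the attacker read the breadcrumb and moved on to use it), and a successful logon with the mailbox credential from a second device. The per-device summary is the list Raphaël describes, every device where the behaviour occurs, and is the starting point for containment.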
Deception technology for small businesses vs. large businesses
Even though it is best suited to security-mature companies, organisations of all sizes can invest in deception technology. However, the way it is implemented may vary, according to Raphaël Cossec: “In small organisations it’s easier to implement by hand a fake account or a bunch of fake files. It is also much less expensive. For large organisations there are different possibilities and tools, depending on what they want to address. Let’s imagine an organisation that wants to protect servers or endpoints: then a product like Acalvio is a good solution”, he exemplifies.
At the moment, since this is a very targeted and technically demanding technology, it is not feasible to get 360° coverage of all assets. So, if your company wants to protect more than one scope, the key is to go for a mix of solutions, depending on the size of the organisation. “Usually, the best strategy is to choose the most important part of the enterprise to protect and to leverage deception technology for that specific purpose”, Raphaël advises.
What are the risks and challenges?
The biggest one has to do with company maturity. “The organisation needs to be clear on what they want to protect, and how they want to protect it, because there is no guarantee of 100% coverage of every asset. Let’s say you have 100,000 assets: they all need to be connected to the same decoy, so the configuration is going to take a long time, and every solution needs to be somewhat hand-tailored. So, it’s very important that organisations are assertive and aligned with the possibilities of this technology right from the start”, our engineer stresses. On average, and for reference only, a handmade solution can take 1-2 years to implement, while an existing commercial solution can take 4-5 months.
There are also ethical and moral aspects to consider. A recent study on ethical concerns related to cyber deception emphasises that “while it is generally accepted that organisations have the right to defend themselves against cyberattacks, the use of deception techniques such as honeypots may be seen as unfair or unethical. It can be argued that it manipulates the attacker into taking an action they may not have taken otherwise”.
Our expert agrees but points out that “deception technology is a fairly new topic, so it is natural that no strict guidelines are defined yet”. Then again, agreeing on ethical principles, as well as established rules and regulations, is a broader challenge for cyberspace as a whole.