Understanding Deception Technology – How It Works and Why It Matters

Deception technology reduces alert noise and improves key security metrics such as mean time to detect (MTTD) and mean time to respond (MTTR). It offers a pragmatic complement to signature- and behavior-based detection: because a decoy has no legitimate users, any interaction with it is an attack, and the attack is detected without exposing any real data.

It provides a parallel environment of fake assets, credentials and data that have no business reason to exist. When attackers touch these traps, they trigger high-confidence alerts, and the attack can be stopped before real assets are reached.

What is Deception?

The deception industry is about baiting attackers with irresistible traps to give defenders a much-needed advantage in the cybersecurity war. This approach is very different from traditional anomaly detection, which relies on probabilistic analysis of huge data stores, throws off massive numbers of false positives, and requires a security team to spend time tuning analytical models to get any value out of it.

By creating fake infrastructure and data sets that look like legitimate business assets, deception techniques let attackers interact with those traps without realizing they have been detected. As they interact with decoys, their actions are recorded by the system and sent to a centralized deception server, where they are evaluated immediately and converted into relevant, high-fidelity alerts.

This intelligence is then fed into existing security technologies to enhance their capability. Dwell time shrinks because an alert fires on the attacker's first touch of a decoy, which directly reduces Mean Time To Detection (MTTD). Lures can also carry targeted counterintelligence: decoy data such as company names, bank BINs and insurance policy numbers seeded into documents and records, so that when those values resurface in reconnaissance or phishing they reliably pinpoint which targets were spear-phished. Managed offerings let mid-market and small businesses use deception without investing in a complex, costly solution that requires significant security staff to deploy and manage across the enterprise and its countless external and IoT devices.
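The credential lure described above, worked through as an added example (this is not code from the article or from any deception vendor). Two decoy account names are planted where an intruder would look, and every authentication record that uses one of them becomes a high-confidence alert regardless of whether the login succeeded. A conventional threshold rule runs over the same constructed log for comparison. The log format, account names, hosts and addresses are all invented for the illustration.

```python
"""Credential honeytoken detection over authentication logs.

Added example for this article; it is not code from the original page or from
any deception product. The decoy account names, the log format and the log
lines below are all constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Decoy credentials planted where an intruder would look (a passwords.txt on a
# file share, a stale-looking service account in the directory). No legitimate
# process ever uses them, so any use is a true positive, success or failure.
HONEYTOKENS = {
    "svc_backup_legacy": "planted in //fs01/it/passwords.txt",
    "adm_sqlmaint": "planted as a stale directory service account",
}

# Constructed log format: "<ts> host=<host> src=<ip> user=<user> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    host: str
    user: str
    result: str
    planted_where: str
    confidence: str = "high"


def parse(line):
    """Parse one auth record; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def honeytoken_alerts(lines):
    """One high-confidence alert per log line that uses a decoy credential."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec and rec["user"] in HONEYTOKENS:
            alerts.append(Alert(rec["ts"], rec["src"], rec["host"], rec["user"],
                                rec["result"], HONEYTOKENS[rec["user"]]))
    return alerts


def threshold_alerts(lines, max_failures=3):
    """Baseline-style rule for comparison: flag any source IP with more than
    max_failures failed logins. It has no notion of which accounts are decoys."""
    failures = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["result"] == "fail":
            failures[rec["src"]] += 1
    return sorted(src for src, n in failures.items() if n > max_failures)


# Constructed sample: an admin mistyping a password four times from 10.0.5.20,
# and an intruder on 10.0.9.77 trying a decoy account found in a share, then
# logging in with it successfully on a second host.
SAMPLE_LOG = [
    "2024-05-01T08:00:01Z host=fs01 src=10.0.5.20 user=jsmith result=fail",
    "2024-05-01T08:00:05Z host=fs01 src=10.0.5.20 user=jsmith result=fail",
    "2024-05-01T08:00:09Z host=fs01 src=10.0.5.20 user=jsmith result=fail",
    "2024-05-01T08:00:14Z host=fs01 src=10.0.5.20 user=jsmith result=fail",
    "2024-05-01T08:00:20Z host=fs01 src=10.0.5.20 user=jsmith result=ok",
    "2024-05-01T09:12:33Z host=fs01 src=10.0.9.77 user=svc_backup_legacy result=fail",
    "2024-05-01T09:12:41Z host=db02 src=10.0.9.77 user=svc_backup_legacy result=ok",
    "2024-05-01T09:13:02Z host=db02 src=10.0.9.77 user=jsmith result=fail",
    "not an auth record at all",
]

if __name__ == "__main__":
    for a in honeytoken_alerts(SAMPLE_LOG):
        print(f"[{a.confidence}] {a.ts} {a.src} used decoy '{a.user}' on {a.host} "
              f"({a.result}); lure was {a.planted_where}")
    print("threshold rule flags:", threshold_alerts(SAMPLE_LOG))
```

On the sample, the honeytoken rule raises two alerts, both for 10.0.9.77, and shows the lateral move from fs01 to db02. The threshold rule flags only the administrator at 10.0.5.20 (a false positive) and never sees the intruder, who made just two failed attempts. The decoy account name is the whole signal, so the same logic works on any log source that records a user name.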

How Does Deception Work?

Like a worm dangling on a fish hook or the notes of a siren song luring sailors to their deaths, deception technology entices attackers into interacting with irresistible traps that appear to be legitimate IT assets. Once an adversary interacts with a trap, it triggers an alert that allows security analysts to track the malicious behavior in real time and respond quickly.

In addition to significantly reducing false positives, deception enables more comprehensive detection and response across the entire kill chain. Whereas most behavior-based systems flag any activity above a statistical baseline, a decoy has no legitimate activity at all, so every interaction is a signal and gives security teams detailed indicators of compromise (IOCs). As a result, threat hunters can study attacker behavior much more closely, and the assets an attacker is probing can be identified in minutes rather than hours or days.

In addition, when an attacker interacts with a decoy asset and realizes it is not real, they are forced to spend additional time and effort finding other valuable assets on the network or another path to exfiltrate data. In a world where time is money, that is a significant loss for bad actors and a win for defenders. As more CISOs move to deception-based solutions, the mid-market CISO still has a few hurdles to overcome. Many of these solutions require specialized skills to deploy and analyze, which makes them expensive for smaller companies without a dedicated security team. However, some deception vendors offer analysis and protection as a managed service, so even SMBs can leverage the benefits of this innovative approach.

Why is Deception Important?

Imagine you are an intruder who needs to get past security measures to steal data. Your target is a computer system, and you have spent hours trying to break into it with no luck. Then you find a host that greets you with, "Welcome to the computer system. Please enter your username and password." You try the credentials you harvested earlier, and they work. That host is a decoy, and you have just announced yourself to the defenders.

That is what cyber deception does: it draws attackers toward fake systems or information, buying the enterprise time to respond and to close the gaps the attacker is exploiting. It is an effective way to catch ransomware operators and other threats while they are still moving laterally, before they reach real data.

Traditional anomaly detection and intrusion detection/prevention systems generate floods of false positive alerts that distract security teams, so a single mistake by an attacker is easily lost in the noise. Deception technology flips the odds by placing the burden of perfection on the attacker. Once your organization populates its networks with deception assets, adversaries must carry out a flawless attack without ever touching a trap, and a single wrong move exposes them.

By enticing attackers into interacting with fake IT assets, deception technology gives security teams high-fidelity alerts on specific malicious behaviors that are hard to detect from event log analysis alone.

What Can Deception Detect?

When a decoy system or piece of decoy content raises an alert, defenders can watch attackers fumbling around, trying to interact with it. This provides the CISO with relevant, specific, real-time threat intelligence to detect, respond to, and ultimately stop attacks that might otherwise go unnoticed by other detection tools.

These decoys can be as simple as a credential lure or as sophisticated as a virtual honeypot, including fake network drives, file systems, registry entries, and so on. They are designed to mimic the data that attackers are targeting, such as PII, sensitive business files, and stored credentials.

Once an attacker interacts with the decoys, the trap is triggered, and the security team receives a highly contextual and accurate threat intelligence report, including the tactics, techniques, and procedures (TTPs) employed in the attack, what the attacker is trying to accomplish, where they are going in the network, and more. As a result, this augmented detection capability can significantly shorten the mean time to know and reduce the overall Mean Time To Remediate (MTTR) for an incident response team.
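The "virtual honeypot" end of that spectrum, as an added example that is not the article's or any vendor's code: a low-interaction decoy service that listens on the loopback address, presents a fake SSH banner, and records who connected, when, and what they sent. Nothing legitimate is configured to talk to this listener, so every record is a true positive and already carries the IOCs a report needs (source address, timestamp, the client's first message). The banner string, the scanner banner and the probe() client that plays the attacker are all constructed so the demo runs offline.

```python
"""Low-interaction network decoy that turns every touch into an IOC record.

Added example for this article; not the article's or any vendor's code. The
banner is constructed; a real deployment would copy the banner of the
production hosts the decoy hides among. probe() stands in for an attacker's
scanner so the whole exchange runs on 127.0.0.1 without external input.
"""
import socket
import threading
import time
from dataclasses import dataclass

FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n"   # constructed


@dataclass(frozen=True)
class Interaction:
    ts: float
    src_ip: str
    src_port: int
    decoy_port: int
    client_data: bytes   # attacker's first message after our banner


class DecoyService:
    def __init__(self, host="127.0.0.1", port=0):   # port 0: OS picks a free one
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))
        self._srv.listen(8)
        self._srv.settimeout(0.1)            # lets the accept loop notice stop()
        self.port = self._srv.getsockname()[1]
        self._events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._srv.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self._srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(FAKE_BANNER)
                    data = conn.recv(512)    # capture whatever the client says first
                except (socket.timeout, OSError):
                    data = b""
            with self._lock:                 # any connection at all is an IOC
                self._events.append(Interaction(time.time(), ip, port, self.port, data))

    def wait_for(self, count, timeout=3.0):
        """Block until at least `count` interactions are recorded (or timeout)."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self._events) >= count:
                    return True
            time.sleep(0.02)
        return False

    def interactions(self):
        with self._lock:
            return list(self._events)


def probe(port, client_banner=b"SSH-2.0-scanner_0.1\r\n"):
    """Stand-in for an attacker's scanner: connect, read the banner, identify."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(256)
        s.sendall(client_banner)
    return banner


def run_demo():
    """Start a decoy, hit it once, return (banner the attacker saw, recorded IOCs)."""
    decoy = DecoyService().start()
    try:
        seen = probe(decoy.port)
        decoy.wait_for(1)
        return seen, decoy.interactions()
    finally:
        decoy.stop()


if __name__ == "__main__":
    banner, events = run_demo()
    for e in events:
        print(f"[high] decoy:{e.decoy_port} touched by {e.src_ip}:{e.src_port} "
              f"at {e.ts:.0f}; client sent {e.client_data!r}")
```

The design point is that the decoy does almost nothing: it never authenticates anyone and never exposes real data, yet the single record it writes per connection gives the source address, timing and the client's banner or first command, which is exactly the "where they are going and what they are trying" context the report above needs. A production listener would forward each Interaction to the central deception server rather than keeping it in memory.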

Forward-leaning organizations with large security teams have long used deception to sharpen their threat detection and to generate internal threat intelligence, and it is this segment of the market that has led the way toward broader adoption. However, deception is also valuable for the mid-market CISO, who juggles competing priorities and a limited budget while keeping up with the latest threats.