secure tablet

How Deception Technology Can Help You Detect Threats Early

Deploying automated decoys can help protect your network and reduce IT costs.

Deception is a frequently used tactic in both defensive and offensive strategies, from chess to duck hunting, and a tool that many security professionals have been using for years. Initially, when deception was used in network defense, it involved a human carefully interacting with an infiltrator to make them believe that they had achieved access to restricted data and to keep them occupied until the threat could be contained. Today, however, technological advancements have eliminated the need for direct human interaction and have increased the believability of decoys.

What Is Deception Technology?

Deception technology is the integration of deception tactics into security tools and automation, meant to attract intruders away from real assets and trap or detain them in areas modeled after real storage or network areas. By misdirecting the attacker early in the infiltration process, the technology can minimize the damage caused and gain an opportunity to learn from the attacker's methods and behavior while they are distracted.

The simplest form of deception technology is the classic honeypot: a planted store of data whose contents are designed to be appealing to attackers, such as decoy password lists, false databases, fake access to other regions and more. When an intruder enters a network, they are led by a trail of breadcrumbs straight to the honeypot, which is triggered to alert security and distract the intruder by feeding them engineered information.

In the past, these were handcrafted and manually deployed and monitored. Now, however, the technology has advanced to the point that monitoring can be fully automated and decoys can be generated based on scans of true network areas and data.

Currently, decoys are often deployed as mock networks running on the same infrastructure as the real networks. When an intruder attempts to enter the real network, they are directed to the false network and security is immediately notified. The decoys are never accessed by legitimate users so there are almost no false positives with these techniques and intruders become visible much more quickly than if security had to wait for behavior or malware detection based alerts to be notified.

Deception technology is relatively simple to create in-house but difficult to make convincing, so many adopters prefer to use a third-party solution, such as Attivo, Minerva Labs, Cynet or a big name like Symantec, to ensure that their decoys are as realistic as possible.

Several tactics are used in deception technology:

  • Honeypots: research versions are placed “in the wild” to gather information on attacker strategies and motivations, production versions are placed to slow down attackers
  • Honey users: users with implied privileged access planted in the hopes that intruders will attempt to use their log-in which is flagged to alert security upon use
  • Honey credentials: credentials with supposed access rights to larger network; alerts are sent to security if intruders attempt to use the credentials, allowing them to track criminal movement
  • Geo-tracking: files planted with tracking information that is activated upon transfer or opening, sending IP and location data back to security teams
  • Sink-Hole servers: servers that use traffic redirection to trick bots or malware into reporting back to law enforcement or "white hat" researchers instead of criminals

Benefits of Deception Technology

Deception technology tools provide significant benefits when it comes to early detection of intruders, which is key to minimizing the amount of damage a criminal can do. By isolating attackers in areas where there is minimal risk of damage, this technology grants security professionals the opportunity to not only test their currently used mechanisms, but to learn about the real-world behavior, motivations and tools that criminals use to damage organizations. Such information is vital to building stronger security policies and solutions.

Apart from intellectual and risk mitigation benefits, deception technology can be used to alleviate bottlenecks in security processes. A significant reduction in false positives means that time is not wasted verifying the legitimacy of alerts. The ability to automate deceptive technologies further reduces the amount of time dedicated to non-critical tasks.

Decoys are typically completely hidden from end-users, meaning they have no impact on productivity. This has the added benefit of making them effective against human attackers and intrusion tools regardless of whether they originate externally, internally or from third-party services.

Unlike other methods of intruder detection, deception technology produces high fidelity alerts, reducing the amount of time spent filtering through alert information to find what threats require action. This technology doesn’t rely on detection based on known signatures or behaviors, so all intrusions are immediately detected and flagged, regardless of what methods an attacker uses.

Once an intrusion is detected, attackers can be easily contained and monitored with minimal to no risk to the actual network. Other security strategies operate by ejecting intruders upon discovery to minimize damages, but this doesn’t give security researchers the chance to learn from an attacker’s behavior and denies them the opportunity to apply forensic information to improving production security systems.

Integration with automation also helps reduce IT budget costs and helps stretch security team productivity. Automation tools can discover new networks and assets, and auto-generate and deploy decoys. This ability to adapt deception layers to changing environments reduces the manual work of security and helps maximize system protection.

Deception technology is more easily deployed with devices that do not allow for the installation of traditional security agents due to lack of memory, firmware or compatibility issues. This makes it especially suitable for Internet of Things (IoT) devices, legacy systems or industry-specific devices.

Why Should You Add Decoys to Your Network?

Deception is a time-honored strategy that continues to prove effective. Although many security budgets and professionals are focused on active defense when it comes to protecting a network, the passive defense offered by deception technology can sometimes provide greater benefit to an enterprise.

Adding decoys to your network can give you the upper hand in terms of detection speed and grant valuable information needed for security innovation—both of which are vital to protecting your systems from increasingly aggressive cyber criminals.

Featured

Featured Cybersecurity

Webinars

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3