Deception technology, commonly referred to as cyber deception, is a category of security tools and techniques designed to detect and divert an attacker’s lateral movement once they are inside the network. Deception technology enables defenders to identify a wide variety of attack methods without relying on known signatures or pattern matching.
The technology is known for issuing reliable alerts because any engagement with deceptive technology is by definition "unauthorized." In addition to obfuscating the attack surface and making it challenging for attackers to look around undetected, deception technology will also redirect the attacker to an engagement server that will gather intelligence about the attacker’s tools, methods and behaviors. Third-party integrations can be used to automate appropriate response actions, including isolation, blocking, and threat hunting.
Gartner predicts that by 2022, 25% of all threat detection and response projects will include deception features and functionality.
Growth of the Deception Technology market
Increased adoption of deception technology has stemmed from the need for scalable threat detection across a wide variety of attack surfaces, including:
- Active Directory (AD)
- software applications
- virtual private clouds
- Internet of Things (IoT)
- point-of-sale (PoS) systems
Breaches such as the SolarWinds incident have also highlighted how critical it is to detect lateral movement and privilege escalation.
Standards organizations are also embracing deception, with the National Institute of Standards and Technology (NIST) adding the technology to several recent guidelines. Similarly, the MITRE ATT&CK framework helps organizations understand how deception fits in their security stack to derail attack techniques and tactics – specifically around discovery, lateral movement, privilege escalation and collection.
How Deception Works
Once thought to be only for large organizations with mature security teams, deception platforms have evolved into a practical and effective solution for companies of all sizes.
Companies seek out cyber deception for comprehensive attack surface protection, early detection, and a better understanding of their adversaries. Deception platforms meet these needs through their deployment scalability, ease of use for operators and an ability to work seamlessly with security solutions already in place.
Unlike security information and event management (SIEM) solutions, which use event logs to report what happened, deception proactively reports on what could happen. Because deception detects attacker techniques rather than relying on signatures or pattern matching, it remains effective against methods that have no known signature.
Deception technology will alert on early discovery, reconnaissance and privilege escalation activities. Defenders can set lures and decoys, hide production assets and misdirect attackers with disinformation that will derail their attack. The decoys mimic genuine IT assets throughout the network and run either a real or emulated operating system (OS). The decoys provide services designed to trick the attacker into thinking they have found a vulnerable system. The technology can also reduce the attack surface by finding and remediating exposed credentials that create attack paths.
Upon attacker interaction with a deceptive asset, the security team will receive a high fidelity, engagement-based alert with intelligence gathered about the attack. By gaining insight into the attacker’s tools, methods and intent, the defender will have the necessary knowledge to shut down the attack, strengthen overall defense strategies and level the playing field with their opponent.
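The alerting principle described above (any interaction with a deceptive asset is unauthorized by definition) can be shown in a small detection routine. This is an added example, not code from any deception product: the decoy inventory, the log format and the log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed decoy inventory: hosts and accounts that no legitimate workflow ever uses.
DECOY_HOSTS = {"10.0.5.23": "decoy-fileserver", "10.0.5.24": "decoy-db"}
DECOY_ACCOUNTS = {"svc_backup_admin", "dbadmin_legacy"}

# Constructed authentication/access events in a simple key=value format.
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z auth src=10.0.1.7 user=alice dst=10.0.2.10 result=success",
    "2024-03-01T10:05:42Z auth src=10.0.1.7 user=svc_backup_admin dst=10.0.2.10 result=failure",
    "2024-03-01T10:06:03Z smb src=10.0.1.7 user=alice dst=10.0.5.23 result=success",
    "2024-03-01T10:09:30Z auth src=10.0.3.4 user=bob dst=10.0.2.10 result=success",
    "malformed line that the parser should skip",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    reason: str


def parse_line(line):
    """Return the event fields as a dict, or None for lines in an unexpected format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_engagement(lines):
    """Raise an alert for every event that touches a decoy credential or decoy host.

    Note that a failed logon with a decoy account still alerts: the credential
    should never appear in any request, so its mere use is the signal."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["user"] in DECOY_ACCOUNTS:
            alerts.append(Alert(ev["ts"], ev["src"], f"decoy credential used: {ev['user']}"))
        if ev["dst"] in DECOY_HOSTS:
            alerts.append(Alert(ev["ts"], ev["src"], f"decoy host touched: {DECOY_HOSTS[ev['dst']]}"))
    return alerts


def suspicious_sources(alerts):
    """Sorted list of source addresses that engaged with any deceptive asset."""
    return sorted({a.src for a in alerts})
```

Each alert carries the source host, so the two hits from 10.0.1.7 can be correlated into one engagement and handed to the isolation or threat-hunting integrations the text mentions.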
The attacker will also get an unclear picture of the attack surface, which will slow them down, force them to make mistakes, expend additional resources and negatively impact the economics of their attack.
For companies conducting security assessments, deception technology plays an important role in detecting the attacker early and recording the attack activity. These capabilities make deception technology one of the most effective methods for dealing with ransomware. It is particularly adept at detecting intruders attempting to move laterally within the network, even when those intruders use authentic credentials.
Deception technology is available as a full deception fabric or platform, as features within a broader platform and as independent solutions. Advanced deception platforms use machine learning for fast and accurate deployment and operations without disrupting other network functions. Native platform integrations with existing security infrastructure can provide seamless attack information sharing and facilitate automation. Benefits include automated blocking, isolation, threat hunting, repeatable playbooks that accelerate incident response and integration with SOAR solutions.
The most advanced deception platforms will also provide concealment technology, which hides data and denies access to it. Instead of interweaving deceptive assets among production assets, the technology can hide real assets from an attacker's view. It can also return fake data to the attacker to disrupt and derail further attacks. Coverage includes AD objects, credentials, files, folders and removable drives, as well as network and cloud shares. This function serves as a powerful ransomware deterrent because attackers can't take over domain control, or encrypt or steal data, on drives and objects they can't find or access.
Cyber deception complements existing security controls by detecting discovery, lateral movement, privilege escalation and collection activities that other tools are not designed to address. The technology is highly scalable, which allows it to protect an ever-evolving attack surface.
Many of the attack activities that deception provides visibility to are traditionally challenging to detect. These include lateral movement, credential theft and reuse, internal threat reconnaissance, man-in-the-middle (MiTM) activities, and attacks on directory services such as Lightweight Directory Access Protocol (LDAP) or AD.
The ability to deceive, direct, and guide the adversary away from critical assets denies them their goals and reveals how they intend to move through the network. It also increases the attacker's cost, because they must now decipher what is real from what is fake and are forced to restart their attacks.