***Welcome to ashrafedu.blogspot.com * * * This website is maintained by ASHRAF***


    Monday, May 9, 2022

    Deception

    Cyber security deception is a defensive practice that deceives attackers by distributing traps and decoys across the system's infrastructure that imitate genuine assets.

    The aim of deception is to detect a cyber criminal who has already infiltrated the network early enough to prevent them from doing significant damage.

    Deception technology is a simple but effective approach to build security defenses that detect threats early with minimal performance impact on the network.

    Decoys are realistic but fake assets (domains, databases, servers, applications, files, credentials, etc.).

    Decoys are deployed alongside legitimate assets. An attacker who has breached the network has no reliable way to tell the fake assets from the real ones. The moment the attacker interacts with a decoy, a silent alarm is raised and the system records the attacker's actions and intent.

    Advantages of Deception Technology

    The advantages of deception technology are:

    1. Improved Threat Detection

    Deception produces 'periscope events': behaviour that, when detected, clearly indicates that an attacker is in the network, because no legitimate user has any reason to touch a decoy. Periscope events are highly accurate while still giving broad threat coverage.

    2. Business Risk Awareness

    Deception can be aligned with the current business threat perception. For example, a company expecting attention around an upcoming product launch can create decoys around that launch, aligning security controls tightly to the areas where the organization perceives risk.

    3. Greater Coverage

    Deception can be applied across the enterprise, including environments that are often neglected blind spots.

    Deception can detect threats at the perimeter, the endpoint, the network, Active Directory and the application layer, and can also cover more neglected environments such as IoT and cloud.

    Deception also covers the entire kill chain, from pre-attack reconnaissance through exploitation, privilege escalation and lateral movement to data theft or destruction.

    4. Extremely Low False Positives

    False positives cripple security team productivity. Deception has an intrinsically low false-positive rate.

    Most behaviour-based systems try to learn a baseline of normal activity and then classify deviations from it as anomalous; this produces a steady stream of false positives. Deception instead works from a zero-activity baseline: a decoy has no legitimate users, so any activity on it at all is worth investigating.

    5. Orchestrated Response

    Orchestrated or automated response is only really useful when the triggering event is close to 100% certain. Plenty of orchestration tooling is being built, but few real-world transformational orchestration use cases exist, because very few alerts are that certain. Deception alerts are.

    In terms of containment / response use cases, deception alerts can integrate with:

    • Network Access Control, to quarantine the compromised asset
    • Web gateways, to disable the compromised asset's Internet access and to block phishing sites identified by email decoys
    • Endpoint protection, to kill a suspicious process or quarantine the endpoint
    • Directory Services / Identity and Access Management, to disable the user's account, change its password, and enable or enforce two-factor authentication
    • Firewalls, to dynamically deny access to network segments
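    The detect-then-respond loop described above (a decoy raises an alert on any activity at all, and because that alert is near-certain it can drive containment) as a worked example. This is added illustration, not the page's own code or any product's: the decoy inventory, the syslog-style log lines and the action names are all constructed for the example, and the orchestration integrations are represented as plain tuples rather than calls to a real NAC, firewall or IAM API.

```python
"""Decoy-interaction detection on a zero-activity baseline, and the
containment actions such an alert would hand to orchestration.

Added example: the decoy inventory, the log lines and the action names
are constructed for illustration and come from no real product."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import re

# Hypothetical decoy inventory. Nothing legitimate ever needs these,
# so the expected activity on them is zero.
DECOY_ACCOUNTS = {"svc_backup_legacy", "admin_dr"}
DECOY_HOSTS = {"fs-archive-02", "10.0.9.250"}
DECOY_FILES = {"/srv/finance/Q3_board_deck.xlsx"}

# Which kill-chain stage a touch on a decoy indicates, by event type.
STAGE = {"net": "reconnaissance/lateral movement",
         "auth": "credential use",
         "smb": "data theft"}

# Constructed log lines in a simple "timestamp type key=value ..." shape.
SAMPLE_LOGS = [
    "2022-05-09T10:01:02 auth host=ws-17 user=alice src=10.0.4.21 result=success",
    "2022-05-09T10:01:40 auth host=fs-archive-02 user=svc_backup_legacy src=10.0.4.88 result=failure",
    "2022-05-09T10:02:05 smb host=fs-prod-01 user=bob src=10.0.4.22 path=/srv/shared/notes.txt",
    "2022-05-09T10:02:33 smb host=fs-prod-01 user=alice src=10.0.4.88 path=/srv/finance/Q3_board_deck.xlsx",
    "2022-05-09T10:03:10 net host=10.0.9.250 src=10.0.4.88 dport=445",
    "2022-05-09T10:03:11 net host=10.0.9.250 src=10.0.4.88 dport=3389",
]

KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    decoy_type: str        # "account", "host" or "file"
    decoy: str
    src: str               # attacker's source address (the IOC)
    user: Optional[str]    # account the attacker was using, if any
    stage: str


def parse(line: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a log line into (timestamp, event type, key/value fields)."""
    timestamp, event_type, rest = line.split(" ", 2)
    return timestamp, event_type, dict(KV.findall(rest))


def detect(lines: List[str]) -> List[Alert]:
    """Raise one alert per decoy touched. There is no threshold and no
    learned baseline: a decoy has no legitimate users, so a single event
    is already a confirmed sign of an intruder (a 'periscope event')."""
    alerts = []
    for line in lines:
        timestamp, event_type, f = parse(line)
        touched = []
        if f.get("user") in DECOY_ACCOUNTS:
            touched.append(("account", f["user"]))
        if f.get("host") in DECOY_HOSTS:
            touched.append(("host", f["host"]))
        if f.get("path") in DECOY_FILES:
            touched.append(("file", f["path"]))
        for decoy_type, decoy in touched:
            alerts.append(Alert(timestamp, decoy_type, decoy,
                                f.get("src", "?"), f.get("user"),
                                STAGE.get(event_type, "unknown")))
    return alerts


def response_plan(alerts: List[Alert]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group alerts by attacker source and derive the containment actions
    listed above: NAC quarantine, firewall deny, and IAM disable/reset of
    any real account the attacker used (the decoy account itself is not a
    real account). A set keeps the plan idempotent when one source trips
    several decoys."""
    plan: Dict[str, set] = {}
    for a in alerts:
        actions = plan.setdefault(a.src, set())
        actions.add(("nac", "quarantine", a.src))
        actions.add(("firewall", "deny_segment_access", a.src))
        if a.user and a.user not in DECOY_ACCOUNTS:
            actions.add(("iam", "disable_account", a.user))
            actions.add(("iam", "force_password_reset", a.user))
    return {src: sorted(acts) for src, acts in plan.items()}


def iocs(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Per-source list of kill-chain stages observed, for IOC/TTP metrics."""
    out: Dict[str, List[str]] = {}
    for a in alerts:
        stages = out.setdefault(a.src, [])
        if a.stage not in stages:
            stages.append(a.stage)
    return out


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"{a.timestamp} {a.decoy_type}:{a.decoy} touched from {a.src} ({a.stage})")
    print(response_plan(found))
    print(iocs(found))
```

    Note that the zero-activity baseline only holds if nothing legitimate ever reaches the decoys. In practice, vulnerability scanners, backup agents and AV sweeps are the usual sources of decoy hits that are not attackers; those should be excluded from the decoy inventory or from the log feed before alerts are wired to automated containment.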

    Deception technology gives security teams a set of tactics whose resulting benefits help to:

    • Decrease attacker dwell time on the network
    • Shorten the average time to detect and remediate threats
    • Reduce alert fatigue
    • Produce metrics around indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs)
