Hacker attacks are often based on social engineering. Attackers send phishing emails, create fake websites and apps. Their goal is to force the victim to click a malicious link, open a virus file, or provide sensitive data. Simply put, cybercriminals try to deceive their victims. Deception technology adopts the same principle. It is intended to deceive the hackers. And it does it very successfully. Gartner analysts placed the deception approach on their radar of the most promising security technologies. Deception technology is easy to deploy, and it is effective in detecting and avoiding various threats aimed at organizations of all sizes. If you doubt whether your company needs to employ deception technology, here are seven reasons to try this defense practice.

0-day vulnerability protection

0-days are vulnerabilities discovered in the course of their exploitation. They are extremely dangerous as for some (sometimes awfully long) time they remain unknown to most means of protection. Deception is an effective technology for protecting against 0-days that acts as an additional layer of protection.

When an intruder penetrates a workplace or server using an unknown vulnerability, his task is to move through the network, gain access to all machines, and figure out where critical data and backups are stored. Deception consists of traps and decoys. Traps can imitate servers, equipment, workplaces within the network, and decoys can imitate data to access these traps. Deception technology helps to detect attackers as soon as they are trapped and continue to entangle them in a false infrastructure while analyzing attackers’ techniques and tools. This data can be collected and used as indicators of compromise to protect other network segments where a similar intrusion attempt may occur.

Since information about the source of the attack is also available, it is possible to block hackers both on the trap itself and on the machine which they used to penetrate the system.

Since attackers, exploiting 0-day vulnerabilities, often use completely legitimate tools, other security systems can miss the attack. For example, it could be a standard RDP connection to a remote server. From the point of view of antivirus or EDR, nothing illegal is happening. But if the connection to the trap did happen, it means that neither the antivirus nor EDR detected the malware or malicious activity.

Therefore, deception technology plays the role of an additional layer of protection within the organization’s network. From the point of view of such a dangerous problem as the exploitation of zero-day vulnerabilities, deception technology, in fact, can be the only solution to detect intruders.

Barrier against ransomware and data breaches

Cyber extortionists aim to gain access to the attacked infrastructure, steal or encrypt important data, and demand a ransom. Therefore, it is crucial to detect such intruders as early as possible when they conduct the first stages of the attack – conduct reconnaissance, study the infrastructure, and determine data storage locations. Deception could be effective in terms of early detection of intruders within the network if they were able to bypass other protections.

Besides, malicious insiders constitute one more source of threat. These are bribed, quitting, or offended employees. They can launch externally controlled malware inside the infrastructure using their legitimate access rights. Deception technology can play an essential role in countering such attacks. Traps located inside the network help to lure the attacker into a decoy infrastructure. Moreover, the traps are made in such a way that they are as similar as possible to real devices or servers, and the attacker cannot immediately understand where he is.

In addition, you can create various types of false data like disc images, etc., which the ransomware authors will try to copy and send to their servers. This data can contain specific signs which will help to track intruders. These signs can be helpful when investigating an incident. In this case, a particular seller can be associated with the incident, specific data, and specific trap.

IoT \ SCADA protection

You can use traps not only with common IT infrastructure objects, such as workplaces, servers, or office equipment, but also create copies and analogs of Internet of Things and\or SCADA objects. Traps can be designed to imitate controllers, sensors, control systems, cameras, etc. Separately, it is worth mentioning the importance of using deception technology with medical equipment where the earliest possible detection of any attack can save patients’ lives.

Investigation of information security incidents

Two main types of traps are commonly used, light and interactive. Light traps do not require significant resources to operate but fully support the network protocols of the equipment they imitate. Their purpose is to record an intrusion attempt. Such lightweight traps can be quickly and massively deployed in real infrastructure.

The second type is represented by interactive traps, which are full-fledged operating systems with different software installed. If a malicious program gains access to an interactive trap, the system collects detailed information about its behavior, including the penetration method used, running processes and their parameters, the nature of the data collected and loaded from outside, and tools used. All data is automatically copied for research to other security systems, such as sandboxes. So, complete information about penetration techniques and tactics is collected, as well as various indicators of compromise, such as hash sums of downloaded files, commands used, etc.

Machine learning and artificial intelligence

Machine learning allows you to save the information security team from unnecessary efforts when applying deception methods. It is used to generate traps so that they look realistic. At the same time, they are not complete copies of each other or actual hosts. Machine learning allows you to analyze accurate data on the network and generate false data for decoys, reducing the amount of work of security specialists.

Machine learning also helps shape the realistic behavior of each trap by analyzing network performance and simulating real traffic.

Easy integration with other systems and another step toward automation

The most popular option in terms of automation is when deception gives a signal to block the processes or workstation from which the attack is launched.

Besides, deception technology can automatically transfer the collected indicators of compromise to other security systems for them to decide whether to block other hosts when these indicators are detected. Deception naturally integrates with SIEM and SOAR systems. Deception can also integrate with various firewalls, including NGFW.

Opportunity to launch a pilot project

Deception tools, like many other security products, can be deployed in the customer’s infrastructure to demonstrate their applicability. However, it is worth noting that deception usually does not actively manifest itself but expects an attack and prepares to lure intruders. Therefore, during the pilot project, the vendor must demonstrate not only the deployment of deception elements inside the infrastructure but also launch a set of false attacks that can potentially be carried out both from the outside and inside the client’s infrastructure.

There is a specific set of demonstration stages that should be approved by the customer, within which the operation of the deception system is shown during false attacks. Sometimes interesting cases arise when a customer sees that other security systems already installed and used do not react to attacks in any way.

Conclusion

Deception is a relatively new technology. Most solutions of this class appeared on the market not so long ago; however, they are gradually gaining popularity. Deception technology does not replace standard, generally accepted information security systems. It complements protection systems, allowing you to detect attacks that have bypassed all other means.

Deception technology is very flexible. Thanks to its easy integration with other information security tools, it provides a wide range of attack detection capabilities. With deception technology, you can embed various mechanisms for inventorying network assets, responding to incidents, and more. The effectiveness of deception systems depends on how they are designed and configured. If everything is done correctly, the attacker will not guess he is facing a fake target. And even if he guesses, it will be too late.

Image credit: alphaspirit/depositphotos.com

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis. Alex has strong malware removal skills. He is writing for numerous tech-related publications sharing his security experience.