Deception technology can help a security team detect cyberattacks by surfacing activity that traditional defenses miss. It can also be used to thwart insider threats.
There are several kinds of deception technology, each with specific use cases and requirements. This post gives an overview of the main varieties, including honeypots, endpoint lures, and network decoys.
Honeypots are one type of deception technology that organizations often use to gather valuable cyber intelligence without jeopardizing their networks. They are also helpful for diverting malicious traffic away from sensitive systems and identifying zero-day attacks before they occur.
Ideally, honeypots should not receive any legitimate traffic; that way, the only activity they log is a probe or intrusion attempt. This makes it easier for security teams to spot a pattern indicative of an attack and act quickly to stop the threat.
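The following is an added example, not code from any product mentioned on this page. It shows how the "no legitimate traffic" property turns decoy logs into high-fidelity alerts: every contact is flagged, and one source touching several decoys in a short window is escalated as a probable reconnaissance sweep. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample decoy log lines (hypothetical format). A decoy gets no legitimate traffic, so every line is suspect.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z decoy=hp-fileshare-01 src=10.20.5.17 dport=445 event=connect
2024-03-01T10:00:03Z decoy=hp-fileshare-01 src=10.20.5.17 dport=445 event=auth_fail user=backup_admin
2024-03-01T10:00:09Z decoy=hp-db-02 src=10.20.5.17 dport=1433 event=connect
2024-03-01T10:00:15Z decoy=hp-printer-03 src=10.20.5.17 dport=9100 event=connect
2024-03-01T11:30:00Z decoy=hp-db-02 src=10.20.7.40 dport=1433 event=connect
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) decoy=(?P<decoy>\S+) src=(?P<src>\S+) "
                     r"dport=(?P<dport>\d+) event=(?P<event>\S+)")

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def alerts_from_decoy_events(events, window=timedelta(minutes=5), scan_threshold=3):
    """Rule 1: any contact with a decoy is at least MEDIUM (no client should be there).
    Rule 2: an auth attempt against a decoy is HIGH (a lure credential is in play).
    Rule 3: one source touching >= scan_threshold distinct decoys within `window`
    is HIGH, the pattern of an internal reconnaissance sweep."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        severity, reasons = "MEDIUM", ["contact with decoy"]
        if any(e["event"].startswith("auth") for e in evs):
            severity, reasons = "HIGH", reasons + ["credential use against decoy"]
        for i, first in enumerate(evs):  # sliding window per source
            seen = {e["decoy"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(seen) >= scan_threshold:
                severity = "HIGH"
                reasons.append(f"{len(seen)} decoys in {window}")
                break
        alerts[src] = {"severity": severity,
                       "decoys": sorted({e["decoy"] for e in evs}),
                       "reasons": reasons}
    return alerts
```

The returned dict is the shape a SIEM connector would forward: one alert per source with the decoys touched and the reasons for its severity.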
Modernized deception technology can emulate servers, endpoints, network appliances, and IoT devices. These decoys can be a single unit or distributed across a network, simplifying deployment and management.
Another benefit of using honeypots is that they can help you better understand how attackers conduct their attacks, what tools, tactics, and procedures they use, and what vulnerabilities they exploit to break into your systems. These insights can also be valuable in assessing your current cybersecurity strategy and identifying gaps.
However, despite their effectiveness, honeypots come with several significant risks. First, they can put your company’s reputation at risk if someone discovers you rely on this deception technology. Second, they can create privacy and liability issues.
Deception technologies thwart malware installations by emulating anti-virus software or throwing off malware profiling processes. According to industry analysts, they can also intercept data traffic in real time as attackers move laterally through the network.
These technologies are a new, non-invasive way to turn the tables on infiltrators, who have been reported to spend 191 days on average inside an organization before being detected. That time includes reconnaissance and lateral movement that are difficult to see with traditional defense in depth.
Security operations personnel can receive millions of alerts daily and must focus on critical ones to effectively protect the organization. That is why it is essential to use deception technology that enables the SOC team to focus on the most relevant and effective alerts for the company.
CYBERTRAP Endpoint Deception uses hidden lures that mimic production network assets such as firewalls, routers, switches, printers, and webcams. These lures are designed to look realistic in a way that would be difficult for an attacker to distinguish from the real thing.
The deception system monitors and evaluates the attacker’s behavior and then generates threat intelligence that can be integrated into SOC/SIEM systems, IPS, and firewalls to strengthen security measures in production networks holistically. By doing this, defenders can quickly identify and remediate at-risk credentials, paths, and networks to stop attacks before they can break out and cause damage to the enterprise.
Network lures are designed to mimic the behavior of production network traffic. They learn from Active Directory or network traffic, create decoy entities that match the production environment precisely, and constantly adapt to changes in the background environment.
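As an added illustration (not the page's or any vendor's code) of what "learning from Active Directory" can mean in its simplest form: the example below infers the hostname convention (prefix, numbering, zero-padding) from a constructed list of production computer names and generates decoy names that follow the same convention without colliding with real hosts. Real products learn far more than names; this isolates the naming step.

```python
import re
from collections import defaultdict

# Constructed sample of Active Directory computer names (hypothetical, not real data).
PRODUCTION_HOSTS = [
    "WS-FIN-0101", "WS-FIN-0102", "WS-FIN-0104",
    "WS-HR-0201", "WS-HR-0202",
    "SRV-FILE-01", "SRV-FILE-02", "SRV-SQL-01",
]

NAME_RE = re.compile(r"^(?P<prefix>[A-Z]+-[A-Z]+-)(?P<num>\d+)$")

def learn_naming_families(hosts):
    """Group hostnames by textual prefix, recording the numbers in use and the
    zero-padding width, so decoys can follow the same convention."""
    families = defaultdict(lambda: {"nums": set(), "width": 0})
    for h in hosts:
        m = NAME_RE.match(h)
        if not m:
            continue  # names outside the convention are left alone
        fam = families[m.group("prefix")]
        fam["nums"].add(int(m.group("num")))
        fam["width"] = max(fam["width"], len(m.group("num")))
    return families

def generate_decoy_names(hosts, per_family=1):
    """Return decoy hostnames inside each family's numeric range (gaps first,
    then one past the maximum) that never collide with a real host."""
    existing = set(hosts)
    decoys = []
    for prefix, fam in sorted(learn_naming_families(hosts).items()):
        nums = fam["nums"]
        candidates = [n for n in range(min(nums), max(nums) + 1) if n not in nums]
        candidates += [max(nums) + k for k in range(1, per_family + 1)]
        for n in candidates[:per_family]:
            name = f"{prefix}{n:0{fam['width']}d}"
            if name not in existing:
                decoys.append(name)
                existing.add(name)
    return decoys
```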
For example, shipping notifications and “business transaction” email lures are still among the most popular phishing tactics in 2016. These emails often carry document attachments with embedded malicious code that the recipient must enable; once opened, the malware can download and install banking Trojans such as Dridex or ransomware such as Locky.
These threats continue to grow as a percentage of overall malware payloads. This year, it’s estimated that at least $30 million in Dridex and Locky infections have been detected.
Deception technology can detect these attacks with almost zero false positives, but it must be able to scale across thousands of endpoints in a single environment. Additionally, it needs centralized management so administrators can quickly identify and investigate a threat before attackers can exploit it.
Deception also has the advantage of putting the burden of success on the adversary instead of the defender so that it can be applied more broadly than other solutions. It can also be integrated with other security controls to align them tightly with current business risks.
Deception technology software creates decoys, dummy proxies, honeypots, and other lures that engage potential threats and address them directly. Once a threat is identified, deception technology software quickly adjusts security posture and alerts security teams.
Unlike standalone deception tools, deception technology software integrates with other security tools like firewalls, SIEMs, NAC solutions, and EDR tools to contain attacks rapidly. It enables the detection of attackers at the earliest stages of a breach.
While many deception techniques are based simply on detecting an intruder’s presence, others rely on a more sophisticated analysis of threat intelligence to determine the nature of a threat. This information can then be shared with other security tools through integrations so that automated, rapid-response actions are taken to shut down attacks and protect your network.
In addition to detecting a threat, deception technology can disrupt the attacker’s progress and prevent lateral movement within your environment. It is critical to preventing ransomware and other threats seeking to bypass traditional perimeter-based defenses.
For example, semantic priming of test words in word recognition increased the false-alarm rate and mean of confidence ratings to lures. It was interpreted by the Unequal Variance Signal Detection (UVSD) model as an increase in the standard deviation of the evidence distribution for the lure recognition process and by the Dual Process Signal Detection (DPSD) model as decreasing the probability of target recollection.