Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

08:00 AM
Connect Directly
E-Mail vvv

Advanced Deception: How It Works & Why Attackers Hate It

While cyberattacks continue to grow, deception-based technology is providing accurate and scalable detection and response to in-network threats.

The second of a two-part post on deception.                                       

Distributed deception platforms have grown well beyond basic honeypot trapping techniques and are designed for high-interaction deceptions, early detection, and analysis of attackers' lateral movement. Additionally, deception platforms change the asymmetry of an attack by giving security teams the upper hand when a threat enters their network and forcing the attackers to be right 100% of the time or have their presence revealed, and by providing decoys that obfuscate the attack surface and through valuable threat intelligence and counterintelligence that is required to outmaneuver the advanced human attacker.

Given the increasing number and sophistication of today's breaches, it's not surprising that deception is gaining widespread attention. Neil MacDonald from analyst group Gartner recently recommended it as a 2017 top 10 cybersecurity initiative. Research and Markets has noted the global deception market is expected to grow to $2.12 billion by 2021.

There are a variety of deception solutions available that range from very simple traps to fully automated deception platforms. While individual deceptions offer benefits within their approach, this post focuses on the features common to the distributed deception platforms available on the market that are most actively sought out based on their comprehensive detection and response to advanced threats.

How Deception Works
Fundamentally, deception is designed to detect attackers when they conduct reconnaissance by moving laterally from the initially compromised system, and when they seek to harvest credentials from other systems. The assumption with deception is that no one should be engaging with the deception servers, decoys, lures, or bait because they provide no production capabilities that employees would access. Deception assets aren't advertised to employees, so any reconnaissance activity is a red flag and any engagement should prompt immediate action to prevent attackers from escalating their invasion.

Changing the Asymmetry on Attackers
Deception technology plays an instrumental role in changing the asymmetry of attacks. However, for deception to work, you need authenticity and attractiveness to fool savvy human attackers. Active Directory credential verification authenticates deception credentials as attractive targets. Deception that runs real operating systems and provides customization to match the production environment will appear authentic and trick attackers into revealing their presence. Facades built on emulation can be identified quickly and avoided by attackers. Dynamic behavioral deception techniques improve deception with machine learning that adapts to the behavior of the network, applications, and device profiles and continually refresh to remain attractive.

Additionally, adaptive deception lets organizations reset the deception synthetic network on demand. If you're suspicious of attack activity, resetting the attack surface will avoid attacker fingerprinting that could be used to mark and avoid decoys, create uncertainty, and increase the likelihood of an attacker making a mistake. The increased complexity and cost of restarting will slow an attack and serve as a deterrent, driving the attacker to start over or seek out an easier target.

Early and Accurate Detection
Deception-based detection is designed to detect in-network attackers early, regardless of the attack vector. Unlike other forms of detection, the solution does not require time to learn the network and is effective upon deployment. The network, endpoint, data, application, and Active Directory deceptions work collectively to detect lateral movement, credential theft, man-in-the-middle efforts, and Active Directory attacks.

Comprehensive Deployment
Today's threat landscape and attack surfaces are ever-changing, and detection methods must adapt to provide early detection of threats at the endpoint, and as they move through the network. Comprehensive deception technology scales to the evolving attack surfaces and detects threats throughout user networks, remote office/branch offices, and data centers, and supports data migration to the cloud as well as specialized networks such point-of-sale systems. Out-of-band deployments provide the best operational efficiency and scalability, and agentless endpoint deception simplifies deployment and manageability. If your organization uses an endpoint detection and response solution, look for vendors with integrations that provide automated deployment and integrated management options.

Attack Analysis, Forensic Reporting, and Integrations
Deception platforms with attack threat analysis will save time in automating the analysis and correlation of indicators of compromised information, which can then be used to accelerate incident response. Threat intelligence and forensic evidence reporting let organizations capture and catalogue all attack activity to support understanding of the attacker's objectives, which can lead to better overall security. Deception solutions capture attacker behavior and through integrations share the full tactics, techniques, and procedures of the engagement with firewalls, security and event management systems, network access control products, and endpoint devices. These integrations also empower automated blocking and isolation of infected endpoints.

Through the use of files that contain fake sensitive data, and beaconing technology that calls back when accessed by attackers, counterintelligence can be gathered on which types of files were stolen and for insight into where the data ends up.

High-Interaction Deception
Deception slows the attack as threat actors get lost in the deception environment while thinking they are escalating their attack. The use of adaptive deception creates complexity for the attacker by dynamically changing the perceived attack surface on attackers, increasing their cost, and acting as a deterrent. Notably, this ability to obfuscate the attack surface has proven itself with pen testers, who have also fallen prey to the deception environment and been tracked for days, only to find themselves defeated.

In addition, high-interaction deception for ransomware can slow down an attack by 25x or more. Deception-mapped drives lure attackers and feed them reams of fake data to keep them busy while the infected system is isolated from the network.

Ease of Operations and Risk Insight
Deception makes it easy to deploy solutions for detecting and responding to threats —important in this age of staff shortages. Deception not only strengthens defenses with early and accurate engagement-based detection but also plays a critical role in deterring attacks with visibility tools to assess likely attack paths, time-lapsed maps of attacker movement, and integrations for accelerated incident response. 

While cyberattacks grow in number and sophistication, deception-based technology is providing accurate, scalable detection and response to in-network threats. Organizations increasingly are turning to deception to close the detection deficit and to gain an advantage over attackers with the ability to perform counterintelligence, increase their costs, and slow their attacks. 

Read part one: Deception: Why It's Not Just Another Honeypot.

Related Content:

Carolyn Crandall is the Chief Deception Officer and CMO at Attivo Networks, the leader in deception for cybersecurity threat detection. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
1/12/2018 | 8:36:52 AM
Re: First problem that comes to mind is
How much risk by not knowing?  Answer:  Equifax - near total destruction of trust.

How much will it cost:  Answer: Equifax shareholder value loss and potential loss of C-Suite job.

I think executives would understand the simple answer. 
User Rank: Author
1/11/2018 | 2:41:30 PM
Re: First problem that comes to mind is
It is extremely difficult for CISOs to understand the value behind over 3000 security offerings. Deception technology gets no special exemption from this challenge. The question to ask the C-Suite is how confident are they in knowing if threats have bypassed security controls and are mounting an attack within their network. If they are not 100% confident (who really can be sure?), then deception is an accurate and efficient solution for early threat detection. Does it work? It's pretty easy to test in a POC or stand up during a Pen Test. So, it really boils down to how much risk are they willing to take by not knowing and what will it cost if they are wrong.
User Rank: Ninja
1/5/2018 | 1:22:49 PM
First problem that comes to mind is
Getting approval from the dumb C-Suite to spend actual and for real MONEY on a server structure that does NOTHING perse but emulates something else.  They would not get the benefits and risk-rewards involved and view it as a line-item expense only. 
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
PUBLISHED: 2020-10-21
BigBlueButton before 2.2.8 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or tr...
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.