Advanced Deception: How It Works & Why Attackers Hate It

While cyberattacks continue to grow, deception-based technology is providing accurate and scalable detection and response to in-network threats.

The second of a two-part post on deception.

Distributed deception platforms have grown well beyond basic honeypot trapping techniques and are designed for high-interaction deceptions, early detection, and analysis of attackers' lateral movement. Additionally, deception platforms change the asymmetry of an attack: they give security teams the upper hand once a threat enters the network by forcing attackers to be right 100% of the time or have their presence revealed, they provide decoys that obfuscate the attack surface, and they yield the threat intelligence and counterintelligence required to outmaneuver an advanced human attacker.

Given the increasing number and sophistication of today's breaches, it's not surprising that deception is gaining widespread attention. Neil MacDonald from analyst group Gartner recently recommended it as a 2017 top 10 cybersecurity initiative. Research and Markets has noted the global deception market is expected to grow to $2.12 billion by 2021.

There are a variety of deception solutions available that range from very simple traps to fully automated deception platforms. While individual deceptions offer benefits within their approach, this post focuses on the features common to the distributed deception platforms available on the market that are most actively sought out based on their comprehensive detection and response to advanced threats.

How Deception Works
Fundamentally, deception is designed to detect attackers when they conduct reconnaissance by moving laterally from the initially compromised system, and when they seek to harvest credentials from other systems. The assumption with deception is that no one should be engaging with the deception servers, decoys, lures, or bait because they provide no production capabilities that employees would access. Deception assets aren't advertised to employees, so any reconnaissance activity is a red flag and any engagement should prompt immediate action to prevent attackers from escalating their invasion.
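The rule above, that any engagement with a decoy is a red flag because decoys have no production use, can be turned directly into detection logic. The following is an added example, not code from the article or from any vendor's platform; the decoy inventory, account and host names, and the simplified logon-event format are all constructed for illustration:

```python
"""Decoy-engagement detector (added example, hypothetical names and format).

Deception assets have no legitimate users, so every logon that uses a planted
decoy credential or targets a decoy host is a high-confidence alert, and a
failed attempt counts too: the credential only exists as bait, so an attacker
must have harvested it from somewhere.
"""
from dataclasses import dataclass

# Constructed inventory of deception assets registered by the defender.
DECOY_ACCOUNTS = {"svc_backup_admin", "finance_share_ro"}
DECOY_HOSTS = {"FILESRV-07", "SQL-ARCHIVE-02"}

# Constructed, simplified logon events: event_id;status;account;source;target
SAMPLE_EVENTS = """\
4624;SUCCESS;jsmith;WS-0114;FILESRV-01
4625;FAILURE;svc_backup_admin;WS-0114;DC-01
4624;SUCCESS;jsmith;WS-0114;SQL-ARCHIVE-02
4624;SUCCESS;finance_share_ro;WS-0231;FILESRV-07
4624;SUCCESS;mlee;WS-0231;FILESRV-01
"""


@dataclass(frozen=True)
class Alert:
    reason: str
    account: str
    source: str
    target: str


def parse_event(line: str) -> dict:
    """Split one constructed logon line into its fields."""
    event_id, status, account, source, target = line.strip().split(";")
    return {"id": event_id, "status": status, "account": account,
            "source": source, "target": target}


def detect(events: str) -> list[Alert]:
    """Return one Alert per decoy touch (an event can trigger two)."""
    alerts = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["account"].lower() in DECOY_ACCOUNTS:
            alerts.append(Alert("decoy credential used", **{k: ev[k] for k in ("account", "source", "target")}))
        if ev["target"].upper() in DECOY_HOSTS:
            alerts.append(Alert("decoy host contacted", **{k: ev[k] for k in ("account", "source", "target")}))
    return alerts


def engaged_sources(alerts: list[Alert]) -> list[str]:
    """Endpoints that touched a decoy: candidates for isolation and forensics."""
    return sorted({a.source for a in alerts})
```

Running `detect(SAMPLE_EVENTS)` yields four alerts from three events, and `engaged_sources` names the two workstations a responder would isolate first.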

Changing the Asymmetry on Attackers
Deception technology plays an instrumental role in changing the asymmetry of attacks. However, for deception to work, you need authenticity and attractiveness to fool savvy human attackers. Verifying deception credentials against Active Directory makes them look like legitimate, attractive targets. Deception that runs real operating systems and provides customization to match the production environment will appear authentic and trick attackers into revealing their presence. Facades built on emulation can be identified quickly and avoided by attackers. Dynamic behavioral deception techniques improve deception with machine learning that adapts to the behavior of the network, applications, and device profiles and continually refresh to remain attractive.

Additionally, adaptive deception lets organizations reset the deception synthetic network on demand. If you're suspicious of attack activity, resetting the attack surface will avoid attacker fingerprinting that could be used to mark and avoid decoys, create uncertainty, and increase the likelihood of an attacker making a mistake. The increased complexity and cost of restarting will slow an attack and serve as a deterrent, driving the attacker to start over or seek out an easier target.

Early and Accurate Detection
Deception-based detection is designed to detect in-network attackers early, regardless of the attack vector. Unlike other forms of detection, the solution does not require time to learn the network and is effective upon deployment. The network, endpoint, data, application, and Active Directory deceptions work collectively to detect lateral movement, credential theft, man-in-the-middle efforts, and Active Directory attacks.

Comprehensive Deployment
Today's threat landscape and attack surfaces are ever-changing, and detection methods must adapt to provide early detection of threats at the endpoint and as they move through the network. Comprehensive deception technology scales to the evolving attack surfaces and detects threats throughout user networks, remote office/branch offices, and data centers, and supports data migration to the cloud as well as specialized networks such as point-of-sale systems. Out-of-band deployments provide the best operational efficiency and scalability, and agentless endpoint deception simplifies deployment and manageability. If your organization uses an endpoint detection and response solution, look for vendors with integrations that provide automated deployment and integrated management options.

Attack Analysis, Forensic Reporting, and Integrations
Deception platforms with attack threat analysis save time by automating the analysis and correlation of indicators of compromise, which can then be used to accelerate incident response. Threat intelligence and forensic evidence reporting let organizations capture and catalogue all attack activity to support understanding of the attacker's objectives, which can lead to better overall security. Deception solutions capture attacker behavior and, through integrations, share the full tactics, techniques, and procedures of the engagement with firewalls, security information and event management systems, network access control products, and endpoint devices. These integrations also enable automated blocking and isolation of infected endpoints.

Through the use of files that contain fake sensitive data, and beaconing technology that calls back when accessed by attackers, counterintelligence can be gathered on which types of files were stolen and for insight into where the data ends up.

High-Interaction Deception
Deception slows the attack as threat actors get lost in the deception environment while thinking they are escalating their attack. The use of adaptive deception creates complexity for the attacker by dynamically changing the perceived attack surface on attackers, increasing their cost, and acting as a deterrent. Notably, this ability to obfuscate the attack surface has proven itself with pen testers, who have also fallen prey to the deception environment and been tracked for days, only to find themselves defeated.

In addition, high-interaction deception for ransomware can slow down an attack by 25x or more. Deception-mapped drives lure attackers and feed them reams of fake data to keep them busy while the infected system is isolated from the network.

Ease of Operations and Risk Insight
Deception makes it easy to deploy solutions for detecting and responding to threats, which is important in this age of staff shortages. Deception not only strengthens defenses with early and accurate engagement-based detection but also plays a critical role in deterring attacks with visibility tools to assess likely attack paths, time-lapsed maps of attacker movement, and integrations for accelerated incident response.

While cyberattacks grow in number and sophistication, deception-based technology is providing accurate, scalable detection and response to in-network threats. Organizations increasingly are turning to deception to close the detection deficit and to gain an advantage over attackers with the ability to perform counterintelligence, increase their costs, and slow their attacks.

Read part one: Deception: Why It's Not Just Another Honeypot.

Carolyn Crandall is the Chief Security Advocate and CMO at Attivo Networks, the leader in cyber deception and attacker lateral movement detection. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise ...

User Rank: Ninja
1/12/2018 | 8:36:52 AM
Re: First problem that comes to mind is
How much risk by not knowing?  Answer:  Equifax - near total destruction of trust.

How much will it cost:  Answer: Equifax shareholder value loss and potential loss of C-Suite job.

I think executives would understand the simple answer. 
User Rank: Author
1/11/2018 | 2:41:30 PM
Re: First problem that comes to mind is
It is extremely difficult for CISOs to understand the value behind over 3000 security offerings. Deception technology gets no special exemption from this challenge. The question to ask the C-Suite is how confident are they in knowing if threats have bypassed security controls and are mounting an attack within their network. If they are not 100% confident (who really can be sure?), then deception is an accurate and efficient solution for early threat detection. Does it work? It's pretty easy to test in a POC or stand up during a Pen Test. So, it really boils down to how much risk are they willing to take by not knowing and what will it cost if they are wrong.
User Rank: Ninja
1/5/2018 | 1:22:49 PM
First problem that comes to mind is
Getting approval from the dumb C-Suite to spend actual and for real MONEY on a server structure that does NOTHING per se but emulates something else. They would not get the benefits and risk-rewards involved and view it as a line-item expense only.