What is Deception Technology?
Deception technology is a strategy that lures attackers away from an enterprise's real assets and toward decoys or traps. A decoy mimics legitimate servers, applications, credentials, and data closely enough that the attacker believes they have reached the enterprise's most valuable assets when they have not. The goal is to limit damage, protect the real assets, and detect the intrusion while it is still in progress.
Deception technology is usually not an organization's primary security control. Preventive controls still aim to block all unauthorized access; deception assumes that some of it will succeed and becomes useful once an attacker is already inside. Diverting the intruder toward fake data and credentials both protects the real assets and produces a reliable signal that a breach has occurred.
Another benefit of deception technology is research. By observing how attackers cross the security perimeter and try to steal what they believe is legitimate data, security analysts can study their behavior in depth. Some organizations deploy a centralized deception server that records the intruder's movements, first as they gain unauthorized access and then as they interact with the decoy. The server logs every technique used during the attack, giving the security team data it can use to harden defenses and prevent similar attacks in the future.
The risk of deception technology is that it only works while the attacker believes it. Modern intrusions are larger and more sophisticated, and a deception server with its decoy assets may not cover every path an attacker takes. If the decoys are poorly blended into the environment (unrealistic names, no normal traffic, default configurations), an attacker can fingerprint them quickly, abort the attack, and come back with better knowledge of what to avoid.
To work, decoys must be invisible to employees, contractors, and customers in their day-to-day activity. No legitimate user or process should ever have a reason to touch them, which is exactly what makes any interaction with a decoy a high-fidelity signal.
How Threat Deception Technology Works
Threat deception technology works by tricking an attacker into pursuing false resources inside your environment. The decoys mimic the kinds of digital assets you would normally have in your infrastructure, but they are traps: when an attacker goes after them, no business-critical system is harmed.
The aim is to make the attacker believe they have actually compromised the system. For example, a decoy can make them think they have executed a successful privilege escalation. While they believe they are acquiring the rights of a network administrator, they are operating in a contained environment, gaining no real privileges and having no significant effect on your infrastructure.
Another key element is the alerting and recording pipeline. The moment an attacker touches a decoy, the deception server is notified and begins recording what they do in that part of the environment. In this way, deception technology yields intelligence about the tools, techniques, and procedures attackers actually use.
Another benefit of deception technology techniques is they enable an IT team to ascertain which assets are the most attractive to attackers. For example, while it is safe to presume that a database of user information—such as payment data, names, addresses, and social security numbers—is an attractive target, with security deception technology, you can verify that these are indeed assets hackers are after.
Further, you can determine the exact kinds of data a hacker is after by mimicking environments that contain one or more types of information. For example, you can create fake databases containing social security numbers, names and addresses, and the account login credentials of specific company principals. Then you can observe which assets attackers choose to target. This gives you more insight into what they are looking for.
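The decoy-credential workflow described in this section (plant bait accounts, get notified the moment one is used, and learn which bait the attacker preferred), as an added example in Python. This is not Fortinet's or FortiDeceptor's code. The decoy account names, the simplified auth-log format, the constructed log lines, and the helper names are assumptions made for illustration.

```python
"""Decoy-credential (honeytoken) registry and detector.

Added example, not the page's or any vendor's code. The account names,
log format, and sample log lines below are constructed for illustration.
"""
import re
import secrets
from collections import defaultdict

# Decoy identities, each tagged with the bait it represents. No legitimate
# process ever uses these, so any authentication attempt with one of them
# is a high-fidelity alert, and the tag tells you which bait was taken.
DECOYS = {
    "svc_payroll_backup": "payroll database service account",
    "ceo_assistant": "executive mailbox credential",
    "iot-camera-admin": "IoT camera admin account",
}


def generate_decoy_password(length=20):
    """Random password for a decoy account. It is planted in bait files
    (a passwords.txt on a share, a commented-out config line) so it looks
    attractive, but it is valid on no real system."""
    return secrets.token_urlsafe(length)


# Constructed auth-log lines in a simplified key=value format (assumption).
AUTH_LOG = """\
2024-03-01T02:11:03Z host=fs01 event=login_attempt user=jsmith src=10.0.4.17 result=success
2024-03-01T02:14:47Z host=fs01 event=login_attempt user=svc_payroll_backup src=10.0.4.17 result=failure
2024-03-01T02:14:49Z host=db02 event=login_attempt user=svc_payroll_backup src=10.0.4.17 result=failure
2024-03-01T02:20:10Z host=mail01 event=login_attempt user=ceo_assistant src=10.0.4.17 result=failure
2024-03-01T02:25:00Z host=fs01 event=login_attempt user=mwong src=10.0.7.3 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=login_attempt user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line, or None if it is not a login event."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_use(log_text, decoys=DECOYS):
    """Return one alert per log line that uses a decoy account, plus a
    per-source summary of which baits were taken, in the order taken.

    Note that a *successful* login with a decoy account is alerted too:
    the decoy system accepts it on purpose so the attacker keeps engaging.
    """
    alerts = []
    per_source = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] not in decoys:
            continue
        bait = decoys[rec["user"]]
        alerts.append({**rec, "bait": bait, "severity": "high"})
        if bait not in per_source[rec["src"]]:
            per_source[rec["src"]].append(bait)
    return alerts, dict(per_source)


if __name__ == "__main__":
    found, summary = detect_decoy_use(AUTH_LOG)
    for a in found:
        print(f"[{a['severity']}] {a['ts']} {a['src']} used decoy '{a['user']}' "
              f"({a['bait']}) on {a['host']}: {a['result']}")
    print("baits taken per source:", summary)
```

Run against the constructed log, the detector raises three alerts, all from 10.0.4.17, and the summary shows that this source went for the payroll service account first and the executive mailbox credential second, which is the "which assets are most attractive" signal the text describes.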
Why is Deception Technology Important?
Deception technology delivers several key benefits and is considered an important component of a robust cybersecurity strategy.
Decrease Attacker Dwell Time on the Network
Dwell time is the interval between an attacker's first foothold and their discovery. Because legitimate users never interact with decoys, the first touch of a decoy asset is an alert rather than noise, so the attacker is discovered as soon as they begin exploring instead of weeks later. For this to work, the decoys must be attractive enough that an attacker chooses them over real assets.
Even when an attacker realizes that they have been engaging with decoys and that the organization's real assets are out of reach, the usual outcome is that they abandon the attempt, knowing they have been seen. Either way, deception technology shortens the attacker's dwell time on the network.
Expedite the Average Time To Detect and Remediate Threats
Because an alert from a decoy is rarely a false positive, IT teams treat a cyberattack on decoy assets as a priority, concentrating their efforts on studying its behaviors and movements. When unauthorized access or unusual behavior is observed on the decoy assets, IT moves quickly. Deception technology therefore shortens the average time to detect and remediate threats.
Reduce Alert Fatigue
Too many security alerts can easily overwhelm an IT team. With deception technology in place, the team is notified when an attacker who has breached the perimeter begins to interact with decoy assets. Because no legitimate activity touches the decoys, these alerts carry little noise, and the follow-on alerts help the team understand the malicious behavior and track the attacker's activity.
What Cybersecurity Attacks Can Be Detected by Threat Deception Technology?
Some of the attacks threat deception technology can detect include:
- Account hijacking attacks: The attacker tries to take over someone's account using stolen credentials. A decoy account that is suddenly logged into reveals the attempt.
- Credential theft: The attacker obtains a set of credentials and uses them in a later stage of the attack. Decoy credentials planted in files, memory, or configuration trigger an alert the first time they are replayed.
- IoT attacks: The attacker targets Internet-of-Things (IoT) devices, counting on weaker access controls such as default passwords to gain a foothold on the organization's network. Decoy IoT devices catch these attempts.
- Lateral movement attacks: The attacker moves east-west, or laterally, through the network by compromising one system and then reaching for the other systems it is connected to, taking advantage of the interconnected assets within the organization. Decoy hosts and services placed among the real ones catch these probes, since nothing legitimate ever connects to them.
- Spear phishing: The attacker targets a specific person or group in the organization to trick them into providing sensitive information. Credentials harvested from a decoy identity and later reused trigger an alert that exposes the campaign.
Preventive Measures with Deception Technology
Early Post-breach Detection
While no breach is ever welcome, studying the entry point and subsequent behaviors of cyberattackers holds valuable information for IT security analysts. They can analyze attacker activity and glean key data that can be used to reinforce the network and better protect the enterprise from future attacks.
The more convincing the deception, including the server and its associated applications and data, the longer the attacker engages and the more data IT can collect.
Reduced False Positives and Risk
With multiple security point products and systems in place to monitor identity, authorization, and activity, the number and frequency of alerts that IT receives can quickly become overwhelming. Much of it can be noise, and even false positives, causing the IT team to react when they do not need to—and conversely, failing to react when they need to because of too many alert notifications.
Deception technology reduces the incidence of false positives: because nothing legitimate touches a decoy, the first alert and those that follow it let IT focus on the attacker's actual movements. Risk is also reduced because the attacker is interacting with fake applications and assets rather than real ones.
Scale and Automate at Will
Deception technology scales at relatively little cost and effort. Decoy servers can be cloned and reused, and fake data such as nonexistent account numbers and passwords is easy to generate. Automation tools already used for other parts of the security stack can provision and refresh decoys as well.
From Legacy To IoT
Further to its ability to scale and integrate with existing hardware and software, deception technology can be used with both legacy systems and newer Internet-of-Things (IoT) installations. Cyber criminals often prefer to breach legacy systems, thinking they are easier to infiltrate because the organization has not spent the time updating or reinforcing them.
Are Honeypots Still a Good Deception Technology?
A honeypot is the precursor to today's multi-faceted deception platforms. On its own, it is no longer an adequate strategy for distracting attackers and protecting an enterprise's real assets.
A classic honeypot is a single asset, for example a database of fake usernames, passwords, and other credentials. The idea is to have the intruder, after gaining unauthorized access to the network, follow a trail of breadcrumbs (such as planted credentials) from the point of entry to the honeypot. Once the attacker accesses the honeypot, IT is alerted and the honeypot is rendered inactive.
A honeypot is a single product. As the scale and complexity of attacks increase, one honeypot may not be enough to lure and hold an attacker; at best it prompts them to leave quickly. A deception strategy protects the enterprise's real assets while diverting attention to false ones, and all the while studies the attacker's strategies, tactics, and behaviors to strengthen the enterprise's defenses for next time.
A standalone honeypot may not offer enough incentive to today's sophisticated attacker, and it may not yield enough data to help the security team become stronger.
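A minimal breadcrumb-to-honeypot listener, as an added example that is not the page's or any vendor's code; it also illustrates how a decoy service catches the lateral-movement probes listed in the section above. It listens on a port that no real service uses, presents a fake banner, records who connected and what they sent, and turns every connection into an alert. The loopback address, the fake SSH banner, the alert format, and the helper names are assumptions made for illustration.

```python
"""Minimal TCP decoy listener (honeypot endpoint).

Added example, not the page's or any vendor's code. The banner, alert
format and loopback-only binding are assumptions for illustration.
"""
import socket
import threading
import time


class DecoyListener:
    """Accepts connections on a port nothing legitimate should know about."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"SSH-2.0-OpenSSH_8.2\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port=0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.banner = banner
        self.events = []                  # recorded interactions (the alert feed)
        self._lock = threading.Lock()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while True:
            try:
                conn, addr = self.sock.accept()
            except OSError:
                return                    # listening socket closed by stop()
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        conn.settimeout(2.0)
        event = {"ts": time.time(), "src": addr[0], "src_port": addr[1],
                 "decoy_port": self.port, "payload": b""}
        try:
            conn.sendall(self.banner)     # look like a real service
            event["payload"] = conn.recv(1024)   # capture the intruder's first bytes
        except OSError:
            pass                          # scanner dropped the connection; still an event
        finally:
            conn.close()
        with self._lock:
            self.events.append(event)

    def stop(self):
        self.sock.close()


def alert_from_event(ev):
    """Every connection is an alert: nothing legitimate knows this port exists."""
    return (f"DECOY_TOUCH src={ev['src']}:{ev['src_port']} port={ev['decoy_port']} "
            f"first_bytes={ev['payload'][:32]!r}")


def probe(port, data, host="127.0.0.1"):
    """Play the intruder: connect, read the banner, send one message."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        banner = c.recv(64)
        c.sendall(data)
    return banner


def wait_for_events(listener, count=1, timeout=3.0):
    """Block until the listener has recorded `count` events (or time out)."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with listener._lock:
            if len(listener.events) >= count:
                return list(listener.events)
        time.sleep(0.05)
    return list(listener.events)


if __name__ == "__main__":
    dl = DecoyListener().start()
    print("decoy listening on", dl.port)
    probe(dl.port, b"SSH-2.0-attacker_scanner\r\n")   # simulated lateral-movement probe
    for ev in wait_for_events(dl):
        print(alert_from_event(ev))
    dl.stop()
```

The listener deliberately does nothing but talk and record: it never authenticates anything, so there is nothing to compromise, and a connection that sends no data at all is still logged as an event, because the scan itself is the signal.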
Dynamic Deception and Its Importance
The benefits of deception technology include minimizing damage to a network and the ability to observe and study the real-world tools used by cyber criminals. However, deception technology needs to be sophisticated enough to be convincing—it must create an environment that is indistinguishable from an organization's true environment.
IT teams can use machine learning (ML) and artificial intelligence (AI) to adjust the decoy environment dynamically as the attack on it unfolds, so that the decoys show the same kind of change an attacker would expect to see in a real network from network automation, network access control, or user and entity behavior analytics (UEBA). Generating and refreshing these environments automatically frees the IT team from hand-building specialized, standalone deception campaigns.
Deception technology can also be layered with tools that help identify the attacker. For example, a set of fake credential files can carry embedded tracking elements that beacon back when a file is opened, alerting the organization or law enforcement. Sinkhole servers can likewise redirect traffic so that bots and malware report to a defender-controlled or law-enforcement-controlled server instead of to the attacker's command-and-control infrastructure.
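The sinkhole technique mentioned above, as an added example that is not the page's or any vendor's code: a resolver-side function that answers DNS queries for known command-and-control names with a defender-controlled address and records which internal host asked, so that the malware's beacon lands on the sinkhole instead of the attacker. It works on the raw DNS wire format so it needs no third-party library. The blocklisted names, the sinkhole address, and the helper names are assumptions made for illustration.

```python
"""DNS sinkhole responder (RFC 1035 wire format, A records only).

Added example, not the page's or any vendor's code. BLOCKLIST and
SINKHOLE_IP are assumed values for illustration.
"""
import struct

SINKHOLE_IP = "10.99.0.1"                               # assumed: defender's sinkhole host
BLOCKLIST = {"c2.example.net", "update.example.org"}     # assumed: known C2 domains
SEEN = []   # (source host, queried name): which internal machines are beaconing


def encode_qname(name):
    """'c2.example.net' -> b'\\x02c2\\x07example\\x03net\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(packet, offset):
    """Read an uncompressed name at `offset`; return (name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compressed name in question section")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name, qtype=1):
    """Standard recursive A query as a client would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def sinkhole_response(query, src, blocklist=BLOCKLIST, sinkhole_ip=SINKHOLE_IP):
    """Return a forged A answer for blocklisted names, or None to let the
    query pass through to the real resolver untouched."""
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    qname, off = decode_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    if qname.lower() not in blocklist or qtype != 1 or qclass != 1:
        return None
    SEEN.append((src, qname))                # the beaconing host is the real finding
    question = query[12:off + 4]
    # flags 0x8180: response, recursion desired and available, NOERROR
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = (b"\xC0\x0C"                                  # pointer to the name at offset 12
              + struct.pack("!HHIH", 1, 1, 60, 4)          # type A, class IN, TTL 60, RDLENGTH 4
              + bytes(int(o) for o in sinkhole_ip.split(".")))
    return header + question + answer


def answer_ip(response):
    """Extract the A record from a response built by sinkhole_response()."""
    _, off = decode_qname(response, 12)
    off += 4            # qtype, qclass
    off += 2 + 10       # name pointer, then type/class/ttl/rdlength
    return ".".join(str(b) for b in response[off:off + 4])


if __name__ == "__main__":
    q = build_query(0x1234, "c2.example.net")
    r = sinkhole_response(q, "10.0.4.17")
    print("answered with", answer_ip(r), "; beaconing hosts:", SEEN)
    print("benign query passed through:", sinkhole_response(build_query(1, "www.example.com"), "10.0.4.17"))
```

Queries for names that are not on the blocklist return None and are forwarded normally; only the listed names are answered with the sinkhole address, and the (source, name) pairs collected in SEEN are the list of hosts that need incident response.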
How Fortinet Can Help
FortiDeceptor is the Fortinet solution that enables organizations to create a fabricated deception network. FortiDeceptor provides automatic deployment of decoy assets, enticing attackers to engage long enough for IT to capture vital data before thwarting the attack. FortiDeceptor integrates with an enterprise's existing infrastructure, removing the need to purchase and provision special endpoints and servers to create the fabricated environment.