What is Deception Technology?

Deception technology is a strategy to attract cyber criminals away from an enterprise's true assets and divert them to a decoy or trap. The decoy mimics legitimate servers, applications, and data so that the criminal is tricked into believing that they have infiltrated and gained access to the enterprise's most important assets when in reality they have not. The strategy is employed to minimize damage and protect an organization's true assets.

Deception technology is usually not a primary cybersecurity strategy that organizations adopt. The goal of any security posture is protection against all unauthorized access, and deception technology can be a useful technique to have in place once a suspected breach has occurred. Diverting the cyber criminal to fake data and credentials can be key to protecting the enterprise's real assets.

Another benefit of deception technology is research. By analyzing how cyber criminals break the security perimeter and attempt to steal what they believe to be legitimate data, IT security analysts can study their behavior in depth. In fact, some organizations deploy a centralized deception server that records the movements of malicious actors—first as they gain unauthorized access and then as they interact with the decoy. The server logs and monitors any and all vectors used throughout the attack, providing valuable data that can help the IT team strengthen security and prevent similar attacks from happening in the future.

The downside or risk of deception technology is that cyber criminals have escalated the size, scope, and sophistication of their attacks, and a breach may be greater than what the deception server and its associated shadow or mock assets can handle. Further, cyber criminals may be able to quickly determine that they themselves are being tricked as the deception server and decoy assets become immediately obvious to them. As such, they can quickly abort the attack—and likely return even stronger. 

To function properly, deception technology must not be obvious to an enterprise's employees, contractors, or customers.

Threat deception technology works by tricking an attacker into going after false resources within your system. It mimics the kinds of digital assets you would normally have in your infrastructure. However, these are merely traps or decoys, and when a hacker goes after them, they do not damage business-critical systems.

The aim of threat deception technology is to fool an attacker into thinking they have actually penetrated the system. For example, you can make them think they are executing a successful privilege escalation attack. As they engage in activity they think will give them the same rights as a network admin, they are really just tooling around, not getting any extra rights, and having no significant impact on your infrastructure.

Another key element of threat deception technology is a notification system configured to record attacker activity. Once the server receives a notification, it starts recording what the hacker is doing in the specific area they are attacking. In this way, cyber deception technology is able to provide valuable intelligence regarding the attack methodologies of hackers.

Another benefit of deception technology techniques is they enable an IT team to ascertain which assets are the most attractive to attackers. For example, while it is safe to presume that a database of user information—such as payment data, names, addresses, and social security numbers—is an attractive target, with security deception technology, you can verify that these are indeed assets hackers are after.

Further, you can determine the exact kinds of data a hacker is after by mimicking environments that contain one or more types of information. For example, you can create fake databases containing social security numbers, names and addresses, and the account login credentials of specific company principals. Then you can observe which assets attackers choose to target. This gives you more insight into what they are looking for.

Deception technology delivers several key benefits and is still considered an important component of a robust cybersecurity strategy.

The decoy assets must be attractive enough for a cyberattacker to think that they are stealing legitimate assets. However, at some point, the infiltration will stop when IT thwarts the attack from spreading—and attackers figure out that they will be discovered sooner rather than later.

Alternatively, the attacker may quickly realize that the attack is on decoy assets and that the entirety of an organization's assets cannot be stolen. The attacker may quickly leave as a result, realizing the attempt to be a failed one. As such, deception technology decreases the attacker's dwell time on the network.

Because of the resources involved in deception technology, IT teams typically consider a cyberattack on decoy assets a "special" mission, concentrating their efforts on studying its behaviors and movements. Because of this focus, when unauthorized access is discovered or unusual behaviors are observed on the decoy assets, IT will move quickly. Therefore, deception technology expedites the average time to discover and address threats.

Too many security alerts can easily overwhelm an IT team. With deception technology in place, the team is notified when cyberattackers breach the perimeter and are about to interact with decoy assets. Additional alerts will help them understand malicious behavior and then track the activities of the attacker.

A honeypot is the precursor to today's multi-faceted and more advanced cyber deception. Unfortunately, it no longer represents a good strategy for distracting attackers and protecting an enterprise's true assets.

A classic honeypot is a single asset, such as a large database of fake usernames, passwords, and other credentials. The idea behind honeypots is to have the intruder, after gaining unauthorized access to the network, follow a trail of breadcrumbs from the point of entry to the honeypot. Once the attacker accesses the honeypot, IT is alerted and the honeypot is rendered inactive.

A honeypot is just one security product. As the scale and complexity of cyberattacks increase, a single honeypot may not be enough to lure and engage a cyberattacker. On the other hand, it may be adequate to prompt an attacker to quickly leave. A deception technology strategy protects an enterprise's true assets while diverting attention to false ones, all the while studying the attacker's strategies, tactics, and behaviors to strengthen the enterprise's defenses for next time. 

A standalone honeypot may not provide enough of an incentive for today's sophisticated cyberattacker. It may also not provide enough data to help IT security become stronger.

The benefits of deception technology include minimizing damage to a network and the ability to observe and study the real-world tools used by cyber criminals. However, deception technology needs to be sophisticated enough to be convincing—it must create an environment that is indistinguishable from an organization's true environment.

IT teams can lean on machine learning (ML) and artificial intelligence (AI) to adjust the environment dynamically as the assault on the decoy assets occurs. These changes can be similar to the changes IT sees—and what the cyberattacker is also likely to see—in network automation, network access control, or user and entity behavior analytics (UEBA) programs. ML and AI can create these dynamic deception environments that free the IT team from constantly creating specialized, standalone deception campaigns.

Additionally, cybersecurity deception technology can be layered with additional tools that help IT security teams identify cyber criminals. For example, a database of fake credentials can have tracking information embedded in the files. Opening a file can trigger an alert to the organization or to law enforcement officials. Also, sink-hole servers can be used for traffic redirection, tricking bots and malware into reporting to law enforcement rather than to their owner, the cyberattacker.

FortiDeceptor is the Fortinet solution that enables organizations to create a fabricated deception network. FortiDeceptor provides automatic deployment of decoy assets, enticing attackers to engage long enough for IT to capture vital data before thwarting the attack. FortiDeceptor integrates with an enterprise's existing infrastructure, removing the need to purchase and provision special endpoints and servers to create the fabricated environment.

Deception technology is a strategy to attract cyber criminals away from an enterprise's true assets and divert them to a decoy or trap. 

Threat deception technology works by tricking an attacker into going after false resources within your system. It mimics the kinds of digital assets you would normally have in your infrastructure.

Deception technology delivers several key benefits and is still considered an important component of a robust cybersecurity strategy.