The Role of Deception-Based Breach Software in Modern Cybersecurity

Cyber attacks are becoming more frequent and sophisticated. The best way to protect against them is to deceive attackers, making it difficult for them to achieve their objectives.
Modern deception technology uses fake systems (fake operating systems, devices, and other IT assets) and lures to entice attackers once they breach the network. It can then provide contextual alerts to prevent exploitation and exfiltration.
Real-time Threat Detection
Cyberattacks can wreak havoc on a business, resulting in lost revenue and negatively impacting the company’s reputation. The faster the attack is stopped, the less damage a business experiences.
Historically, cybersecurity tools relied on keeping logs of known threats and activities and using these as triggers to detect risk. For example, a tool might keep a log of invalid logins and identify suspicious behavior as “malware activity.” These tools are adequate but limited in what they can see and do.
A more advanced type of security software combines threat intelligence with a regular, up-to-date security feed to automatically tag events and flag known-malicious IP addresses and attacker infrastructure. It enables real-time threat detection and reduces the amount of manual work that an IT team or cybersecurity firm must do to identify risks.
For example, deception-based breach software uses lightweight sensors installed on endpoint devices to detect insider threats. The sensors monitor all device behavior, including network traffic, for malicious activity. When a security event occurs, the sensor reports the incident to the central system for analysis. The central system can then identify the type of incident and determine an appropriate response. The result is a much faster response to an insider threat than traditional methods allow, since those rely on after-the-fact investigation and analysis.
Low False Positives
While CISOs dream of zero false positives, even the best security team can only detect and respond to a fraction of all threats. False positives cripple security team productivity, dragging them through time-consuming triage workflows. Deception technology delivers on the promise of fewer false positives, providing relevant and actionable real-time threat intelligence for defenders.
Deception creates realistic-but-fake assets (domains, applications, servers, databases, files, credentials, cookies, sessions, and more) and deploys them in the real network alongside legitimate assets. Attackers interacting with these fake assets trigger silent alarms that collect valuable information about the attacker’s tactics, techniques, and procedures.
The alerts from deception are far more contextual than those from point solutions and can be fed machine-to-machine into SIEM and threat intelligence platforms in formats that the teams are already used to working with. This threat information can then be acted upon in real time to thwart attacks or to better understand the adversary.
At one end of the spectrum, you have signature-based detection systems that are highly accurate but narrow (like the propeller signature of a submarine). At the other end of the spectrum, you have behaviors and heuristics that offer broad threat coverage but are more prone to false positives (such as a radar contact that may be a submarine or a shoal of fish). Deception lies in between, producing specific alerts from the dynamic deployment of deception assets in the real network.
Contextual Insight
Understanding the attacker’s mindset, tactics, and procedures is vital to effective cyber defense. This intelligence is critical to detecting lateral movement, insider threats, and other advanced attacks often missed by point solutions. Deception technologies deploy fake network environments, honeypots, and breadcrumbs like bogus credentials to lure attackers into the fake environment and provide valuable insight into their attack methods. This contextual intelligence enables CISOs to detect and respond to threats in real time before a breach, data exfiltration, or manipulation of business processes occurs.
When deployed across an enterprise, deception assets can be combined with other security tools and infrastructure to enable extended detection and response (XDR). Combined with machine-to-machine integration in the security operations center, this allows contextually relevant threat intelligence to be shared and acted upon – eliminating alert fatigue, the “alert swamp,” and the need for complicated triage workflows.
The time between an intrusion being detected and the appropriate countermeasures being taken is known as the response gap. It is a critical issue for most enterprises and can result in severe damage, lost productivity, and reputational risk. Deception technology can drastically reduce this response gap by alerting teams immediately when a bad actor attempts lateral movement. This is achieved by deploying deception assets across the enterprise, from remote internet-based cloud services to executive mobile devices, servers, and WiFi access points.
Adaptability
The cybersecurity landscape is constantly changing. Attackers are always finding new ways to breach networks and steal critical information. Security systems must be continuously updated and upgraded to keep up. That is why deception is so valuable: it enables security teams to detect threats, especially those that slip past other platforms, by creating realistic fake environments and diverting adversaries into them.
These decoys mimic the real systems and networks that attackers target. They ensnare threat actors trying to map their path, escalate privileges, move laterally, or harvest data. Because they are software-based, deception assets can be deployed flexibly across the network. This lets them catch adversaries even when those adversaries are hidden behind a firewall, on an IoT device, or in the cloud.
As attackers engage with the fake environment, they reveal their tactics, techniques, and procedures (TTPs) to the security team, which can then be used to build a highly tailored threat intel capability that is refreshed and delivered to security teams in real time. This is valuable because it helps reduce the response gap, the time between a breach being detected and countermeasures being implemented.
It also enables the deception system to qualify medium or 'warm' alerts from other platforms, such as UEBA and NGFW, by lending them more credence when deception data corroborates them. This lets security teams focus on the alerts that need a quick response without wading through the alert fatigue that so often results from false positives.
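As an added illustration of two points made above (decoy-credential alerts that serve as flat, SIEM-ready records, and using decoy hits to lend credence to 'warm' alerts from other platforms), the Python below is example code written for this page, not any vendor's product; the decoy credential names, the authentication log lines and the UEBA-style warm alerts are all constructed.

```python
# Constructed decoy credentials planted in the real network; nothing legitimate ever uses
# them, so any sign-in with one is a high-confidence, low-false-positive signal.
DECOY_CREDENTIALS = {
    "svc-backup-old": "saved password in a browser profile",
    "db_admin_legacy": "connection string in a config file on a share",
}

# Constructed authentication log, one event per line: ts|src_host|user|dest_host|outcome
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:01Z|wks-117|alice|mail01|success
2024-05-01T10:02:14Z|wks-117|svc-backup-old|fs-archive01|failure
2024-05-01T10:02:20Z|wks-117|svc-backup-old|fs-archive01|success
2024-05-01T10:05:00Z|wks-204|bob|crm01|success
"""

# Constructed 'warm' alerts from another platform (UEBA-style), scored 0-100.
WARM_ALERTS = [
    {"id": "ueba-4411", "src_host": "wks-117", "reason": "unusual SMB fan-out", "score": 45},
    {"id": "ueba-4412", "src_host": "wks-204", "reason": "off-hours login", "score": 40},
]

FIELDS = ("ts", "src_host", "user", "dest_host", "outcome")

def parse_auth_log(text):
    """Turn the pipe-delimited log into a list of event dicts, skipping blank lines."""
    return [dict(zip(FIELDS, line.split("|"))) for line in text.splitlines() if line.strip()]

def deception_alerts(events):
    """One contextual alert per decoy-credential use; flat dicts serialise to JSON for a SIEM."""
    alerts = []
    for e in events:
        if e["user"] in DECOY_CREDENTIALS:
            alerts.append({"alert_type": "decoy_credential_use", "severity": "high",
                           "ts": e["ts"], "src_host": e["src_host"], "decoy_user": e["user"],
                           "dest_host": e["dest_host"], "outcome": e["outcome"],
                           "lure_location": DECOY_CREDENTIALS[e["user"]]})
    return alerts

def qualify_warm_alerts(warm_alerts, alerts, boost=40):
    """Give warm alerts more credence when the same source host also touched a decoy."""
    decoy_hosts = {a["src_host"] for a in alerts}
    qualified = []
    for w in warm_alerts:
        if w["src_host"] in decoy_hosts:
            w = {**w, "score": min(100, w["score"] + boost), "corroborated_by": "deception"}
        qualified.append(w)
    return qualified
```

Both the failed and the successful sign-in with the decoy account raise an alert, since even a failed attempt proves someone picked up the lure; the warm alert from wks-117 is boosted while the one from wks-204 is left at its original score.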