As technologies advance, and cyber threats with them, deception has become a big part of the 21st century cybersecurity battle. From bank transfer cons to CEO fraud to elaborate phishing and spear phishing campaigns, cyber criminals have been quick to use deception as a major means of infiltrating networks and systems, and for remaining undetected while inside.
But it can work the other way. Security vendors and startups use deception techniques to confuse and befuddle attackers. If an attacker is spending time and energy breaking into a decoy server, the defender is not only protecting valuable assets, but also learning about the attacker’s objectives, tools, tactics, and procedures.
That is the basic premise behind deception tools and technologies. Masking high-value assets in a sea of fake attack surfaces disorients attackers so that they engage a fake asset, alerting security teams to their presence in the process. Deception tools can thus be an important defense against advanced persistent threats (APTs).
What is Deception Technology?
According to Gartner analyst Lawrence Pingree, attackers must “trust” the environment they insert their malware into and the web applications and services they attack over the internet.
They sneak around the fringes of the enterprise, seeking a way inside, which they might accomplish by tricking a user into clicking on a malicious link, opening an infected attachment or providing credentials and passwords, or perhaps by hacking an unpatched or zero-day vulnerability. Once inside, they can freely steal confidential information or pull off a financial heist.
“Deception exploits their trust and tempts the attacker toward alarms,” said Pingree. “Deception also can be used to move an attacker away from sensitive assets and focus their efforts on fake assets—burning their time and the attacker’s investment.”
How Does Deception Technology Work?
Deception tools are designed to trick attackers into thinking they have succeeded while also covertly luring them toward alerting security systems.
“Distributed deception platforms (DDP) are solutions that create faked systems (often real operating systems, but used as sacrificial machines), lures (such as fake drive maps and browser histories), and honeytokens (fake credentials) on real end-user systems to entice and mislead the attacker to faked assets in order to enhance detection and to delay their actions as they attack those decoy assets,” said Pingree.
Core functions of such systems include:
- Centralized management of real-user endpoint lures and decoy endpoint hosts, such as servers and workstation hosts
- The ability to manage deceptive services, web applications and other network integration capabilities of decoys
- The ability to administer endpoint lures and honeytokens to entice the attacker
- The ability to administer and distribute deceptive data, like Word documents and database tables/entries and files, in decoy host deceptions
“Modern deception technology goes beyond network decoys and endpoint lures by adding concealment, misinformation, and misdirection to the mix,” said Carolyn Crandall, chief security advocate and CMO at Attivo Networks. “Concealment hides and denies access to production data, credentials, credential stores, and Active Directory (AD) objects to prevent attackers from targeting them, thus preventing exploitation and compromise.
“Misinformation inserts fake results into queries targeting Active Directory, preventing AD enumeration. Misdirection actively interrupts reconnaissance activities by redirecting the traffic to a decoy and away from production systems.”
Obtaining the desired results depends on being able to deploy credible deceptive elements on the endpoint, network or application layers at sufficient scale to catch all potential intrusions. As such, various tactics are in play: lures are placed on endpoints to attract the attention of would-be attackers; other decoys are located on the network layer; and a few operate within applications or within stored data to misdirect cyber criminals.
Best Deception Solutions
After reviewing a number of deception solutions, here are eSecurity Planet’s picks for the top deception technology vendors.
Attivo Networks, acquired by SentinelOne, offers deception and concealment technology within its Endpoint Detection Net (EDN) suite. It includes credential and AD protection solutions, data concealment, and attack deflection functions designed to detect and derail lateral movement and privilege escalation activities.
- Its AD protection function uses concealment and misinformation to protect against identity-based attacks targeting Active Directory. It identifies unauthorized queries attempting to mine AD for data, hides sensitive or privileged AD query results (such as AD domain admins, domain controllers, SPNs, and others), and inserts fake results that point to decoy systems.
- Deception for identity protection includes credential protection capabilities that add concealment to protect credential stores on the endpoints, binding them to the applications that own them and denying access to any other process.
- The EDN concealment function hides and denies access to local files, folders, mapped network or cloud shares, local privileged accounts, and removable storage, preventing attackers from seeing and targeting them.
- The EDN deflection function redirects both inbound and outbound attempts to conduct port and service discovery activities by deflecting the connections to decoy systems for engagement. This misdirection prevents accurate fingerprinting and system identification, generates an early alert on the reconnaissance activity, and diverts the attempted connection away from production assets.
Illusive Networks’ deception solution, Illusive Shadow, creates a hostile environment for attackers with agentless deceptions that fool attackers into revealing their presence and stop lateral movement. It can be deployed on-premises or in cloud or hybrid cloud environments. Deceptions mimic cloud assets and protect cloud-based systems.
- Illusive plants deceptions that mimic the real data, credentials, and connections the attacker needs. Confronted with a distorted view of reality, the attacker is overcome by the odds; it is impossible to choose a real path forward without activating a deception. Unknown to the attacker, one wrong choice triggers an alert.
- Incident responders can see how far the attacker is from business assets from a centralized management console. With real-time source forensics in hand, they can take informed actions to stop the attack and avert negative business impact.
- Illusive Shadow leverages 75+ deceptions and Microsoft Office Beacon Files.
- Unlike software agents, which can be disabled by attackers and can be difficult to deploy, Illusive is deployed with a dissolvable binary that leaves no trace.
- Illusive was founded by members of IDF’s Signal Intelligence Unit 8200, who developed Illusive Shadow from the view of an attacker.
- Illusive has been attacked by more than 140 red teams and has never lost a penetration test.
- Integrates with Illusive Spotlight, which automatically and continuously discovers and mitigates identity risks to provide a full lifecycle identity risk management platform.
Acalvio’s Deception Farm architecture and ShadowPlex application centralizes the deception process. Decoys such as fake hosts or honeypots are hosted in a single area on-premises or in the cloud and are projected across the enterprise network, appearing as realistic local assets.
- Fluid Deception is a method of resource efficiency that allows ShadowPlex to deliver scale and depth of decoy realism.
- It automates and simplifies the configuration and deployment of deception objects.
- Combining pre-defined playbooks with an AI-based recommendation engine, the system self-generates and places the appropriate deception objects within the environment.
- All decoys are in one place, not managed in multiple servers all over the network.
- Deception objects are automatically customized for each part of the network.
- Decoys, breadcrumbs, and baits are autonomously updated to keep them fresh and relevant as network characteristics change.
- Decoys mimic hosts running operating systems as well as IoT (Internet of Things) hosts.
- Acalvio includes endpoint lures, breadcrumbs, and baits, which are fake artifacts like registry entries, credentials, shared drives, and many more that either act as tripwires in their own right or lead the attacker toward the decoys.
- The solution supports field-expandable object types and variations and automates the generation and deployment of these assets, so they blend in with their surroundings.
CyberTrap Enterprise is aimed at large companies and government agencies that are regularly exposed to targeted hacker attacks. When integrated with a SIEM, it does not deliver IOCs (indicators of compromise), which are always based on known incidents, but proof of compromise.
- CyberTrap offers real-time, customized threat intelligence information in the MITRE ATT&CK context.
- The solution helps the SOC (security operations center) team focus on critical alerts and analyze critical events.
- The Express version is an immediately available deception-as-a-service model via the cloud that is aimed at managed service providers who maintain many customers and want to offer deception technology as an additional service.
- A Pro version is aimed at small and medium-sized companies that do not have the capacity to run a complete deception solution but still need quick intrusion detection.
- The solution silently monitors and immediately reports if any abnormal activity is detected.
- Cloud, on-premises and hybrid options are available.
- Even if specific devices on the network are compromised, the rest of the infrastructure is protected.
Developed through the acquisition of Topspin Security, a pioneer in the deception space, Fidelis Deception helps reduce cyber dwell time by altering the perception of the attack surface. This hinders an adversary’s ability to move laterally undetected. Taking this proactive cyber defense approach makes it harder for adversaries to accomplish their mission and increases the attacker’s risk, giving more time to understand threats, thwart attacks, and prevent future intrusions.
- Fidelis Deception provides full situational awareness, with adaptive terrain analysis, intelligent deception technology, and comprehensive IT visibility to change the rules of engagement by reshaping the attack surface.
- Interactive decoys and breadcrumbs on real assets and in Active Directory (AD) lure cyberattackers, malicious insiders, and malware to the deception layer and catch them before they damage enterprise operations or exfiltrate data.
- The solution can detect lateral movement.
- Fidelis Deception can uncover attackers compromising Active Directory and discover attackers sniffing traffic (man-in-the-middle).
- The solution can expose use of stolen credentials.
- It can find signs of ransomware, even in encrypted files.
TrapX DeceptionGrid activates Active Defense and enables security teams to plan, deploy, test, and refine deception deployments against attack scenarios outlined in MITRE ATT&CK. Emulation technology delivers both comprehensive protection and visibility at scale. Hundreds of authentic traps, which can be deployed in just minutes, hide real assets and decrease risk.
- New lures and traps enable endpoint fitness audit capabilities that assess the state of remote worker endpoints.
- Patch levels, protection, and connections are visualized through a dashboard and heatmap.
- High-fidelity alerts supply MITRE ATT&CK context to facilitate TrapX Active Defense planning and incident response.
- TrapX Active Defense Scorecard (ADS) provides real-time intelligence and visualization of defense coverage to fine-tune tactics for continuous, adaptable protection.
- DeceptionGrid hides real assets in a crowd of imposters that interact with attackers and misinform them, allowing for rapid response and containment.
- With coverage of nearly 100 MITRE Techniques, it can test trap efficacy against these techniques in real time.
- The solution offers support for IT, OT, IoT, SCADA, ICS, and SWIFT.
Zscaler Deception has a zero-trust architecture that assumes every access or user request is hostile until both the user’s identity and the context of the request are authenticated and authorized, granting access only to the minimum required resources. Deception decoys act as tripwires in a zero-trust environment, detecting compromised users or lateral movement across the network.
- Any lateral movement is tracked in a secure, isolated environment, alerting to which type of asset the attacker is interested in, slowing them down, and allowing security teams to monitor their tactics, techniques, and procedures (TTPs).
- Full attack sequences are tracked and automated response actions are initiated across the Zscaler platform.
- Zscaler uses MITRE Engage, a trusted industry framework for discussing and planning adversary engagement, deception, and denial activities based on adversary behavior observed in the real world.
- The Zscaler Zero Trust Exchange is a modern approach that enables fast, secure connections and allows employees to work from anywhere, using the internet as the corporate network.
- The Zero Trust Exchange runs across 150 data centers worldwide.
Cynet deception technology plants various types of decoys across the environment to tempt attackers out of hiding so that they reveal their presence and prior activity. It promises zero false positives—only live malicious presences can trigger a deception alert.
- Supports various types of decoys to detect threats in various stages of the attack’s lifecycle including data files, credentials, and network connections.
- In each type, the consumption action triggers the alert—login attempt with a decoy password, connection attempt with RDP or URL, and opening a data file.
- Cynet provides both off-the-shelf decoy files as well as the ability to craft your own, while taking into account your environment’s security needs.
- Text files containing false passwords are crafted and planted along attackers’ potential routes. Any attempt to log in with these passwords triggers an alert.
- Decoy connections enable the reliable detection of attackers during the hard-to-detect lateral movement stage.
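The honeytoken mechanism described above (fake credentials planted on endpoints, where any consumption attempt fires an alert) can be shown in a few lines of defender-side detection logic. This is an added example, not code from Cynet, Attivo or any other vendor on this page; the token names, host names, lure paths and the syslog-like log format are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Registry of planted honeytokens: decoy credentials that no legitimate user
# or process should ever use, so any use is high-fidelity. Constructed values.
HONEYTOKENS = {
    "svc_backup_old": {"planted_on": "ws-finance-07", "lure": "C:\\Users\\Public\\passwords.txt"},
    "sql_admin_dev":  {"planted_on": "srv-app-02",    "lure": "D:\\scripts\\db_connect.ps1"},
}

# Constructed authentication log lines in a simple key=value format.
SAMPLE_LOGS = """\
2024-05-01T09:12:01Z auth host=dc-01 user=alice src=10.0.4.21 result=success
2024-05-01T09:12:08Z auth host=dc-01 user=svc_backup_old src=10.0.4.77 result=failure
2024-05-01T09:13:30Z auth host=srv-db-01 user=sql_admin_dev src=10.0.4.77 result=failure
2024-05-01T09:14:02Z auth host=dc-01 user=bob src=10.0.4.30 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    timestamp: str
    token: str
    target_host: str   # where the decoy credential was tried
    source_ip: str     # where the attempt came from
    planted_on: str    # endpoint where the lure was originally placed
    lure: str          # the decoy file the attacker must have read

def detect_honeytoken_use(log_text: str, tokens: dict = HONEYTOKENS) -> list:
    """Return one Alert per log line that authenticates with a planted decoy credential.
    Success or failure is irrelevant: the attempt itself is the consumption event."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] not in tokens:
            continue
        info = tokens[m["user"]]
        alerts.append(Alert(m["ts"], m["user"], m["host"], m["src"], info["planted_on"], info["lure"]))
    return alerts

def likely_compromised_hosts(alerts: list) -> set:
    """Endpoints whose lures were consumed: the attacker had access there before the attempt."""
    return {a.planted_on for a in alerts}

if __name__ == "__main__":
    for a in detect_honeytoken_use(SAMPLE_LOGS):
        print(f"{a.timestamp} decoy '{a.token}' used from {a.source_ip} against {a.target_host}; "
              f"lure {a.lure} on {a.planted_on} was read")
```

Because the decoy accounts exist only in the token registry, the detection needs no baseline or tuning; the source IP and the planting location together give the responder a starting point for forensics.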