Cyberattacks are scary and expensive, expected to cost the global business world $10.5 trillion by 2025. The good news is that deception technology can keep these attacks at bay, or at least diminish the element of surprise.
How Does Deception Technology Work?
Organizations use deception technology, a category of information security technology, to detect intruders and prevent different types of attacks in their initial stages. Deception solutions enable the creation of traps in a company’s infrastructure that quickly neutralize attacks and help security personnel understand attackers’ goals and methods.
It All Started With Honeypots
The predecessors of deception technology are called honeypots. These decoy targets distract an attacker from a critical network object. When a honeypot is attacked, it registers the hacker’s actions and tools used for further analysis. Distracting attackers and pushing them to waste time researching a false object or service is an additional function of honeypots. Honeypots can imitate an employee’s workplace, a server, a separate service, et cetera.
Today, honeypots go beyond one step or location. They identify a hacker by three or four scattered actions, even if those actions are performed on different machines.
Honeypots have three drawbacks. First, each false server must be configured individually. Second, honeypots do not interact with each other or with real elements of the infrastructure, which makes them look less realistic to attackers. Finally, honeypots are usually not integrated into one common system, making it challenging to configure and manage them.
Differences Between Honeypots and Deception
Again, a honeypot is a standalone entity that captures the actions of an attacker. As companies’ computer systems are constantly changing and growing, honeypots also need to be updated regularly to remain attractive to hackers. To effectively solve this task, scattered honeypots have been replaced by deception technology. It represents a centralized system that consists of connected honeypots and lures.
To deceive hackers, deception technology uses various lures such as fake user accounts, fake user data, fake backups, emulated services and network behavior. The new technology automatically changes the computer environment rather than leaving it static.
To describe the difference between honeypots and a deception platform, let’s use fishing nets. You’re in one rowboat and place small nets in a lake. Then you wait for the fish to come to you. The more nets you place, the more fish you are likely to catch.
The nets represent honeypots. It is necessary to set them in massive quantities in order to catch as many fish (intruders) as possible. It is also essential to constantly monitor and control them, swimming from one net to another.
Now imagine you’re in a large and more technologically advanced ship. You can now control several large nets from your ship at once. The efficiency of such fishing is much higher.
How Deception Solutions Work
When deploying deception solutions, the organization’s IT infrastructure is divided into two parts. The first is an existing company network; the second is a simulated environment consisting of traps located on real, physical devices.
Lures and traps are placed in the working infrastructure. Again, these can be false entries about setting up backups or connecting to network drives, fake user credentials and other objects. Attackers must be as convinced as possible that they are interacting with real infrastructure.
Because real users and services have no reason to interact with traps, any interaction with a trap signals the activity of hackers. If an attacker gets into the real infrastructure of an organization and hacks a workstation or server, they will inevitably stumble upon lures and traps.
Traps will report an attempt to attack the company, and the operator will receive the details of what is happening including the IP address, port of the source and target, the protocol, the response time and other key information. Thus, the attacker can be detected and stopped quickly.
By monitoring the actions of hackers and preventing unacceptable activities with the help of a deceptive environment, the security team can save an organization plenty of resources and help avoid various risks.
Deception technology helps analyze the thinking and behavior of the attacker. It allows detection of an attack at an early stage and prevents future attacks even if they include things like zero-days. Thus, information security specialists get a significant advantage over hackers and have time to think and act in the event of an attack.
In the future, the organization’s security team will be able to analyze in detail the actions of hackers and learn about their tactics and tools. This information lets companies understand possible attack vectors and implement appropriate data protection mechanisms.
Lures are objects hosted on actual workstations. So as not to arouse the hacker’s suspicion, the lure looks like something ordinary and familiar. It can be an “accidentally” forgotten file with a password, a saved session, a browser bookmark, a registry entry or another object along those lines. The object contains a link and data for accessing a false network resource.
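The detection rule this section describes can be shown in a few lines. The following is an added example, not code from the original article or from any deception product: it flags every event that touches a trap host or uses a lure account, reports the fields an operator receives, and groups alerts by source machine. The host addresses, account names and event layout are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed decoy inventory: hypothetical names and RFC 5737 addresses.
TRAP_HOSTS = {"192.0.2.50", "192.0.2.51"}
LURE_ACCOUNTS = {"svc_backup_old", "adm_jsmith"}

# Constructed sensor events:
# (time, src_ip, src_port, dst_ip, dst_port, protocol, account)
SAMPLE_EVENTS = [
    ("10:00:01", "10.0.4.17", 51122, "10.0.1.10", 443, "tcp", "alice"),
    ("10:02:13", "10.0.4.23", 49810, "192.0.2.50", 445, "tcp", None),
    ("10:02:40", "10.0.4.23", 49822, "10.0.1.20", 3389, "tcp", "adm_jsmith"),
    ("10:03:05", "10.0.4.23", 49840, "192.0.2.51", 22, "tcp", "svc_backup_old"),
    ("10:04:00", "10.0.4.17", 51200, "10.0.1.20", 3389, "tcp", "alice"),
]

def trap_alerts(events):
    """Return one alert per event that touches a trap host or lure account."""
    alerts = []
    for ts, src_ip, src_port, dst_ip, dst_port, proto, account in events:
        reasons = []
        if dst_ip in TRAP_HOSTS:
            reasons.append("trap_host")
        if account in LURE_ACCOUNTS:
            reasons.append("lure_account")
        if reasons:  # no legitimate user or service has a reason to be here
            alerts.append({"time": ts, "src_ip": src_ip, "src_port": src_port,
                           "dst_ip": dst_ip, "dst_port": dst_port,
                           "protocol": proto, "account": account,
                           "reasons": reasons})
    return alerts

def by_source(alerts):
    """Group alerts by source address: which machine to investigate first."""
    summary = defaultdict(lambda: {"touches": 0, "targets": set()})
    for a in alerts:
        entry = summary[a["src_ip"]]
        entry["touches"] += 1
        entry["targets"].add(a["dst_ip"])
    return {ip: {"touches": e["touches"], "targets": sorted(e["targets"])}
            for ip, e in summary.items()}

if __name__ == "__main__":
    alerts = trap_alerts(SAMPLE_EVENTS)
    for alert in alerts:
        print(json.dumps(alert))
    print(json.dumps(by_source(alerts), indent=2))
```

Note that the second alert fires on a real server: a lure credential is a tripwire wherever it is used, not only on trap hosts.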
Integration with Security Tools
Last but not least is integration with other security systems. Deception systems have a low number of false positives, and integration with various information security tools is relevant. Here’s how integration works with several common systems.
- SIEM: Prompt notification of hacked machines, automatic search for infected systems using configured policies
- Firewalls (NGFW/UTM): Ability to block or quarantine infected nodes
- EDR: Blocking and quarantining infected stations, ability to configure automatic incident response using isolation strategies
- Sandboxes: Sending suspicious executables and other types of files for analysis
Final Thoughts on Deception Solutions
In the first half of 2022, security researchers recorded 2.8 billion malware attacks, an 11 percent increase year-to-date over 2021. In 93 percent of cases, an external attacker is able to breach an organization’s network. Hackers launch targeted phishing attacks, conduct thorough reconnaissance, and adapt their toolkits to the specifics of the victim’s infrastructure. To successfully detect such threats, traps must be accurately configured and provoke cyber crooks to attack them.
Deception appeared only a few years ago. Since then, it has steadily gained popularity among organizations of diverse types and sizes. The deception technology market is projected to hit $3.88 billion by 2028.
The deception platform’s effectiveness depends on proper customization. It is vital that attackers cannot distinguish traps from real targets.