Deception Technology

Deception Technology: An Advanced Cyber-Defence Strategy

What is Deception Technology?

Deception Technology is an advanced form of cyber defence, where cyber deceptions that mimic real network assets are overlayed across the enterprise network and are used to lure and detect attackers. Since legitimate users have no reason to interact with a deception, any interaction with a deception generates a high-fidelity alert.

Advantages of Deception Technology

Enhanced Threat Detection

Since deception technology does not depend on attack signatures or other static indicators, it can detect a range of threats. For threats such as Ransomware that is the most prevalent attack today and evolves rapidly, cyber deception provides an extremely timely response to detect, arrest and deny access, with minimal or no manual intervention.

Significant Reduction in False Positives

Deception technology employs deceptive assets which are not real network assets or resources. If someone engages with a deceptive asset, it can’t be for legitimate business purposes and is therefore likely an intruder. Using deception techniques gives high-fidelity detections and defense teams are not spending time working through false positives.

Coordinated Defense Response

Advanced cyber deception technology solutions like ShadowPlex integrate with a wide range of solutions such as SOAR, SIEM, EDR, AD, and Network Management Solutions, among others. They leverage integrations with these defense systems for network discovery, gathering forensic data from endpoints, breadcrumb and bait deployment on network endpoints and assets, as well as for automated response.

Threat Intelligence

Solutions that employ deception techniques to detect attacks also gather intelligence about attack TTPs (Tactics, Techniques, and Procedures) based on actual observed behavior, which can be used for forensics or threat hunting.

Easy Scalability

With deception technology, the number of decoys and their distribution across the enterprise can be easily scaled. Fluid Deception and the sharing of compute resources allows organizations to minimize the amount of compute, storage, and software licenses required.

What are the types of cyber deceptions used?

Cyber deceptions could be in the form of decoys that are added to the network. Decoys could mimic endpoints or servers running different operating systems, routers or switches, databases, web servers, OT assets such as PLCs, and a whole range of other network assets.

Other forms of deception techniques include Breadcrumbs that are deployed on existing enterprise assets, Baits that act as tripwires on endpoints and Lures that are deliberately mis-configured or vulnerable services or applications that can be effectively used in uncovering latent threats.

A special class of deceptions that has proved very effective at detecting identity threats are Honey Accounts and Honeytokens.

How is Deception Technology different from other cybersecurity measures?

Deception Technology is a new layer in the cyber defense strategy. Traditional security layers are passive and only look for attacker behaviour, activity, IoCs (Indicators of Compromise), or side effects. Deception technology actively changes the landscape to detect or respond to threats.

How does Deception Technology bring the advantage back to the defenders?

In cybersecurity, over the years, the relationship between the role of the attacker and the role of the defender has become highly asymmetric. Defenders must defend against all possible entry points that can be breached. They must learn to deal with living off-the-land tools and techniques. And the ever-growing list of easily available penetration testing tools. While the attacker has to exploit just one vulnerability or steal one VPN credential to get through these layers of security. This asymmetry highly favours the attacker.

With deception technology solutions like Acalvio ShadowPlex, anything can become a deceptive artifact. Using ShadowPlex, defenders can now embed deceptions everywhere, surround key assets with deceptions, intercept attackers in real-time, and proactively reduce the attack surface attack paths.

With Acalvio ShadowPlex deployed, the attacker has to just interact with any one of these deceptive artifacts to get detected. Even if the attacker is aware that there are deceptions deployed on the network, they can’t do much to evade authentic-looking deceptions. The tables are turned, and the attacker will be detected through these deception techniques sooner or later and contained quickly.

Can Deception Technology Effectively Counter All Types of Adversaries?

Unlike traditional security layers, deception technology is not dependent on the attacker tools, malware programming language, location of access, or the status of endpoint (managed or unmanaged). So, unlike traditional security layers, deception technology can detect both known and unknown threats, including zero day with speed and precision.

Deception Technology Detections

Deception technology can rapidly detect, engage and respond to cybersecurity attacks across hybrid cloud deployments, protecting both IT and OT networks. Solutions based on deceptive techniques can respond to new and emerging threats, including zero-day attacks.

Some of the cybersecurity attacks that can be detected include:

• Malicious network activities- network intrusion diversion, tunneling for deception traffic, network infrastructure obfuscation
• Ransomware, including ransomware propagation through Active Directory
• Advanced Persistent Threats (APTs)
• Data exfiltration
• AD attacks
• Attacks on Industrial Control Systems
• Compromised endpoints
• Early recon activities
• Ping sweeps
• Deep Recon attempts against certain services like Database Servers
• Scans, including vertical, horizontal, null scans, Xmas scans
• Lateral movement attempts
• Vulnerability exploit attempts
• Insider threats
• Pass-the-Hash attacks
• AS-REP roasting
• Kerberoasting

Is Deception Technology suitable for organizations of various sizes?

Since Deception Technology does not depend on specific installations, signatures, or other indicators of compromise to detect adversary activity, it can be scaled up or down to work with organizations of any size. Deception technology is designed for Enterprise IT, IoT and ICS environments. Customized Deceptions are available for IT & OT Networks and they cover both On-Premises and Cloud workloads, and Remote Users.