Deception Strategy in Zero Trust Environments

A zero trust architecture (ZTA) is an enterprise cybersecurity architecture that is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement. In a zero trust environment, identity stores are a primary attack surface where any compromise of identity can create significant risk. Endpoints and any credentials they contain are also a persistent source of risk; when an adversary escalates privileges and/or modifies rules to move laterally into previously protected areas.

Attendees joined this webinar with the Senior Cyber Solution Architect at Booz Allen Hamilton hosted by SANS expert on Cyber Deception to get an overview of zero trust architecture (ZTA) and how active defense based on deception technologies can support it.

Deception technology is part of a sensor suite for cyber defense, and it’s informed by offensive adversary tactics, techniques, and procedures (TTPs). This technology covertly detects threats that complement traditional sensors like endpoint detection and response (EDR) and extended detection and response (XDR). Identity-specific deceptions can help detect attacks against identity stores, adding an additional layer of protective value to a zero trust deployment. By seeding deceptive elements for endpoints, accounts, and tokens in a network, any enumeration to those machines or use of those accounts notifies an operations center that security has been compromised. Deception technologies not only provide clear signals of activity that warrant investigation and action but also reduce data-processing costs and singular reliance on analytics for true/positive alerts.