In this episode of the SecurityANGLE, our series focused on all things cybersecurity, I’m joined by my friend, fellow analyst, engineer, and frequent cohost, Jo Peterson. Today’s conversation centers on deception technology, which is a strategy designed to attract cybercriminals away from an enterprise’s true assets and divert them to a decoy or trap.
When utilizing deception technology, the decoy mimics legitimate servers, applications, and data so that the criminal is tricked into believing that they have infiltrated and gained access to the enterprise’s most important assets when in reality they have not. The strategy is employed to minimize damage and protect an organization’s true assets. By populating the network with decoys, the onus is on adversaries to carry out an attack nearly perfectly flawlessly, without falling for any of the decoys and traps laid for them.
Deception Technology: Putting Cybercriminals on Defense, watch the full episode here:
Once a security team is alerted to the presence of a cyber attacker, they can analyze the behavior of the threat actor, utilizing that intelligence to thwart their efforts. Some organizations even deploy a centralized deception server that records the movements of malicious actors — first as they gain unauthorized access and then as they interact with the decoy. The server logs and monitors any and all vectors used throughout the attack, providing valuable data that can help the IT team strengthen security and prevent similar attacks from happening in the future.
And it’s probably obvious, but important to note that in order to function properly, deception technology must not be obvious to an enterprise’s employees, contractors, or customers.
Is Deception Technology the Same as Honeypots?
One of the questions we often get on this topic is whether deception technology is the same as honeypots. The short answer is no.
Honeypots, introduced in the 1990s as the first deception technology, were designed to study attacker behavior by luring them into fake systems, rather than for threat detection. While innovative at the time, honeypots have significant limitations in today’s threat landscape.
Professional hackers can easily identify honeypots, and their deployment poses logistical challenges. The resources required for maintenance and implementation mean organizations can only deploy a limited number, reducing their effectiveness in threat detection. Success depends largely on attackers stumbling into these traps.
Modern attackers use experience, crowdsourcing, and tools to distinguish honeypots from legitimate systems. While honeypots remain valuable for forensics, threat hunting, and response development, they are no longer suitable as the primary component of a modern deception strategy. Effective deception tools must be inevitable, undetectable, and inescapable.
How Threat Deception Technology Works
Threat deception technology tricks an attacker into going after false resources within a system, mimicking the kinds of digital assets an organization would normally have in its network infrastructure. However, these are merely traps or decoys and, when a hacker goes after them, they do not damage business-critical systems.
The aim of threat deception technology is to fool an attacker into thinking they have actually penetrated the system. For example, you can make them think they are executing a successful privilege escalation attack. As they engage in activity, while they think will give them the same rights as a network admin, they are really just tooling around, not getting any extra rights, and having no significant impact on an organization’s infrastructure.
Notification System. Another key element of threat deception technology is that it features a notification system configured to record attacker activity. Once the server receives a notification, it starts recording what the hacker is doing in the specific attack vector. In this way, cyber deception technology can provide valuable intelligence regarding the attack methodologies of hackers.
Asset Evaluation. Another benefit of deception technology techniques is they enable an IT team to ascertain which assets are the most attractive to attackers. For example, while it is safe to presume that a database of user information — such as payment data, names, addresses, and social security numbers — is an attractive target, with security deception technology, you can verify that these are indeed assets hackers are after.
Another cool benefit of deception tech is that security teams can determine the exact kinds of data a hacker is after by mimicking environments that contain one or more types of information. For example, they can create fake databases containing social security numbers, names and addresses, and the account login credentials of specific company principals. Then they can observe which assets attackers choose to target. This gives more insight into what they seek and can help drive cyber defense strategies moving forward.
It’s no surprise that deception tech is gaining traction, and we expect it to become more widely embraced at a rapid pace.
The Key Benefits of Deception Technology
Deception technology delivers three key benefits and is still considered an important component of a robust cybersecurity strategy. These benefits are:
Decrease attacker dwell time on the network. The decoy assets must be attractive enough for a cyber attacker to believe they are stealing legitimate assets. However, at some point, the infiltration will stop when IT thwarts the attack from spreading — and attackers figure out that they will be discovered sooner rather than later.
Alternatively, the attacker may quickly realize that the attack is on decoy assets and that the entirety of an organization’s assets cannot be stolen. The attacker may quickly leave as a result, realizing the attempt to be a failed one, reducing dwell time on the network.
Expedite the average time to detect and remediate threats. Deception technology assets require significant resources to maintain, leading IT teams to treat any cyberattacks on these decoy systems as high-priority incidents worthy of detailed investigation. This focused attention enables teams to closely analyze the attacker’s tactics, techniques, and movement patterns. When suspicious activities or unauthorized access attempts are detected on these decoy assets, IT teams can respond swiftly and decisively. As a result, deception technology significantly reduces the time needed to identify and neutralize potential security threats.
Reduce alert fatigue. Too many security alerts can easily overwhelm an IT team, and dealing with alert fatigue is very much a reality today. With deception technology in place, the team is notified when cyber attackers breach the perimeter and are about to interact with decoy assets. Additional alerts will help them understand malicious behavior and then track the activities of the attacker.
What Kind of Cyberattacks can be Detected by Threat Deception Technology
Some of the attacks threat deception technology can detect include:
Account hijacking attacks. These attacks involve the attacker using stolen credentials to try and take control over an account.
Credential theft. Credential theft centers around an attacker gaining access to a list of credentials and then using them in a future hack.
IoT attacks. IoT attacks happen when a hacker targets IoT-connected devices, using what they may presume to be weaker access credentials — such as default passwords — to gain access to an organization’s network. Think for a moment about a hospital setting, where myriad devices are connected to the internet, some of which may not have robust password protections in place and/or endpoint management practices. This is a juicy target for threat actors.
Lateral movement attacks. Lateral movement attacks involve a hacker trying to move east to west, or laterally, through a network. They do this by first gaining access to one system and then trying to spread their attack to other systems the computer is connected to. In this way, they can take advantage of the interconnected assets within an organization.
Spear phishing. Spear phishing is when an attacker goes after a specific person or group of people in the organization, trying to trick them into providing sensitive information. Utilizing deception technology cybersecurity can help prevent these kinds of attacks as well.
Deception Technology Trends
Here are some of the deception technology trends we’re seeing across the industry —
Security data lake deployment. We are seeing a rise in security lake deployment , with enterprises implementing massive security data repositories from AWS, Google, IBM, and Snowflake. Deception technologies will continuously analyze this data to better understand normal and anomalous behavior. This is extremely valuable, as this data will serve as a baseline for deception models.
API connectivity. Aside from security data lakes, deception technology will plug into IaaS, asset management systems (or what Gartner calls cyber asset attack surface management), vulnerability management systems, attack surface management systems, cloud security posture management (CSPM), etc. This connectivity allows deception systems to get a full picture of an organization’s hybrid IT applications and infrastructure.
Generative AI. Generative AI is being used to help generate authentic-looking decoys like fake assets, fake services lures, breadcrumbs (fake resources placed on real assets), and synthetic network traffic. These are attractive deception elements, as they can be deployed strategically and automatically across a hybrid network in large volumes.
Top 8 Threat Deception Tech Platforms
It’s great to see deception tech being more widely adopted and there is every reason to believe we’ll see that continue to increase. As we close this episode and topic of the use threat deception technology as part of a cybersecurity strategy, we wanted to touch on a couple of players in the threat deception space. The top threat deception technology platforms include:
Acalvio ShadowPlex Advanced Threat Defense
Fortinet FortiDeceptor
Zscaler’s Deception
Smokescreen
SentinelOne Singularity Hologram
InsightIDR by Rapid7
Cynet Deception
Morphisec Breach Prevention Platform
Here are some highlights from these vendors and a brief overview of their offerings:
Acalvio ShadowPlex Advanced Threat Defense
Acalvio is a cyber deception technology provider that helps enterprises actively protect against advanced security threats. Their product, ShadowPlex Advanced Threat Defense (ATD), offers early threat detection with precision and speed using deception technology and AI.
The Acalvio platform is built using 25 patented technologies and can be deployed autonomously across on-premises, OT, and cloud workloads. ShadowPlex ATD casts a wide net with its various deception strategies, including decoys, breadcrumbs, baits, and lures. These deceptive elements help stop threats before they cause harm and enable the auto-triaging of detection events using advanced analytics. The high-fidelity incidents identified by the system can be forwarded to SIEM, SOAR, or IR platforms. ShadowPlex is mapped to the MITRE ATT&CK Framework and provides real-time automated endpoint quarantine and high-interaction decoys for advanced threat protection.
The platform integrates seamlessly with numerous solutions such as SOAR, SIEM, EDR, AD, network management, email servers, and software management solutions. These integrations allow ShadowPlex to leverage network discovery, gather forensic data from endpoints, deploy breadcrumbs and baits, and execute automated responses for a comprehensive security strategy.
Fortinet FortiDeceptor
Fortinet’s FortiDeceptor is a cybersecurity solution developed by Fortinet, focused on providing early detection and isolation of sophisticated human and automated attacks. As part of the Fortinet SecOps Platform, it detects and responds to in-network attacks such as stolen credential usage, lateral movement, man-in-the-middle, and ransomware.
FortiDeceptor helps shift defense strategies from reactive to proactive, with an intrusion-based detection system layered with contextual intelligence. It generates high-fidelity alerts based on real-time engagement and provides attack activity analysis and attack isolation to decrease the burden on SOC teams dealing with false-positive alerts.
Additionally, FortiDeceptor correlates incident and campaign activities, collects IOCs and TTPs and enables automated, dynamic protection across OT/IoT/IT environments by allowing on-demand creation of deception decoys based on newly discovered vulnerabilities or suspicious activity. FortiDeceptor integrates with Fortinet Security Fabric and third-party security controls, including SIEM, SOAR, EDR, and sandbox for visibility and accelerated response.
The platform captures and analyzes attack activities in real time, providing detailed forensics, and can quarantine infected endpoints away from the production network. It is designed for easy deployment and maintenance and can operate in both online and air-gapped (offline) modes, with a ruggedized version available for enhanced protection.
Zscaler: Deception with a Zero Trust Architecture and Smokescreen
It’s probably important to note that when it comes to cybersecurity, there’s no one technique that’s 100% effective, best results come when you have multiple technologies working together and sharing information, minimizing attack surfaces, and speeding up the ability to remediate incidents. We like how Zscaler, which offers a cloud-native, cloud-scalable suite of offerings, approaches this with its Zscaler Defense solution by assuming that every single access or user request is a hostile one until both the identity and the context of the request are authenticated and authorized, granting access to only the minimum required resources in what is called the “least privilege access.”
In a zero-trust environment, deception decoys act as tripwires, compromised users are detected and lateral movement is tracked, and Zscaler’s Deception serves up what they call an “easy button” for detecting and stopping sophisticated threats that target zero trust environments by proactively luring, detecting, and intercepting sophisticated active attackers with decoys and false paths.
I’ll also mention here Mumbai-based cybersecurity startup, Smokescreen, which was acquired by Zscaler in 2021, Is deception tech that’s used to blanket the network with decoys. Smokescreen offers out-of-the-box integrations with SIEMS, firewalls, EDRs, proxy, threat intel feeds, SOAR.
SentinelOne Singularity Hologram
SentinelOne’s Singularity Hologram technology uses dynamic deception techniques and a matrix of distributed network decoy systems to transform the entire network into a trap designed to deceive in-network attackers and their automated tools.
The decoys are strategically placed to engage adversaries and insiders, which helps facilitate investigations and the gathering of adversary intelligence. This tech is intended to support the identification of active compromises within a network and plays a critical role in snaring adversaries as they move laterally and interact with decoy assets and lures.
Singularity Hologram not only enables organizations to visualize and strengthen their defenses, but also complements and integrates with endpoint detection and response (EDR) and extended detection and response (XDR) strategies. Even better, it can be combined with Singularity Identity for holistic endpoint and Active Directory protections, creating a more comprehensive cybersecurity solution.
I’m also a fan of Singularity Hologram’s wide-ranging deception and decoy techniques, which are designed to entice adversaries to perform recon by mimicking production operating systems, applications, data, industrial control systems, IoT devices, and cloud functions. This approach is important, as it helps organizations reduce the time required to detect, analyze, and stop attackers while gaining valuable insights into their tactics, techniques, and procedures (TTPs).
InsightIDR by Rapid7
Rapid7’s InsightIDR is a security solution that specializes in incident detection and response, authentication monitoring, and endpoint visibility. This Extended Detection and Response (XDR) system is designed to identify unauthorized access from both internal and external threats, highlighting suspicious activities to streamline the detection process.
InsightIDR is a cloud-native, cloud-scalable solution that unifies and transforms multiple telemetry sources for improved security coverage. InsightIDR uses advanced deception technology, informed by attacker behavior research, to create honeypots, honey users, credentials, and files. These traps help detect attackers earlier during network recon and lateral movement, protecting critical data from being stolen. This strategy is complemented by user behavior analytics (UBA) and endpoint detection, ensuring intruders are detected throughout the entire attack chain.
InsightIDR also offers real-time endpoint detection and honey credential injection to deceive attackers and expose their activities. If these fake credentials are used elsewhere on the network, the system automatically alerts users. InsightIDR’s integration of advanced deception technology, UBA, and endpoint detection provides comprehensive security support for organizations.
Morphisec Breach Prevention Platform
Morphisec offers what they call “moving target defense” (MTD) or “automated moving target defense,” which is designed to counter the advanced attacks from threat actors we’re seeing today. While next gen antivirus, endpoint protection platforms, and response (EDR and XDR) solutions stop known attackes by recognizing signatures and behavior patterns, but they often don’t detect other, more advanced attacks (zero days, malware variants, supply chain attacks).
MTD prevents these threats by using system polymorphism (thus the company’s name) in memory to hide operating system and application targets in an unpredictable manner.
They use an analogy to describe this that resonated: Assume an expert thief is able to pick the lock of any door. The goal of MTD is not to build a better lock, but instead, to make the door and the door lock difficult, or even impossible, to find.
Cynet Deception
Cynet is an all-in-one managed cybersecurity platform that provides “out-of-the-box” solutions that include network detection and response (NDR), Deception, and Port Scanning. The Cynet platform utilizes deception tech to deploy decoy users and monitor for unauthorized access. Cynet’s user behavior analytics (UBA) monitors user behavior to spot and isolate compromised accounts, continuously monitoring and correlating user activities against other events, detecting lateral movement, anomalies, rapidly detect suspicious user activities and also provides visibility into user activity and logins. All of this is packaged with deception tech as part of the UBA solution.
Conclusion
There is clearly a lot going on in the world of deception technology. Some experts predict deception technology will become more pervasive in 2024 and eventually a security ops staple by the end of 2025, while some skeptics consider deception tech only for “elite” organizations like government entities like the NSA and others.
I believe that what we are seeing on the innovation front from cybersecurity vendors is that they are getting exponentially less complex: they don’t require deep technical expertise and are also fairly easily set up. There will of course always be more advanced threat detection offerings, but I think that we will see the use of some basic configurations starting to become the norm, and that’s a good thing for organizations working to improve their security ops around threat detection and response.
Image credit: Pexels, Miguel A. Padriñán
See more of my coverage here:
Zscaler ThreatLabz 2024 Ransomware Report Highlights with Brett Stone-Gross
HPE Fortifies AI-Powered Networking Portfolio with Advanced Security Features
Combatting the Cybersecurity Risks Posed by Enterprise Collaboration Tools
