NEVER ATTEMPT TO WIN BY FORCE WHAT CAN BE WON BY DECEPTION
VP, Information Security
Despite the protective and detective security controls in place, attackers continue to deceive organizations and steal sensitive data by infiltrating networks, moving laterally, gaining unauthorized elevated privileges, and dwelling inside networks undetected for long periods.
Organizations simply cannot keep up with ever-changing attack methods against ever-increasing attack surfaces introduced by evolving technologies such as IoT, cloud, DevOps, microservices, APIs, containers, and many more. As such, cyber security resilience becomes crucial: it is not the strongest or the most intelligent organizations that will survive cyber-attacks, but the most adaptable ones. One way to achieve this is to be prepared to detect early reconnaissance, lateral movement, and credential theft regardless of the methods used to compromise your network.
This is where deception technology comes into the picture. Deception technology uses network, endpoint and data traps and lures to detect an adversary. Attractive traps and lures are projected throughout the network along with realistic endpoint credentials, mapped shares, decoy sensitive data or fake applications that deceive and misdirect an attacker into revealing themselves to an engagement server, which then alerts on the attacker's presence.
Since deception technology does not rely on signatures or database lookups, it is extremely reliable and capable of detecting attackers instantly, while gaining the visibility needed to derail these attacks and remediate compromised devices. Because no legitimate user or process has a reason to touch a decoy, its alerts have zero false positives, and organizations can eliminate the operational overhead and cost associated with traditional detection methods. Let's have a closer look at deception technology.
What does deception technology cover?
Deception technology covers on-premises and cloud networks, endpoints, applications, and data.
- Network: Authentic network decoys are used to attract attackers during reconnaissance and lateral movement, whether on-premises or in the cloud.
- Endpoint: Credentials, user data, and mapped shares attract attackers and breadcrumb them into the deception environment, quickly revealing attacks on endpoints.
- Application: Create deception environments that appear as production applications such as SWIFT, web services, print services, cloud storage buckets, serverless functions, or container apps.
- Data: Plant deceptive files, cloud access tokens, or other data elements to better understand which areas are being targeted for theft and to provide geolocation services.
How realistic are the decoys?
Believability is critical to enticing the attacker. As such, real operating systems, services, devices, and applications that match the production environments are used, such as:
- Decoy devices: Decoys that mirror production devices such as Cisco switches, routers, telephony, IoT, medical IoT, and point-of-sale machines.
- Decoy services: Camera streaming, file transfer, print server, remote access, web server, etc.
- Decoy applications: Big data, databases, SWIFT, web portals, etc.
What is the best strategy for implementing deception technology?
- Identify network segments and endpoints suitable for deception capabilities
- Deploy and manage decoys and lures (fake credentials, data files, decoy devices, services etc.)
- Perform red team exercises against production environments and validate effectiveness
- Integrate deception technology with enterprise security tools, forensics, and incident response capabilities
- Develop processes and procedures, as well as roles and responsibilities, around the deception technology
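As an added example (not part of the original article, and not Cyber Electra's or any vendor's code), here is the core alerting logic an engagement server applies across the four coverage areas above, in the shape that feeds the "integrate with enterprise security tools" step: any sighting of a decoy value in telemetry is an alert, with a small allowlist for the deception platform's own health checks and the vulnerability scanner, which are the usual source of noise. The decoy inventory, the key=value log format, and every address, credential and key in it are constructed for illustration.

```python
"""Alert on any touch of a planted decoy (constructed inventory and key=value
logs, not a product's own code or data)."""
import re
from typing import Dict, List, Tuple

# Decoy inventory keyed by coverage area.  No legitimate process ever uses these.
DECOYS: Dict[str, set] = {
    "network": {"10.10.20.77"},                    # decoy switch management IP
    "endpoint": {"svc_backup_admin"},              # credential planted on hosts
    "application": {"swift-gw01.corp.example"},    # decoy SWIFT gateway name
    "data": {"AKIAEXAMPLEDECOY0001", "\\\\fs01\\finance_archive"},  # decoy key / share
}
# Only the platform's health checks and the vuln scanner may touch decoys; audit this.
ALLOWLIST = {"10.10.1.5"}
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line: str) -> Dict[str, str]:
    """Parse one key=value log line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def decoy_hits(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """(category, marker) for every decoy value appearing in any field of the event."""
    seen = set(event.values())
    return [(cat, m) for cat, markers in DECOYS.items() for m in sorted(markers & seen)]

def detect(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per decoy touched, no signature or lookup needed."""
    alerts = []
    for line in lines:
        ev = parse(line)
        src = ev.get("src", "unknown")
        if src in ALLOWLIST:
            continue
        for cat, marker in decoy_hits(ev):
            alerts.append({"ts": ev.get("ts", ""), "src": src, "category": cat, "marker": marker})
    return alerts

def attack_paths(alerts: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Per source, the ordered decoy categories it touched (recon -> creds -> data)."""
    paths: Dict[str, List[str]] = {}
    for a in alerts:
        paths.setdefault(a["src"], []).append(a["category"])
    return paths

# Constructed telemetry: 10.10.30.12 probes a decoy switch, tries a planted
# credential and opens a decoy share; 203.0.113.9 uses a decoy cloud key.
SAMPLE_LOGS = [
    'ts=2024-05-01T09:01:00Z type=conn src=10.10.30.12 dst=10.10.20.77 dport=22',
    'ts=2024-05-01T09:01:04Z type=logon src=10.10.30.12 user=svc_backup_admin result=fail',
    'ts=2024-05-01T09:02:10Z type=conn src=10.10.1.5 dst=10.10.20.77 dport=22',
    'ts=2024-05-01T09:05:30Z type=smb src=10.10.30.12 path="\\\\fs01\\finance_archive"',
    'ts=2024-05-01T09:06:00Z type=api src=203.0.113.9 key=AKIAEXAMPLEDECOY0001 action=ListBuckets',
]
```

Running `detect(SAMPLE_LOGS)` yields four alerts (the scanner's probe is suppressed), and `attack_paths` shows one internal host walking network, endpoint and data decoys in order, which is the lateral-movement chain a SIEM or incident response playbook would receive.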
Cyber Electra has successfully implemented deception technologies to help organizations accurately and efficiently detect breaches and reduce attacker dwell time.