Deception technology is a simple but effective method of active defence which builds upon the concept of the honeypot, a sacrificial system intended to attract cyberattacks.
What is a honeypot in cybersecurity?
Honeypots are typically configured for a specific purpose; for example, the tool Cowrie is designed to log brute force attacks and shell interaction from SSH and Telnet connections [1]. Once an attacker interacts with a honeypot, the captured data can be analysed to identify the types of attacks they are attempting. This data can then also be fed back into other systems to build new rules, for example by blocking an IP address on a firewall if malicious activity is observed. While honeypots remain useful today, they also come with several important drawbacks. Firstly, they can only be deployed in limited numbers, and once deployed they require resources to maintain. They also require attackers to interact with them in a specific way; if the honeypot doesn't recognise the interaction, then no useful data will be captured. Finally, sophisticated attackers are often able to distinguish them from legitimate systems and will subsequently avoid them.
In contrast, modern deception technology improves on traditional honeypots by implementing a range of techniques to transform the entire network into a trap. If an attacker breaches a network, deception aims to deceive them into interacting with false assets, triggering alarms, and ultimately revealing themselves to defenders. Deception technology has the additional benefit of drawing attackers away from legitimate data sources, as well as creating confusion, and slowing down an attack whilst the adversary wastes precious time and resources.
How does deception technology work?
Deception is constructed in an environment by creating and deploying decoys alongside legitimate network assets. These fake assets come in various forms, such as deceptive servers, domains, databases, credentials, and cookies. For an attacker who has breached the network, distinguishing between fake and legitimate assets becomes challenging, and for a defender, any engagement with deceptive assets can be considered highly suspicious.
Benefits of deception technology
The most significant advantage of deception is shifting the burden of success from the defender to the attacker. Once a network is populated with deceptive assets, for adversaries to be successful they must be right 100% of the time and carry out flawless attacks without interacting with a single decoy. Once the adversary does trigger an alert, security teams are made aware and can respond effectively.
An example of deception technology
A key metric when examining an environment which has already been breached is dwell time, the amount of time an adversary spends undetected in a network. A recent study revealed that from 2021 to 2022, dwell time increased by 36% to a median time of 15 days [2]. This is important because the longer an adversary is present in a network, the better they can understand strategic targets.
At this stage, adversaries typically aim to establish persistence and then attempt lateral movement, often leveraging Active Directory to gather critical information. For example, they may query AD for certain groups or assets, or attempt to get a list of all domain controllers. With deception technology in place, these queries are captured, and false details are given back. If an attacker then attempts to connect to a deceptive server, more alerts are triggered, as no one with legitimate intentions should be interacting with it. These alerts can act as an excellent method of early detection before EDR or DLP tools have recognised that a threat is present.
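The detection logic this implies is straightforward: because no legitimate user ever has a reason to touch a decoy, any authentication event naming a decoy host or decoy account is a high-severity alert on its own, with no baselining needed. The following is an added example (not code from LRQA or any deception product) that applies that rule to a handful of constructed authentication log lines and shapes the result for SIEM ingestion; the decoy host names, account names and log format are all hypothetical.

```python
"""Decoy-interaction detector (added example, not a product's code).

Any authentication attempt against a decoy host, or using a decoy account,
is treated as high-severity: no legitimate user should ever touch one.
"""
import re

# Hypothetical decoy inventory planted by the deception layer.
DECOY_HOSTS = {"dc-backup02.corp.example", "fileshare-fin.corp.example"}
DECOY_ACCOUNTS = {"svc_backup_admin", "adm_legacy"}

# Constructed authentication events in a simple key=value format.
SAMPLE_LOGS = [
    "ts=2024-03-01T10:02:11Z src=10.0.4.17 user=jsmith host=fs01.corp.example result=success",
    "ts=2024-03-01T10:05:43Z src=10.0.4.88 user=svc_backup_admin host=dc01.corp.example result=failure",
    "ts=2024-03-01T10:06:02Z src=10.0.4.88 user=jsmith host=dc-backup02.corp.example result=failure",
    "ts=2024-03-01T10:07:30Z src=10.0.4.17 user=jsmith host=fs01.corp.example result=success",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value log line into a dict of fields."""
    return dict(_KV.findall(line))


def classify(event):
    """Return the reasons this event touched deception (empty list if none)."""
    reasons = []
    if event.get("user") in DECOY_ACCOUNTS:
        reasons.append("decoy_credential_used")
    if event.get("host") in DECOY_HOSTS:
        reasons.append("decoy_host_contacted")
    return reasons


def detect(lines):
    """Scan log lines and emit one SIEM-ready alert per decoy interaction."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:  # result=failure still counts: the attempt alone is the signal
            alerts.append({"severity": "high", "rule": "deception.decoy_interaction",
                           "reasons": reasons, "ts": ev.get("ts"), "src": ev.get("src"),
                           "user": ev.get("user"), "host": ev.get("host")})
    return alerts


def suspicious_sources(alerts):
    """Source addresses to hand to the firewall or EDR team for containment review."""
    return sorted({a["src"] for a in alerts})
```

Note that the failed attempts are what fire here: the deception layer never needs the attacker to succeed, only to try.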
Why choose LRQA to manage your deception campaign?
The events collected from deception technologies can enrich our existing service by feeding the data into our SIEM solution. These events can provide important insights for our analysts when performing an investigation or a threat-hunting exercise. In addition, the integration of deception improves incident response capabilities, with the triggered events providing intelligence that can be used to trace the attacker's tactics, techniques, and procedures (TTPs). This in turn helps in understanding the scope of the breach and contributes to developing an effective response strategy.
By opting for deception technology as a managed service with LRQA, you’ll gain access to our team of skilled cybersecurity professionals who specialize in deception techniques and tactics. Our teams can help design and deploy a tailored deception strategy that aligns with your specific security needs and threat landscape. Additionally, LRQA can provide ongoing support and maintenance, ensuring that the deception environment remains effective and up to date against evolving threats.
References
[1] Oosterhof (2022, Jul. 16). Cowrie (Version 2.4.0) [Source code]. https://github.com/cowrie/cowrie
[2] Sophos (2022, Jun. 7). Attacker Dwell Time Increased by 36%, Sophos’ Active Adversary Playbook 2022 Reveals [Online]. Available: https://sophos.com/en-us/press-office/press-releases/2022/06/attacker-dwell-time-increased-by-36-percent-sophos-active-adversary-playbook-2022-reveals