
deception technology

Deception technology, commonly referred to as cyber deception, is a category of security tools and techniques designed to detect and divert an attacker’s lateral movement once they are inside the network. Deception technology enables defenders to identify a wide variety of attack methods without relying on known signatures or pattern matching.

The technology is known for issuing reliable alerts because any engagement with deception technology is by definition "unauthorized." In addition to obfuscating the attack surface and making it challenging for attackers to look around undetected, deception technology will also redirect the attacker to an engagement server that gathers intelligence about the attacker’s tools, methods and behaviors. Third-party integrations can be used to automate appropriate response actions, including isolation, blocking and threat hunting.

Gartner predicts that by 2022, 25% of all threat detection and response projects will include deception features and functionality.

Growth of the Deception Technology Market

Increased adoption of deception technology has stemmed from the need for scalable threat detection across a wide variety of attack surfaces, including:

  • Active Directory (AD)
  • software applications
  • virtual private clouds
  • Internet of Things (IoT)
  • SCADA
  • point-of-sale (PoS) systems

Breaches such as the SolarWinds incident have also brought to light the magnitude of the need for detecting lateral movement and privilege escalation.

Standards organizations are also embracing deception, with the National Institute of Standards and Technology (NIST) adding the technology to several recent guidelines. Similarly, the MITRE ATT&CK framework helps organizations understand how deception fits in their security stack to derail attack techniques and tactics – specifically around discovery, lateral movement, privilege escalation and collection.

How Deception Works

Once thought to be only for large organizations with mature security teams, deception platforms have evolved into a practical and effective solution for companies of all sizes.

Companies seek out cyber deception for comprehensive attack surface protection, early detection, and a better understanding of their adversaries. Deception platforms meet these needs through their deployment scalability, ease of use for operators and an ability to work seamlessly with security solutions already in place.

Unlike security information and event management (SIEM) solutions that use event logs to report what happened, deception proactively reports on what could happen. Deception detects attacker techniques rather than relying on signatures or pattern matching, which is also what makes it effective.

Deception technology will alert on early discovery, reconnaissance and privilege escalation activities. Defenders can set lures and decoys, hide production assets and misdirect attackers with disinformation that will derail their attack. The decoys mimic genuine IT assets throughout the network and run either a real or emulated operating system (OS). The decoys provide services designed to trick the attacker into thinking they have found a vulnerable system. The technology can also reduce the attack surface by finding and remediating exposed credentials that create attack paths.

Upon attacker interaction with a deceptive asset, the security team receives a high-fidelity, engagement-based alert with intelligence gathered about the attack. By gaining insight into the attacker’s tools, methods and intent, the defender has the knowledge needed to shut down the attack, strengthen overall defense strategies and level the playing field with their opponent.
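The engagement-based alerting described above, as an added example that is not from the original page or any vendor product: a small Python detector that flags any authentication touching a constructed inventory of decoy hosts or decoy credentials. A login to a decoy with valid credentials still raises an alert, while an ordinary failed login on a production host does not, because only decoy engagement is unauthorized by definition. All host addresses, account names and log lines are made up for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed decoy inventory (hypothetical addresses and account names).
DECOY_HOSTS = {"10.0.9.50": "decoy-fileserver-01", "10.0.9.51": "decoy-dc-02"}
DECOY_ACCOUNTS = {"svc_backup_legacy", "adm_finance_old"}

# Constructed syslog-style authentication lines, made up for this example.
SAMPLE_LOGS = """\
2021-01-12T09:14:02Z auth host=10.0.1.20 user=jsmith result=success proto=smb
2021-01-12T09:14:45Z auth host=10.0.9.50 user=jsmith result=success proto=smb
2021-01-12T09:15:10Z auth host=10.0.1.31 user=svc_backup_legacy result=failure proto=ldap
2021-01-12T09:16:02Z auth host=10.0.1.22 user=mlee result=failure proto=rdp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) proto=(?P<proto>\S+)$"
)


@dataclass
class Alert:
    ts: str
    reason: str
    host: str
    user: str
    proto: str
    technique: str  # ATT&CK-style tactic the engagement points to


def engagement_alerts(log_text: str) -> List[Alert]:
    """Return one alert per log line that engages a decoy host or decoy credential."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth record; a real pipeline would parse other event types
        ts, host, user, proto = m["ts"], m["host"], m["user"], m["proto"]
        if host in DECOY_HOSTS:
            # Any touch of a decoy host is unauthorized, even a success with real credentials.
            alerts.append(Alert(ts, f"decoy host {DECOY_HOSTS[host]} engaged",
                                host, user, proto, "lateral movement"))
        elif user in DECOY_ACCOUNTS:
            # Decoy accounts are never used legitimately, so failure or success both alert.
            alerts.append(Alert(ts, f"decoy credential {user} used",
                                host, user, proto, "credential theft and reuse"))
        # Production-host events (e.g. the failed RDP login) are left to SIEM correlation.
    return alerts
```

Note that the result field is deliberately ignored: with decoys the signal is the engagement itself, not whether the authentication succeeded.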

The attacker will also get an unclear picture of the attack surface, which will slow them down, force them to make mistakes, expend additional resources and negatively impact the economics of their attack.

For companies conducting security assessments, deception technology plays an important role in detecting the attacker early and recording the attack activity. These capabilities make deception technology one of the most effective methods to deal with ransomware. It is particularly adept at detecting intruders attempting to move laterally within the network -- even if the intruders use authentic credentials.

Implementation

Deception technology is available as a full deception fabric or platform, as features within a broader platform and as independent solutions. Advanced deception platforms use machine learning for fast and accurate deployment and operations without disrupting other network functions. Native platform integrations with existing security infrastructure can provide seamless attack information sharing and facilitate automation. Benefits include automated blocking, isolation, threat hunting, repeatable playbooks that accelerate incident response and integration with SOAR solutions.

The most advanced deception platforms will also provide concealment technology, which hides and denies access to data. Instead of interweaving deceptive assets among production assets, the technology can hide real assets from an attacker's view. It can also return fake data to the attacker to disrupt and derail further attacks. Coverage includes AD objects, credentials, files, folders and removable drives, as well as network and cloud shares. This function serves as a powerful ransomware deterrent because attackers can’t find and take over domain control, or encrypt or steal data on drives they can’t access.

Benefits

Cyber deception complements existing security controls by detecting discovery, lateral movement, privilege escalation and collection activities that other tools are not designed to address. The technology is highly scalable, which allows it to protect an ever-evolving attack surface.

Many of the attack activities that deception provides visibility into are traditionally challenging to detect. These include lateral movement, credential theft and reuse, internal threat reconnaissance, man-in-the-middle (MitM) activities, and attacks on directory services such as Lightweight Directory Access Protocol (LDAP) or AD.

The ability to deceive, direct and guide the adversary away from critical assets denies them their goals and reveals how they want to move through the network. It also increases the attacker’s cost, because they must now decipher what is real from what is fake, and it forces them to restart their attacks.

This was last updated in January 2021
