Deception technology (also deception and disruption technology) is a category of cyber security defense mechanisms that provide early warning of potential cyber security attacks and alert organizations of unauthorized activity. Deception technology products can detect, analyze, and defend against zero-day and advanced attacks, often in real time. They are automated, accurate,[1] and provide insight into malicious activity within internal networks which may be unseen by other types of cyber defense. Deception technology seeks to deceive an attacker, detect them, and then defeat them.
Deception technology considers the point of view of human attackers and method for exploiting and navigating networks to identify and exfiltrate data. It integrates with existing technologies to provide new visibility into the internal networks, share high probability alerts and threat intelligence with the existing infrastructure.
Deception technology automates the creation of traps (decoys) and lures, which are strategically integrated among existing IT resources. These decoys provide an additional layer of protection to thwart attackers who have breached the network. Traps can be IT assets that utilize genuine licensed operating system software or emulate various devices, such as medical devices, automated teller machines (ATMs), retail point-of-sale systems, switches, routers, and more. On the other hand, lures typically consist of real information technology resources, such as files of different types, that are placed on actual IT assets. Due to advancement in the area of cybersecurity, deception technology programs are increasingly proactive in approach and produce fewer false-positive alerts. The goal is to accurately discover the intention of the attacker and their tactics, technique and procedure. These information will enable effective response from the deception technology platforms.[2]
Upon penetrating the network, attackers seek to establish a backdoor and then use this to identify and exfiltrate data and intellectual property. They begin moving laterally through the internal VLANs and almost immediately will "encounter" one of the traps. Interacting with one of these "decoys" will trigger an alert. These alerts have very high probability and almost always coincide to an ongoing attack. The deception is designed to lure the attacker in – the attacker may consider this a worthy asset and continue by injecting malware. Deception technology generally allows for automated static and dynamic analysis of this injected malware and provides these reports through automation to the security operations personnel. Deception technology may also identify, through indicators of compromise (IOC), suspect end-points that are part of the compromise cycle. Automation also allows for an automated memory analysis of the suspect endpoints, and then automatically isolating the suspect endpoints.
Internet of things (IoT) devices are not usually scanned by legacy defense in depth and remain prime targets for attackers within the network. Deception technology can identify attackers moving laterally into the network within these devices.
Integrated turnkey devices that utilize embedded operating systems but do not allow these operating systems to be scanned or closely protected by embedded end-point or intrusion detection software are also well protected by a deception technology deployment in the same network. Examples include process control systems (SCADA) used in many manufacturing applications on a global basis. Deception technology has been associated with the discovery of Zombie Zero,[3] an attack vector. Deception technology identified this attacker utilizing malware embedded in barcode readers which were manufactured overseas.
Medical devices are particular vulnerable to cyber-attacks within the healthcare networks. As FDA-certified devices, they are in closed systems and not accessible to standard cyber defense software. Deception technology can surround and protect these devices and identify attackers using backdoor placement and data exfiltration. Recent documented cyber attacks on medical devices include x-ray machines, CT scanners, MRI scanners, blood gas analyzers, PACS systems and many more. Networks utilizing these devices can be protected by deception technology. This attack vector, called medical device hijack or medjack, is estimated to have penetrated many hospitals worldwide.[4]
Specialized deception technology products are now capable of addressing the rise in ransomware by deceiving ransomware into engaging in an attack on a decoy resource, while isolating the infection points and alerting the cyber defense software team.[5]
Honeypots were perhaps the first very simple form of deception. A honeypot appeared simply as an unprotected information technology resource and presented itself in an attractive way to a prospective attacker already within the network. However, most early honeypots exhibit challenges with functionality, integrity and overall efficacy in meeting these goals. A key difficulty was lack of automation that enabled broad scale deployment; a deployment strategy that aimed to cover an enterprise where up to tens of thousands of VLANS needed to be protected would not be economically efficient using manual processes and manual configuration.
The gap between legacy honeypots and modern deception technology has diminished over time and will continue to do so. Modern honeypots constitute the low end of the deception technology space today.
See also: Alarm fatigue. Traditional cyber defense technologies such as firewalls and endpoint security seek primarily to defend a perimeter, but they cannot do so with 100% certainty. Heuristics may find an attacker within the network, but often generate so many alerts that critical alerts are missed. In a large enterprise, the alert volume may reach millions of alerts per day. Security operations personnel cannot process most of the activity easily, yet it only takes one successful penetration to compromise an entire network. This means cyber-attackers can penetrate these networks and move unimpeded for months, stealing data and intellectual property.
Deception technology produces alerts that are the end product of a binary process. Probability is essentially reduced to two values: 0% and 100%. Any party that seeks to identify, ping, enter, view any trap or utilizes a lure is immediately identified as malicious by this behavior because anyone touching these traps or lures should not be doing so. This certainty is an advantage over the many extraneous alerts generated by heuristics and probability-based.
Best practice shows that deception technology is not a stand-alone strategy. Deception technology is an additional compatible layer to the existing defense-in-depth cyber defense. Partner integrations make it most useful. The goal is to add protection for the most advanced and sophisticated human attackers that will successfully penetrate the perimeter.