Hacking is often like rummaging through a bag without looking inside. If it’s your bag, you would know where to look and what the objects feel like. You can reach in and grab a pen in seconds, while another person may grab an eyeliner.
What’s more, they may cause a ruckus in their search. They will rifle through the bag longer than you would, and the noise they make increases the chance that you’ll hear them. Even if you didn’t, the disorder in your bag tells you someone has been through your stuff. Deception technology works in much the same way.
What Is Deception Technology?
Deception technology refers to the suite of tactics, tools, and decoy assets that blue teams use to distract attackers from valuable security assets. At a glance, the location and properties of the decoy look legitimate. Indeed, the decoy must be attractive enough for an attacker to consider it valuable enough to interact with in the first place.
An attacker’s interaction with decoys in a security environment generates data that give defenders insight into the human element behind an attack. The interaction can help defenders find out what an attacker wants and how they plan to get it.
Why Blue Teams Use Deception Technology
No technology is invincible, which is why security teams assume a breach by default. Much of cybersecurity is a matter of finding out which assets or users have been compromised and how to recover them. To do this, blue team operators must know the extent of the security environment they protect and the assets in it. Deception technology is one measure that helps with this.
Remember, the point of deception technology is to get attackers to interact with decoys and distract them from valuable assets. Why? Everything boils down to time. Time is valuable in cybersecurity, and neither attacker nor defender ever has enough. Interacting with a decoy wastes an attacker’s time and gives the defender more time to respond to a threat.
More specifically, if an attacker thinks the decoy asset they interacted with is the real deal, then there’s no point staying out in the open. They exfiltrate the stolen data and (usually) leave. On the other hand, if a savvy attacker quickly realizes the asset is fake, then they would know they’ve been found out and can’t stay long on the network. Either way, the attacker loses time, and the security team gets a heads-up and more time to respond to threats.
How Deception Technology Works
Much of deception technology is automated. The decoy asset is usually something of value to attackers: databases, credentials, servers, and files. These assets look and function just like the real ones, sometimes even working alongside real assets.
The main difference is that they are duds. For example, a decoy database may contain fake administrative usernames and passwords linked to a decoy server. Because no legitimate process ever uses that username and password pair, any activity using it, on the decoy server or even on a real server, gets blocked. Similarly, decoy credentials carry fake tokens, hashes, or Kerberos tickets that redirect the attacker into what is, in effect, a sandbox.
Furthermore, the duds are rigged to alert security teams to the intruder. When an attacker logs on to a decoy server, for example, that login alerts blue team operators in the security operations center (SOC). Meanwhile, the system keeps recording the attacker’s activities, such as which files they accessed (e.g., in credential-stealing attacks) and how they carried out the attack (e.g., lateral movement or man-in-the-middle attacks).
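The alerting and recording behaviour described above, as an added example that is not part of the original article or of any deception product: a small Python detector that watches a simplified, hypothetical authentication log for planted ("honeytoken") accounts and decoy hosts. The decoy inventory, the log format, and every log line are constructed for this example. It makes the two points the section relies on concrete: a planted credential has no legitimate user, so any attempt to use it, successful or not, on a decoy host or a real one, is a high-confidence alert; and once a source is flagged, its subsequent actions, including those on real hosts, are kept as the audit trail the SOC uses to scope the intrusion.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed decoy inventory for this example; a real deployment would load
# this from the deception platform's registry of planted credentials and hosts.
DECOY_ACCOUNTS = {"svc_backup_admin", "dbadmin_legacy"}
DECOY_HOSTS = {"fileserv-07", "db-archive-02"}

# Simplified, hypothetical log format (not any real product's):
#   <timestamp> <host> <event> user=<name> src=<ip> [path=<file>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>login|login_failed|read) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: path=(?P<path>\S+))?$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    reason: str


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decoy_reason(ev: dict):
    """Why this event should page the SOC, or None if it touches no decoy.

    Authentication attempts are checked regardless of outcome: nobody has a
    legitimate reason to present a planted credential, so even a failed login
    with one is a signal. Reads are not alerted on here; they are recorded as
    attacker activity once the source has been flagged.
    """
    if ev["event"] not in ("login", "login_failed"):
        return None
    if ev["user"] in DECOY_ACCOUNTS:
        where = "decoy" if ev["host"] in DECOY_HOSTS else "REAL"
        return f"decoy account {ev['user']} used on {where} host {ev['host']}"
    if ev["host"] in DECOY_HOSTS:
        return f"login to decoy host {ev['host']} by non-decoy account {ev['user']}"
    return None


def analyze(lines):
    """Return (alerts, activity).

    alerts   -- one Alert per authentication event that touched a decoy
    activity -- for each flagged source IP, every event it produced from its
                first decoy interaction onward, including later actions on
                real hosts (the trail defenders use to scope the intrusion)
    """
    alerts = []
    flagged = set()
    activity = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line; a real pipeline would count these
        reason = decoy_reason(ev)
        if reason:
            alerts.append(Alert(ev["ts"], ev["host"], ev["user"], ev["src"], reason))
            flagged.add(ev["src"])
        if ev["src"] in flagged:
            activity[ev["src"]].append((ev["ts"], ev["host"], ev["event"], ev["path"]))
    return alerts, dict(activity)


# Constructed sample log: one legitimate user, one intruder (10.0.9.23) who
# logs in to a decoy file server with a planted account, reads a decoy share,
# then tries the second planted account against a real host.
SAMPLE_LOG = """
2024-05-01T08:00:01Z app-01 login user=alice src=10.0.0.5
2024-05-01T08:02:10Z app-01 read user=alice src=10.0.0.5 path=/srv/app/config.yml
2024-05-01T08:05:00Z fileserv-07 login user=svc_backup_admin src=10.0.9.23
2024-05-01T08:05:07Z fileserv-07 read user=svc_backup_admin src=10.0.9.23 path=/shares/finance/payroll.xlsx
2024-05-01T08:06:30Z app-02 login_failed user=dbadmin_legacy src=10.0.9.23
2024-05-01T08:07:00Z app-01 login user=bob src=10.0.0.8
""".strip().splitlines()


if __name__ == "__main__":
    alerts, activity = analyze(SAMPLE_LOG)
    for a in alerts:
        print(f"ALERT {a.ts} src={a.src}: {a.reason}")
    for src, events in activity.items():
        print(f"activity trail for {src}:")
        for ts, host, event, path in events:
            print(f"  {ts} {host} {event} {path or ''}")
```

Running it produces two alerts for the intruder's source address (the login to the decoy file server and the failed attempt with the second planted account against the real host app-02) and a three-event activity trail for that address; the two legitimate users generate nothing. The design choice worth noting is that the decoy accounts are matched by name wherever they appear, not only on decoy hosts: a planted credential turning up against a production system is exactly the signal that tells the SOC the attacker has moved from the decoy back toward real assets.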
In the Morning Glad I See; My Foe Outstretched Beneath the Tree
A well-configured deception system can minimize the damage attackers can wreak on your security assets or even stop them outright. And because much of it is automated, you don’t have to water and sun that tree day and night. You can deploy it and direct SOC resources to security measures that require a more hands-on approach.