After playing a minor role for decades, cyber deception technology has recently gained the spotlight as a key defensive weapon in the enterprise cybersecurity arsenal.
Cyber deception is a broad term for a wide variety of techniques that trick attackers into engaging with dummy digital resources, which don’t serve authorized enterprise users. The sole purpose of these decoys — which can include servers, services, networks, files, user accounts and email accounts — is to reveal attacks in progress.
Why cyber deception technology is important
They say the best defense is a good offense, and cyber deception has the benefit of being a proactive rather than reactive strategy. It enables enterprise security teams to beat attackers at their own game.
Benefits of cyber deception technology include the following:
- Detect threats faster and decrease attacker dwell time. By deploying and constantly monitoring decoy resources, security teams can more quickly and efficiently identify attackers in their environments than would likely otherwise be possible.
- Provide reliable alerting. Since cyber deception resources don’t serve legitimate enterprise activities, anyone using them is highly likely to be an attacker — setting off credible, reliable internal alarms. Cyber deception technology produces few false positive alerts.
- Generate detailed attack data and metrics. By recording all activity involving cyber deception resources — with a level of detail that would be impossible to employ across all IT resources — security teams can gain invaluable insights into the following:
  - the attackers' tactics, techniques and procedures; and
  - which vulnerabilities and weaknesses they are exploiting.
And security pros can collect all this information while both pretending to be unaware of the intruders’ presence and ensuring they don’t access authentic resources, giving the organization a strategic edge.
How to deploy cyber deception technology
Organizations can deploy cyber deception technology in any number of ways. Early cyber deception methods mainly involved honeypots and honeynets — fake hosts and networks, respectively. Today, however, the possibilities are endless.
Security teams can deploy deceptive websites, email accounts, data files, domain names, IP addresses and just about any other resource imaginable. Many commercial products and services support cyber deception. Security teams can also choose to create and deploy their own cyber deception technology instances.
It’s important to note that cyber deception is not just about technology; it’s also about psychology — convincing attackers that fake resources are legitimate. Cyber deception hinges on social engineering, misleading attackers into spinning their wheels while the security team collects data and mitigates targeted vulnerabilities.
Cyber deception requires frequent, ongoing maintenance. The Mitre Engage framework describes it as a process — “not a fire-and-forget technology stack.” For example, security teams need to frequently update, revise and retire deceptive resources to mirror the digital lives of their authentic counterparts. The more cyber deception technology an organization employs, the more work it takes for staff to appropriately and convincingly maintain the decoys.
How to add cyber deception technology to an existing security program
Cyber deception is generally a shared responsibility among multiple teams and job functions, including the following:
- Senior security leaders. Identify the types of resources and the logical and physical locations where cyber deception technology would be most valuable.
- Administrators. Create and maintain deception resources.
- Engineers. Implement technologies to identify when decoy resources are in use and alert security staff accordingly.
- Security operations staff and incident responders. Investigate any use of deception resources, and sound the alarm upon identifying a major new threat.
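The benefits listed earlier (fast detection, reliable alerting with few false positives, and a detailed activity record) and the engineers' task of identifying when a decoy is in use come together in the detection logic below. This is an added example, not code from the article or from any deception product. It assumes an sshd/sudo-style auth log (the sample lines are constructed) and a registry of decoy account names that no legitimate user or service ever uses, so any appearance of one is treated as a high-confidence alert. Account names, hosts and addresses are illustrative placeholders.

```python
"""Flag any use of decoy (honeytoken) accounts in authentication logs.

Added illustration; log format, account names and sample lines are assumed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Registry of decoy accounts (assumed names). They exist only to be found
# by an intruder, e.g. planted in a config file, so nobody is authorised to
# use them and an alert on them carries almost no false-positive risk.
DECOY_ACCOUNTS = {
    "svc_backup_legacy": "credential planted in a decoy config file (assumed)",
    "dba_admin2": "entry in a decoy password vault (assumed)",
}

# Constructed sample log lines in an sshd / sudo style.
SAMPLE_LOG = """\
Mar 14 02:11:05 web01 sshd[1412]: Accepted publickey for alice from 10.0.5.12 port 51022 ssh2
Mar 14 02:13:41 web01 sshd[1450]: Failed password for svc_backup_legacy from 198.51.100.23 port 40112 ssh2
Mar 14 02:13:44 web01 sshd[1450]: Failed password for svc_backup_legacy from 198.51.100.23 port 40112 ssh2
Mar 14 02:14:02 db02 sshd[2201]: Accepted password for svc_backup_legacy from 198.51.100.23 port 40340 ssh2
Mar 14 02:20:17 db02 sudo: svc_backup_legacy : TTY=pts/0 ; PWD=/home/svc_backup_legacy ; USER=root ; COMMAND=/bin/ls /var/backups
Mar 14 02:25:00 web01 sshd[1499]: Accepted publickey for bob from 10.0.5.40 port 51100 ssh2
"""

# syslog-style prefix: timestamp, host, process[pid]: message
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# sshd authentication outcome ("invalid user" appears when the name is unknown)
AUTH_RE = re.compile(
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)
# sudo command record
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")


@dataclass
class Alert:
    account: str
    first_seen: str
    last_seen: str
    sources: set = field(default_factory=set)   # attacker source addresses
    hosts: set = field(default_factory=set)     # decoy hosts touched
    events: list = field(default_factory=list)  # full trail for responders


def parse_line(line):
    """Split one syslog-style line into its fields, or return None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decoy_events(log_text):
    """Yield one record per log event that involves a decoy account."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        user = src = kind = None
        m = AUTH_RE.search(rec["msg"])
        if m:
            user, src = m["user"], m["src"]
            kind = f"{m['outcome'].lower()}_{m['method']}"
        elif rec["proc"] == "sudo":
            m = SUDO_RE.match(rec["msg"])
            if m:
                user, kind = m["user"], "sudo:" + m["cmd"]
        if user in DECOY_ACCOUNTS:
            yield {"ts": rec["ts"], "host": rec["host"], "user": user,
                   "src": src, "kind": kind}


def build_alerts(log_text):
    """Group decoy events per account; every event is kept for investigation."""
    alerts = {}
    for ev in decoy_events(log_text):
        a = alerts.get(ev["user"])
        if a is None:
            a = alerts[ev["user"]] = Alert(ev["user"], ev["ts"], ev["ts"])
        a.last_seen = ev["ts"]
        a.hosts.add(ev["host"])
        if ev["src"]:
            a.sources.add(ev["src"])
        a.events.append(ev)
    return alerts


def seconds_active(alert):
    """Span between first and last observed decoy use (same-year logs assumed)."""
    fmt = "%b %d %H:%M:%S"
    first = datetime.strptime(alert.first_seen, fmt)
    last = datetime.strptime(alert.last_seen, fmt)
    return int((last - first).total_seconds())


if __name__ == "__main__":
    for name, alert in build_alerts(SAMPLE_LOG).items():
        print(f"ALERT decoy account {name!r} used from {sorted(alert.sources)} "
              f"on {sorted(alert.hosts)} for {seconds_active(alert)}s; "
              f"{len(alert.events)} events; bait: {DECOY_ACCOUNTS[name]}")
```

Because a decoy account has no legitimate use, the detector needs no thresholds or baselining: a single match is the alert, and the retained event trail (failed attempts, the successful login, the subsequent sudo command, source address and hosts) is the detailed attack record the article describes. In practice the same matching would run against a log pipeline or SIEM feed rather than an embedded string.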
Finally, all of these stakeholders have an interest in what nefarious activity the cyber deception program captures. This information can help improve the organization’s use of cyber deception technologies and techniques, as well as its overall security posture.
Cyber deception is rapidly becoming a core component of a proactive cyberdefense strategy, often complementing other proactive techniques, such as threat hunting. Today, these techniques are generally appropriate for enterprises with more mature cyber capabilities. It seems likely, however, that, in the coming years, the cybersecurity field will come to regard cyber deception and threat hunting as more fundamental functions the typical organization should employ, at least to some degree.