Deception turns the tables on attackers. Unlike signature-based detection, which is highly accurate but threat-specific or behaviors/heuristics that are broadly applicable but often produce false positives, deception technologies deliver high-fidelity alerts with detailed indicators of compromise.
Deception technology enables organizations to detect the entire attack kill chain from reconnaissance to exploitation, lateral movement, and data loss. It eliminates the noise of false positives and alert fatigue that plague many security tools.
Reduces False Positives
Deception technology entices cyber attackers into engaging with fake applications and assets. This interaction generates alerts that help security teams identify and respond to threats in their early stages before a breach occurs. This helps reduce the risk of a data breach, gathers threat intelligence on attacker tactics and techniques (TTPs), and accelerates the speed at which they detect attacks.
False positives can leave IT security experts exhausted and unable to focus on real alerts that must be addressed. It also increases the likelihood that attackers bypass warnings and continue their attacks. Deception offers a scalable and easy-to-use deception as a service solution that eliminates false positives and allows for better use of limited resources.
The best deception solutions provide the middle ground between signature-based detection, which is highly accurate but very threat-specific (like recognizing a submarine’s propeller), and behavior/heuristic-based detection, which has broad coverage but can yield many false positives (such as seeing a radar contact as either a submarine or a shoal of fish). Deception offers both; high accuracy with the right level of broad coverage.
Once an adversary is duped into interacting with the fake assets in your network, they will be forced to work harder to reach their targets on the legitimate systems and to take risks that will likely lead to their downfall. This significantly reduces their dwell time on your network.
Increases the Effectiveness of Detection
As attackers get smarter, defenders need to get better. Deception is a powerful way to do that.
The most common deception technology solutions are based on decoys (fake systems, networks, or data) and breadcrumbs that lure attackers and trigger alerts when an attack happens. This can be at the low end of the spectrum with signature-based detection that’s highly accurate but very threat-specific (like a submarine’s propeller) or the other extreme in behaviors/heuristics with broad threat coverage and more prone to false positives (like detecting radar contact that may be a submarine or a shoal of fish).
Modern deception solutions also conceal the real stuff attackers want — files, folders, data, credentials, mapped drives, removable storage devices, and even the network itself. Detection of these assets indicates that an attack is underway and can trigger alerts from other security controls.
These deception assets can be deployed at the perimeter, on endpoints, in Active Directory, and the network itself and offer coverage of often-neglected blindspots. By reducing the number of false positives and the time it takes to detect an adversary, deception can significantly minimize attacker dwell time and allow defenses to stop attacks before they become catastrophic. Deception augmentation technology can also enhance the detection of the human element by targeting an attacker’s goals and providing richer context about what they’re up to.
Reduces Dwell Time on the Network
The longer cybercriminals dwell in your network, the more likely they will steal sensitive information or pull off a financial heist. Deception technologies shorten attack dwell time by identifying and catching attacks at the most vulnerable stages.
This is because deception identifies attackers by intent, not by their known signatures. By creating decoy systems, files, and applications enticing an attacker — but that no legitimate user would ever need or want to access – deception technology detects anomalous attack behavior. It can then pinpoint the proverbial needle in the haystack by tracing back from the decoy asset to the attacking attacker, providing the intelligence needed to take the appropriate next step (often remediation).
Unlike many security tools that produce numerous low-confidence alerts that waste time for SOC teams, deception deployments generate only high-confidence signals. This allows SOC teams to prioritize and fine-tune correlation and alerting in their SIEM, reducing the time they need to validate each alert. Moreover, since deception technology does not trigger false positives, it frees up personal hours that can be spent on other important security functions like threat hunting and automated response. This significantly reduces your Mean Time to Know (MTTK). In some cases, we’ve seen MTTK fall into single-digit minutes.
Cyber attackers attempt to gain unauthorized access to networks, systems, and software and move laterally within the enterprise. Often, this is done undetected. Deception technology mimics the environment, enticing attackers to interact and giving security teams time to detect attacks and gain insight into their tactics and techniques (TTPs).
Unlike traditional anomaly detection and intrusion detection/prevention systems, which use signatures or susceptible machine learning algorithms to trigger network events, deception technologies are designed to lure and misdirect attackers. This allows for generating high-fidelity alerts packed with meaningful data without risk to the network or other assets. The signs can be prioritized, and the correlation and threat intelligence can be refined at the SOC to reduce false positives and dead ends.
In a game of odds, the defender must be right 100% of the time, and the attacker only has to be right once. When the adversary interacts with deception assets, an alert is triggered, and the attack is thwarted. Depending on the deception platform, these deceptive assets include lures on endpoints, breadcrumbs in the network layer, and baits in stored data. These can identify reconnaissance, lateral movement, and other common attack paths. Reducing the response gap means that threats can be detected and stopped more quickly, saving critical information and mitigating a business disruption.