7 reasons to start using deception technology

cheating man woman

Hacker attacks are often based on social engineering. Attackers send phishing emails, create fake websites and apps. Its aim is to force the victim to click on a malicious link, open a virus file or provide sensitive data. Simply put, cyber criminals try to trick their victims. The technology of deception adopts the same principle. It is meant to fool hackers. And he does it very successfully. Gartner analysts placed the deception approach on their radar of the most promising security technologies. Deception technology is easy to implement and effective at detecting and preventing various threats targeting organizations of all sizes. If you’re wondering if your business needs to employ deceptive technology, here are seven reasons to try this defensive practice.

0 day vulnerability protection

0 days are vulnerabilities discovered in the course of their exploitation. They are extremely dangerous since for some time (sometimes terribly long) they remain unknown to most means of protection. Deception is an effective technology for 0-day protection that acts as an additional layer of protection.

When an intruder breaks into a workplace or server using an unknown vulnerability, their task is to move through the network, gain access to all machines, and discover where critical data and backups are stored. Deception consists of traps and lures. Traps can mimic servers, computers, workplaces within the network, and decoys can mimic data to access these traps. Deception technology helps detect attackers as soon as they are trapped and continues to entangle them in fake infrastructure while analyzing attacker techniques and tools. This data can be collected and used as indicators of compromise to protect other network segments where a similar intrusion attempt may occur.

Since information about the source of the attack is also available, it is possible to lock hackers both in the trap itself and in the machine they used to break into the system.

Since attackers exploiting zero-day vulnerabilities often use completely legitimate tools, other security systems can miss the attack. For example, it could be a standard RDP connection to a remote server. From an antivirus or EDR point of view, nothing illegal is happening. But if the connection to the trap occurred, it means that neither the antivirus nor the EDR detected the malware or malicious activity.

Therefore, deception technology plays the role of an additional layer of protection within the organization’s network. From the point of view of a problem as dangerous as the exploitation of zero-day vulnerabilities, deception technology may, in fact, be the only solution to detect intruders.

Barrier against ransomware and data breaches

Cyber ​​extortionists aim to gain access to attacked infrastructure, steal or encrypt important data, and demand ransom. Therefore, it is crucial to detect such intruders as early as possible when they carry out the early stages of the attack: perform reconnaissance, survey the infrastructure, and determine data storage locations. Deception could be effective in terms of early detection of intruders within the network if they were able to bypass other protections.

See also  How technology can drive economic development, the SDGs, by experts | The Guardian Nigerian News

Furthermore, malicious insiders are yet another source of threats. These are bribed, resigned or offended employees. They can launch externally controlled malware within the infrastructure using their legitimate access rights. Deception technology can play an essential role in combating such attacks. Traps placed within the network help lure the attacker into a decoy infrastructure. In addition, the traps are made in such a way that they are as similar as possible to real devices or servers, and the attacker cannot immediately understand where he is.

Also, it can create various kinds of fake data like disk images etc., which the ransomware authors will try to copy and send to their servers. This data may contain specific signals that will help track intruders. These signs can be helpful when investigating an incident. In this case, a particular vendor can be associated with the incident, specific data, and specific trap.

IoT \ SCADA Protection

You can cheat not only with common IT infrastructure objects such as workplaces, servers, or office equipment, but also create copies and analogs of Internet of Things and/or SCADA objects. Traps can be designed to mimic controllers, sensors, control systems, cameras, etc. On the other hand, it is worth mentioning the importance of using deception technology with medical equipment where the earliest possible detection of any attack can save the lives of patients.

Information security incident investigation

Two main types of cheats are commonly used, light and interactive. Light traps do not require significant resources to operate, but are fully compatible with the network protocols of the equipment they mimic. Its purpose is to record an intrusion attempt. These lightweight traps can be rapidly and massively deployed on real infrastructure.

The second type is represented by interactive cheats, which are complete operating systems with different programs installed. If a malicious program gains access to an interactive trap, the system collects detailed information about its behavior, including the penetration method used, the running processes and their parameters, the nature of the data collected and uploaded from the outside, and the tools used. . All data is automatically copied for investigation to other security systems, such as sandboxes. Thus, comprehensive information about penetration techniques and tactics is collected, as well as various indicators of compromise, such as hash sums of downloaded files, used commands, etc.

Machine learning and artificial intelligence

Machine learning allows you to save the information security team from unnecessary efforts when applying deception methods. It is used to generate traps to make them look realistic. At the same time, they are neither complete copies of each other nor real hosts. Machine learning allows it to analyze accurate data on the network and generate fake data for decoys, reducing the amount of work for security specialists.

See also  City of Detroit Fights Gun Violence with Evolv Technology | National Businesses

Machine learning also helps shape the realistic behavior of each trap by analyzing network performance and simulating real traffic.

Easy integration with other systems and another step towards automation

The most popular option in terms of automation is when the deception gives a signal to crash the processes or workstation from which the attack is launched.

In addition, deception technology can automatically pass collected indicators of compromise to other security systems to decide whether to block other hosts when these indicators are detected. Deception naturally integrates with SIEM and SOAR systems. Deception can also integrate with various firewalls, including NGFW.

Opportunity to launch a pilot project

Cheating tools, like many other security products, can be implemented in the customer’s infrastructure to demonstrate their applicability. However, it is worth noting that deception usually does not actively manifest itself, but waits for an attack and prepares to lure intruders. Therefore, during the pilot project, the provider must demonstrate not only the deployment of deception elements within the infrastructure, but also launch a set of false attacks that can potentially be carried out from both outside and inside the infrastructure. client infrastructure.

There is a specific set of demo stages that must be approved by the customer, within which the deception system is shown to work during fake attacks. Interesting cases sometimes arise when a customer sees that other security systems already installed and used do not react to attacks in any way.

conclusion

Cheating is a relatively new technology. Most solutions of this class appeared on the market not so long ago; however, they are gradually gaining popularity. Cheating technology is not a substitute for standard and generally accepted information security systems. It complements protection systems, allowing you to detect attacks that have missed all other means.

The technology of deception is very flexible. Thanks to its easy integration with other information security tools, it provides a wide range of attack detection capabilities. With deception technology, you can incorporate various mechanisms to inventory network assets, respond to incidents, and more. The effectiveness of deception systems depends on how they are designed and configured. If everything is done correctly, the attacker will not guess that he is facing a false target. And even if he guesses, it will be too late.

image credit: alphaspirit/depositphotos.com

Alex Vakulov is a cybersecurity researcher with more than 20 years of malware analysis experience. Alex has strong malware removal skills. He writes for numerous tech-related publications and shares his security expertise.

Leave a Comment