Attacking the Attackers: How Deception Technology Gives Cybersecurity Pros the Upper Hand

Conventional wisdom suggests hackers have the upper hand in the war for cyber-supremacy, but deception technology has the potential to tip the odds in cybersecurity professionals’ favor.

“All warfare is based on deception,” writes Sun Tzu in the opening chapter of his famed military treatise, The Art of War. “Hold out baits to entice the enemy, feign disorder, and crush him.”

In many ways, this axiom is as applicable to cyberwarfare as to traditional warfare. From phishing attacks to IP address spoofing, cybercriminals have had an impressive arsenal of deception-based attack techniques at their disposal for years. Generally speaking, enterprise cybersecurity professionals haven’t enjoyed the same luxury. Thankfully, that is finally starting to change.

While “honeypots” — passive, static imitation files, databases, and/or servers set up outside an enterprise network to ensnare hackers as they search for the network’s weak spots — have been around for some time, their operational intensiveness and limited scalability have prevented them from entering the enterprise cybersecurity mainstream in earnest.

That said, the underlying principle of honeypotting — namely, tricking cybercriminals into attacking fake and/or sandboxed assets — is sound, and in recent years, forward-thinking cybersecurity professionals have started using it as the foundation of deception-based techniques of their own. In doing so, they’ve managed to flip the script on their foes, seizing the upper hand in the war for cyber-supremacy.

A Window into Cybercriminals’ Plans of Attack

Unlike traditional honeypotting, distributed deception platforms (DDPs) deploy fake assets within multiple layers of an enterprise’s IT infrastructure. From fake operating systems to fake drive maps to fake credentials on real end-user systems, DDPs allow cybersecurity teams to “hide” their authentic high-value assets amidst a host of valueless decoys.

In addition to setting up decoys at the network and application layers, DDPs also append “lures” to network endpoints that function like supercharged honeypots. Beyond serving as a trap for anyone trying to prod a network’s edge, lures actively draw in hackers by laying “breadcrumbs” — fragments of falsified data that appear to be of value — that are only visible in backdoor tools or command line interfaces.

Because these lures are invisible to the authorized network user — and, critically, isolated from authentic network components — they dramatically reduce the number of false-positive alerts with which cybersecurity professionals must contend. “I’ve sat in front of a SIEM [security information and event management system] with 5,000 alerts an hour, and I’ve had to triage that. That’s an overwhelming dataset,” explains Gartner analyst and deception tech thought leader Lawrence Pingree. “In a deception system, the alerts you get are very minimal, and any alert you get says that something is awry. It’s an almost zero false-positive solution.”

When a cybersecurity team is notified that a potentially malicious actor has breached one of its fake assets, it has two options. One, it can decommission the asset, forcing the would-be attacker to restart their search for a way into the network. While this serves to nip the intrusion in the bud, it undercuts the primary value-add of deception technology: information.

The team’s second option involves letting their adversary continue with their attack unimpeded. Skilled cybercriminals tend to be patient, and they’re unlikely to lay all their cards on the table the moment they gain access to an enterprise’s (fake) assets. In fact, some estimates place cybercriminals’ average “dwell time” — the amount of time they stay in a network once they’ve breached it — at over 200 days.

By shutting down an attack immediately, an enterprise wastes an incredible opportunity to observe their adversary’s behavior and, ideally, learn from it. Since DDP assets exist in sandboxes, letting a cybercriminal go about their business presents quite literally no risk to an enterprise’s authentic IT assets. Further, it enables cybersecurity professionals to closely observe the attacker’s preferred tools and tricks and gather invaluable forensic data — data that is an essential input in proactive cybersecurity approaches like threat hunting and active adversary pursuit.

Learning to Wield Deception Technology Effectively

Of course, as Forrester analyst Josh Zelonis cautions, “The important thing to understand is that deception technology is really good at telling you something bad is going on — and that’s it.”

DDPs aren’t designed to detect hackers who’ve already infiltrated a network, nor are they equipped to analyze — much less act on — the forensic data they generate. In short, while deception technology has the potential to be a genuine game-changer, it hasn’t lessened the need for highly-skilled cybersecurity professionals who are capable of formulating actionable insights from a enterprise’s forensic data.

At Turn-key Technologies (TTI), we have nearly three decades of experience designing and deploying networks that are as high-performing as they are secure. Our award-winning technicians can help an enterprise maximize the returns on its deception technology by transforming raw forensic data into clear, concrete defensive action.

Research and Markets predicts the global deception tech market will surpass $2.1 billion by the end of 2021, suggesting that deception-based cyberdefense is anything but a passing phase. As this approach continues to proliferate, partnering with a cybersecurity expert like TTI will be the best way for enterprises to heed Sun Tzu’s advice to “hold out baits to entice the enemy, feign disorder, and crush him.”

By Craig Badrick


Sign up for the TTI Newsletter