sb-nz logo
Story image

Five ways cyber deception can help boost IT security

10 Feb 2020

Article by Attivo Networks regional director A/NZ, Jim Cook.

With organisations constantly on the hunt for ways to improve the security of their IT infrastructures, they are affording growing attention to a technique dubbed ‘cyber deception’.

Cyber deception involves confusing and redirecting a criminal’s actions, causing them to make mistakes and reduce the success of their attack. It’s achieved by placing several decoys, credential lures, and other bait throughout an organisation’s network and then monitoring what occurs.

The technique can do much to augment other security measures, providing another layer of protection that makes it even more difficult for cybercriminals to succeed. The five key ways in which cyber deception can assist an organisation are:

1.    Pre-execution protection:
Cyber deception makes use of machine learning techniques to analyse an organisation’s network and create deceptions that mirror-match the environment. This process enables the visibility into unauthorised adds and changes that could introduce risk to the environment.

Cyber deception also maps existing stored or orphaned credentials and identifies them for cleaning and removal. It can also provide insights into suspected lateral movement attack paths, which are a favourite avenue exploited by cybercriminals to move around within an infrastructure.

Also, recent innovations in deception technology protect Microsoft’s Active Directory with the ability to detect unauthorised queries and return false data without touching the production environment. The deception misdirects attackers to a decoy, creating difficulty for them when it comes to differentiating real results from fakes.

2.    Stopping an attack:
Traditionally, security detection tools have tended to activate only when an attack is already well underway. Deception-based detection is much more proactive and designed to detect criminal activity far earlier, typically raising a flag when an attacker looks to move from an initially infected system.

Cyber deception detects and disrupts attacks early, regardless of the attack vector attackers use.  A full deception framework will assist an organisation in protecting everything from networks and cloud platforms to data centres, remote offices, and even Internet-of-Things (IoT) environments.

3.    Removal and remediation:

By using cyber deception techniques, IT teams can gain accurate alerts that are substantiated by the deception environment’s attack analysis and forensics. The ability to gather real-time intelligence is a unique benefit of deception and is extremely valuable for gaining the upper hand against criminals.

Advanced deception platforms can also automatically remediate exposed credentials on endpoints attached to the network. In many Red / Blue security assessments where the organisation leveraged deception, Blue Teams have detected intrusions in less than an hour, and in some cases, achieved containment in under 30 minutes and fully restored services within another 30 minutes.

4.    Making use of threat intelligence:

Cyber deception goes well beyond traditional security alerts by gathering adversary intelligence so that defenders can quickly understand an attack and fortify their defenses against it.

Techniques include planting decoy documents and fake credentials that allow IT teams to gather adversary intelligence related to an attacker’s intent. This knowledge can be vital to understanding what type of information the attackers are after and how they are gaining access to the IT infrastructure.

5.    Post-attack investigation:

To assist with post-incident evaluation, and future planning and response, cyber deception techniques can record all attack activity and provide irrefutable proof of unauthorised access or policy violations.

This in-depth information can be extremely useful in demonstrating security resiliency, ongoing security control functionality, and security controls related to insiders and suppliers. It can aid an IT team and ensure it is much better prepared to withstand any future attacks.

Prevention v proactivity
Traditionally, cybersecurity efforts have tended to focus on preventative techniques. However, when you considering the growing numbers of breaches that continue to occur each year, this approach is no longer sufficient.

Instead, organisations should add proactive techniques such as cyber deception to the security mix. They will then be in a better position to detect and derail threats much earlier so that criminals cannot establish a foothold or complete their planned attack.

Taking the time now to examine cyber deception options and make them a part of your security architecture will better prepare you for any threats as they arise in the future.