Six benefits of initiating a deception strategy for IT security teams

14 May 2020

Article by Attivo Networks A/NZ regional director Jim Cook.

Faced with an ever-increasing range of sophisticated cyber threats and evolving attack surfaces, IT security teams are adopting a new line of defense: deception. They recognise that, despite there being a range of security tools and services in place, cybercriminals are still managing to bypass them and gain entry to infrastructures. Clearly, a new approach is required. That new approach is based on cyber deception. 

Deception puts increased power into the hands of security teams by comprehensively protecting against attacks from both external parties and malicious insiders, accurately notifying that something is wrong, and by delivering detailed threat intelligence for prompt remediation.

Advanced teams can go so far as misdirecting attacker actions and altering the feeds to attackers' automated tools in order to confuse the adversary and derail the attack.

A deception strategy involves deploying decoys, lures, and bait, such as fake systems, applications, file stores, and credentials, within a corporate IT infrastructure. These assets have nothing to do with day-to-day activity but appear as if they do.

Because staff have no reason to access these resources, any time there is engagement, it is highly likely that the activity is a cyberattack or at a minimum a policy violation that needs investigation.

Different approaches

A deception strategy can be used in two different ways. Some organisations prefer to simply be alerted to an intrusion so they can quickly take steps to plug the security hole and restore operations. Others may want to take a different approach and use deception security for adversary management.

Once an intrusion is detected, they can observe how the intruder is moving around within the infrastructure and what resources they appear to be targeting. They can then examine details such as what registry keys might be changed, and which specific files are accessed and by which tools.

Data gleaned in this way can be fed back into existing tools to hunt within the network for other similar infections and to continually improve effectiveness in the future.
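As an added illustration of the two ideas above (any engagement with a decoy is an alert, and the details of that engagement are collected for hunting), the following detector runs over a few constructed audit-log lines. It is example code written for this article, not code from Attivo Networks or its products; the decoy names, log format and the deception platform's address are assumptions.

```python
import re
from collections import defaultdict

# Inventory of deception assets (constructed names): no legitimate workflow uses them.
DECOY_SHARES = {r"\\FS01\finance-archive", r"\\FS01\hr-backups"}
DECOY_ACCOUNTS = {"svc_backup_old", "admin_legacy"}
# The deception platform's own host refreshes decoys; its activity is expected (assumed address).
ALLOWED_SOURCES = {"10.0.9.5"}
# Assumed audit-log format: timestamp, source host, account, event, optional target and tool.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) event=(?P<event>\S+)"
    r"(?: target=(?P<target>\S+))?(?: tool=(?P<tool>\S+))?$"
)

def parse(line):
    # Return the log fields as a dict, or None for a line that does not match the format.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(ev):
    """Name the kind of decoy engagement, or None when the event is benign."""
    if ev["src"] in ALLOWED_SOURCES:
        return None
    if ev.get("target") in DECOY_SHARES:
        return "decoy_share_access"
    if ev["event"] == "logon" and ev["user"] in DECOY_ACCOUNTS:
        return "decoy_credential_use"
    return None

def analyse(lines):
    """Return (alerts, intel): one alert per decoy touch, plus per-source details for hunting."""
    alerts = []
    intel = defaultdict(lambda: {"targets": set(), "tools": set(), "accounts": set()})
    for line in lines:
        ev = parse(line)
        kind = classify(ev) if ev else None
        if kind is None:
            continue
        alerts.append((ev["ts"], kind, ev["src"]))
        rec = intel[ev["src"]]
        rec["accounts"].add(ev["user"])
        if ev.get("target"):
            rec["targets"].add(ev["target"])
        if ev.get("tool"):
            rec["tools"].add(ev["tool"])
    return alerts, dict(intel)

# Constructed sample log: one legitimate access, two decoy touches from one host, one platform refresh.
SAMPLE_LOG = [
    r"2020-05-14T09:01:12Z src=10.0.4.22 user=jsmith event=file_open target=\\FS01\projects\q2.xlsx tool=explorer.exe",
    r"2020-05-14T09:03:40Z src=10.0.4.77 user=jsmith event=file_open target=\\FS01\finance-archive tool=powershell.exe",
    r"2020-05-14T09:04:02Z src=10.0.4.77 user=admin_legacy event=logon",
    r"2020-05-14T09:10:00Z src=10.0.9.5 user=deceptionsvc event=file_open target=\\FS01\hr-backups",
]
```

The per-source record (which decoys were touched, with which tool and account) is the data that can be handed to existing tools to hunt for the same activity elsewhere on the network.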

A deception strategy is also a highly effective way to detect insider threats. Any staff member accessing deceptive elements is an indication that the person is roaming in parts of the network where they have no authority.

A properly instigated deception strategy, therefore, delivers six key benefits for organisations. It will:

  1. Reduce the time taken to detect attacks, because a flag is raised as soon as the deception assets are accessed. This gives security teams time to respond to what is going on before damage or loss occurs. This can be critical for ransomware attacks seeking to encrypt or erase shared drives.
  2. Trick attackers into revealing their presence within a network. As soon as they begin to move laterally and encounter any deception assets, their presence will be known. This serves as an ideal safety net for when conventional protection tools have missed the intrusion.
  3. Generate only high-quality, actionable alerts. IT teams can be confident that deception alerts have been triggered by a substantiated event and give them priority attention.
  4. Remove reliance on signature-based security techniques, allowing teams to catch even zero-day exploits before they can cause damage.
  5. Capture information about the type and nature of an attack that is taking place, enabling other defences to be strengthened.
  6. Deliver a threat intelligence dashboard that gives security teams a clear, real-time view of exactly what is occurring within their network. Integrations can also provide automation for quickly isolating the attack and blocking further action.

The constant evolution of the cyberthreat landscape shows no sign of slowing. Techniques that worked well in the past may not continue to deliver required levels of protection in the future.

A deception strategy provides businesses with another layer of protection and the ability to rapidly respond to attacks as soon as they occur. As a result, production systems and sensitive data stores can be secured against unauthorised access, reducing the likelihood of disruption and loss.

Taking the time now to put a deception-based strategy in place will reduce overall risk and safeguard against both current threats and those that are just around the corner.
