Deception is not something you would find only in novels or period dramas. When you hear the term deception, you probably do not think of it as something positive; your first thought is likely negative.
The art of deception can, however, be applied in IT security as a form of defence: deliberately misdirecting threat actors and gathering information about them to make an organization's security posture more robust and resilient.
To keep security at the forefront, IT prevention methods include tools such as deception technologies that defend against malicious threats and actors.
In this article, we’ll discuss what deception in IT security is all about and the many tools used in defence.
TL;DR:
Deception technology is a security method used by organizations to lure and mislead threat actors, protecting infrastructure and assets. Deception tools detect intrusion and help security teams gather information about attackers' techniques and intent. They enable organizations to control situations if an attacker gains access, and use the intelligence gathered to strengthen the overall security posture.
What are Deception Tools for IT Security?
Deception tools are software or technologies used to detect cyber-attacks or to carry out cyber deception. Before we discuss the different types of deception tools, let's explore cyber deception.
What is Cyber deception?
Cyber deception, also referred to as deception technology, is a security strategy in which security teams use deception to mislead or lure attackers into a trap, thereby gaining information about the attacker's strategy and techniques. This diversion prevents attackers from gaining access to valuable assets; instead, they are led to a controlled environment where they can be monitored and investigated.
In a deception strategy, security teams use different methods, such as a layered approach, when preparing for an attack. The idea is that every security team knows an attack will surely come, so it becomes a waiting game, commonly referred to as a cat-and-mouse game.
In this game, the attacker determines the time of the attack; in other words, security teams have no idea when such attacks will happen, but they, as the defenders, get to pick or create the environment for the attack. When the attacker breaks in, the team is prepared to detect them early or slow them down before any major disruptive consequence occurs.
The approach simply involves:
Predicting the attack
Diverting the attacker
Containing the attacker in a controlled environment
Studying the attacker's behaviour and techniques
Preparing a counterattack, if necessary, to disrupt and waste the attacker's time and resources.
There are different types of cyber deception techniques used to lure attackers into a controlled environment, such as:
Decoys: Decoys involve the use of fake servers, assets, credentials, or networks that look real to trick attackers into a controlled environment where they are contained and addressed.
Canaries: This type of decoy is named after the popular canary bird known for its song. It is a silent alarm that alerts security personnel when an attacker interacts with it.
Breadcrumbs: This is a type of lure; the technique involves placing small pieces of fake information on real assets to divert attackers away from those assets and lead them towards decoys or traps.
Honey Tokens: These are fake records inserted into databases or file systems to detect malicious activity. A honey token could be a fake email address: if anyone ever sends an email from that address, it indicates that the system holding it has been compromised.
Honeypots: They involve actual systems placed on a network to attract attackers, making them think that they have gained access to a sensitive system.
The honeypot may contain files that are actually sensitive; however, they are monitored carefully so that when the attacker gains access, the administrators are alerted and may also trigger an immediate security response.
Honey Nets/Honey Files: Honey Nets involve deploying large amounts of honeypots on a network. Honey files mimic sensitive data but contain misinformation.
DNS Sinkholes: DNS sinkholes involve feeding DNS servers with false information so that malware traffic is rerouted to a controlled server, preventing infected devices from communicating with command-and-control servers and stopping users' systems from carrying out botnet instructions.
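As an added example (not code from the original article), a minimal honey-token monitor in Python shows the canary and honey-token ideas above in practice: planted identifiers that no legitimate person or process should ever use are matched against log lines, and any hit is treated as a silent alarm with the source address recorded for the responder. The token values, host names, addresses and log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
# Constructed honey tokens: none belongs to a real account, key or mailbox. Each is
# planted where an intruder would look (a config file, a database row, a saved-
# credentials file) and is never used by any legitimate process or person.
HONEY_TOKENS = {
    "svc_backup_admin": "planted username (fake service account)",
    "AKIA-HT-EXAMPLE-000000": "planted API key (fake cloud credential)",
    "finance-archive@corp.example": "planted email address (fake database row)",
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # first IPv4 on a line = source
@dataclass
class Alert:
    token: str   # which planted value was touched
    kind: str    # what it was planted as
    source: str  # address that touched it, or "unknown"
    line: str    # raw log line, kept for the analyst

def scan_line(line: str) -> Optional[Alert]:
    """Return an Alert if any honey token appears in the log line, else None."""
    for token, kind in HONEY_TOKENS.items():
        if token in line:
            m = IPV4.search(line)
            return Alert(token, kind, m.group(0) if m else "unknown", line.strip())
    return None

def scan_logs(lines: Iterable[str]) -> List[Alert]:
    """Scan log lines in order; every hit is a silent alarm, since legitimate activity never touches a token."""
    return [a for a in (scan_line(l) for l in lines) if a is not None]

def hits_by_source(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count alerts per source so one host touching several tokens stands out."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.source] = counts.get(a.source, 0) + 1
    return counts

# Constructed sample lines (sshd, web server, mail relay); 203.0.113.7 plays the intruder.
SAMPLE_LOGS = [
    "Jan 10 03:12:44 bastion sshd[2231]: Failed password for svc_backup_admin from 203.0.113.7 port 51022 ssh2",
    "Jan 10 03:12:50 bastion sshd[2233]: Accepted publickey for alice from 198.51.100.4 port 51030 ssh2",
    '203.0.113.7 - - [10/Jan/2025:03:13:02 +0000] "GET /api/v1/buckets HTTP/1.1" 403 0 "-" "curl/8.0" key=AKIA-HT-EXAMPLE-000000',
    "Jan 10 03:14:11 relay postfix/smtpd[900]: client=unknown[203.0.113.7], from=<finance-archive@corp.example>",
    "Jan 10 03:15:00 relay postfix/smtpd[901]: client=mail.partner.example[192.0.2.10], from=<bob@corp.example>",
]
if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOGS):
        print(f"ALERT [{a.kind}] token={a.token} source={a.source}")
    print(hits_by_source(scan_logs(SAMPLE_LOGS)))  # {'203.0.113.7': 3}
```

Running it on the constructed lines produces three alerts, all from the same source, which is exactly the correlation a responder wants before the intruder reaches a real asset.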
Deception technology is a proactive security measure that can be used for:
Threat detection and incident response
Insider threat mitigation
Ransomware defence
Credential theft prevention
Zero-day exploitation
Active threat intelligence and forensics