Deception Tools for IT Security

Written by Full-Stack Developer

January 18, 2026

Deception is not something you find only in novels or period dramas. When you hear the term, you probably don't think of it as something positive; your first thought is likely negative.

The art of deception can also be applied in IT security as a form of defence: deliberately misdirecting threat actors and gathering information about them to make an organization's security posture more robust and resilient.

With security at the forefront, IT prevention methods now include deception technologies to defend against malicious actors and the threats they pose.

In this article, we’ll discuss what deception in IT security is all about and the many tools used in defence.

TL;DR:

Deception technology is a security method used by organizations to lure and mislead threat actors, protecting infrastructure and assets. Deception tools detect intrusion and help security teams gather information about attackers' techniques and intent. They enable organizations to control situations if an attacker gains access, and use the intelligence gathered to strengthen the overall security posture.

What are Deception Tools for IT Security?

Deception tools are software or technologies used to detect cyber-attacks or to carry out cyber deception. Before we discuss the different types of deception tools, let's explore cyber deception.

What is Cyber Deception?

Cyber deception, also referred to as deception technology, is a security strategy in which security teams use deception to mislead or lure attackers into a trap, thereby gaining information about the attacker's strategy and techniques. This diversion prevents attackers from gaining access to valuable assets; instead, they are led to a controlled environment where they can be monitored and investigated.

In a deception strategy, security teams use different methods, such as a layered approach, when preparing for an attack. The idea is that every security team knows attacks will come, so it becomes a waiting game, commonly described as a cat-and-mouse game.

In this game, the attacker determines the time of the attack; in other words, security teams have no idea when such attacks will happen, but they, as the defenders, get to pick or create the environment for the attack. When the attacker breaks in, the team is prepared to detect them early or slow them down before any major disruptive consequence occurs.

The approach simply involves:

  • Predicting the attack
  • Diverting the attacker
  • Containing the attacker in a controlled environment
  • Studying the attacker's behaviour and techniques
  • Preparing a counterattack, if necessary, to disrupt and waste the attacker's time and resources

There are different types of cyber deception techniques used to lure attackers into a controlled environment, such as:

Decoys: Decoys involve the use of fake servers, assets, credentials, or networks that look real to trick attackers into a controlled environment where they are contained and addressed.

Canaries: This type of decoy is named after the canary bird, known for its song. It acts as a silent alarm that alerts security personnel when an attacker interacts with it.

Breadcrumbs: This type of lure involves placing small pieces of fake information on real assets to divert attackers away from those assets and toward decoys or traps.

Honey Tokens: These are fake records inserted into databases or file systems to detect malicious activity. A honey token could be a fake email address; if anyone sends email from that address, it indicates that the system holding it has been compromised.

Honeypots: They involve actual systems placed on a network to attract attackers, making them think that they have gained access to a sensitive system.

The honeypot may contain files that are actually sensitive; however, they are monitored carefully so that when an attacker gains access, administrators are alerted and an immediate security response may be triggered.

Honey Nets/Honey Files: Honey Nets involve deploying large amounts of honeypots on a network. Honey files mimic sensitive data but contain misinformation.

DNS Sinkholes: A DNS sinkhole feeds DNS servers false information so that malware traffic is rerouted to a controlled server. This prevents infected devices from communicating with command-and-control servers and stops users' systems from carrying out botnet instructions.
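The honey token and breadcrumb techniques above come down to one rule: a planted credential has no legitimate user, so any use of it is a high-fidelity signal. The following added example (written for this article, not code from any product mentioned here) plants two decoy account names as breadcrumbs and scans sshd-style authentication lines for them. The account names, the "planted at" notes and the log lines are all constructed sample values.

```python
import re
from dataclasses import dataclass

# Decoy accounts planted as breadcrumbs (for example in a fake config file or a
# saved-credentials note on a real host). Constructed sample values: no real
# system uses these names, so any login attempt with them is suspicious.
HONEY_ACCOUNTS = {
    "svc_backup_ro": "decoy credential in /etc/backup/agent.conf",
    "dbadmin_legacy": "decoy credential in onboarding wiki page",
}

# sshd-style authentication lines, constructed for this example.
SAMPLE_AUTH_LOG = """\
Jan 18 09:12:01 web01 sshd[4412]: Accepted publickey for alice from 10.0.5.20 port 51012 ssh2
Jan 18 09:14:37 web01 sshd[4460]: Failed password for svc_backup_ro from 10.0.9.77 port 40211 ssh2
Jan 18 09:14:39 web01 sshd[4460]: Failed password for svc_backup_ro from 10.0.9.77 port 40211 ssh2
Jan 18 09:15:02 web01 sshd[4471]: Failed password for invalid user test from 10.0.9.77 port 40230 ssh2
Jan 18 09:20:45 web01 sshd[4499]: Accepted password for dbadmin_legacy from 10.0.9.77 port 40301 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass
class HoneyAlert:
    timestamp: str
    host: str
    user: str
    src_ip: str
    outcome: str
    planted_at: str
    severity: str


def scan_auth_log(text, honey_accounts=HONEY_ACCOUNTS):
    """Return one HoneyAlert per line that uses a decoy account.

    Even a failed attempt means someone read the breadcrumb; a successful
    login is escalated because the intruder now has a session on that host.
    """
    alerts = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        if user not in honey_accounts:
            continue  # a real account: not the honey token's business
        outcome = m.group("outcome")
        alerts.append(HoneyAlert(
            timestamp=m.group("ts"),
            host=m.group("host"),
            user=user,
            src_ip=m.group("src"),
            outcome=outcome,
            planted_at=honey_accounts[user],
            severity="critical" if outcome == "Accepted" else "high",
        ))
    return alerts


def summarize_by_source(alerts):
    """Group alerts by source IP so one intruder produces one incident, not many."""
    summary = {}
    for a in alerts:
        entry = summary.setdefault(
            a.src_ip, {"attempts": 0, "users": set(), "max_severity": "high"})
        entry["attempts"] += 1
        entry["users"].add(a.user)
        if a.severity == "critical":
            entry["max_severity"] = "critical"
    return summary


if __name__ == "__main__":
    found = scan_auth_log(SAMPLE_AUTH_LOG)
    for a in found:
        print(f"[{a.severity}] {a.timestamp} {a.user} from {a.src_ip} "
              f"({a.outcome}); bait: {a.planted_at}")
    print(summarize_by_source(found))
```

The "planted at" note travels with the alert on purpose: it tells the responder which breadcrumb the intruder read, and therefore which real host or document they had already reached.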

Deception technology is a proactive security measure that can be used for:

  • Threat detection and incident response
  • Insider threat mitigation
  • Ransomware defence
  • Credential theft prevention
  • Zero-day exploit detection
  • Active threat intelligence and forensics

Benefits of Cyber Deception

There are several benefits of cyber deception, including:

Early Detection

By applying deceptive controls or deception tools, an attacker's dwell time can be reduced. Threat actors can remain in an environment for extended periods: monitoring systems, searching for weak points, moving through systems to reach critical assets, or installing a backdoor for continuous access. This is why early detection, before they reach critical systems and assets, is crucial.

Threat Mitigation

Threat mitigation involves using deception to stop or reduce the harm of an attack. This could be using a technique like obfuscation to hide real assets, confusing threat actors. The idea behind cyber deception is to lure threat actors with bait, thereby preventing them from compromising or damaging real assets.

Behavioural Analysis

When threat actors are lured into a controlled environment, the security team gathers intelligence from how they interact with the fake or decoy assets. The team uses the collected information to understand the attackers' techniques, intent, and skill level, and to identify vulnerabilities in its own systems and defend them against future attacks.

Other benefits include:

High fidelity and low false positives: If traps are laid properly, any interaction with them tells you that someone is snooping.

Deployable where traditional security is not supported: Deception technology can be deployed where EDR is not feasible, or in locations where traditional security methods are not supported.

Slows down and confuses attackers: Once deception technology is deployed, attackers cannot be sure whether something is a trap and may hesitate to investigate it for fear of being caught.

Limitations of Cyber Deception

There are several disadvantages of cyber deception, including:

False Positives: False positives occur when security systems flag a legitimate activity as a threat. This may involve a user's interaction that mistakenly triggered a decoy.

Escalated attacks: This can occur when attackers detect decoys and retreat, only to return with stronger and more evasive attacks.

Integration: Integrating deception technology into existing systems can be challenging and requires careful planning and implementation. For example, improper integration can cause false positives that overwhelm security analysts.

Deception Tools for IT Security

OpenCanary

OpenCanary is a daemon, described as a multi-protocol network honeypot, that runs canary services to help detect unauthorised activity on a network.

When a service is probed or a suspicious action is detected, the honeypot triggers and sends an alert through channels such as email, SMS, HPFeeds, or an HTTP webhook. OpenCanary was created and is actively maintained by Thinkst.
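A honeypot that alerts on every probe can bury an analyst, which is the false-positive and integration problem raised later in this article. The added example below (written for this article; it is not OpenCanary's own code) takes newline-delimited JSON events shaped like OpenCanary's log output, drops an allow-listed vulnerability scanner, collapses the rest into one incident per source host, and builds the JSON body a SIEM or SOAR webhook would receive. The field names (`src_host`, `dst_port`, `logtype`, `logdata`, `node_id`, `local_time`) and the `logtype` codes follow OpenCanary's logger as I know it; verify them against the `opencanary` version you run. The events, node name, addresses and allow list are constructed sample values.

```python
import json

# logtype codes as emitted by OpenCanary's JSON logger (assumption: check
# opencanary/logger.py of your installed version; this is the subset used here).
LOGTYPES = {
    2000: "ftp.login_attempt",
    3000: "http.get",
    3001: "http.post_login_attempt",
    4000: "ssh.new_connection",
    4002: "ssh.login_attempt",
    5001: "port.syn",
}

# Constructed sample: one JSON object per line, shaped like OpenCanary log lines.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"dst_host": "10.0.3.5", "dst_port": 22, "local_time": "2026-01-18 09:31:02.113",
     "logdata": {"SESSION": "1", "USERNAME": "root", "PASSWORD": "toor"},
     "logtype": 4002, "node_id": "canary-dc1", "src_host": "10.0.9.77", "src_port": 40500},
    {"dst_host": "10.0.3.5", "dst_port": 22, "local_time": "2026-01-18 09:31:04.901",
     "logdata": {"SESSION": "1", "USERNAME": "admin", "PASSWORD": "admin"},
     "logtype": 4002, "node_id": "canary-dc1", "src_host": "10.0.9.77", "src_port": 40500},
    {"dst_host": "10.0.3.5", "dst_port": 21, "local_time": "2026-01-18 09:32:10.004",
     "logdata": {"USERNAME": "anonymous", "PASSWORD": "x"},
     "logtype": 2000, "node_id": "canary-dc1", "src_host": "10.0.9.77", "src_port": 40512},
    {"dst_host": "10.0.3.5", "dst_port": 80, "local_time": "2026-01-18 09:40:00.000",
     "logdata": {"PATH": "/", "USERAGENT": "authorised-scanner"},
     "logtype": 3000, "node_id": "canary-dc1", "src_host": "10.0.2.15", "src_port": 51000},
    {"dst_host": "10.0.3.5", "dst_port": 80, "local_time": "2026-01-18 09:40:00.050",
     "logdata": {"PATH": "/", "USERAGENT": "authorised-scanner"},
     "logtype": 3000, "node_id": "canary-dc1", "src_host": "10.0.2.15", "src_port": 51001},
])

# Sources allowed to touch the canary (the organisation's own scanner).
# Constructed value; an integration detail that removes a known false positive.
ALLOWLIST = {"10.0.2.15"}


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "logtype" in obj:
            events.append(obj)
    return events


def build_incidents(events, allowlist=ALLOWLIST):
    """Collapse per-event noise into one incident per (node, source host)."""
    incidents = {}
    for e in events:
        src = e.get("src_host")
        if src in allowlist:
            continue
        key = (e.get("node_id"), src)
        inc = incidents.setdefault(key, {
            "node_id": e.get("node_id"), "src_host": src, "events": 0,
            "first_seen": e["local_time"], "last_seen": e["local_time"],
            "services": set(), "usernames": set(),
        })
        inc["events"] += 1
        # Timestamps are zero-padded "YYYY-MM-DD HH:MM:SS.mmm", so string order is time order.
        inc["first_seen"] = min(inc["first_seen"], e["local_time"])
        inc["last_seen"] = max(inc["last_seen"], e["local_time"])
        inc["services"].add(LOGTYPES.get(e["logtype"], f"unknown.{e['logtype']}"))
        user = (e.get("logdata") or {}).get("USERNAME")
        if user:
            inc["usernames"].add(user)
    return list(incidents.values())


def webhook_payload(incident):
    """Serialise an incident as the JSON body a SIEM/SOAR webhook would receive."""
    body = dict(incident)
    body["services"] = sorted(body["services"])
    body["usernames"] = sorted(body["usernames"])
    body["severity"] = ("high" if any(s.endswith("login_attempt") for s in body["services"])
                        else "medium")
    return json.dumps(body, sort_keys=True)


if __name__ == "__main__":
    for inc in build_incidents(parse_events(SAMPLE_EVENTS)):
        print(webhook_payload(inc))
```

Grouping on (node, source) keeps the page's fidelity argument intact: the alert still fires on the first touch, but a password-guessing run against the decoy produces one ticket with a username list rather than one ticket per guess.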

Attivo Networks


Attivo Networks is a cybersecurity company that provides real-time detection and analysis of network threats. They built deception technology to trick attackers into interacting with fake infrastructure. They were regarded as a leading provider of in-network threat deception solutions.

The company was acquired by SentinelOne for $600 million in 2022, making it a part of SentinelOne's Singularity XDR platform; however, the brand name is still widely recognised even though it no longer exists independently.

Thinkst Canary


Thinkst Canary is a security product developed by Thinkst that helps detect threats by deploying canaries, which are decoy systems that alert security teams when there's an intrusion.

TrapX Security


TrapX Security is a cybersecurity company that specializes in deception technology. Its product, Deception Grid, detects intruders by deploying decoy systems that mimic real assets. When threat actors interact with these decoys, alerts are sent to security teams.

TrapX also allows security teams to study the behaviour and techniques of attackers, which helps them improve the security posture of a system. TrapX was acquired by Commvault in 2022, and its deception technology was integrated into Commvault's platform.

CanaryTokens


CanaryTokens is a tool used to detect unauthorised access to sensitive data. It acts as a digital tripwire that can be applied across a network in various forms, such as URLs, PDFs, DNS hostnames, Word documents, and more.

When a threat actor interacts with the token, for example by visiting the URL or opening the document, security teams receive an alert. CanaryTokens was created and is maintained by Thinkst Applied Research.
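To show what sits behind a tripwire like this, here is an added example of a minimal token registry (written for this article; it is not CanaryTokens' code and does not reproduce its format). It issues unguessable token ids, renders each one as a URL or a DNS name, maps an incoming HTTP path or DNS query back to the token, and records a hit together with the memo of where the token was planted. Hits on unknown ids are ignored so that someone scanning the token namespace cannot manufacture alerts. The host name, zone, path prefix and memo text are constructed values.

```python
import re
import secrets
from datetime import datetime, timezone

# Constructed values for this example; a real deployment points these at
# infrastructure the organisation controls.
TOKEN_HOST = "https://cdn-assets.example.internal"
TOKEN_PATH_PREFIX = "/t"
TOKEN_ZONE = "canary.example.internal"

# Token ids are 16 lowercase hex characters (secrets.token_hex(8)).
_PATH_RE = re.compile("^" + re.escape(TOKEN_PATH_PREFIX) + r"/(?P<id>[0-9a-f]{16})/")
_DNS_RE = re.compile(r"^(?P<id>[0-9a-f]{16})\." + re.escape(TOKEN_ZONE) + r"\.?$",
                     re.IGNORECASE)


class TokenRegistry:
    """Issue unique tripwire tokens and record any interaction with them."""

    def __init__(self):
        self._tokens = {}   # token_id -> {"kind", "memo", "hits"}
        self.alerts = []

    def create_token(self, kind, memo):
        """kind: 'url' or 'dns'; memo: where the token was planted (shown in the alert)."""
        token_id = secrets.token_hex(8)   # 64 bits of randomness: not guessable
        self._tokens[token_id] = {"kind": kind, "memo": memo, "hits": 0}
        return token_id

    def url_for(self, token_id):
        """URL to embed in a document, bookmark or fake config."""
        return f"{TOKEN_HOST}{TOKEN_PATH_PREFIX}/{token_id}/image.gif"

    def dns_name_for(self, token_id):
        """Host name that fires on a mere DNS lookup, before any TCP connection."""
        return f"{token_id}.{TOKEN_ZONE}"

    @staticmethod
    def token_from_path(path):
        """Map a request path seen by the web front end back to a token id."""
        m = _PATH_RE.match(path)
        return m.group("id") if m else None

    @staticmethod
    def token_from_dns(qname):
        """Map a query name seen by the authoritative DNS server back to a token id."""
        m = _DNS_RE.match(qname)
        return m.group("id").lower() if m else None

    def record_hit(self, token_id, src_ip, user_agent=""):
        """Called by the front end on every request; returns the alert, or None
        for ids that were never issued (scanning the namespace raises nothing)."""
        meta = self._tokens.get(token_id)
        if meta is None:
            return None
        meta["hits"] += 1
        alert = {
            "token_id": token_id,
            "kind": meta["kind"],
            "memo": meta["memo"],
            "src_ip": src_ip,
            "user_agent": user_agent,
            "hit_number": meta["hits"],
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        }
        self.alerts.append(alert)
        return alert


if __name__ == "__main__":
    reg = TokenRegistry()
    tid = reg.create_token("url", "planted in finance share, Q4 forecast workbook")
    print("embed:", reg.url_for(tid))
    # Simulate the web front end receiving a request for that path.
    seen = reg.token_from_path(f"{TOKEN_PATH_PREFIX}/{tid}/image.gif")
    print(reg.record_hit(seen, "198.51.100.7", "curl/8.0"))
```

The memo is the part that makes the alert actionable: "someone fetched token 3f2a..." is noise, while "someone opened the decoy workbook on the finance share from 198.51.100.7" is an incident.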

Difference between Deception Tools and Traditional Security Solutions

Approach
  Deception tools: Apply a proactive measure by deploying decoys and lures to trick attackers.
  Traditional security solutions: Employ both preventive and reactive measures, such as firewalls and intrusion detection systems, to block threats and mitigate attacks.

Unknown threats
  Deception tools: Don't rely on known threats and are used to detect unknown attacks.
  Traditional security solutions: Can detect known threats but may struggle with unknown threats.

Accuracy
  Deception tools: Provide higher accuracy; when a decoy is triggered, it's a strong signal that someone is exploring where they shouldn't.
  Traditional security solutions: Are prone to false positives, which may require analysts to review numerous alerts or logs to identify real threats.

Integration
  Deception tools: Can integrate with SIEM, SOAR, or EDR systems to gather attackers' techniques and provide intelligence to security teams, which is used to enhance security posture.
  Traditional security solutions: Also integrate with SIEM and EDR systems; however, their alerts are signature-based, meaning they only detect known threats.

Intelligence
  Deception tools: Provide intelligence. When attackers interact with a decoy, security teams can learn their intent and techniques, and use this information to improve their defence.
  Traditional security solutions: Provide information about what was detected, but don't reveal the technique or intent of the attacker.

Things to Consider when Implementing Deception Technology

  • Placement: Where you place a decoy is important.

  • Realism: The decoy must fit the environment.

  • Testing: Testing before deployment is important. Things to consider are the time it takes to alert and where the alert is received.

  • Integration: Integrate with existing security systems.

  • Updates: Regularly updating helps maintain security, fix vulnerabilities, and improve the overall security posture.


Summary

If the question is raised whether businesses or products can reach a point where security is no longer a concern, the answer is: unlikely. Systems are built with the understanding that someone is likely to find loopholes to exploit.

There is always a way for threat actors to access systems, no matter how robust or resilient they are. Often, this is done to prove that no system is 100% secure. Additionally, some companies deliberately conduct tests to find vulnerabilities so they can be fixed before they are exploited.

Cyber deception focuses on controlling the situation when threat actors gain access or attempt to do so, and deception tools help detect threats and provide insights to safeguard organizational assets and improve overall security posture.

Frequently Asked Questions

What is SSL security?

SSL stands for Secure Sockets Layer, and it is a protocol that is frequently used to communicate information online in a secure way.

Does WooCommerce have security issues?

WooCommerce itself doesn't have security issues, but every platform is susceptible to attacks. You can use WooCommerce's core security features, which are derived from WordPress – but you also need to take the initiative.

How is security maintained in edge computing?

Security in edge computing is maintained through measures such as encryption, authentication, access controls, and the use of trusted execution environments. These mechanisms protect data and ensure the integrity of computations.

How does LiteSpeed Hosting improve website security?

LiteSpeed Hosting enhances website security with built-in protection features that safeguard data and prevent vulnerabilities. Free SSL certificates encrypt visitor information, ensuring secure connections. Additionally, daily backups protect against accidental data loss, allowing for easy restoration when needed. The LiteSpeed Web Server also includes security optimizations that help mitigate malicious traffic and unauthorized access attempts.