How organisations can adopt deception to outsmart cyber attackers

Dealing with cyberattacks on a daily basis has become the reality for businesses today. However, few organisations take a proactive response. Instead, they are left to deal with the fallout after an attack happens and the financial and reputational damage to their business has already occurred.
TechRadar spoke with Attivo Networks’ Chief Deception Officer Carolyn Crandall who suggests that businesses adopt the long established military technique of ‘deception’ to help them gain an edge over cybercriminals.
1. Deception has been long been used in the act of war: how can this now be used in the cyber security industry?
Deception has been used in war, law, sports, and gambling for millennia to create uncertainty and confusion in the adversary’s mind, which will delay and manipulate their efforts, and will influence and misdirect their perceptions and decision processes.
Military deception by definition “is intended to deter hostile actions, increase the success of friendly defensive actions, or to improve the success of any potential friendly offensive action.”
Cyber deception aligns with this definition and is based on planned, deliberate, and controlled actions designed to obfuscate the network. In turn, this influences the attacker to make a mistake, spend more time distinguishing real from fake, and makes the economics of the attack undesirable, thereby forcing the attacker to take actions that are beneficial to the defender’s security posture.
Cyber deception works by creating decoys that appear as production assets and are designed to be attractive to the adversary. This is paired with deception bait or lures that display as enticing credentials, applications, or data and will lead the attacker into engaging with the deception environment. The use of deception efficiently leads the attacker through the network, revealing motives, techniques, and intentions, which can be used for collecting adversary intelligence, generating actionable alerts, and accelerating incident response.
As with physical warfare, by using deceptive techniques, a cyber defender can mislead and/or confuse attackers, thus enhancing their defensive capabilities over time. The ability to deceive, direct, and guide the adversary away from critical assets, denies the attacker the ability to achieve his goals and reveals how he is able to move through the network. It also holds the benefit of increasing the attacker’s cost as they must now decipher what is real from fake and often have to restart their attacks over.
2. How does deception differ to the traditional honeypot?
One of my favourite questions, “Why isn’t this just a honeypot?”. It’s really like comparing a horse and buggy to a Tesla. Honeypots were originally designed for research, and a decoy was placed outside the network to determine who was attacking the organisation. It was not designed to scale and was highly inefficient to operate.
Commercial-deception technology is designed for in-network threat detection and is able to detect threats from all vectors and across all attack surfaces.
To achieve this, deception must pass 3 major hurdles. First, to be attractive and believable; second, to scale to cover all attack surfaces; and third, to be easy to operate. To be attractive and believable, deception must appear identical to the production environment, running the same operating systems and services.
Earlier honeypot technology was emulated, and it did not take an attacker long to figure out how to identify and avoid them. Comprehensive deception technology platforms support virtually unlimited scalability across everything from user networks to cloud datacenters to unique IoT or ICS deployments. It is also important to be able to plant lures on the endpoint to entice and redirect attackers into the deception environment. Honeypots lack this functionality. The last material difference is in the preparation, deployment, and operations of deception.
Machine-learning now completely automates this process in an hour versus honeypots that need to be manually set up and rebuilt after an attack. The intuitive nature of deception makes it very simple to manage whereas a honeypot required highly skilled resources. The latest approaches to deception also provide automated attack analysis, automations for incident response, as well as visibility tools for attack paths, network device changes, and attack time-lapsed replay. These features simply don’t exist in honeypots.
3. How can deception techniques enable organisations to gain the upper hand against cyber attackers?
Most traditional security controls and technologies are designed to create a boundary around computer systems and are solely focused on trying to stop illicit access attempts at the perimeter. These “walls” are constantly pummeled by automated exploitation tools and attackers will continuously conduct reconnaissance on computers or conduct phishing campaigns until they find a vulnerability to infiltrate the network unstopped and undetected.
Unfortunately, throughout the process of stopping the attack, system defenders will typically learn very little - or nothing at all - about the intruders’ targets or motivations during this process. The desire to immediately deflect an attack, sadly, also comes at a price. One that can inadvertently make the task of defending a computer system harder, but the adversary stronger after every unsuccessful attack.
Deception technology changes the asymmetry of an attack by preparing an organisation regardless of the type of cyberattack, providing early detection regardless of attack surface, collecting information on the origin of the attack, tools, techniques, and motivation, along with providing attack analysis that empowers the defender to act decisively, automate response, and build proactive defences.
The organisation will also benefit from high-fidelity alerts that are actionable and automations for understanding an attack, information sharing, and responding to incidents.
4. How does a cyber deception plan add value to risk management ?
The value of having a cyber deception plan is multi-fold and can add value in both IT asset risk management and in digital risk management:
1. Early and accurate detection of threats that have bypassed perimeter defences. This includes early reconnaissance, lateral movement, and often hard-to-detect credential theft.
2. Insight into the reliability of the defender’s security posture and how an attacker is able to breach defences. This will provide a more complete view of your network’s strengths and weaknesses and identify the areas where the adversary will most likely try to gain access.
3. Awareness of risks and business functions likely to be attacked. Properly planning, designing, and implementing a deception campaign can identify previously unknown and potentially vulnerable assets along with the paths an attacker could utilise to move through an environment.
4. The ability to deceive, direct, and guide the adversary away from critical assets, denying the perpetrator of his goals and revealing how he wants to move through the network. This power to mislead and/or confuse attackers without their knowledge can then be applied to strengthen overall defensive capabilities.
5. Mitigation of increased security risk models associated with the use of new technologies such as IoT or cloud, which may be needed for competitive business offerings and services.
6. Collection of adversary intelligence that can be applied decisively to stop an attack, threat hunt, and eradicate a threat. Then, an organisation can set up deceptions and traps to mitigate the risk of return.
7. Proof during pen testing or for ongoing vulnerability assessment of security program resiliency or risks associated with insiders and supply chain.
8. Deception also holds the benefit of increasing the attacker’s cost as they must now decipher what is real from fake and often have to restart their attacks over or abandon their efforts completely. Increasing the complexity of an attack can be a strong deterrent and result in the reduced likelihood of being a primary target for attack.
5. Advanced threats are proven to bypass perimeter defences so how can deception benefit an organisation once breached?
Many will argue that cyberwarfare has now moved inside the network and that there is no realistic way to keep attackers completely out. Deception technology is built for an active defence that detects in-network attackers early and accurately, and which provides the root cause analysis required to understand where an attacker started, their tools, techniques, methods, and motivation.
Benefits include the ability to change the asymmetry of an attack and force the attacker to be right 100% of the time or reveal their presence.
It provides the defenders with offensive strategies designed to detect a threat early and accurately regardless of attack vector or surface, and the adversary intelligence required to quickly stop an attack and fortify defences.
The very nature of deception technology gives the organisations a number of advantages: they are forced to waste time and resources and are directed by the defenders to a particular pattern of behaviour. It also causes the adversary to reveal their own weaknesses and methods; this creates an active loop through which defenders can improve their own defences.
6. What can deception techniques help us to understand more about the cybercriminals’ activities?
Unlike other security controls that are designed to simply stop an attack, deception technology provides a high interaction deceptive environment where the attacker’s activities can be studied for threat intelligence and information on tools, techniques, targets, and how the threat moves through the network. Credential and application deceptions will also offer insight into attempted theft and reuse of legitimate credentials. Functionality to safely communicate with Command and Control will also offer valuable insight into polymorphic or time-triggered activity and will improve a defender’s ability to eradicate threats and prevent their return. Advanced features like decoy documents are also useful in understanding the attacker’s target and providing geo-location information.
7. How do you see deception technology advancing in the future?
Given its accuracy and efficacy, deception is becoming a de facto detection control within the security stack. Many organisations are specifically budgeting for deception projects for 2019 and I expect this will continue to fuel the rapid trend of adoption. Additionally, over the next two years, the deception technology market is estimated to grow 684% according to the Cybersecurity Imperative report.
Deception technology has matured immensely over the last few years and now has globally proven technology for network, endpoint, application, and data deceptions across a wide range of attack surfaces including data centres, cloud, user networks, remote offices, IoT, ICS, POS, and infrastructure. Additionally, comprehensive deception platforms facilitate the collection of adversary intelligence, and through native integrations, automate incident response. The use of machine-learning has also removed deployment and operational complexity, making deception suitable for both large and smaller organisations. Managed service offerings will also be more widely available to support midmarket and smaller business needs. It is important to note that there are very substantial capability differences amongst deception providers. It is critical to do the research to make sure the solution will meet the business’s current and future requirements.
source techradar
Industry: Cyber Security News

Latest Jobs
-
- Account Director | Cyber Security Consulting | UK - South East
- London
- N/A
-
Account Director | Cyber Security Consulting - Financial Services | UK - South East. New Role due to Growth We are looking for an experienced Account Director to develop and expand existing relationships across the financial services sector, working with investment firms, asset managers, private equity groups and strategic partners to deliver intelligent cyber consulting and a bespoke Cyber product offerings. You will act as a trusted advisor, helping organisations strengthen digital resilience, manage third-party and regulatory risk and adopt a proactive approach to cyber assurance. Key Responsibilities Manage a defined portfolio of financial clients, understanding business priorities and aligning tailored cyber solutions. Drive new client engagement while nurturing existing partnerships through a consultative, long-term approach. Present the benefits of advanced cyber services including threat intelligence, vulnerability management, incident readiness, and continuous risk monitoring. Collaborate with technical and delivery teams to ensure smooth engagement from proposal through to implementation and ongoing support. Prepare proposals, negotiate commercial terms, and clearly articulate value and business outcomes. Build trusted relationships at senior and board level. Ideal Profile Strong background in cybersecurity, consulting, or risk management within financial services. Skilled communicator with proven success managing and growing key accounts. Able to translate complex technical insight into commercial and strategic value for clients. Confident engaging with senior stakeholders and decision makers. Please note: Sponsorship is not available.
-
- SOC Analyst- Level 2- Hybrid Greater London
- London
- N/A
-
SOC Analyst- Level 2- Hybrid Greater London New opportunity created through continued growth. We’re looking for a SOC Analyst (Level 2) to strengthen a growing managed security team. You’ll work hands-on with Microsoft Sentinel and Defender XDR, investigating alerts, responding to incidents, and helping improve how clients stay protected. This role is ideal for someone who enjoys unravelling security events, thinking critically under pressure, and making a real difference day to day. What you’ll do · Investigate and respond to security activity across SIEM and endpoint tools · Analyse network and log data to uncover real threats · Support automation initiatives to streamline response processes · Help maintain visibility, data flow, and performance across SOC platforms What you’ll need · Practical experience using Microsoft Sentinel and Defender XDR · Confident working with KQL or similar query languages · Understanding of attacker tactics and response techniques · SC-200 certifications would be nice. · Experience supporting multiple customer environments Please note: Sponsorship is not available.
-
- Senior SOC Engineer - UK - New role due to growth
- London
- N/A
-
Senior SOC Engineer – New role due to growth We are hiring a Senior SOC Engineer to take the lead across security operations for a growing managed service. You will lead detection, response and onboarding activity across multiple clients, helping shape how the SOC evolves. Expect variety; from fine-tuning alerts and threat hunting to supporting customers and mentoring junior analysts. What you’ll bring · Strong experience across SIEM, EDR, and threat detection tools · Confident working with customers in a managed service environment · Skilled in scripting or query languages such as KQL or PowerShell · Knowledge of frameworks like NIST, ISO27001, MITRE ATT&CK · Calm communicator with a problem-solving mindset · Experience with Azure Lighthouse or delegated access models · Prior involvement in automation or SOC improvement projects Location: South East England- Hybrid role Please note: Sponsorship cannot be offered now or in the future.
-
- SENIOR Cyber Risk Consultant. Cyber Risk consultancy - the right way. UK. Hybrid - Remote first
- United Kingdom
- N/A
-
Senior Cyber Risk Consultant needed. New position due to growth Seeking a passionate Cyber Security Risk Consultant who enjoys helping clients make a different to their business. Dedicated training budgets, Unlimited holiday structured career path, Work life balance guaranteed Cyber Risk consultancy done the right way. A successful individual will have experience working with clients to identify business cyber security risk. This is a remote first opportunity which means you will spend the majority of your time working remotely. You will however spend some time meeting clients as well as meeting up with the team on a monthly basis.. Some of the nice to have certifications. CRISC, ISO27001 Lead implementer, CISA, CISM, CISSP Unable to offer Visa sponsorship now or in the future.