How organisations can adopt deception to outsmart cyber attackers
Dealing with cyberattacks on a daily basis has become the reality for businesses today. However, few organisations take a proactive response. Instead, they are left to deal with the fallout after an attack happens and the financial and reputational damage to their business has already occurred.
TechRadar spoke with Attivo Networks’ Chief Deception Officer Carolyn Crandall who suggests that businesses adopt the long established military technique of ‘deception’ to help them gain an edge over cybercriminals.
1. Deception has been long been used in the act of war: how can this now be used in the cyber security industry?
Deception has been used in war, law, sports, and gambling for millennia to create uncertainty and confusion in the adversary’s mind, which will delay and manipulate their efforts, and will influence and misdirect their perceptions and decision processes.
Military deception by definition “is intended to deter hostile actions, increase the success of friendly defensive actions, or to improve the success of any potential friendly offensive action.”
Cyber deception aligns with this definition and is based on planned, deliberate, and controlled actions designed to obfuscate the network. In turn, this influences the attacker to make a mistake, spend more time distinguishing real from fake, and makes the economics of the attack undesirable, thereby forcing the attacker to take actions that are beneficial to the defender’s security posture.
Cyber deception works by creating decoys that appear as production assets and are designed to be attractive to the adversary. This is paired with deception bait or lures that display as enticing credentials, applications, or data and will lead the attacker into engaging with the deception environment. The use of deception efficiently leads the attacker through the network, revealing motives, techniques, and intentions, which can be used for collecting adversary intelligence, generating actionable alerts, and accelerating incident response.
As with physical warfare, by using deceptive techniques, a cyber defender can mislead and/or confuse attackers, thus enhancing their defensive capabilities over time. The ability to deceive, direct, and guide the adversary away from critical assets, denies the attacker the ability to achieve his goals and reveals how he is able to move through the network. It also holds the benefit of increasing the attacker’s cost as they must now decipher what is real from fake and often have to restart their attacks over.
2. How does deception differ to the traditional honeypot?
One of my favourite questions, “Why isn’t this just a honeypot?”. It’s really like comparing a horse and buggy to a Tesla. Honeypots were originally designed for research, and a decoy was placed outside the network to determine who was attacking the organisation. It was not designed to scale and was highly inefficient to operate.
Commercial-deception technology is designed for in-network threat detection and is able to detect threats from all vectors and across all attack surfaces.
To achieve this, deception must pass 3 major hurdles. First, to be attractive and believable; second, to scale to cover all attack surfaces; and third, to be easy to operate. To be attractive and believable, deception must appear identical to the production environment, running the same operating systems and services.
Earlier honeypot technology was emulated, and it did not take an attacker long to figure out how to identify and avoid them. Comprehensive deception technology platforms support virtually unlimited scalability across everything from user networks to cloud datacenters to unique IoT or ICS deployments. It is also important to be able to plant lures on the endpoint to entice and redirect attackers into the deception environment. Honeypots lack this functionality. The last material difference is in the preparation, deployment, and operations of deception.
Machine-learning now completely automates this process in an hour versus honeypots that need to be manually set up and rebuilt after an attack. The intuitive nature of deception makes it very simple to manage whereas a honeypot required highly skilled resources. The latest approaches to deception also provide automated attack analysis, automations for incident response, as well as visibility tools for attack paths, network device changes, and attack time-lapsed replay. These features simply don’t exist in honeypots.
3. How can deception techniques enable organisations to gain the upper hand against cyber attackers?
Most traditional security controls and technologies are designed to create a boundary around computer systems and are solely focused on trying to stop illicit access attempts at the perimeter. These “walls” are constantly pummeled by automated exploitation tools and attackers will continuously conduct reconnaissance on computers or conduct phishing campaigns until they find a vulnerability to infiltrate the network unstopped and undetected.
Unfortunately, throughout the process of stopping the attack, system defenders will typically learn very little - or nothing at all - about the intruders’ targets or motivations during this process. The desire to immediately deflect an attack, sadly, also comes at a price. One that can inadvertently make the task of defending a computer system harder, but the adversary stronger after every unsuccessful attack.
Deception technology changes the asymmetry of an attack by preparing an organisation regardless of the type of cyberattack, providing early detection regardless of attack surface, collecting information on the origin of the attack, tools, techniques, and motivation, along with providing attack analysis that empowers the defender to act decisively, automate response, and build proactive defences.
The organisation will also benefit from high-fidelity alerts that are actionable and automations for understanding an attack, information sharing, and responding to incidents.
4. How does a cyber deception plan add value to risk management ?
The value of having a cyber deception plan is multi-fold and can add value in both IT asset risk management and in digital risk management:
1. Early and accurate detection of threats that have bypassed perimeter defences. This includes early reconnaissance, lateral movement, and often hard-to-detect credential theft.
2. Insight into the reliability of the defender’s security posture and how an attacker is able to breach defences. This will provide a more complete view of your network’s strengths and weaknesses and identify the areas where the adversary will most likely try to gain access.
3. Awareness of risks and business functions likely to be attacked. Properly planning, designing, and implementing a deception campaign can identify previously unknown and potentially vulnerable assets along with the paths an attacker could utilise to move through an environment.
4. The ability to deceive, direct, and guide the adversary away from critical assets, denying the perpetrator of his goals and revealing how he wants to move through the network. This power to mislead and/or confuse attackers without their knowledge can then be applied to strengthen overall defensive capabilities.
5. Mitigation of increased security risk models associated with the use of new technologies such as IoT or cloud, which may be needed for competitive business offerings and services.
6. Collection of adversary intelligence that can be applied decisively to stop an attack, threat hunt, and eradicate a threat. Then, an organisation can set up deceptions and traps to mitigate the risk of return.
7. Proof during pen testing or for ongoing vulnerability assessment of security program resiliency or risks associated with insiders and supply chain.
8. Deception also holds the benefit of increasing the attacker’s cost as they must now decipher what is real from fake and often have to restart their attacks over or abandon their efforts completely. Increasing the complexity of an attack can be a strong deterrent and result in the reduced likelihood of being a primary target for attack.
5. Advanced threats are proven to bypass perimeter defences so how can deception benefit an organisation once breached?
Many will argue that cyberwarfare has now moved inside the network and that there is no realistic way to keep attackers completely out. Deception technology is built for an active defence that detects in-network attackers early and accurately, and which provides the root cause analysis required to understand where an attacker started, their tools, techniques, methods, and motivation.
Benefits include the ability to change the asymmetry of an attack and force the attacker to be right 100% of the time or reveal their presence.
It provides the defenders with offensive strategies designed to detect a threat early and accurately regardless of attack vector or surface, and the adversary intelligence required to quickly stop an attack and fortify defences.
The very nature of deception technology gives the organisations a number of advantages: they are forced to waste time and resources and are directed by the defenders to a particular pattern of behaviour. It also causes the adversary to reveal their own weaknesses and methods; this creates an active loop through which defenders can improve their own defences.
6. What can deception techniques help us to understand more about the cybercriminals’ activities?
Unlike other security controls that are designed to simply stop an attack, deception technology provides a high interaction deceptive environment where the attacker’s activities can be studied for threat intelligence and information on tools, techniques, targets, and how the threat moves through the network. Credential and application deceptions will also offer insight into attempted theft and reuse of legitimate credentials. Functionality to safely communicate with Command and Control will also offer valuable insight into polymorphic or time-triggered activity and will improve a defender’s ability to eradicate threats and prevent their return. Advanced features like decoy documents are also useful in understanding the attacker’s target and providing geo-location information.
7. How do you see deception technology advancing in the future?
Given its accuracy and efficacy, deception is becoming a de facto detection control within the security stack. Many organisations are specifically budgeting for deception projects for 2019 and I expect this will continue to fuel the rapid trend of adoption. Additionally, over the next two years, the deception technology market is estimated to grow 684% according to the Cybersecurity Imperative report.
Deception technology has matured immensely over the last few years and now has globally proven technology for network, endpoint, application, and data deceptions across a wide range of attack surfaces including data centres, cloud, user networks, remote offices, IoT, ICS, POS, and infrastructure. Additionally, comprehensive deception platforms facilitate the collection of adversary intelligence, and through native integrations, automate incident response. The use of machine-learning has also removed deployment and operational complexity, making deception suitable for both large and smaller organisations. Managed service offerings will also be more widely available to support midmarket and smaller business needs. It is important to note that there are very substantial capability differences amongst deception providers. It is critical to do the research to make sure the solution will meet the business’s current and future requirements.
source techradar
Industry: Cyber Security News
Latest Jobs
-
- Account Manager - IT Services
- Germany
- €90000 plus OTE and Car
-
Are you a deal closer with a hunter mindset? Do you know how to uncover business pain points, and turn them into long-term digital transformation partnerships? Our Client are growing their sales force across Germany and looking for an ambitious, straight-talking Account Manager to take the lead on new client acquisition. You’ll focus on mid-sized to large enterprises across Germany helping to shape their digital future with tailored IT solutions in Workplace, Cloud, and Security. • Drive Growth: Own the full sales cycle for new business across your region. • Solution Sell: Build bespoke offers in Security, Digital Workplace and Cloud solutions • Build Relationships: Establish a solid pipeline through smart prospecting, marketing-driven leads, and your own network. • Represent a brand known for trust, delivery, and tech excellence—with 4,000 employees globally and a growing team within Germany. What You Bring • Proven new logo sales experience in the IT services space (not hardware!) • Deep knowledge in one or more of: Cybersecurity, Digital Workplace, or Cloud • Confidence to lead enterprise deals and pitch directly to senior stakeholders • Fluent German and good English skills Sind Sie ein Abschlussprofi mit Hunter-Mentalität? Wissen Sie, wie man geschäftliche Pain Points identifiziert und in langfristige Partnerschaften zur digitalen Transformation verwandelt? Unser Kunde baut derzeit sein Vertriebsteam in ganz Deutschland aus und sucht eine ambitionierte, ehrliche Persönlichkeit als Account Manager, die den Lead bei der Neukundengewinnung übernimmt. Ihr Fokus liegt auf mittelständischen bis großen Unternehmen in Deutschland, denen Sie mit maßgeschneiderten IT-Lösungen in den Bereichen Workplace, Cloud und Security den Weg in die digitale Zukunft ebnen. Ihre Aufgaben • Wachstum vorantreiben: Verantwortung für den gesamten Vertriebszyklus im Neugeschäft Ihrer Region. • Lösungsorientierter Vertrieb: Entwicklung individueller Angebote in den Bereichen Security, Digital Workplace und Cloud-Lösungen. • Beziehungen aufbauen: Aufbau einer stabilen Pipeline durch gezielte Ansprache, marketinggenerierte Leads und Ihr eigenes Netzwerk. • Marke repräsentieren: Werden Sie Teil eines Unternehmens mit 4.000 Mitarbeitenden weltweit und einem stark wachsenden Team in Deutschland – bekannt für Vertrauen, Verlässlichkeit und technologische Exzellenz. Was Sie mitbringen • Nachgewiesene Erfahrung in der Neukundenakquise im Bereich IT-Services (kein Hardwarevertrieb!) • Fundiertes Wissen in mindestens einem der Bereiche: Cybersecurity, Digital Workplace oder Cloud • Selbstbewusstes Auftreten im Umgang mit Enterprise-Deals und Entscheidungsträgern auf Top-Level • Verhandlungssichere Deutschkenntnisse und gute Englischkenntnisse
-
- Senior SOC Analyst Level 3. Microsoft Security stack | Ability to achieve SC Clearance
- London
- To attract the right person
-
Job Title: Senior SOC Analyst Level 3. Microsoft Security stack | Ability to achieve SC Clearance Location: Hybrid remote | London / Berkshire Overview: Senior SOC Analyst Level 3 to join a specialist Managed Security Services business. You will be responsible for advanced threat hunting / triage, incident response etc with a strong focus on the Microsoft Security Stack. Key Responsibilities: Lead and resolve complex security incidents / escalations Conduct advanced threat hunting using the Microsoft Security Stack. Build, optimise and maintain workbooks, rules, analytics etc. Correlate data across Microsoft 365 Defender, Azure Defender and Sentinel. Perform root cause analysis and post-incident reporting. Aid in mentoring and upskilling Level 1 and 2 SOC analysts. Required Skills & Experience: The ability to achieve UK Security Clearance (SC) – existing clearance ideal. (Sorry no visa applications) Current experience working with a SOC environment Microsoft Sentinel: Development and tuning of custom analytic rules. Workbook creation and dashboarding. Automation using Playbooks and SOAR integration. Kusto Query Language (KQL): Writing complex, efficient queries for advanced threat hunting and detection. Correlating data across key tables (e.g., SignInLogs, SecurityEvent, OfficeActivity, DeviceEvents). Developing custom detection rules, optimising performance, and reducing false positives. Supporting Sentinel Workbooks, Alerts, and Playbooks through advanced KQL use. Deep understanding of incident response, threat intelligence and adversary techniques (MITRE ATT&CK framework). Strong knowledge of cloud and hybrid security, particularly within Azure. Additional Requirements: Must hold or be eligible to achieve a minimum of Security Clearance (SC) level. Nice to have certifications (e.g., SC-200, AZ-500, GIAC) are desirable. Strong problem-solving and analytical skills. Excellent communication for clear documentation and team collaboration. Please follow Wheaton’s Law.
-
- New Business Sales Hunter | Cyber Security (UK Based)
- London
- To attract the right person
-
New Business Sales Hunter needed | Cybersecurity (UK Based) Are you looking for uncapped commission, a fun and sociable team that drives success with no politics? If so...You must Be UK based - and able to achieve UK SC clearance. (sorry no visas) Have a demonstrable history of sales success in Cyber Security Follow Weatons law. The role: Seeking a proven New Business Sales Hunter to join an established, successful and expanding cyber security firm. New business focused - £1m GP year one target (ramped). Sell a blend of security services & professional services. Ideal experience selling some or all of the following Cyber strategy & risk management Managed detection & response (MDR) Penetration testing Compliance & audit support You: Strong cybersecurity/IT services sales track record. Confident selling into mid-market & enterprise. UK based - London commutable 1x per week. Hunter mindset, full sales cycle ownership. Don't just send an email to apply give me a call on 07884666351
-
- CyberArk Architect
- London
- Upto £110,000 plus bonus and benefits
-
Are you ready to lead from the front and drive innovation in the Identity & Access Management (IAM) space? We’re looking for a seasoned CyberArk Architect who has CDE-CPC ideally or experience with privilege Cloud, someone who can lead with vision, execute with precision, and inspire teams to deliver excellence. As a key leader in our organisation, you’ll bring your strong business acumen and a technology-focused, innovative mindset to the table. You’ll be driving strategic initiatives, shaping transformation programs, and empowering teams to think big and deliver even bigger. Acting as a subject matter expert in CyberArk Leading strategic transformations in: Identity Governance Privileged Access Management (PAM) Access Management Customer Identity and Access Management (CIAM) Building and maintaining strong, collaborative relationships within the team Communicating clearly and confidently — both written and verbal — to deliver updates, raise potential issues, and share insights If you are interested in the above position we are looking for people with: deep expertise and a successful track record in IAM strategy, delivery, or assurance with CyberArk Hold relevant certifications such as CDE in Privileged Cloud or Guardian Have experience in a client-facing role (preferred, but not essential) Thrive in a hybrid working environment and are available to work from our or client London office three days a week Lead with clarity, communicate with impact, and adapt quickly to changing priorities