How security teams are turning to decoy networks

Well-designed decoy networks can thwart and reveal attackers in the early stages of attacks.
17 June 2019


Some of the greatest survivors in nature are those that fool predators in order to derail their attack. This allows them to realise the threat and make their escape or fight back.

Take, for instance, the juvenile damselfish. When threatened by predators, this marine marvel shrinks its eyes and grows a large spot on its tail to look like an eye. Such a decoy tricks anything wishing to dine on the damselfish into attacking the tail rather than the head, and the fish can then swim off to safety. Similar cunning can be seen in butterfly fish, octopuses, chameleons, and tree frogs, all of which are adept at using various forms of camouflage as a defense against predators.

In cyber deception, decoys and lures offer similar benefits, using camouflage to keep corporate networks and their information safe. This creates an advantage that other security tools cannot provide: with defenses hidden in plain sight, attackers can be tricked and derailed, pushed into making mistakes, and the tables turned on those who try to infiltrate systems.

Deceiving the deceiver

Cyber deception defense tactics protect a network by convincing a cybercriminal that they are accessing the actual network, when in fact they are wandering aimlessly through a virtual “hall of mirrors”.

This starts by providing the in-network attacker with attractive targets that replicate the look, feel, and behavior of the actual network. This is done through the use of decoy networks, which are based on the same operating systems, applications, and identities as the production systems. Placing attractive “breadcrumbs” based on credentials and mapped drives will also proactively and quickly lure the attacker into the deception environment, as will populating the decoy with recent, seemingly valuable content that the attacker would expect to find. Being attractive is important, but it must be balanced with authenticity. Decoy networks should not be too obvious or too easy to infiltrate, or attackers will promptly identify them as fakes and avoid them.

A well-designed decoy network will not only reduce risk by detecting threats early but will also give the defender intelligence they could not gather elsewhere. This can be used to reduce response time from hours to minutes and can provide an advantage by using the information to fortify defenses. Whether the motivation is the fidelity of the detection or the desire to gather adversary intelligence and forensics, deception provides a unique capability, and one that the adversary is not often expecting or prepared for.

There are clear benefits to adding a synthetic deception environment to your network. As soon as a would-be predator interacts with the decoy, they immediately reveal their presence and their activities can then be monitored and recorded. This is a unique advantage to defenders that can only be achieved within a deceptive environment. The actions taken by the attacker within the decoy system are immediately gathered and analyzed to reveal indicators of compromise and their tactics, techniques, and procedures, as well as highlighting what they might be looking to access.
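The two properties described above, planted breadcrumbs (credentials that no legitimate process ever uses) and decoy hosts whose every interaction is a signal, are what make deception alerts high-fidelity. The following Python example is added here to illustrate that; it is not Attivo Networks code or any product's logic. The decoy inventory, the hostnames, the addresses and the sshd-style log lines are all constructed for the example. It parses the log, flags only events that touch a decoy host or a planted credential, and rolls the hits up into an indicator-of-compromise summary keyed by attacker source address.

```python
"""
Turning decoy interactions into alerts and indicators of compromise.

Illustrative example, not vendor code. The inventory and log lines
below are constructed; a real deployment would read them from the
decoy platform or SIEM.
"""
import re
from collections import defaultdict

# Constructed inventory of decoy assets. No legitimate user or job should
# ever touch these, so any interaction is a high-fidelity signal.
DECOY_HOSTS = {"fs-finance02": "10.20.5.71", "sql-backup01": "10.20.5.88"}
DECOY_CREDENTIALS = {"svc_backup_old", "finadmin"}  # planted as breadcrumbs

# Constructed syslog-style sshd lines. web-prod01 and deploy are production
# (not in the inventory); 203.0.113.4 is an unrelated brute-force attempt.
SAMPLE_LOGS = """\
Jun 17 09:12:03 fs-finance02 sshd[4012]: Failed password for svc_backup_old from 10.20.7.15 port 51822 ssh2
Jun 17 09:12:09 fs-finance02 sshd[4012]: Accepted password for svc_backup_old from 10.20.7.15 port 51822 ssh2
Jun 17 09:13:44 web-prod01 sshd[2210]: Accepted publickey for deploy from 10.20.1.9 port 40110 ssh2
Jun 17 09:15:21 sql-backup01 sshd[5105]: Failed password for finadmin from 10.20.7.15 port 51900 ssh2
Jun 17 09:20:02 web-prod01 sshd[2211]: Failed password for root from 203.0.113.4 port 60001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port (?P<port>\d+)"
)


def parse_line(line):
    """Parse one sshd auth line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Return the reasons this event touches the deception layer (empty if none)."""
    reasons = []
    if event["host"] in DECOY_HOSTS:
        reasons.append("decoy host contacted")
    if event["user"] in DECOY_CREDENTIALS:
        reasons.append("planted credential used")
    return reasons


def analyze(log_text):
    """Return (alerts, iocs): every decoy-touching event, plus a per-source summary."""
    alerts = []
    iocs = defaultdict(lambda: {"hosts": set(), "users": set(), "count": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        reasons = classify(ev)
        if not reasons:
            continue  # production traffic: the decoy layer stays silent on it
        alerts.append({**ev, "reasons": reasons})
        rec = iocs[ev["src"]]
        rec["hosts"].add(ev["host"])
        rec["users"].add(ev["user"])
        rec["count"] += 1
    return alerts, dict(iocs)


if __name__ == "__main__":
    found, summary = analyze(SAMPLE_LOGS)
    for a in found:
        print(f'{a["ts"]} {a["src"]} -> {a["host"]} as {a["user"]} '
              f'({a["outcome"]}): {", ".join(a["reasons"])}')
    for src, rec in summary.items():
        print(f"IoC {src}: {rec['count']} decoy events, "
              f"hosts={sorted(rec['hosts'])}, users={sorted(rec['users'])}")
```

Note what the output does not contain: the root brute-force against the production host is ignored, because it never touched a decoy. That is the design point of the article: the decoy layer trades coverage of production traffic for near-zero false positives, so it complements rather than replaces perimeter and endpoint controls.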

Such intelligence empowers IT security teams to not only deal with the present danger but also to eradicate and defend against future threats. There is also the benefit that the cybercriminal will be wasting time and resources trying to infiltrate further and further into a system that will ultimately offer up no reward. When the attacker eventually realizes they are in a fake network, they will either have to start their infiltration all over again or, not wanting to deal with the complexity a deception network adds, will move on and look for other, easier targets.

For maximum adversary intelligence, it is useful for the attacker to believe for as long as possible that they are in the actual production network. This requires a deception environment that looks and behaves like the real thing and includes a safe “sandboxed” environment so that the attacker's actions can be studied without risk to the organization. Typically, an attacker has the benefit of gathering intelligence with every attack. With deception's ability to engage the adversary, the playing field is leveled and the defender can now gain critical information to proactively fight back.

The use of cyber deception has grown rapidly based on its ability to trick predators and accurately detect their presence. As with our marine life, cyber deception draws on a variety of tactics, including mimicry, blending in, and staying in schools, to lead the attacker into decoy networks. Sustaining an attractive setting also fools the adversary into revealing their ways, which in turn arms the defender with speed and maneuverability, two more useful defense mechanisms for combating sharks in the water.

This article was contributed by Carolyn Crandall, Chief Deception Officer at Attivo Networks.