Deception: what it is, how it works and why it is essential for cybersecurity

Estimated reading time: 6 minutes

Deception: what is it and what is it for?

Cyberdeception, also known as “decemption“, is an emerging cybersecurity technique that is increasingly popular among companies. In this article we will see in detail what it is, how it works and what advantages it offers for protection against advanced cyber threats.

What is deception?

Cyberdeception or “decemption” is the deliberate distribution of false information within a system to deceive a potential attacker. The goal is to confuse and distract the cybercriminal, making him waste precious time and hindering his activity.

It is a proactive cyber defense technique that allows you to trace and study the behavior of the intrusion, to then respond and neutralize the threat. The principle is to mislead the hacker, exploiting social engineering techniques in reverse.

Instead of protecting real information, deception creates fake resources – files, networks, services – that look real. The attacker ends up hitting decoys and traps that reveal his intentions and allow him to be stopped before he reaches critical assets.

How computer science works

The implementation of the deception takes place through specific tools and technologies that allow the distribution of false information within the IT infrastructure. These fake resources are monitored for any unauthorized access attempts.

Tricky traps

Fake resources are created such as fake file servers, fake databases, fake web pages, fake directory services, fake login credentials. These traps attract the attention of the hacker who ends up wasting valuable time trying to access them.

Alarms and alerts

Each interaction with the fake resources immediately generates an alert that signals the intrusion in progress. Deception tools are able to classify the threat level and provide an automatic response.

Activity tracking

Deceptive traps allow you to monitor the attacker’s behavior in real time, gathering valuable information on the techniques used and on the objectives.

Speed of response

Once a potential intrusion has been identified, the deception platform is able to respond immediately, for example by isolating the compromised system or the suspicious IP by blocking traffic.

What advantages does computer science offer?

The use of deception techniques has several advantages to raise the level of cybersecurity of an organization:

• Early detection of threats: Traps allow you to detect any attacks in progress early, before they reach your valuable assets.
• Proactive protection: deception allows you to switch from a reactive to a proactive posture, deceiving the attacker and hindering his activity.
• Analysis of attack techniques: by monitoring the traps it is possible to gather valuable information on the tactics, techniques and procedures (TTPs) of the cybercriminal.
• Better resource allocation: Rapid detection of the threat allows you to optimize the use of resources for the response, avoiding unnecessary “treasure hunts”.
• Effectiveness against advanced threats: the detection allows to detect and block even never seen before attacks, very sophisticated and without a signature.
• Integration with other defenses: Deception techniques can integrate seamlessly with firewalls, antivirus, intrusion detection systems (IDS), and more.
• Low costs: implementing deception requires a relatively low investment in economic terms, especially considering the benefits.

Use cases of deception

Deception can be effectively employed in several use cases, including:

Protection of critical assets

By creating deceptive traps around servers, databases, business critical applications, it is possible to immediately identify any targeted attacks and protect these assets.

Detection of internal attacks

Deception techniques allow you to quickly identify unauthorized access and anomalous activity by compromised internal users.

Securing OT and IoT environments

In industrial environments with industrial control systems (OT) and the Internet of Things (IoT) the decision adds an extra layer of security.

Response to advanced incidents

In the event of advanced breaches already underway, deception techniques can effectively support containment and response activities.

Cloud and virtualized environments

The dynamic and distributed nature of the cloud and virtual data centers makes security complex: deception can fill gaps and vulnerabilities.

Deception tools: Honeypot, Honeytoken, Honeyfile

Some specific tools are used to distribute false information and implement IT deception, including:

Honeypot

These are trap systems designed to attract attackers by making them believe that they are real resources of the information system. A honeypot simulates services and vulnerabilities to monitor and study attack techniques.

Honeytoken

Fake information such as bogus credentials, invalid API keys, trap passwords. They are scattered throughout the system to be monitored and detect unauthorized access.

Honeyfile

Inauthentic files placed as decoys to attract attackers and monitor their behavior. They can also contain malicious code to “infect” anyone who tries to use them without permission.

Deception: an insight into the techniques

To understand in more detail the functioning of IT deception, let’s analyze some of the main techniques used.

Creating fake services

Fake services, such as a fake FTP server or a fake LDAP directory service, can be deployed on the network to attract the attacker’s attention. These will try to interact with you by revealing their intentions.

Generating false errors

During the intrusion, false error messages can be generated to confuse the attacker and induce him to waste precious time. For example a fake “file not found” or “permission denied”.

Creation of honeyfiles

As mentioned, honeyfiles are trap files designed to lure in attackers. They can be named catchy, like “password.txt” or “credit card data.xlsx”. Logging in reveals the intrusion.

Traffic mirroring

The deception platform can replicate and mirror real network traffic to confuse the attacker as to which resources are genuine.

Information camouflage

By subtly altering data such as usernames, IP addresses, domain names, it is possible to trick the hacker into making revealing mistakes.

Honeytokens in technology stacks

Honeytokens can be introduced into various layers of the technology stack: fake user accounts, fake API keys, invalid cloud credentials.

Decoy document injection

It consists of introducing decoys into systems in the form of false documents containing malicious code. Running the code helps detect and track the intrusion.

Dynamic deception

Deception techniques can be applied dynamically by continuously changing the attack surface to confuse the opponent.

Conclusion: why deception is critical today

In a constantly evolving threat landscape, with increasingly sophisticated attacks, perimeter protection alone is no longer enough. Cyber awareness represents a new indispensable level of defense.

By proactively deceiving adversaries, intrusions can be detected early and responded to quickly, before damage occurs. Deception tools allow you to acquire superior threat intelligence on the enemy to adapt your defenses.

The Active Defense Deception service of the Secure Online Desktop, integrating deception techniques with threat hunting and threat intelligence, can significantly raise the level of security of a company against the most advanced threats.

Useful links:

• Miter Att&ck™: An Overview
• Spammer techniques: how do they exploit e-mail?
• Ethical hacking: defend knowing how to attack
• Penetration testing vs. Breach Attack Simulation: differences and advantages for complete IT security