decezione informatica Piergiorgio Venuti

Deception: what it is, how it works and why it is essential for cybersecurity

Estimated reading time: 6 minutes

Deception: what is it and what is it for?

Cyberdeception, also known as “decemption“, is an emerging cybersecurity technique that is increasingly popular among companies. In this article we will see in detail what it is, how it works and what advantages it offers for protection against advanced cyber threats.

What is deception?

Cyberdeception or “decemption” is the deliberate distribution of false information within a system to deceive a potential attacker. The goal is to confuse and distract the cybercriminal, making him waste precious time and hindering his activity.

It is a proactive cyber defense technique that allows you to trace and study the behavior of the intrusion, to then respond and neutralize the threat. The principle is to mislead the hacker, exploiting social engineering techniques in reverse.

Instead of protecting real information, deception creates fake resources – files, networks, services – that look real. The attacker ends up hitting decoys and traps that reveal his intentions and allow him to be stopped before he reaches critical assets.

How computer science works

The implementation of the deception takes place through specific tools and technologies that allow the distribution of false information within the IT infrastructure. These fake resources are monitored for any unauthorized access attempts.

Tricky traps

Fake resources are created such as fake file servers, fake databases, fake web pages, fake directory services, fake login credentials. These traps attract the attention of the hacker who ends up wasting valuable time trying to access them.

Alarms and alerts

Each interaction with the fake resources immediately generates an alert that signals the intrusion in progress. Deception tools are able to classify the threat level and provide an automatic response.

Activity tracking

Deceptive traps allow you to monitor the attacker’s behavior in real time, gathering valuable information on the techniques used and on the objectives.

Speed of response

Once a potential intrusion has been identified, the deception platform is able to respond immediately, for example by isolating the compromised system or the suspicious IP by blocking traffic.

What advantages does computer science offer?

The use of deception techniques has several advantages to raise the level of cybersecurity of an organization:

  • Early detection of threats: Traps allow you to detect any attacks in progress early, before they reach your valuable assets.
  • Proactive protection: deception allows you to switch from a reactive to a proactive posture, deceiving the attacker and hindering his activity.
  • Analysis of attack techniques: by monitoring the traps it is possible to gather valuable information on the tactics, techniques and procedures (TTPs) of the cybercriminal.
  • Better resource allocation: Rapid detection of the threat allows you to optimize the use of resources for the response, avoiding unnecessary “treasure hunts”.
  • Effectiveness against advanced threats: the detection allows to detect and block even never seen before attacks, very sophisticated and without a signature.
  • Integration with other defenses: Deception techniques can integrate seamlessly with firewalls, antivirus, intrusion detection systems (IDS), and more.
  • Low costs: implementing deception requires a relatively low investment in economic terms, especially considering the benefits.

Use cases of deception

Deception can be effectively employed in several use cases, including:

Protection of critical assets

By creating deceptive traps around servers, databases, business critical applications, it is possible to immediately identify any targeted attacks and protect these assets.

Detection of internal attacks

Deception techniques allow you to quickly identify unauthorized access and anomalous activity by compromised internal users.

Securing OT and IoT environments

In industrial environments with industrial control systems (OT) and the Internet of Things (IoT) the decision adds an extra layer of security.

Response to advanced incidents

In the event of advanced breaches already underway, deception techniques can effectively support containment and response activities.

Cloud and virtualized environments

The dynamic and distributed nature of the cloud and virtual data centers makes security complex: deception can fill gaps and vulnerabilities.

Deception tools: Honeypot, Honeytoken, Honeyfile

Some specific tools are used to distribute false information and implement IT deception, including:

Honeypot

These are trap systems designed to attract attackers by making them believe that they are real resources of the information system. A honeypot simulates services and vulnerabilities to monitor and study attack techniques.

Honeytoken

Fake information such as bogus credentials, invalid API keys, trap passwords. They are scattered throughout the system to be monitored and detect unauthorized access.

Honeyfile

Inauthentic files placed as decoys to attract attackers and monitor their behavior. They can also contain malicious code to “infect” anyone who tries to use them without permission.

Deception: an insight into the techniques

deception

To understand in more detail the functioning of IT deception, let’s analyze some of the main techniques used.

Creating fake services

Fake services, such as a fake FTP server or a fake LDAP directory service, can be deployed on the network to attract the attacker’s attention. These will try to interact with you by revealing their intentions.

Generating false errors

During the intrusion, false error messages can be generated to confuse the attacker and induce him to waste precious time. For example a fake “file not found” or “permission denied”.

Creation of honeyfiles

As mentioned, honeyfiles are trap files designed to lure in attackers. They can be named catchy, like “password.txt” or “credit card data.xlsx”. Logging in reveals the intrusion.

Traffic mirroring

The deception platform can replicate and mirror real network traffic to confuse the attacker as to which resources are genuine.

Information camouflage

By subtly altering data such as usernames, IP addresses, domain names, it is possible to trick the hacker into making revealing mistakes.

Honeytokens in technology stacks

Honeytokens can be introduced into various layers of the technology stack: fake user accounts, fake API keys, invalid cloud credentials.

Decoy document injection

It consists of introducing decoys into systems in the form of false documents containing malicious code. Running the code helps detect and track the intrusion.

Dynamic deception

Deception techniques can be applied dynamically by continuously changing the attack surface to confuse the opponent.

Conclusion: why deception is critical today

In a constantly evolving threat landscape, with increasingly sophisticated attacks, perimeter protection alone is no longer enough. Cyber awareness represents a new indispensable level of defense.

By proactively deceiving adversaries, intrusions can be detected early and responded to quickly, before damage occurs. Deception tools allow you to acquire superior threat intelligence on the enemy to adapt your defenses.

The Active Defense Deception service of the Secure Online Desktop, integrating deception techniques with threat hunting and threat intelligence, can significantly raise the level of security of a company against the most advanced threats.

Useful links:

Share


RSS

More Articles…

Categories …

Tags

RSS darkreading

RSS Full Disclosure

  • SEC Consult SA-20241009-0 :: Local Privilege Escalation via MSI installer in Palo Alto Networks GlobalProtect (CVE-2024-9473) October 10, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Oct 09>
  • APPLE-SA-10-03-2024-1 iOS 18.0.1 and iPadOS 18.0.1 October 8, 2024
    Posted by Apple Product Security via Fulldisclosure on Oct 07APPLE-SA-10-03-2024-1 iOS 18.0.1 and iPadOS 18.0.1 iOS 18.0.1 and iPadOS 18.0.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/121373. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Media Session Available for: iPhone […]
  • Some SIM / USIM card security (and ecosystem) info October 4, 2024
    Posted by Security Explorations on Oct 04Hello All, Those interested in SIM / USIM card security might find some information at our spin-off project page dedicated to the topic potentially useful: https://security-explorations.com/sim-usim-cards.html We share there some information based on the experiences gained in the SIM / USIM card security space, all in a hope this […]
  • SEC Consult SA-20240930-0 :: Local Privilege Escalation via MSI Installer in Nitro PDF Pro (CVE-2024-35288) October 1, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Sep 30>
  • Backdoor.Win32.Benju.a / Unauthenticated Remote Command Execution September 29, 2024
    Posted by malvuln on Sep 28Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/88922242e8805bfbc5981e55fdfadd71.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Backdoor.Win32.Benju.a Vulnerability: Unauthenticated Remote Command Execution Family: Benju Type: PE32 MD5: 88922242e8805bfbc5981e55fdfadd71 SHA256: 7d34804173e09d0f378dfc8c9212fe77ff51f08c9d0b73d00a19b7045ddc1f0e Vuln ID: MVID-2024-0700...
  • Backdoor.Win32.Prorat.jz / Remote Stack Buffer Overflow (SEH) September 29, 2024
    Posted by malvuln on Sep 28Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/277f9a4db328476300c4da5f680902ea.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Backdoor.Win32.Prorat.jz Vulnerability: Remote Stack Buffer Overflow (SEH) Description: The RAT listens on TCP ports 51100,5112,5110 and runs an FTP service. Prorat uses a vulnerable component in a secondary malware […]
  • Backdoor.Win32.Amatu.a / Remote Arbitrary File Write (RCE) September 29, 2024
    Posted by malvuln on Sep 28Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/1e2d0b90ffc23e00b743c41064bdcc6b.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Backdoor.Win32.Amatu.a Vulnerability: Remote Arbitrary File Write (RCE) Family: Amatu Type: PE32 MD5: 1e2d0b90ffc23e00b743c41064bdcc6b SHA256: 77fff9931013ab4de6d4be66ca4fda47be37b6f706a7062430ee8133c7521297 Vuln ID: MVID-2024-0698 Dropped...
  • Backdoor.Win32.Agent.pw / Remote Stack Buffer Overflow (SEH) September 29, 2024
    Posted by malvuln on Sep 28Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/68dd7df213674e096d6ee255a7b90088.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Backdoor.Win32.Agent.pw Vulnerability: Remote Stack Buffer Overflow (SEH) Description: The malware listens on TCP port 21111. Third-party attackers who can reach an infected machine can send specially crafted sequential packetz […]
  • Backdoor.Win32.Boiling / Remote Command Execution September 29, 2024
    Posted by malvuln on Sep 28Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/80cb490e5d3c4205434850eff6ef5f8f.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Backdoor.Win32.Boiling Vulnerability: Unauthenticated Remote Command Execution Description: The malware listens on TCP port 4369. Third party adversaries who can reach an infected host, can issue single OS commands to […]
  • Defense in depth -- the Microsoft way (part 88): a SINGLE command line shows about 20, 000 instances of CWE-73 September 29, 2024
    Posted by Stefan Kanthak on Sep 28Hi @ll, CWE-73: External Control of File Name or Path is a well-known and well-documented weakness. as well as demonstrate how to (ab)use just one instance of this weakness (introduced about 7 years ago with Microsoft Defender, so-called "security software") due to...

Customers

Newsletter

{subscription_form_1}