How security teams are turning to decoy networks
Some of the greatest survivors in nature are those that fool predators in order to derail their attack. This allows them to realise the threat and make their escape or fight back.
Take, for instance, the juvenile Damselfish. When threatened by predators, this marine marvel shrinks its eyes and grows a large spot on its tail to look like an eye. Having such a decoy deceives anything wishing to dine on the Damselfish into attacking the tail rather than the head. The fish can then swim off to safety. Similar forms of cunning can also be seen with butterfly fish, octopus, chameleons, and tree frogs, which are all adept at using various forms of camouflage as a defense against predators.
In cyber deception, decoys and lures offer similar benefits in their use of camouflage to keep corporate networks and their information safe. This creates an advantage that other security tools cannot provide. Because the decoys hide in plain sight, attackers can be tricked and derailed, causing adversaries to make mistakes and turning the tables on those that try to infiltrate systems.
Deceiving the deceiver
Cyber deception defense tactics protect a network by convincing a cybercriminal that they are accessing the actual network, when in fact they are wandering aimlessly through a virtual “hall of mirrors”.
This starts by providing the in-network attacker with attractive targets that replicate the look, feel, and behavior of the actual network. This is done through the use of decoy networks, which are based on the same operating systems, applications, and identities as the production systems. Placing attractive “breadcrumbs” based on credentials and mapped drives will also proactively and quickly lure the attacker into the deception environment. So too will populating the decoy with recent, seemingly valuable content that the attacker would expect to find. Being attractive is important, but it must also be balanced with authenticity. As such, decoy networks should not be too obvious or easy to infiltrate, or attackers will promptly identify them as fakes and avoid them.
A well-designed decoy network will not only reduce risk by detecting threats early but will also benefit the defender with intelligence they could not gather elsewhere. This intelligence can be used to reduce response time from hours to minutes, and using it to fortify defenses can provide a competitive advantage. Whether the motivation is in the fidelity of the detection or in the desire to gather adversary intelligence and forensics, deception is providing a unique offering and one that the adversary is not often expecting or prepared for.
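The credential breadcrumbs and the early, high-fidelity detection described above can be sketched as follows. This is an added example, not code from the article or from any deception product. The log format, account names, host names, and the one-breadcrumb-per-endpoint planting scheme are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed deception inventory (all names are hypothetical). Assumption:
# each breadcrumb credential is planted on exactly one production endpoint
# and is never issued to a real user, so any use of it is suspicious.
BREADCRUMBS = {"svc_backup_adm": "ws-finance-07", "sql_report_ro": "ws-hr-02"}
DECOY_HOSTS = {"fs-archive-01", "db-legacy-03"}

# Constructed authentication events: timestamp, source IP, account, target, result.
SAMPLE_LOG = """\
2024-05-01T09:14:02Z 10.0.4.21 jsmith fs-prod-01 success
2024-05-01T09:15:40Z 10.0.4.87 svc_backup_adm fs-archive-01 success
2024-05-01T09:16:05Z 10.0.4.87 svc_backup_adm fs-prod-01 failure
2024-05-01T09:20:11Z 10.0.9.13 mlee db-legacy-03 failure
malformed line
"""
FIELDS = ("ts", "src", "account", "target", "result")

def detect(log_text):
    """Return one alert per event that touches a breadcrumb or a decoy host."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip malformed lines rather than guessing at fields
        ev = dict(zip(FIELDS, parts))
        reasons = []
        if ev["account"] in BREADCRUMBS:
            reasons.append("breadcrumb credential used")
        if ev["target"] in DECOY_HOSTS:
            reasons.append("decoy host contacted")
        if reasons:
            ev["reasons"] = reasons
            # Where the lure was planted points at the likely foothold.
            ev["planted_on"] = BREADCRUMBS.get(ev["account"])
            alerts.append(ev)
    return alerts

def summarize(alerts):
    """Group alerts by source address for triage."""
    by_src = defaultdict(lambda: {"events": 0, "footholds": set(), "targets": set()})
    for a in alerts:
        s = by_src[a["src"]]
        s["events"] += 1
        s["targets"].add(a["target"])
        if a["planted_on"]:
            s["footholds"].add(a["planted_on"])
    return dict(by_src)

if __name__ == "__main__":
    for src, s in summarize(detect(SAMPLE_LOG)).items():
        print(src, s["events"], sorted(s["footholds"]), sorted(s["targets"]))
```

Because legitimate users have no reason to hold a breadcrumb or reach a decoy, every alert here warrants investigation, and the planting record turns an alert into a pointer at the endpoint where the credential was harvested.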