Deception technologies offer enhanced threat hunting capability

06 July 2023

Mark Oakton, CEO/CISO, Infosec Partners


Cyber-attacks are undoubtedly becoming more sophisticated and more widespread, and they are proving more difficult to detect and defend against using traditional, reactive security controls. This is forcing security teams to look for and deploy smarter threat hunting tools as a more proactive way of protecting their network infrastructure and frustrating would-be hackers.

Typically, the first the SOC knows about an attack is when it is already in progress. If they are lucky, their security platform will have done its job and blocked the attacker at the first line of defence, lighting up their dashboards with alerts. If they are not so lucky, they are more likely to be dealing with a damage-limitation situation and the consequences of unauthorised access to sensitive and valuable assets.

In recent years a new approach to cybersecurity has emerged that gives security teams the proactive tools needed to get ahead of attackers and enhance traditional threat hunting methodologies, potentially saving expensive resources by, for example, eliminating the time spent investigating false positives. These tools use advanced deception techniques designed to divert hackers away from live production environments onto a decoy attack surface. Because no legitimate user has any reason to touch a decoy, they can detect the typical tell-tale signs of an attack early, in the planning and preparation stage, such as attempts to access user directories and unusual lateral movement between systems.

The objective of deploying any security control is to protect against unauthorised access, and deception technology can be a useful additional defensive layer: it provides an early warning of an imminent attack, or evidence of malicious activity already in progress, while diverting the attacker to fake data and credentials so that the enterprise’s real assets are protected.

Deception technology can also serve as an effective research tool. By analysing how cyber criminals break the security perimeter and attempt to steal what they believe to be legitimate data, security analysts can study their behaviour in depth, for example by recording the movements of malicious actors from initial contact through to interaction with the decoy. The decoy server logs and monitors every vector used throughout the attack, providing valuable data that can help the IT team strengthen security and prevent similar attacks in the future.
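As an added illustration of the two points above (decoy touches as high-fidelity early warnings, and the per-attacker record a decoy server builds up), here is a small monitor that is not from the article or any vendor product: it holds a constructed inventory of decoy hosts, accounts and shares (all names hypothetical), parses constructed authentication and file-access log lines, and returns, per source address, the timeline of events that involved a decoy.

```python
import re
from collections import defaultdict

# Constructed decoy inventory (hypothetical names, not real assets).
DECOY_HOSTS = {"fs-backup02", "sql-archive01"}
DECOY_ACCOUNTS = {"svc_backup_legacy"}
DECOY_SHARES = {"//fs-backup02/Finance_Archive"}

# Constructed log format: "<ts> src=<ip> user=<name> action=<verb> target=<obj>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) action=(?P<action>\S+) target=(?P<target>\S+)"
)

def classify(event):
    """Return every decoy element the event touched; an empty list means no decoy involved."""
    reasons = []
    if event["user"] in DECOY_ACCOUNTS:
        reasons.append("decoy credential used")
    if event["target"] in DECOY_SHARES:
        reasons.append("decoy share accessed")
    elif event["target"] in DECOY_HOSTS:
        reasons.append("decoy host contacted")
    return reasons

def hunt(lines):
    """Return {source_ip: [(ts, action, target, reasons), ...]} for events that touched a decoy."""
    timeline = defaultdict(list)  # one ordered timeline per source, first contact onwards
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines that do not match the expected format
        ev = m.groupdict()
        reasons = classify(ev)
        if reasons:
            timeline[ev["src"]].append((ev["ts"], ev["action"], ev["target"], reasons))
    return dict(timeline)

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "10:01:02 src=10.0.5.23 user=alice action=logon target=ws-023",
    "10:03:11 src=10.0.5.23 user=alice action=ldap_enum target=dc01",
    "10:04:40 src=10.0.5.23 user=svc_backup_legacy action=logon target=fs-backup02",
    "10:05:09 src=10.0.5.23 user=svc_backup_legacy action=smb_read target=//fs-backup02/Finance_Archive",
    "10:06:00 src=10.0.7.8 user=bob action=smb_read target=//fs-prod01/Shared",
]

if __name__ == "__main__":
    for src, events in hunt(SAMPLE_LOG).items():
        print(f"ALERT: {src} touched decoys {len(events)} time(s)")
        for ts, action, target, reasons in events:
            print(f"  {ts} {action} {target}: {', '.join(reasons)}")
```

Only the source that used the planted credential and reached the decoy host and share is reported; the ordinary activity from the second source produces nothing, which is what makes decoy alerts cheap to triage.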

Given the obvious benefits these relatively low-cost and easy-to-deploy deception technologies can deliver for security teams, the question arises: why are these tools not more widely deployed by businesses and public sector bodies?

Whilst there are signs that more companies are looking at introducing a deception-based approach to cybersecurity, and most leading analysts are forecasting significant growth over the next 3 to 5 years, some challenges are still restricting the rate of adoption, particularly among smaller businesses. One of the major obstacles to more widespread deployment is that, to be fully effective, the technology needs to be closely managed and monitored by a dedicated team of security experts, who are prohibitively expensive for most IT budgets and also in short supply.

As with all cyber control frameworks, there is an army of hackers continually working on ways of circumventing them, first by identifying and then by bypassing the decoys. The SOC therefore needs to be equally creative, keeping the decoys obfuscated enough that attackers remain undetected-looking long enough to give away their presence in the network, their motivation and their intended targets, so that timely mitigating actions can be taken. In essence this means engaging with the attackers in real time, changing elements of the decoy environment to create doubt and confusion so that they ultimately give up and move on, leaving behind useful information about themselves in the process.

Operating at this level requires a high degree of expertise and experience, which is best delivered by transferring responsibility for managing the technology to a dedicated security service supplier.

A professional managed deception technology service enables enterprises to take full advantage of all the features and functionality on offer, ensures that the technology is correctly configured in line with the organisation’s network infrastructure and existing security controls, and allows it to be monitored 24/7 by specialist security engineers, enabling a rapid response to the first signs of malicious activity.

For enterprises and small businesses alike, deception technology changes the dynamic between themselves and their attacker, putting them more in control of their network security and moving them from a traditional defensive posture to a more advantageous position that puts the hacker on the back foot. It can therefore benefit an organisation of any size, regardless of the complexity of its network environment, working alongside existing security controls to minimise the chances of a preliminary attack turning into a serious breach.