Nearly every week, it seems like the news reports another data breach or ransomware with data exfiltration attack. Companies need to focus on preventing incidents before they happen. However, recognising that’s not always possible, they also need a rapid incident detection strategy. Deception technology enables detection without compromising real data by using decoys or traps to trick cyber criminals into stealing fake data. Then, the technology sends high quality alerts giving security teams the ability to respond rapidly to the incident. Leveraging deception technology as part of your defense-in-depth security strategy helps improve key security metrics.
What are the data breach statistics?
Most companies know that “data breaches happen all the time.” However, there’s also a difference between “knowing” and “knowing.” When you dive into the data around breaches, the argument for detecting stolen data becomes more compelling.
According to the Sophos 2021 Threat Report:
- 97% of CEOs and CTOs agreed that the 2020 stay-at-home orders sped up their transition to cloud technologies.
- 70% of the 3,700 IT professionals surveyed claimed that their organization experienced a data breach.
According to the 2021 Data Breach Investigations Report, of 191 breaches arising from “Miscellaneous Errors”:
- 20% of respondents took “months” to discover
- 10% of respondents took “weeks” to discover
- 30% of respondents took “days” to discover
- 10% of respondents took “minutes” to discover
- Less than 5% of respondents took “seconds” to discover
In short, 60% of respondents took anywhere from “days” to “months” to discover the data breach. The longer the threat actors dwell in systems, the more data they can steal. This is why organizations need to have multiple detection strategies and technologies in place.
What is deception technology?
Security teams use deception technology for detection before or after cyber attackers gain unauthorized access to systems, networks, and software. The technology acts as a decoy that looks like legitimate assets. Often, threat actors will not notice the fake assets. This leads them to believe the attack and lateral movement went entirely undetected. Deception technology works well against zero-day attacks that might otherwise go undetected.
Examples of deception technology include fake:
- Network maps
- Network connections
- Browser histories
- Registry entries
- Systems or servers
- User accounts
- Credentials on endpoints
Why use deception technology?
Organizations should assume that external threat actors or internal malicious actors have already gained access to systems and networks or will do at some point. To protect data, they need to adopt a defense-in-depth strategy that uses different techniques and controls to prevent, detect and respond to attacks.
Deception technology is just one such control, but can be deployed widely, with the confidence that it will provide several highly valuable benefits:
- Proactive “assume breach” posture: Placing deception technology on endpoints, in Active Directory, and on the network assumes that one of these high-risk attack vectors has been, is, or will be breached.
- Reduce alert fatigue: Only threat actors will cause a deception technology to send an alert, reducing the number of false positives.
- Defend against the “human element”: Focusing on threat actors’ end goals targets their reason for engaging in the attack to mitigate the often overlooked human element involved in attacks.
- Enrich security analytics: By detecting only malicious activity, security teams can enrich their threat intelligence with more focused data.
- Prove security posture: Reducing alert noise with deception technology means that security teams can more rapidly respond to data security incidents, improving key metrics like mean time to detect (MTTD), mean time to investigate (MTTI), and mean time to respond (MTTR).
- Detect insider threats: Fake information used to trap malicious actors also provides visibility into insiders trying to access resources outside their job description.
Understanding what deception technology is and the benefits it provides can give organizations a way to enhance their security posture
How deception technology works
This is the “all squares are rectangles but not all rectangles are squares” scenario. When people hear the term “deception technology,” they often assume you mean honeypots. Originally used in the 1990s, these are the first type of deception technology devised. However, since then, deception technology has evolved to encompass many forms and uses.
Decoys are the most recognizable deception technology. These are fake systems or software that threat actors will try to attack. A honeypot is an example of a decoy. The goal of deception technology is often to “trick” threat actors into interacting with the decoy. As soon as the threat actor does this, the technology sends the security team an alert.
Breadcrumbs attract the attacker to the decoy. When the threat actors engage in their reconnaissance, they will detect the breadcrumb. Then, they follow it to the decoy endpoint or network.
Baits, also called honeytokens, are fake data or credentials that would appeal to a threat actor. The fake data or credentials are placed where real users don’t go so that any activity can be attributed only to threat actors.
A lure is the information that makes the fake data or credential attractive to threat actors. Real users will not be able to see the lures, but malicious actors will. For example, a lure might be a fake “admin” account or fabricated personal information, like email or name.
Low or High Interaction
With a low-interaction deception technology, the threat actors have little ability to interact with the decoy. Deployed as a static environment, low-interaction technologies are usually easy to deploy because their maintenance requires few resources. Problematically, the limited interaction with the threat actor also means that they’re easy for attackers to detect.
For example, a low-interaction decoy might be placing fake data in a file location that a malicious actor would find it. When the threat actor tries to interact with the data, the technology notifies the security team.
On the other hand, high-interaction decoys are often real systems that exist only to detect malicious activity. In essence, the company sets up an entire system, like a server, that looks and acts like one of the real ones. Attackers are less likely to realize it’s a decoy. While they can give a lot of insight into attacker behavior, they also require significant resources.
For example, an organization may decide to create a high-interaction honeypot that incorporates real servers, endpoints, operating systems, and applications. No one else in the organization has access to these services, meaning that only malicious actors would be interacting with it. Problematically, these require a lot of resources to maintain, and threat actors can weaponize them.
Seedata: Taking Deception Technology Beyond the Perimeter
Traditional deception technology solutions live inside an organization’s systems, networks, endpoints, and applications. These provide visibility into threat actors and reduce dwell time. However, if threat actors evade these detections, your information is available outside your network perimeter.
Seedata delivers deception technology “as-a-Service” by planting unique, trackable records within systems. Our complex rules engine starts by analyzing your systems to detect interaction with the trackable records to identify security incidents.
Most deception technologies stop there. However, Seedata monitors the surface, deep, and dark web for indicators that the data has been exposed. We extend our capabilities beyond your systems and networks, taking deception technology beyond the traditional perimeter and enhancing investigations with actionable threat intelligence.