Deception technology is a category of incident detection and response technology that helps security teams detect, analyze, and defend against advanced threats by enticing attackers to interact with false IT assets deployed within your network. The deception approach can give you high-fidelity alerts around specific malicious behaviors, many of which are challenging to identify by log analysis or a SIEM tool alone. The benefit: You can identify suspicious activity early in an attack chain, as well as confuse and misdirect an adversary on your internal network. This page will give an overview of deception technology and dive into three examples: honeypots, honey users, and honey credentials.
Whether you want to picture deception technology as a worm dangling on a fish hook, a chunk of cheddar hidden in a mousetrap, or the notes of an enticing siren song luring sailors to their death, the message is the same: Deception technology is bait. By setting irresistible traps that appear to be legitimate IT assets, it entices attackers on your internal network to interact with them, triggering an alert and giving your team the time, insight, and context they need to respond effectively. Because no one within your organization needs to interact with deception technology as part of their job, any activity it records is automatically suspicious. Therefore, a key benefit of deception technology is high-fidelity alerts that identify very specific malicious behaviors.
Deception technology can reduce attacker dwell time on your network, speed up mean time to detect and remediate, reduce alert fatigue, and provide vital information around indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).
Deception technology can help detect the following types of threats:
For deception technology to be effective, it has to appear legitimate enough to trick a sophisticated attacker, while neatly folding into your existing threat detection strategy. Ideally, the deception technology is easy to deploy, automatically updates as needed, and can feed generated alerts right into your security information and event management (SIEM) platform.
Here are a few specific examples of deception technology:
Honeypots are decoy systems or servers that are deployed alongside production systems within your network. They can look like any other machine on the network or be deployed to look like something an attacker could target. There are many applications and use cases for honeypots, as they work to divert malicious traffic away from important systems, identify anomalous network scans, and reveal information about attackers and their methods.
In terms of objectives, there are two types of honeypots. Research honeypots gather information about attacks and are used specifically for studying malicious behavior out in the wild. Looking at both your environment and the wider world, they gather information on attacker trends, malware strains, and vulnerabilities that are actively being targeted by adversaries. This can inform your preventive defenses, patch prioritization, and future investments.
Production honeypots, deployed on your network, help reveal internal compromise across your environment and give your team more time to respond. Information gathering is still a priority, as honeypots give you additional monitoring opportunities and fill in common detection gaps around identifying network scans and lateral movement.
Straightforward and low-maintenance, honeypots help you break an attack chain and slow adversaries down with high-fidelity alerts and contextual information. Interested in learning more about honeypots? Check out our page on honeypot technology.
Honey users are fake user accounts, usually deployed within Active Directory, that detect and alert on password-guessing attempts from malicious actors. Once an attacker has internal access to your network, they’ll likely try a vertical brute-force attack. This consists of querying Active Directory to enumerate employee accounts and trying a small number of commonly used passwords across those accounts. By defining and monitoring a honey user—an account with no business purpose—you can easily identify this stealthy password-guessing technique.
Attackers will be more likely to go after accounts with a juicy (yet believable) description, so naming it “PatchAdmin” or something similar can help bait them into interacting with it. It’s important to note that this dummy user account should not be associated with a real person within your organization and should never be used for any valid authentication.
Once an attacker compromises an endpoint, they will typically harvest passwords from the asset and try them elsewhere to access other resources on your network. Honey credentials help combat this technique by serving as fake credentials injected onto the endpoint. If authentication is attempted with the honey credential, an alert is generated. Whether someone attempts to log in to an asset with a honey credential or tries to use it to pivot to another endpoint, these credentials don’t actually grant access to any systems, so they are very safe to use.
Honey credentials also show a clear trail of an intruder moving laterally across your network—think of it like banks placing exploding dye packs in money bags to mark the money and identify it later.
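Both the honey-user and honey-credential detections above come down to the same rule: any authentication event naming a decoy identity is an alert, with the breadth of the accompanying password-guessing attached as context. The following is an added example written for this page (not vendor code); the "PatchAdmin" name comes from the text, while the "svc_backup_decoy" credential, the event records and the IP addresses are constructed.

```python
# Added example (not from the page): flag every authentication event that
# touches a honey user or honey credential, the way a SIEM rule would.
# Field layout mirrors Windows logon events (4624 success, 4625 failure);
# the records and decoy names below are constructed.
from collections import defaultdict
from dataclasses import dataclass

HONEY_USERS = {"patchadmin"}              # "PatchAdmin" is the name from the text
HONEY_CREDENTIALS = {"svc_backup_decoy"}  # constructed decoy planted on endpoints

# Constructed sample events: (event_id, target_user, source_ip, logging_host)
SAMPLE_EVENTS = [
    (4625, "alice", "10.0.5.23", "DC01"),              # start of a spray:
    (4625, "bob", "10.0.5.23", "DC01"),                # one password tried
    (4625, "PatchAdmin", "10.0.5.23", "DC01"),         # across many accounts
    (4625, "carol", "10.0.5.23", "DC01"),
    (4624, "alice", "10.0.7.9", "WS-041"),             # normal successful logon
    (4625, "svc_backup_decoy", "10.0.5.77", "FS-02"),  # harvested decoy reused
    (4625, "dave", "10.0.9.1", "WS-200"),              # lone typo, not a decoy
]

@dataclass(frozen=True)
class Alert:
    kind: str           # "honey_user" or "honey_credential"
    account: str
    source_ip: str
    host: str
    spray_breadth: int  # distinct accounts that failed from the same source

def detect(events):
    """Return one Alert per event naming a decoy identity. Decoys have no
    legitimate use, so success or failure both fire; the number of distinct
    accounts failing from the same source is attached as spray context."""
    failed_accounts = defaultdict(set)
    for event_id, user, ip, _ in events:
        if event_id == 4625:
            failed_accounts[ip].add(user.lower())
    alerts = []
    for event_id, user, ip, host in events:
        name = user.lower()
        if name in HONEY_USERS:
            kind = "honey_user"
        elif name in HONEY_CREDENTIALS:
            kind = "honey_credential"
        else:
            continue
        alerts.append(Alert(kind, user, ip, host, len(failed_accounts[ip])))
    return alerts
```

Run against the sample, the rule raises exactly two alerts: the spray from 10.0.5.23 (four accounts tried, PatchAdmin among them) and the reuse of the planted credential from 10.0.5.77, while the real users' failures and successes produce nothing.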