Deception technology is a cybersecurity defense practice that aims to deceive attackers by distributing a collection of traps and decoys across a system's infrastructure to imitate genuine assets. If an intruder triggers a decoy, then the server will log and monitor the attack vectors utilized throughout the duration of the engagement.
As attack vectors become increasingly complex, organizations need to be able to detect suspicious activity earlier in the attack chain and respond accordingly. Deception technology provides security teams with a number of tactics and resulting benefits to help:
In incident detection and response, time and context are crucial. And yet many detection solutions wait until critical assets have been compromised to send an alert, while others—like those that only analyze log and network data—can’t provide important details, such as how the attacker got in, or where they're headed next. Kind of makes planning a response, well, pretty darn impossible.
InsightIDR, Rapid7’s incident detection and response solution, can help close these gaps in detection. How? By making attackers an offer they can’t refuse. Leveraging cutting-edge deception technology powered by a deep understanding of attacker behavior, InsightIDR sets irresistible traps to draw out malicious behavior earlier in the attack chain and buy your team the time and insight needed to respond effectively.
Pick your poison: InsightIDR offers four types of intruder traps to detect attackers earlier during network recon and lateral movement—before critical data is stolen. All four – honeypots, honey users, honey credentials, and honey files – are quick to set up and built using continuous attacker research from the Metasploit project, as well as our pen-testers and 24/7 Security Operations Center (SOC). And since InsightIDR combines this deception technology with user behavior analytics (UBA) and endpoint detection, you can be sure it will detect intruders across the entire attack chain.
When an attacker first lands on your network, it's a beautiful thing. Why? It’s one of the rare moments you actually have the upper hand. And InsightIDR’s honeypots can help you make the most of it. Here’s how it works: Attackers use internal reconnaissance, such as network scans, to determine where to laterally move next. Honeypots, decoy machines/servers set to listen on the network, detect the use of nMap and other scanning tools to alert you to an attacker’s presence. Traditionally, honeypots have been difficult to set up and centrally manage, but with InsightIDR, it’s easy to deploy one or multiple across your network.
Once an attacker has internal access to your network, they’ll likely try a vertical bruteforce, querying Active Directory to see the full list of users and try a small number of commonly used passwords across those accounts. Would your monitoring solution detect this today? InsightIDR helps detect password guessing attempts by enabling you to define a honey user, such as PatchAdmin, and get alerted on any authentications to that decoy account.
Once an attacker compromises an endpoint, they can extract password hashes and even cleartext credentials, no outside malware required. While endpoint detection and response solutions may be able to identify privilege escalation and other malicious exploits, the question remains: What did the attacker do from there? InsightIDR not only provides real-time endpoint detection, but also injects fake honey credentials on your endpoints to deceive attackers. If this credential is used anywhere else on the network, such as with pass-the-hash, you’ll be automatically alerted.
Once an attacker has access to confidential materials, the next step is getting it off the network—typically by zipping and copying the files to an external drop server or stolen cloud storage account. As this exfiltration often goes over HTTP/HTTPS, it’s difficult to detect with firewalls and existing monitoring solutions. With InsightIDR, you can specify a honey file in a critical directory. All actions taken on this file – including opening, editing, and copying – are monitored, giving you file-level visibility without the effort of deploying a standalone File Integrity Monitoring solution.
InsightIDR offers four types of intruder traps to detect attackers earlier during network recon and lateral movement, before critical data is stolen. All four—honeypots, honey users, honey credentials, and honey files—are quick to set up and are built from continuous attacker research from the Metasploit project.