Cyber attacks worldwide have increased massively over the past decade. Hundreds of cybersecurity incidents have made headline news, with attackers turning to novel techniques and crafting sophisticated malware, tools, techniques, and procedures to bypass existing security controls. This type of attack is referred to today as an Advanced Persistent Threat (APT). The main challenge with APTs, besides their complexity, is dwell time: the amount of time adversaries spend inside the target network without being detected. According to the M-Trends 2020 report, the average dwell time in the EMEA region is 54 days.
The inherent complexity of APTs stems from the fact that adversaries, besides using zero-day malware and exploits to penetrate the network, use legitimate tools inside the network to maintain their presence and move laterally. This use of legitimate tools makes detection harder: the tools the adversary relies on are the same ones administrators use, so they cannot be blocked without disrupting business operations, and their use matches no malware signature.
Dynamic deception is an emerging category of cybersecurity defense mechanisms used to detect sophisticated APT attacks. A dynamic deception system builds a honey-component inside the production network by deploying fake assets (e.g., honeypots, honeytokens, honey documents). These honey-components must have a level of authenticity that makes them indistinguishable, from the adversary's point of view, from legitimate resources. Their goal is to misdirect adversaries and lure them into interacting with the decoys. Dynamic deception usually complements the other cybersecurity controls in place and augments the existing security infrastructure. It is designed primarily as a post-breach detection tool that catches adversaries while they are active inside the network. Because it is not a pattern-based solution, there is no need to know the malware in advance in order to detect it: it works by deploying honey-components such as honeypots, honey-credentials, honey-tokens, honey-cookies, honey-shares, honey-drives, honey-folders, honey-URLs, and honey-documents throughout the network, making them attractive targets for the adversary.
Dynamic deception systems are deployed as passive elements of the network rather than inline, so they add no latency to production traffic and have no impact on the operation of production systems. The honey-components are designed and customized to look identical to production network components, so that they appear authentic and cannot be identified as decoys. In this way the honey-components become plausible targets for the adversary.
Dynamic deception engages adversaries anywhere across the enterprise network: clients, servers, and services. As attackers look for high-value assets (crown jewels), they scan the decoys alongside the production assets, because the decoys are indistinguishable from the rest of the network. No legitimate process ever touches a decoy, so any scan, probe, or ping of one is a high-confidence indicator, and the deception platform alerts on it immediately. The converse also holds: an adversary who never touches a decoy generates no alert, so decoys must be placed along the paths an attacker is likely to take.
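As an added illustration of the honeytoken principle described above (example code written for this edit, not taken from the original text or from any deception product it describes): a handful of decoy artefacts are planted, none of which any legitimate process ever uses, and every log line that references one of them becomes an alert regardless of what tool produced it. The account names, share path, URL and log lines below are all constructed for the example; the SMB log format in particular is hypothetical.

```python
"""Honeytoken detection over sample log lines (added example, not from the page).

Decoy credentials, a decoy SMB share and a decoy URL are "planted". Any
reference to them in authentication, file-share or web-server logs is an
alert: no signature of the attacker's tooling is needed, because nothing
legitimate should ever touch a decoy.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Decoy artefacts planted in the environment (hypothetical names and paths).
HONEY_TOKENS = {
    "credential": {"svc_backup_legacy", "adm_sql_migrate"},  # honey-credentials left in a decoy script
    "share":      {r"\\fs01\Finance_Archive"},               # honey-share advertised on a file server
    "url":        {"/admin/backup_2019.zip"},                # honey-URL embedded in a honey-document
}
# Case-insensitive index: Windows account names and UNC paths are not case-sensitive.
HONEY_INDEX = {t: {v.casefold() for v in vals} for t, vals in HONEY_TOKENS.items()}


@dataclass
class Alert:
    token_type: str   # which kind of decoy was touched
    token: str        # the decoy value as it appeared in the log
    source: str       # client address that touched it
    line: str         # raw log line, kept for forensics


# Log formats we monitor. sshd and the Apache/Nginx combined format are real;
# the smbd line format below is constructed for this example.
SSH_RE = re.compile(r"sshd\[\d+\]: (?:Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)")
SMB_RE = re.compile(r"smbd: user=(\S+) client=(\S+) share=(\S+)")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')


def candidates(line):
    """Return (token_type, value, source) triples found in one log line."""
    m = SSH_RE.search(line)
    if m:
        return [("credential", m.group(1), m.group(2))]
    m = SMB_RE.search(line)
    if m:  # an SMB access names both an account and a share; check both
        return [("credential", m.group(1), m.group(2)), ("share", m.group(3), m.group(2))]
    m = WEB_RE.search(line)
    if m:  # the honey-URL need not exist; a 404 for it is still an alert
        return [("url", m.group(2), m.group(1))]
    return []


def detect(lines):
    """Every reference to a planted decoy is an alert; nothing else is."""
    alerts = []
    for line in lines:
        for token_type, value, source in candidates(line):
            if value.casefold() in HONEY_INDEX[token_type]:
                alerts.append(Alert(token_type, value, source, line))
    return alerts


def suspicious_sources(alerts):
    """Pivot alerts by source address: one host touching several decoys is the lateral-movement signal."""
    return dict(Counter(a.source for a in alerts))


# Constructed sample logs: one host (10.0.9.77) tries a honey-credential over SSH,
# opens the honey-share, then fetches the honey-URL from a honey-document.
SAMPLE_LOGS = [
    "Mar  3 10:14:02 web01 sshd[2311]: Accepted publickey for deploy from 10.0.5.21 port 51022 ssh2",
    "Mar  3 10:16:40 web01 sshd[2390]: Failed password for svc_backup_legacy from 10.0.9.77 port 44120 ssh2",
    "Mar  3 10:17:05 fs01 smbd: user=jsmith client=10.0.5.30 share=\\\\fs01\\Projects",
    "Mar  3 10:18:11 fs01 smbd: user=jsmith client=10.0.9.77 share=\\\\fs01\\Finance_Archive",
    '10.0.9.77 - - [03/Mar/2020:10:19:30 +0000] "GET /admin/backup_2019.zip HTTP/1.1" 404 162',
    '10.0.5.21 - - [03/Mar/2020:10:19:31 +0000] "GET /index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT {a.token_type:<10} {a.token:<28} from {a.source}")
    print("decoy touches per source:", suspicious_sources(found))
```

Note that the legitimate activity (the `deploy` login, the `Projects` share, `/index.html`) produces nothing, while the same account `jsmith` is flagged only when it opens the decoy share: the alert is keyed to the decoy, not to the user or the tool, which is what lets this catch living-off-the-land activity that signature-based controls miss.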
Dynamic deception solutions are a much-needed addition to traditional prevention controls. Those controls are based on known attack signatures and therefore, by design, cannot reliably detect signature-less zero-day attacks, the use of stolen employee credentials, or ransomware and spear-phishing campaigns.
As a seamless, non-disruptive addition to the existing security infrastructure, deception-based threat detection narrows the detection gap. It provides a critical line of defense for detecting attackers before they have time to complete their attack and cause a data breach or damage to critical infrastructure.
Cyber Deception and Response Platforms form a new class of deception-based threat detection that raises the bar for attackers. They provide both network- and endpoint-based deception, turning user networks, data centers, cloud, remote offices, and even specialty environments such as IoT, ICS/SCADA, point-of-sale, telecom, and network infrastructure systems into traps and a "hall of mirrors" that confuses, misdirects, and reveals the presence of attackers.
As a result, dynamic deception solutions can be the missing piece among security controls: they bridge the detection gap inside the network and provide the visibility and forensic information needed to take proper action while the fight against cyber attacks continues.