prevent attackers from leaving backdoors
and facilitating an easy return.
Threat actors start with the upper
hand, since they control when to
plan and initiate their attacks. The
victims must then respond immediately to
defend themselves, often with little
information to act on. However, by
taking a page out of a cybercriminal’s
handbook, organisations do not have to
be stuck in the role of a passive target.
Many of the same techniques routinely
used in cyberattacks can be reversed
to trick adversaries into not only
revealing their presence, but also giving
away their secrets.
Much like the use of deceptive
manoeuvres and decoy targets
throughout military history, organisations
can create a deception fabric to confuse
and fool attackers into making mistakes.
When decoys are well constructed,
the adversary will have an extremely
difficult and time-consuming job trying
to decipher real from fake. This not only
efficiently diverts them away from the
real target, but will also cause them to
play their hand, revealing clues about
their intent and identity.
There are a number of key factors that
will determine a decoy network’s ability
to reliably trick and disrupt adversaries.
The first step is to make it an attractive
target which gives every sign of being
genuine. It needs to mirror the
production environment, running the
same operating systems and services
and exhibiting the same network
characteristics. It also needs to cover
every attack surface, including user
networks, endpoints, cloud, infrastructure,
IoT and ICS-SCADA.
Alongside this, the deceptive solution
must also be easy for the organisation
to deploy and operate, with a high
degree of automation. Value will also be
found in the high-fidelity, engagement-
based alerts that security teams can
respond to efficiently. Collectively, these
innovations keep operational overhead
to a minimum, even at scale.
Carolyn Crandall, Chief Deception Officer at
The principle of decoy networks has
previously been seen in the form
of honeypots. However, given their
operational complexity, their use is
primarily for research. These are
typically placed outside of the real
network to discover who is targeting
the organisation and for intelligence
on attacker techniques. Honeypots
were not designed for the detection of
sophisticated attackers or for scalability,
which dramatically limited their
deployment and usefulness.
The development of modern,
commercial-grade deception technology
emphasises scalability, authenticity and
a high degree of automation, enabling
it to be easily deployed and operated
across everything from user networks
to cloud data centres to specialised
operational technology environments.
Falling into the trap
Older honeypots do not hold up to
close inspection and are generally
only effective at gathering intelligence
on low-level attackers, particularly
those using automated bots to scan
for potential targets. Newer deception
technology platforms also take
deception further by incorporating
deceptive credentials, mapped drives
and other lures placed on endpoint
devices to entice the attacker into
taking the bait and revealing themselves.
The presence of deception networks and
endpoint lures makes it far more difficult
for an attacker to navigate the network,
as they are unable to tell real assets
from elaborate fakes. Even the simplest
error can land them in a decoy network
and force them to restart their attack.
This provides an extremely effective and
useful additional layer of defence against
intruders who have managed to infiltrate
the network.
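The engagement-based alerting described above rests on a simple property: nothing legitimate ever references a decoy credential or connects to a decoy host, so any event that does is a high-fidelity alert rather than an anomaly score. The following is an added illustration, not code from the article or from any vendor's product; the decoy inventory, the event format and the log lines are all constructed for the example.

```python
"""Toy engagement-based alerting over a decoy inventory (added example).

Any authentication event that uses a decoy account, or any connection that
reaches a decoy host, is raised as an alert. Names, hosts and log format
below are constructed for illustration and are not from the article.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory of deception assets. In practice this would be
# exported from the deception platform that planted the lures.
DECOY_ACCOUNTS = {"svc_backup_admin", "finance_share_ro"}
DECOY_HOSTS = {"10.20.30.40", "fileserver-07"}


@dataclass(frozen=True)
class Alert:
    kind: str     # "decoy_credential" or "decoy_host"
    source: str   # host that engaged with the decoy (where the intruder sits)
    detail: str   # human-readable context for the responder


def parse_event(line: str) -> Optional[dict]:
    """Parse one constructed event: '<ts> <src_host> <user> <dst_host> <outcome>'.

    Returns None for lines that do not match, so malformed input is skipped
    rather than silently producing a false alert.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, user, dst, outcome = parts
    return {"ts": ts, "src": src, "user": user, "dst": dst, "outcome": outcome}


def evaluate(events: List[str]) -> List[Alert]:
    """Return an alert for every engagement with a decoy, in event order.

    Note that the outcome of the login does not matter: a failed attempt with
    a decoy credential is just as telling as a successful one, because the
    credential was only ever visible to someone who harvested it.
    """
    alerts: List[Alert] = []
    for line in events:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["user"] in DECOY_ACCOUNTS:
            alerts.append(Alert(
                "decoy_credential", ev["src"],
                f'{ev["user"]} used against {ev["dst"]} ({ev["outcome"]}) at {ev["ts"]}'))
        if ev["dst"] in DECOY_HOSTS:
            alerts.append(Alert(
                "decoy_host", ev["src"],
                f'connection to {ev["dst"]} as {ev["user"]} at {ev["ts"]}'))
    return alerts


def summarize_by_source(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per source host so responders can prioritise the
    endpoint the intruder is operating from."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.source] = counts.get(a.source, 0) + 1
    return counts


# Constructed sample events: two legitimate logins, one use of a planted
# credential, one connection to a decoy file server, and one malformed line.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:01 ws-102 alice fileserver-01 success",
    "2024-01-01T10:03:12 ws-102 svc_backup_admin fileserver-01 failure",
    "2024-01-01T10:03:40 ws-102 alice fileserver-07 success",
    "2024-01-01T10:04:05 ws-118 bob fileserver-02 success",
    "malformed line",
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert.kind}] from {alert.source}: {alert.detail}")
    print(summarize_by_source(evaluate(SAMPLE_EVENTS)))
```

Run against the constructed events, the two legitimate logins produce nothing, while both decoy engagements are attributed to the same workstation, which is the endpoint a responder would isolate first. The design choice worth noting is that the detector never needs a baseline or a threshold: fidelity comes from the decoy inventory itself, which is what keeps the alert volume low even when the deception fabric is deployed at scale.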
Every second counts during a
cyberattack and the maze of traps and