Cyber Defense Magazine – July 2019


emerged with this innovation, one based on network decoys, and the other based on placing
“breadcrumbs” at the endpoint. Both have merit when applied against the cyber kill chain.


Once an attacker compromises the initial system, they want to move laterally to the next system by
stealing credentials, accessing mapped drives, or conducting reconnaissance to understand how to get
closer to their target. Deceptions placed on the endpoint entice an attacker to unknowingly take deceptive
credentials or follow mapped drive shares into a deceptive engagement server. Decoys designed to
match production assets confuse and misdirect attackers as they attempt to scan the network or detonate
malware. Deploying both forms of deception provides the most comprehensive fabric for detecting all forms
of attack. Value is also achieved by preventing lateral movement, creation of back doors, establishment
of C2 (command-and-control) connections, obtaining credentials, cracking stored hashes, finding critical systems or data, and
identifying Active Directory domain admin accounts, to name a few.
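The paragraph above describes the mechanism that makes endpoint breadcrumbs useful: a planted credential or mapped share has no legitimate user, so any sign of it in authentication or share-access logs is a high-fidelity signal of credential theft or lateral movement. The following Python block is an added example, not code from the article or from any deception vendor's product, showing how a SOC could turn a decoy inventory into alerts. The decoy account names, the decoy share paths, the log line format and the sample log lines are all constructed for the example; the Windows event IDs used in the sample (4624 logon success, 4625 logon failure, 5140 share object access) are real, but nothing here depends on them.

```python
"""Honeytoken alerting over constructed authentication and share-access logs.

Added example for illustration only. It assumes a deception deployment that
planted two kinds of endpoint breadcrumbs:
  * decoy domain accounts that no legitimate process ever uses, and
  * decoy mapped shares that resolve to an engagement server.
Any authentication attempt with a decoy account, or any access to a decoy
share, is attacker activity by construction, which is what gives deception
its high-fidelity alerts.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed decoy inventory (placeholder names; a real deployment would
# export this from its deception platform).
DECOY_ACCOUNTS = {"svc_backup_dc", "adm_legacy_print"}
DECOY_SHARES = {r"\\fs-decoy01\finance", r"\\fs-decoy01\hr_archive"}

# Minimal record format, constructed for this example:
#   <ts> <host> EVENT=<id> USER=<name> SRC=<ip> [SHARE=<unc-path>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EVENT=(?P<event>\d+) USER=(?P<user>\S+) "
    r"SRC=(?P<src>\S+)(?: SHARE=(?P<share>\S+))?$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    src: str
    event: str
    stage: str       # kill-chain stage the breadcrumb was designed to catch
    indicator: str   # which decoy fired


def parse(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(line: str) -> Optional[Alert]:
    """Raise an alert if the line references a decoy account or decoy share."""
    rec = parse(line)
    if rec is None:
        return None
    user = rec["user"].lower()
    share = (rec["share"] or "").lower()
    # Comparison is case-insensitive because Windows account and UNC names are.
    if user in {a.lower() for a in DECOY_ACCOUNTS}:
        return Alert(rec["ts"], rec["host"], rec["src"], rec["event"],
                     "credential-theft", rec["user"])
    if share in {s.lower() for s in DECOY_SHARES}:
        return Alert(rec["ts"], rec["host"], rec["src"], rec["event"],
                     "lateral-movement", rec["share"])
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run every line through evaluate() and keep the alerts."""
    return [a for a in (evaluate(line) for line in lines) if a is not None]


def sources_to_contain(alerts: Iterable[Alert]) -> List[str]:
    """Distinct source addresses that touched a decoy, for containment triage."""
    return sorted({a.src for a in alerts})


# Constructed sample log: ordinary activity, then one failed logon with a decoy
# account and one access to a decoy share from the same source.
SAMPLE_LOG = r"""
2019-07-02T09:14:03Z ws-042 EVENT=4624 USER=jdoe SRC=10.1.4.22
2019-07-02T09:15:11Z ws-042 EVENT=5140 USER=jdoe SRC=10.1.4.22 SHARE=\\fs-prod01\finance
2019-07-02T09:16:40Z dc-01 EVENT=4625 USER=svc_backup_dc SRC=10.1.4.22
2019-07-02T09:17:02Z fs-decoy01 EVENT=5140 USER=jdoe SRC=10.1.4.22 SHARE=\\fs-decoy01\finance
2019-07-02T09:18:30Z ws-017 EVENT=4624 USER=mlee SRC=10.1.4.31
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.strip().splitlines()):
        print(alert)
    print("contain:", sources_to_contain(scan(SAMPLE_LOG.strip().splitlines())))
```

Note that even a failed logon with the decoy account fires: the account exists only so that its use can be observed, so success or failure is irrelevant to the verdict. In production the decoy inventory would be fed from the deception platform and the alert routed into the SIEM with the source host flagged for containment; the stage label lets the analyst see which step of the lateral-movement sequence the attacker had reached.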


This change in strategic approach addressed the first common misconception: that deception provides
little value. Deception technology is no longer limited to research; its primary function is now to
provide detection early and throughout the attack lifecycle.


The second common misconception is that this technology is difficult to manage. With honeypots and
honeynets, it could take a week or more to set up the deception environment. It was anything but simple
and required skilled staff and lots of maintenance time. Modern deception technology innovation includes
machine learning that automatically prepares, deploys, and manages deceptions. It has made operating
deception technology extremely simple. Out-of-the-box operation can be achieved within an hour using
a wide variety of included campaign templates. This is perfect for organizations with limited skill
sets and time, or that are not the target of highly sophisticated attackers. A defender protecting against
nation-state attacks or extremely sophisticated threat actors will want to use advanced deceptions. This
is done by placing the exact same software used in production onto the decoy so that it mirror-matches
the real assets. Integration with Active Directory and DNS also provides verification of authenticity.
Customization may sound complicated, but deceptions can be projected in a way that does not require
each decoy's software to be maintained separately, and deceptions at the endpoint are deployed without
the use of an agent. Most of the time is spent by the company deciding what deception strategy it
wishes to use. For example, is this just for high-fidelity detection? Do they wish to collect adversary
intelligence and forensics? Do they want to engage with the attacker to gain knowledge for pre-emptive
defenses?


This leads to the third common misconception: that the value of deception is too limited, or that it is
applicable only to large organizations. The majority of our customers are purchasing deception for the
specific use case of post-compromise threat detection. They are choosing deception as their primary
detection mechanism because it allows them to detect attacks early and provides them with high-fidelity
alerts. With deception they have achieved accurate detection of both known and new sophisticated threats.
