Cyber Defense Magazine – July 2019

(Sean Pound) #1

Organizations are also using deception across all environments they are seeking to protect, including
datacenters, user networks, infrastructure, and environments like cloud, IoT, Medical IoT, and OT
interconnected devices that require new approaches to secure. Customers use deception-based
detection for visibility into malicious threat actor activity as well as into policy violations and
misconfigurations by insiders and suppliers that create risk.


Another little-known benefit that is also attracting customers to deception technology is the ability to
gather adversary intelligence and forensics and to gain visibility into exposed attack paths. Most detection
tools only detect an attack. This leaves defenders at a disadvantage as the attacker gains intelligence
with every attempt while the defender typically does not. A high-interaction deception environment
gathers TTPs, IOCs, attacker movement, and forensic information. This automated collection and
collation of information arms the defender with insight that is typically lost and with details needed to
confidently take action. Unlike other tools that generate false positives, these alerts are substantiated
and save security teams countless hours in responding to threats. Additionally, given the quality of the
alerts, automation can be turned on. This can be manually triggered in the UI or fully-automated to block,
isolate, or threat hunt based on native integrations with prevention and threat orchestration tools.
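The paragraph above makes two claims worth seeing in code: a decoy should never be touched by legitimate activity, so any interaction is a substantiated alert, and an alert that carries the attacker's source, the decoy touched and the technique implied by it is concrete enough to drive an automated response. The following is an added illustration, not the magazine's or any vendor's code. The decoy inventory, the planted credential name, the two log formats and the five log lines are all constructed for the example, and the `automate` switch stands in for the manual-versus-automatic response choice the article describes.

```python
"""Turn touches of decoy assets into substantiated alerts with a response action.

Added illustrative example. Decoys, log lines and the action policy are
constructed for the demonstration; they are not taken from any product.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed decoy inventory: nothing legitimate should ever talk to these.
DECOY_HOSTS = {"10.0.5.23": "decoy-fileserver", "10.0.5.24": "decoy-sql"}
# Constructed planted credential: no real job or user ever authenticates with it.
HONEYTOKEN_ACCOUNTS = {"svc_backup_old"}

# Constructed log formats: a firewall connection log and an authentication log.
CONN_RE = re.compile(r"conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
AUTH_RE = re.compile(r"auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)")

# Technique implied by the port an attacker reaches for on a decoy (assumed mapping).
PORT_TTP = {
    445: "lateral movement via SMB",
    3389: "lateral movement via RDP",
    1433: "database access attempt",
}


@dataclass
class Alert:
    source: str     # IOC: the host that interacted with the decoy
    decoy: str      # which decoy or honeytoken was touched
    ttp: str        # technique implied by the interaction
    evidence: str   # the raw log line, kept for forensics
    action: str     # "notify" for an analyst, or the automated response taken


def classify(line: str, automate: bool = False) -> Optional[Alert]:
    """Return an Alert if the line shows interaction with a decoy, else None."""
    m = CONN_RE.search(line)
    if m:
        if m["dst"] not in DECOY_HOSTS:
            return None  # traffic to a real host: not evidence of anything
        port = int(m["dport"])
        return Alert(
            source=m["src"],
            decoy=DECOY_HOSTS[m["dst"]],
            ttp=PORT_TTP.get(port, f"connection to decoy port {port}"),
            evidence=line,
            action="isolate" if automate else "notify",
        )
    m = AUTH_RE.search(line)
    if m and m["user"] in HONEYTOKEN_ACCOUNTS:
        # Even a failed login counts: the credential exists only to be stolen.
        return Alert(
            source=m["src"],
            decoy=f"honeytoken:{m['user']}",
            ttp="use of planted credential",
            evidence=line,
            action="disable_account,isolate" if automate else "notify",
        )
    return None


def analyze(lines: List[str], automate: bool = False) -> List[Alert]:
    """Run every log line through the decoy check and keep the alerts."""
    return [a for a in (classify(line, automate) for line in lines) if a is not None]


def iocs(alerts: List[Alert]) -> Set[str]:
    """Source addresses seen touching decoys: indicators to hunt for elsewhere."""
    return {a.source for a in alerts}


def movement(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Per source, the sequence of decoys touched: the attacker's observed path."""
    path: Dict[str, List[str]] = {}
    for a in alerts:
        path.setdefault(a.source, []).append(a.decoy)
    return path


# Constructed sample log lines: one workstation drifts from real hosts to decoys.
SAMPLE_LOGS = [
    "conn src=10.0.1.15 dst=10.0.2.10 dport=443",              # normal traffic to a real host
    "conn src=10.0.1.15 dst=10.0.5.23 dport=445",              # probes the decoy file server
    "conn src=10.0.1.15 dst=10.0.5.24 dport=1433",             # then the decoy database
    "auth user=alice src=10.0.1.15 result=success",            # legitimate login
    "auth user=svc_backup_old src=10.0.1.15 result=failure",   # planted credential tried
]

if __name__ == "__main__":
    found = analyze(SAMPLE_LOGS, automate=True)
    for alert in found:
        print(f"[{alert.action}] {alert.source} -> {alert.decoy}: {alert.ttp}")
    print("IOCs:", iocs(found))
    print("movement:", movement(found))
```

Because the decoys have no legitimate users, the detection needs no threshold or baseline, which is what makes the alert substantiated rather than a probability score; the `movement` output is the "attacker movement" the article says a high-interaction environment records, and the source set is the IOC list handed to the prevention and orchestration tools it mentions.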


Organizations of all sizes and staffing levels can take advantage of deception for accurate detection and
faster incident response. This will be appealing to most; however, those with mature infrastructure and
teams can also do more with the platform. Advanced features can include high-interaction application
and data deceptions, decoy documents to gather counterintelligence on what an attacker is after, and
opening up C2C ports to gather intelligence on items like polymorphic activity.


To sum it all up, the primary use case for deception is detection. Value is derived from accurately
detecting known and sophisticated attacks across all critical attack surfaces and from the fidelity of the alert.
Concerns about complexity, as well as the belief that this is only for mature organizations, are misplaced
when applied to deception platforms. Cyber criminals do not want anyone to believe this is a good technology
to adopt because it truly makes their jobs more difficult: they must now decipher real from fake, their attacks
are slowed, and as a result, the economics of the attack become unattractive.


Still not sure about deception? Ask a Red Team that has had to navigate deception during their testing.
It’s hard to say if they will be forthright in admitting being caught, but I am confident they will say it adds
complexity and slows them down. Ask a Blue team, and you will find some of deception’s best advocates.
