decezione informatica Piergiorgio Venuti

Deception: what it is, how it works and why it is essential for cybersecurity

Estimated reading time: 6 minutes

Deception: what is it and what is it for?

Cyberdeception, also known as “decemption“, is an emerging cybersecurity technique that is increasingly popular among companies. In this article we will see in detail what it is, how it works and what advantages it offers for protection against advanced cyber threats.

What is deception?

Cyberdeception or “decemption” is the deliberate distribution of false information within a system to deceive a potential attacker. The goal is to confuse and distract the cybercriminal, making him waste precious time and hindering his activity.

It is a proactive cyber defense technique that allows you to trace and study the behavior of the intrusion, to then respond and neutralize the threat. The principle is to mislead the hacker, exploiting social engineering techniques in reverse.

Instead of protecting real information, deception creates fake resources – files, networks, services – that look real. The attacker ends up hitting decoys and traps that reveal his intentions and allow him to be stopped before he reaches critical assets.

How computer science works

The implementation of the deception takes place through specific tools and technologies that allow the distribution of false information within the IT infrastructure. These fake resources are monitored for any unauthorized access attempts.

Tricky traps

Fake resources are created such as fake file servers, fake databases, fake web pages, fake directory services, fake login credentials. These traps attract the attention of the hacker who ends up wasting valuable time trying to access them.

Alarms and alerts

Each interaction with the fake resources immediately generates an alert that signals the intrusion in progress. Deception tools are able to classify the threat level and provide an automatic response.

Activity tracking

Deceptive traps allow you to monitor the attacker’s behavior in real time, gathering valuable information on the techniques used and on the objectives.

Speed of response

Once a potential intrusion has been identified, the deception platform is able to respond immediately, for example by isolating the compromised system or the suspicious IP by blocking traffic.

What advantages does computer science offer?

The use of deception techniques has several advantages to raise the level of cybersecurity of an organization:

  • Early detection of threats: Traps allow you to detect any attacks in progress early, before they reach your valuable assets.
  • Proactive protection: deception allows you to switch from a reactive to a proactive posture, deceiving the attacker and hindering his activity.
  • Analysis of attack techniques: by monitoring the traps it is possible to gather valuable information on the tactics, techniques and procedures (TTPs) of the cybercriminal.
  • Better resource allocation: Rapid detection of the threat allows you to optimize the use of resources for the response, avoiding unnecessary “treasure hunts”.
  • Effectiveness against advanced threats: the detection allows to detect and block even never seen before attacks, very sophisticated and without a signature.
  • Integration with other defenses: Deception techniques can integrate seamlessly with firewalls, antivirus, intrusion detection systems (IDS), and more.
  • Low costs: implementing deception requires a relatively low investment in economic terms, especially considering the benefits.

Use cases of deception

Deception can be effectively employed in several use cases, including:

Protection of critical assets

By creating deceptive traps around servers, databases, business critical applications, it is possible to immediately identify any targeted attacks and protect these assets.

Detection of internal attacks

Deception techniques allow you to quickly identify unauthorized access and anomalous activity by compromised internal users.

Securing OT and IoT environments

In industrial environments with industrial control systems (OT) and the Internet of Things (IoT) the decision adds an extra layer of security.

Response to advanced incidents

In the event of advanced breaches already underway, deception techniques can effectively support containment and response activities.

Cloud and virtualized environments

The dynamic and distributed nature of the cloud and virtual data centers makes security complex: deception can fill gaps and vulnerabilities.

Deception tools: Honeypot, Honeytoken, Honeyfile

Some specific tools are used to distribute false information and implement IT deception, including:

Honeypot

These are trap systems designed to attract attackers by making them believe that they are real resources of the information system. A honeypot simulates services and vulnerabilities to monitor and study attack techniques.

Honeytoken

Fake information such as bogus credentials, invalid API keys, trap passwords. They are scattered throughout the system to be monitored and detect unauthorized access.

Honeyfile

Inauthentic files placed as decoys to attract attackers and monitor their behavior. They can also contain malicious code to “infect” anyone who tries to use them without permission.

Deception: an insight into the techniques

deception

To understand in more detail the functioning of IT deception, let’s analyze some of the main techniques used.

Creating fake services

Fake services, such as a fake FTP server or a fake LDAP directory service, can be deployed on the network to attract the attacker’s attention. These will try to interact with you by revealing their intentions.

Generating false errors

During the intrusion, false error messages can be generated to confuse the attacker and induce him to waste precious time. For example a fake “file not found” or “permission denied”.

Creation of honeyfiles

As mentioned, honeyfiles are trap files designed to lure in attackers. They can be named catchy, like “password.txt” or “credit card data.xlsx”. Logging in reveals the intrusion.

Traffic mirroring

The deception platform can replicate and mirror real network traffic to confuse the attacker as to which resources are genuine.

Information camouflage

By subtly altering data such as usernames, IP addresses, domain names, it is possible to trick the hacker into making revealing mistakes.

Honeytokens in technology stacks

Honeytokens can be introduced into various layers of the technology stack: fake user accounts, fake API keys, invalid cloud credentials.

Decoy document injection

It consists of introducing decoys into systems in the form of false documents containing malicious code. Running the code helps detect and track the intrusion.

Dynamic deception

Deception techniques can be applied dynamically by continuously changing the attack surface to confuse the opponent.

Conclusion: why deception is critical today

In a constantly evolving threat landscape, with increasingly sophisticated attacks, perimeter protection alone is no longer enough. Cyber awareness represents a new indispensable level of defense.

By proactively deceiving adversaries, intrusions can be detected early and responded to quickly, before damage occurs. Deception tools allow you to acquire superior threat intelligence on the enemy to adapt your defenses.

The Active Defense Deception service of the Secure Online Desktop, integrating deception techniques with threat hunting and threat intelligence, can significantly raise the level of security of a company against the most advanced threats.

Useful links:

Share


RSS

More Articles…

Categories …

Tags

RSS darkreading

RSS Full Disclosure

  • BACKDOOR.WIN32.DUMADOR.C / Remote Stack Buffer Overflow (SEH) April 19, 2024
    Posted by malvuln on Apr 19Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/6cc630843cabf23621375830df474bc5.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Dumador.c Vulnerability: Remote Stack Buffer Overflow (SEH) Description: The malware runs an FTP server on TCP port 10000. Third-party adversaries who can reach the server can send a specially […]
  • SEC Consult SA-20240418-0 :: Broken authorization in Dreamehome app April 19, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 19SEC Consult Vulnerability Lab Security Advisory < 20240418-0 > ======================================================================= title: Broken authorization product: Dreamehome app vulnerable version:
  • MindManager 23 - full disclosure April 19, 2024
    Posted by Pawel Karwowski via Fulldisclosure on Apr 19Resending! Thank you for your efforts. GitHub - pawlokk/mindmanager-poc: public disclosure Affected application: MindManager23_setup.exe Platform: Windows Issue: Local Privilege Escalation via MSI installer Repair Mode (EXE hijacking race condition) Discovered and reported by: Pawel Karwowski and Julian Horoszkiewicz (Eviden Red Team) Proposed mitigation:...
  • CVE-2024-31705 April 14, 2024
    Posted by V3locidad on Apr 14CVE ID: CVE-2024-31705 Title : RCE to Shell Commands" Plugin / GLPI Shell Command Management Interface Affected Product : GLPI - 10.X.X and last version Description: An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input. […]
  • SEC Consult SA-20240411-0 :: Database Passwords in Server Response in Amazon AWS Glue April 14, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 14SEC Consult Vulnerability Lab Security Advisory < 20240411-0 > ======================================================================= title: Database Passwords in Server Response product: Amazon AWS Glue vulnerable version: until 2024-02-23 fixed version: as of 2024-02-23 CVE number: - impact: medium homepage: https://aws.amazon.com/glue/ found:...
  • [KIS-2024-03] Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability April 11, 2024
    Posted by Egidio Romano on Apr 10------------------------------------------------------------------------------ Invision Community
  • [KIS-2024-02] Invision Community <= 4.7.15 (store.php) SQL Injection Vulnerability April 11, 2024
    Posted by Egidio Romano on Apr 10-------------------------------------------------------------------- Invision Community
  • Multiple Issues in concretecmsv9.2.7 April 11, 2024
    Posted by Andrey Stoykov on Apr 10# Exploit Title: Multiple Web Flaws in concretecmsv9.2.7 # Date: 4/2024 # Exploit Author: Andrey Stoykov # Version: 9.2.7 # Tested on: Ubuntu 22.04 # Blog: http://msecureltd.blogspot.com Verbose Error Message - Stack Trace: 1. Directly browse to edit profile page 2. Error should come up with verbose stack trace […]
  • OXAS-ADV-2024-0001: OX App Suite Security Advisory April 11, 2024
    Posted by Martin Heiland via Fulldisclosure on Apr 10Dear subscribers, We&apos;re sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at YesWeHack. This advisory has also been published at https://documentation.open-xchange.com/appsuite/security/advisories/html/2024/oxas-adv-2024-0001.html. […]
  • Trojan.Win32.Razy.abc / Insecure Permissions (In memory IPC) April 11, 2024
    Posted by malvuln on Apr 10Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/0eb4a9089d3f7cf431d6547db3b9484d.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Trojan.Win32.Razy.abc Vulnerability: Insecure Permissions (In memory IPC) Family: Razy Type: PE32 MD5: 0eb4a9089d3f7cf431d6547db3b9484d SHA256: 3d82fee314e7febb8307ccf8a7396b6dd53c7d979a74aa56f3c4a6d0702fd098 Vuln ID: MVID-2024-0678...

Customers

Newsletter

{subscription_form_1}