decezione informatica Piergiorgio Venuti

Deception: what it is, how it works and why it is essential for cybersecurity

Estimated reading time: 6 minutes

Deception: what is it and what is it for?

Cyberdeception, also known as “decemption“, is an emerging cybersecurity technique that is increasingly popular among companies. In this article we will see in detail what it is, how it works and what advantages it offers for protection against advanced cyber threats.

What is deception?

Cyberdeception or “decemption” is the deliberate distribution of false information within a system to deceive a potential attacker. The goal is to confuse and distract the cybercriminal, making him waste precious time and hindering his activity.

It is a proactive cyber defense technique that allows you to trace and study the behavior of the intrusion, to then respond and neutralize the threat. The principle is to mislead the hacker, exploiting social engineering techniques in reverse.

Instead of protecting real information, deception creates fake resources – files, networks, services – that look real. The attacker ends up hitting decoys and traps that reveal his intentions and allow him to be stopped before he reaches critical assets.

How computer science works

The implementation of the deception takes place through specific tools and technologies that allow the distribution of false information within the IT infrastructure. These fake resources are monitored for any unauthorized access attempts.

Tricky traps

Fake resources are created such as fake file servers, fake databases, fake web pages, fake directory services, fake login credentials. These traps attract the attention of the hacker who ends up wasting valuable time trying to access them.

Alarms and alerts

Each interaction with the fake resources immediately generates an alert that signals the intrusion in progress. Deception tools are able to classify the threat level and provide an automatic response.

Activity tracking

Deceptive traps allow you to monitor the attacker’s behavior in real time, gathering valuable information on the techniques used and on the objectives.

Speed of response

Once a potential intrusion has been identified, the deception platform is able to respond immediately, for example by isolating the compromised system or the suspicious IP by blocking traffic.

What advantages does computer science offer?

The use of deception techniques has several advantages to raise the level of cybersecurity of an organization:

  • Early detection of threats: Traps allow you to detect any attacks in progress early, before they reach your valuable assets.
  • Proactive protection: deception allows you to switch from a reactive to a proactive posture, deceiving the attacker and hindering his activity.
  • Analysis of attack techniques: by monitoring the traps it is possible to gather valuable information on the tactics, techniques and procedures (TTPs) of the cybercriminal.
  • Better resource allocation: Rapid detection of the threat allows you to optimize the use of resources for the response, avoiding unnecessary “treasure hunts”.
  • Effectiveness against advanced threats: the detection allows to detect and block even never seen before attacks, very sophisticated and without a signature.
  • Integration with other defenses: Deception techniques can integrate seamlessly with firewalls, antivirus, intrusion detection systems (IDS), and more.
  • Low costs: implementing deception requires a relatively low investment in economic terms, especially considering the benefits.

Use cases of deception

Deception can be effectively employed in several use cases, including:

Protection of critical assets

By creating deceptive traps around servers, databases, business critical applications, it is possible to immediately identify any targeted attacks and protect these assets.

Detection of internal attacks

Deception techniques allow you to quickly identify unauthorized access and anomalous activity by compromised internal users.

Securing OT and IoT environments

In industrial environments with industrial control systems (OT) and the Internet of Things (IoT) the decision adds an extra layer of security.

Response to advanced incidents

In the event of advanced breaches already underway, deception techniques can effectively support containment and response activities.

Cloud and virtualized environments

The dynamic and distributed nature of the cloud and virtual data centers makes security complex: deception can fill gaps and vulnerabilities.

Deception tools: Honeypot, Honeytoken, Honeyfile

Some specific tools are used to distribute false information and implement IT deception, including:

Honeypot

These are trap systems designed to attract attackers by making them believe that they are real resources of the information system. A honeypot simulates services and vulnerabilities to monitor and study attack techniques.

Honeytoken

Fake information such as bogus credentials, invalid API keys, trap passwords. They are scattered throughout the system to be monitored and detect unauthorized access.

Honeyfile

Inauthentic files placed as decoys to attract attackers and monitor their behavior. They can also contain malicious code to “infect” anyone who tries to use them without permission.

Deception: an insight into the techniques

deception

To understand in more detail the functioning of IT deception, let’s analyze some of the main techniques used.

Creating fake services

Fake services, such as a fake FTP server or a fake LDAP directory service, can be deployed on the network to attract the attacker’s attention. These will try to interact with you by revealing their intentions.

Generating false errors

During the intrusion, false error messages can be generated to confuse the attacker and induce him to waste precious time. For example a fake “file not found” or “permission denied”.

Creation of honeyfiles

As mentioned, honeyfiles are trap files designed to lure in attackers. They can be named catchy, like “password.txt” or “credit card data.xlsx”. Logging in reveals the intrusion.

Traffic mirroring

The deception platform can replicate and mirror real network traffic to confuse the attacker as to which resources are genuine.

Information camouflage

By subtly altering data such as usernames, IP addresses, domain names, it is possible to trick the hacker into making revealing mistakes.

Honeytokens in technology stacks

Honeytokens can be introduced into various layers of the technology stack: fake user accounts, fake API keys, invalid cloud credentials.

Decoy document injection

It consists of introducing decoys into systems in the form of false documents containing malicious code. Running the code helps detect and track the intrusion.

Dynamic deception

Deception techniques can be applied dynamically by continuously changing the attack surface to confuse the opponent.

Conclusion: why deception is critical today

In a constantly evolving threat landscape, with increasingly sophisticated attacks, perimeter protection alone is no longer enough. Cyber awareness represents a new indispensable level of defense.

By proactively deceiving adversaries, intrusions can be detected early and responded to quickly, before damage occurs. Deception tools allow you to acquire superior threat intelligence on the enemy to adapt your defenses.

The Active Defense Deception service of the Secure Online Desktop, integrating deception techniques with threat hunting and threat intelligence, can significantly raise the level of security of a company against the most advanced threats.

Useful links:

Share


RSS

More Articles…

Categories …

Tags

RSS darkreading

RSS Full Disclosure

  • Stored XSS in "Edit Profile" - htmlyv2.9.9 September 19, 2024
    Posted by Andrey Stoykov on Sep 18# Exploit Title: Stored XSS in "Edit Profile" - htmlyv2.9.9 # Date: 9/2024 # Exploit Author: Andrey Stoykov # Version: 2.9.9 # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2024/09/friday-fun-pentest-series-11-stored-xss.html Stored XSS #1: Steps to Reproduce: 1. Login as author 2. Browse to "Edit Profile" 3. In "Content" field add […]
  • Stored XSS in "Menu Editor" - htmlyv2.9.9 September 19, 2024
    Posted by Andrey Stoykov on Sep 18# Exploit Title: Stored XSS in "Menu Editor" - htmlyv2.9.9 # Date: 9/2024 # Exploit Author: Andrey Stoykov # Version: 2.9.9 # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2024/09/friday-fun-pentest-series-10-stored-xss.html Stored XSS #1: Steps to Reproduce: 1. Login as admin 2. Browse to "Menu Editor" 3. In "Name" field add […]
  • Backdoor.Win32.BlackAngel.13 / Unauthenticated Remote Command Execution September 19, 2024
    Posted by malvuln on Sep 18Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/d1523df44da5fd40df92602b8ded59c8.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Backdoor.Win32.BlackAngel.13 Vulnerability: Unauthenticated Remote Command Execution Description: The malware listens on TCP port 1850. Third party adversaries who can reach an infected host can issue commands made available by […]
  • Backdoor.Win32.CCInvader.10 / Authentication Bypass September 19, 2024
    Posted by malvuln on Sep 18Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/cb86af8daa35f6977c80814ec6e40d63.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Backdoor.Win32.CCInvader.10 Vulnerability: Authentication Bypass Description: The malware runs an FTP server. Third-party adversarys who can reach infected systems can logon using any username/password combination. Intruders may then upload...
  • Backdoor.Win32.Delf.yj / Information Disclosure September 19, 2024
    Posted by malvuln on Sep 18Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/f991c25f1f601cc8d14dca4737415238.txt Contact: malvuln13 () gmail com Media: x.com/malvuln Threat: Backdoor.Win32.Delf.yj Vulnerability: Information Disclosure Description: The malware listens on TCP port 8080. Third-party adversaries who can reach an infected system, can download screen captures of a victims machine by […]
  • SEC Consult blog :: Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey (CVE-2024-38014) + msiscan tool release September 17, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Sep 16The SEC Consult Vulnerability Lab published a new blog post titled: "Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey" covering the recent Microsoft September 2024 patch for CVE-2024-38014. Blog URL: --------- https://r.sec-consult.com/msi Author: ------- Michael Baer, SEC Consult Vulnerability Lab Abstract: […]
  • Stored XSS to Account Takeover - htmlyv2.9.9 September 17, 2024
    Posted by Andrey Stoykov on Sep 16# Exploit Title: Stored XSS to Account Takeover - htmlyv2.9.9 # Date: 9/2024 # Exploit Author: Andrey Stoykov # Version: 2.9.9 # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2024/08/friday-fun-pentest-series-9-stored-xss.html Description: - It was found that the application suffers from stored XSS - Low level user having an "author" role […]
  • APPLE-SA-09-16-2024-10 macOS Ventura 13.7 September 17, 2024
    Posted by Apple Product Security via Fulldisclosure on Sep 16APPLE-SA-09-16-2024-10 macOS Ventura 13.7 macOS Ventura 13.7 addresses the following issues. Information about the security content is also available at https://support.apple.com/121234. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Accounts Available for: macOS Ventura Impact: An app may […]
  • APPLE-SA-09-16-2024-9 macOS Sonoma 14.7 September 17, 2024
    Posted by Apple Product Security via Fulldisclosure on Sep 16APPLE-SA-09-16-2024-9 macOS Sonoma 14.7 macOS Sonoma 14.7 addresses the following issues. Information about the security content is also available at https://support.apple.com/121247. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Accounts Available for: macOS Sonoma Impact: An app may […]
  • APPLE-SA-09-16-2024-8 iOS 17.7 and iPadOS 17.7 September 17, 2024
    Posted by Apple Product Security via Fulldisclosure on Sep 16APPLE-SA-09-16-2024-8 iOS 17.7 and iPadOS 17.7 iOS 17.7 and iPadOS 17.7 addresses the following issues. Information about the security content is also available at https://support.apple.com/121246. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Accessibility Available for: iPhone XS […]

Customers

Newsletter

{subscription_form_1}