Deception Technologies: Improving Incident Detection and Response by Alex Vakulov

According to the M-Trends 2021 report by FireEye, the median time for an attacker to remain unnoticed in an enterprise's infrastructure is 24 days. This is enough to identify the weakest points in the infrastructure, gain access, and escalate the attack. It would be a mistake to say that the business owners are not taking steps to protect their assets and data. As per the Ponemon Institute, on average, companies use 47 different cybersecurity solutions and technologies. How effective are these security solutions in times of digital transformation?

Even advanced firewalls become vulnerable as the company perimeter is eroded by the adoption of cloud technologies and remote access. Security event monitoring is less effective when the enterprise infrastructure includes a huge array of information assets that generate a large number of false positives. This approach requires substantial financial investment and qualified specialists to systematically analyze events and identify actual cyber incidents.

Ahead of the curve

The principle of Deception technology was laid down more than twenty years ago by the first network of honeypots. These special computer systems were created to mimic the likely targets of an attacker. Initially, they were used to detect keyloggers and other viruses and evaluate their propagation. However, modern Deception platforms have gone far beyond the usual traps for hackers.

Interest in Deception platforms has grown significantly over the past five years. Still, many customers equate such tools with honeypots. However, honeypots have significant limitations: a narrower scope, difficulties with masking, and the need for constant improvement. Unlike honeypots, Deception tools redirect the attacker to a controlled environment isolated from the production environment.

There are several options for distributing decoys to endpoints. The first method does not require local or domain administrator rights: it relies on built-in tools offered by operating systems, such as Group Policy, System Center Configuration Manager, or Mobile Device Management, or on a third-party solution's agent. The second method involves granting local administrator rights for the duration of the distribution; once the task is complete, the privileges can be quickly revoked. The third method involves integration with the Local Administrator Password Solution (LAPS).

Today, you can find Deception solutions that use an agent to distribute baits, as well as those that do without it. Some experts believe the latter type is preferable as it does not involve additional load on the infrastructure (but of course, it depends on the pricing and your infrastructure configuration).

The typical Deception platform includes a management server and a decoy server. All traffic between these components is encrypted. Interaction occurs in one direction, from the decoy server to the management server, providing the ability to deploy decoy servers in protected network segments. One or two virtual servers are required to install the solution.

Identifying unknown attack vectors 

When developing an information security strategy, it is necessary to take into account today's cyber attack trends. If someone really wants to hack you, they will eventually do it. Cybercriminals often have all the financial and technological resources to attack your infrastructure, or they may have enough time to study it and find vulnerabilities that will allow them to penetrate the company's perimeter. So, the critical tasks of information security teams include:

  • Reduction of average incident detection and response time.
  • Minimization of financial and reputational costs as a result of a security incident.

Many threat detection systems are based on one of two principles: modeling malicious behavior and looking for matches, or modeling normal behavior and looking for deviations. Both become less effective against complex and previously unknown attacks. Modern Deception solutions, by contrast, make it possible to identify unknown attack vectors.

Early detection of illegitimate actions

Deception platforms allow you to create an autonomous virtual environment consisting of various false data: databases, servers, configuration files, saved passwords, accounts, etc. These are automatically distributed among the existing information systems of the company. If any endpoint attempts to access any of these assets, it has most likely been compromised, as there is no legitimate or logical basis for such activity. Notifications are instantly sent to a centralized server that marks the affected honeypot and records the attack vectors used by the cybercriminals. Deception technology tools help detect intruders in the early stages of an attack, which is key to minimizing damage.

Preventing lateral movement

Using compromised user accounts, an attacker can infiltrate a corporate network, escalate privileges, and attempt to move further inside the network. At the stage of internal movement, the attacker may encounter false assets, and any interaction with them sends a warning to security specialists. Deception technology allows you to create the data most attractive to an attacker in order to prompt them to interact with it, so that their further movement takes place inside an isolated environment.

Improving SOC efficiency

Planted false data acts as a high-fidelity indicator for internal monitoring systems, helping to reduce false positives. Integrating a Deception platform with a SIEM system makes response and monitoring more efficient. Since the platform guarantees a low percentage of false positives, it saves the security operations center's (SOC) resources and improves the accuracy of its work.
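As an added example (not part of the original article or any vendor's product), the following Python sketch ties together the previous three sections: decoy accounts planted on endpoints that no legitimate user has a reason to touch, a pass over logon records, and a SIEM-ready alert for every attempt to use one, with the affected lure and source recorded. The account names, hostnames, IP addresses and log format are all constructed for the example.

```python
import json
import re

# Constructed lure inventory: decoy account -> host where the saved credential was planted.
# These accounts are valid only against the isolated decoy server, so any attempt to
# use them from a production endpoint has no legitimate basis.
DECOY_ACCOUNTS = {
    "svc_backup_old": "FIN-WS-07",
    "sqladmin_legacy": "DEV-LT-03",
}

# Constructed syslog-style logon records, in the shape a log collector might forward.
SAMPLE_LOG = """\
2022-08-29T10:01:12Z auth src=10.0.5.21 user=jdoe result=success
2022-08-29T10:01:40Z auth src=10.0.5.21 user=svc_backup_old result=failure
2022-08-29T10:02:02Z auth src=10.0.5.21 user=svc_backup_old result=success
2022-08-29T10:03:15Z auth src=10.0.9.4 user=mlee result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def detect_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """Return one SIEM-style alert per logon record that touches a decoy account.

    Both failed and successful attempts are reported, because a real user never
    has a reason to try a lure at all; a successful logon is rated higher since
    the attacker now holds a working credential and is moving laterally.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] not in decoys:
            continue  # malformed line or ordinary user: not a deception event
        alerts.append({
            "timestamp": m["ts"],
            "source_ip": m["src"],
            "decoy_account": m["user"],
            "planted_on": decoys[m["user"]],  # which lure was taken
            "outcome": m["result"],
            "severity": "critical" if m["result"] == "success" else "high",
            "rule": "deception.decoy_credential_use",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_decoy_use(SAMPLE_LOG):
        print(json.dumps(alert))  # one JSON event per line, ready for SIEM ingestion
```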

Real-time forensics

Modern Deception platforms can aggregate forensic data, including indicators of compromise and attacker tactics, techniques, and procedures (TTPs). This allows organizations to stay one step ahead by obtaining a complete picture of the attacker's logic and modus operandi. Information obtained from identified security incidents allows you to create a more comprehensive map of the attack vectors most commonly used against your organization.

VDI support

Support for virtual desktop infrastructure (VDI) is an important part of Deception platforms. The high demand for VDI is driven by such trends as employee mobility and the hybrid home-office model. 

The VDI migration process entails serious risks in terms of information security, such as:

  • Expansion of the cyber-attack perimeter, where a compromise of one device can compromise the entire VDI environment.
  • Problems with ensuring the cybersecurity of a large number of operating system copies.
  • Problems with implementing protection measures specific to VDI. For example, deploying a resource-intensive security solution (classic agent-based protection tools) can lower the consolidation ratio of virtual machines or cause delays in operating system boot and operation.

Thus, the transition to work-from-home (WFH) and other hybrid models requires not only careful organizational measures from cybersecurity teams but also a thoughtful analysis when choosing cybersecurity solutions. In a VDI environment, protection tools should have the least possible impact on the infrastructure. Such things as shorter waiting times for applications to start result in increased productivity for employees. This is especially critical for big companies.

Developers of Deception tools are constantly expanding the number of honeypots and the ways to spread them. Such platforms carefully analyze the behavior pattern of each user. Regardless of the configuration of the protected host (it can be an accountant's computer, a database server, or a developer's laptop), the system will select honeypots to match the software used on that host.

An enterprise that uses Deception technology in its cybersecurity strategy can provide a higher level of protection for the entire corporate network and its most critical segments, as well as improve the average time needed to detect and respond to incidents. 

Using this technology significantly reduces the burden on cybersecurity professionals by minimizing the number of false positives, providing highly accurate indicators, and reducing the amount of useless alert traffic.

A recurring problem is the gradual transformation of a product with specialized functionality into an all-in-one tool. Often a vendor that has created a small, successful product to solve a specific problem begins to grow it and adds non-critical functionality. It is important to strike a balance and not let the vendor (or yourself) turn it into a monster with many abstract functions that duplicate other security solutions.

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis. Alex has strong malware removal skills. He writes for numerous tech-related publications, sharing his security experience.

August 29, 2022
1 Comment
2 months ago

Site name please 😅😂😂😂😂

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013