Ask any cybersecurity professional to define deception technology and they’ll likely talk about honeypots or honeynets. This is accurate but antiquated, as is the misconception that deception technology is complex, has limited use cases, and is only useful for security researchers.
Modern deception technology overcomes historical complexity using analytics and automation. Once installed, deception technology scans the network, takes an inventory of assets, and then recommends different types of deception decoys/lures that emulate servers, files, network segments, or valuable services (think Active Directory, for example). Suddenly, a network with around 1,000 nodes will look like it has 10,000+ nodes, making network reconnaissance and lateral movement much more difficult for cyberadversaries.
Expanding use cases
While honeypots/honeynets were mainly used by academics, researchers, and for threat analysis, modern deception technology is used effectively for threat detection and response. Security teams use deception technology to create decoy accounts (e.g., privileged users), assets (e.g., IoT/OT devices), or data (e.g., sensitive data repositories) across their networks. When bad guys poke around looking to advance a cyberattack or exfiltrate data and stumble into a deception decoy, the jig is up. Legitimate users don’t even know these decoys exist, so access to them can only mean one thing—a cyberattack in progress.
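The detection logic described above, as an added example that is not part of the original article: given a constructed inventory of decoy accounts, hosts and files (hypothetical names and addresses) and a few constructed log events, it flags every touch of a decoy regardless of outcome and groups the touches by source host, so a single probing machine surfaces as one incident.

```python
import re
# Constructed decoy inventory (hypothetical): lures that no legitimate workflow ever touches.
DECOY_ACCOUNTS = {"svc_backup_admin", "da_legacy"}
DECOY_HOSTS = {"10.0.9.250", "10.0.9.251"}
DECOY_PATHS = {"/srv/finance/payroll_2023.xlsx"}

# Constructed sample events in a simple "timestamp kind key=value ..." format.
SAMPLE_LOGS = """\
2024-03-01T09:12:04Z auth src=10.0.1.23 user=jsmith result=success
2024-03-01T09:13:10Z auth src=10.0.1.77 user=svc_backup_admin result=failure
2024-03-01T09:13:11Z file src=10.0.1.77 path=/srv/finance/payroll_2023.xlsx action=read
2024-03-01T09:14:02Z auth src=10.0.1.23 user=jsmith result=success
2024-03-01T09:15:30Z net src=10.0.1.77 dst=10.0.9.250 dport=445
malformed-entry
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<kv>.*)$")
# For each event kind: the field naming the thing touched, and the decoy set to check it against.
DECOY_FIELDS = {"auth": ("user", DECOY_ACCOUNTS), "file": ("path", DECOY_PATHS), "net": ("dst", DECOY_HOSTS)}

def parse_line(line):
    """Return (ts, kind, fields) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return m.group("ts"), m.group("kind"), fields

def detect_decoy_touches(log_text):
    """Return (ts, src, kind, decoy) for every event touching a decoy. Outcome is ignored
    on purpose: a failed login to a decoy account is as telling as a successful one."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, kind, f = parsed
        field, decoys = DECOY_FIELDS.get(kind, (None, set()))
        if field and f.get(field) in decoys:
            alerts.append((ts, f.get("src", "?"), kind, f[field]))
    return alerts

def suspicious_sources(log_text):
    """Group decoy touches by source host so one probing host surfaces as one incident."""
    by_src = {}
    for ts, src, kind, decoy in detect_decoy_touches(log_text):
        by_src.setdefault(src, []).append((kind, decoy))
    return by_src
```

Running `suspicious_sources(SAMPLE_LOGS)` attributes all three decoy touches to 10.0.1.77 while the legitimate user's logins produce nothing.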
Deception technology usage can also follow a maturity curve. Organizations can start with basic decoys to fool pedestrian adversaries, and then grow into more advanced use cases for incident response, threat intelligence analysis, threat hunting, etc.