In the case of deception technologies, attackers are deliberately diverted into a specially created IT environment even before they can penetrate further into the company’s actual infrastructure. Within this fictitious environment, the attackers can be observed systematically in order to identify their motivation and methods and, in some cases, even their identity and clients. This is the goal of the CyberTrap deception-as-a-service solution.
Why Deception instead of Honeypots?
The vendor describes IT security as an ongoing responsibility rather than a one-time investment. The field evolves constantly: hackers keep finding new ways to break into systems or to exploit newly discovered security vulnerabilities. Just as a car needs regular service, the occasional set of new tires and the replacement of worn parts, an IT network also requires ongoing maintenance.
Honeypots were created to draw hackers into an area they otherwise would not have been interested in. The vendor states that very few attackers fall for that anymore. Today the goal is not to attract hackers with such “honeypots”, but to remain as inconspicuous as possible, and according to CyberTrap only deception can achieve that.
How Deception protects data
How well (or how poorly) the popular hardware and software products in IT security actually serve to defend against attackers is illustrated by the so-called “Pyramid of an Attacker’s Pain” (David J. Bianco, Mandiant/FireEye). It shows that the difficulty for hackers increases from the bottom layers, addressed by tools such as anti-malware and firewall systems, to the top.
CyberTrap's approach is offered as three different packages, each of which the customer can self-manage after a short training session or book with an optional managed service:
When CYBERTRAP Endpoint Deception is rolled out on the network, hidden lures (decoys) are deployed. These lures are designed and customized specifically for the customer's network so that an attacker cannot distinguish them from genuine network elements.
By following these lures, the intruder is redirected, without noticing, to a deceptively real image of the production network: the deception environment. There, he can “let off steam” without causing any harm or finding any genuine company data.
At the same time, the system monitors and evaluates the attacker's behavior, generating valuable threat intelligence data that can be accessed via a dashboard or via risk management reports. This data can be imported into SOC/SIEM systems, anti-virus software and firewalls to strengthen the security measures of the production network as a whole.
With CyberTrap Web Application Deception, an older version of the application is specially prepared and placed online. To potential attackers everything looks real, so they stumble upon strategically placed lures in the application’s source code. These lures, invisible to normal users, are directly linked to monitored traps called decoys. As soon as a hacker follows one of the lures, he is tracked at every turn.
In the Web Application Deception environment, the uninvited guest can therefore “let off steam” without causing any harm or finding any genuine company data. As with Endpoint Deception, the system monitors and evaluates the attacker's behavior, generating threat intelligence data that is accessible via a dashboard or via risk management reports and that can be imported into SOC/SIEM systems, anti-virus software and firewalls to strengthen the security measures of the production network as a whole.
When CYBERTRAP Active Directory Deception is active, it detects any scan for privileged user accounts and uses the opportunity to send the hacker false credentials. As soon as the attacker uses these to move further in the network, he falls into the trap.
The intruder is redirected, without noticing, to a deceptively real Active Directory image: the deception environment. There, he can “let off steam” without causing any harm or finding any genuine company data. At the same time, precise monitoring of the attack and analysis of the attack tactics allow the company’s own Active Directory to be hardened against future attacks.
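The lure-to-decoy principle behind both the Web Application Deception and the Active Directory Deception packages can be illustrated in a few lines. The following is an added example written for this page; it is not CyberTrap's code and says nothing about how the product is built internally. It models two lures: a hidden reference in a web page's source that points to a monitored decoy path, and a set of honey accounts that have no legitimate use, so that any logon attempt with them is itself the alarm. All paths, account names, addresses and log lines are constructed placeholders.

```python
"""Added example (not CyberTrap's code): lure-to-decoy detection for a web
application and for directory honey accounts, driven by constructed logs."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed decoy inventory with placeholder values. A real deployment would
# generate these per network and keep them out of every legitimate workflow.
DECOY_WEB_PATHS = {"/backup/admin_v1/", "/api/internal/debug"}
DECOY_ACCOUNTS = {"svc_backup_adm", "da_legacy"}


@dataclass(frozen=True)
class Alert:
    source: str     # "web" or "auth"
    indicator: str  # decoy path or honey account that was touched
    actor: str      # client IP or source host taken from the log line
    detail: str


def render_page_with_lure(body_html: str, lure_path: str) -> str:
    """Append the lure as an HTML comment. Browsers do not render comments, so a
    normal user never sees or follows it; only someone reading the source does."""
    return (f"{body_html}\n"
            f"<!-- TODO: remove before release, legacy console still at {lure_path} -->\n")


def visible_text(html: str) -> str:
    """What a browser would actually show: the same page with comments removed."""
    return re.sub(r"<!--.*?-->", "", html, flags=re.S)


# Common log format (web) and a constructed logon-event format (auth).
WEB_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
AUTH_LOG = re.compile(
    r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")


def check_web_request(line: str) -> Optional[Alert]:
    """Alert when a request hits a decoy path. The response status is irrelevant:
    the path is only ever referenced from the lure, so any request for it counts."""
    m = WEB_LOG.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # ignore query string when matching
    if path in DECOY_WEB_PATHS:
        return Alert("web", path, m.group("ip"),
                     f"{m.group('method')} {path} -> {m.group('status')}")
    return None


def check_auth_event(line: str) -> Optional[Alert]:
    """Alert on any logon attempt with a honey account, successful or not: the
    account has no legitimate user, so even a failed attempt is a signal."""
    m = AUTH_LOG.match(line)
    if not m:
        return None
    if m.group("user").lower() in DECOY_ACCOUNTS:
        return Alert("auth", m.group("user"), m.group("src"),
                     f"logon result={m.group('result')} at {m.group('ts')}")
    return None


def scan_logs(web_lines: Iterable[str], auth_lines: Iterable[str]) -> List[Alert]:
    """Run both checks and return the alerts in log order (web first, then auth)."""
    alerts = [a for a in map(check_web_request, web_lines) if a]
    alerts += [a for a in map(check_auth_event, auth_lines) if a]
    return alerts


# Constructed sample logs (documentation and private address ranges, not real traffic).
SAMPLE_WEB_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /backup/admin_v1/?debug=1 HTTP/1.1" 200 512',
]
SAMPLE_AUTH_LOG = [
    "2023-10-10T13:57:10Z LOGON user=jdoe src=10.0.0.12 result=success",
    "2023-10-10T13:58:41Z LOGON user=svc_backup_adm src=10.0.0.23 result=failure",
]

if __name__ == "__main__":
    page = render_page_with_lure("<html><body><h1>Portal</h1></body></html>", "/backup/admin_v1/")
    assert "/backup/admin_v1/" in page and "/backup/admin_v1/" not in visible_text(page)
    for alert in scan_logs(SAMPLE_WEB_LOG, SAMPLE_AUTH_LOG):
        print(alert)
```

The two checks share one property that makes deception signals so cheap to triage: because neither the decoy path nor the honey accounts are part of any legitimate workflow, a single hit is enough to raise an alert, with no baseline or threshold to tune. The same alerts are what the article describes being fed into SOC/SIEM systems.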