Skip to main content

Attackers Permanently Use Deception Techniques – Why not the Defenders? – Part 3

By 04.05.2021August 30th, 2021Hacker Life
Deception Technology

Deception simply means being tricked. If you look at IT security, attackers and defenders use a wide variety of technologies and methods: phishing, scamming, social engineering on the one hand, and honey/user tokens and honeypots on the other. While honeypots were state of the art in their days with the detection function, the attacks have evolved. Because just knowing that someone has touched a honeypot is no longer sufficient to answer the most pressing questions: Who is in my network, why, where did they come from, where are they going, and most importantly, how long have they been here?

To answer these questions, you have to know what you are looking for in your sea of data. It’s less a Big Data problem, more an analysis problem. The search for a needle in a haystack.

It would be easier to ask the attacker. He should be the best person to answer these questions. If it were possible to look over his shoulder undetected during his work, then he would deliver the needle to us free of charge.

And that’s where the new Deception Technology comes in. If we assume that an endpoint will be compromised (phishing mail, configuration error, missing patches, etc.), the attacker starts to move as quietly as possible in the network (lateral movement). Here, the “living-off-the-land” method is increasingly used. The attacker uses information (credentials, SMB shares, etc.) and legitimate tools (Active Directory queries, powershells, etc.) to get to his target.

And this is the most sensitive phase for the attacker to exploit Deception Technology, as he does not know what to expect on the endpoint and behind it, in the network.

Deception technology offers the attacker exactly this information, which he desperately needs. These file fragments (RDP credentials, hidden shares, Putty login information, access data in scripts, browser history, etc.) have the following main characteristics:

– invisible to the normal user

– lead to interesting targets and

– above all: they must be authentic

This is where the first step of deception begins.

The second step is invisible to the attacker: when using these lures, which are “real” to him, he is led into a trap that is invisible to him. These traps or decoys are copies of real productive systems that are installed in a separate location from the productive network and from which there is no way back to the productive network.

Now the third step can begin. Monitoring provides information on all phases of the attack and answers questions such as which endpoint the attacker has compromised (patient zero), which bait did he use (RDP credentials read out with Mimikatz), what is he looking for on the traps (faked database information or specific documents), at what times does he work, is he alone or is it a group that shares the workload, which tools does he use and leave behind when his break has begun?

In this way, the defenders get completely new insights and knowledge about a currently executed attack in real time and delivered directly from the attacker. They can comfortably sit back and watch over his shoulder.



What are false positives?

False positives are “false” errors whose consequences can be massive, depending on the settings in the IT security solutions and the reactions of users and administrators (e.g. deletion of important emails). The false positive rate can be set via threshold values. If it is too high, critical alerts are overlooked; if it is too low, this can lead to overload of the security team and alert fatigue – alerts are ignored.

By eliminating false-positive alarms and providing information that is important to the analyst, Deception technology increases the effectiveness of a security analyst by up to 30%.

What does “Living-Off-The-Land” mean?

Use of certain tactics and tools that are very difficult to detect because they are legitimate for monitoring in context: RDP, ssh, Powershaell, PSExec, stolen access data, VPN connections. Windows alone has over 100 system tools pre-installed.

Through the customised decoys, the first attempt at lateral movement is alerted when they are used. These decoys provide exactly the information the attacker needs to make the first move undetected.

What is meant by “alert fatigue”?

Alert fatigue. Many endpoints are configured to produce alerts: Server, Firewall, Antivisrus etc. Due to the high number of false positives, as well as other ineffective activities in the operation, alarms are ignored, overlooking the critical alarms.

What is Lateral Movement?

This is the phase of an attack where the attacker moves from one endpoint to the next. Depending on the model/framework (cyber kill chain, MITRE ATT@CK, unified killchain), it is at a different phase position. If it is not detected in time (attacker uses living-off-the-land methods), the attacker can theoretically persist on any endpoint and infiltrate the network again at any time via backdoors. Cleaning up all endpoints is very time-consuming or even impossible.

Deception technology supports the security team by detecting the first lateral movements at an early stage, alerting the security analysts and providing them with context-related specific threat intelligence.

What are indicators of compromise?

These artefacts (e.g. logs, timestamps, registry entries, file HASH’es ) serve as forensic evidence of possible intrusions into a host system or network and can be obtained via external threat intelligence services. However, this information is based on knowledge and is constantly changing, as attackers are constantly changing their techniques, tactics and procedures.

Deception technology does not require this knowledge. Deception technology supports and relieves security teams, as context-related and individual threat intelligence is made available in real time and insight into an ongoing attack is provided. This in turn can be used to extract “proprietary” information to make the entire network more secure.


The MITRE ATT&CK Enterprise Framework, is a constantly evolving, globally accessible knowledge base of cybercriminal tactics and techniques based on real-world observations over the past few years. In practice, MITRE ATT&CK enables organisations to better understand and prepare for attacks.

Deception technology supports broad areas of this framework by providing contextual threat intelligence on the relevant tactics and techniques (e.g. lateral movement, brute force, pass the hash, account discovery).


About the author

Cybertrap Foto Carsten

Carsten Keil
Sales Director Northwest Europe at CYBERTRAP

Skip to content