Organizations are prioritizing the security of user and machine identities, as well as identity infrastructure such as Microsoft Active Directory, as adversaries increasingly adopt identity-based tactics in their attacks. Today's security teams rely on a variety of different tools to keep up with this shift, and some of their methods are more effective than others.
Deception technology has become one such tool; it aims to mislead and reveal adversaries by tempting them with fake resources in a corporate environment. Honeypots are the original form of deception technology. When an adversary enters the honeypot, detecting them is simple, because legitimate traffic would never enter the honeypot.
On the surface, deception technology seems like an effective way for organizations to lure and deceive adversaries, protect their data and gain intelligence on potentially malicious activity. But on closer inspection, there are severe weaknesses that security teams may not initially consider when relying solely on legacy deception technology as a form of defense.
The downside of deception technology
Deception technology relies on an adversary's limited knowledge of the true target environment. These tools are built on the idea that adversaries are unaware of the full network topology and therefore have to decide where to go, and what to attack, with little understanding. Unfortunately for security teams, savvy adversaries can turn the tables on their victims and use this technology to their advantage.
According to our recent research, the average breakout time for an attacker to move laterally from initial compromise to another host within the victim's environment is just 84 minutes. This indicates that adversaries remain sophisticated and may have more knowledge of a network than most security professionals believe. It is possible for an adversary to easily identify decoy assets and use them to generate false alerts that distract security teams while a real intrusion takes place elsewhere.
Another limitation: the risk of lateral movement caused by poorly designed systems. In addition to standing up a system that looks legitimate enough to attract adversaries, companies also need to secure it. They cannot simply stand up a fully secured honeypot system overnight. It takes time and effort to accommodate the design complexities and ensure the system cannot serve as a launching point for intruders to reach other systems.
Finally, the costs of honeypots add up. It is expensive to build and maintain a separate network of fake computers and resources. Support costs increase as well, since deception technology still requires skilled staff to monitor and maintain it.
How to detect, divert, and disarm adversaries
Companies can try to lure adversaries by deliberately presenting them with accounts flagged as honeytokens, which alert organizations to potential attacks. A honeytoken is not a full system, but rather real data or accounts instrumented so that an alert is triggered when unusual activity, such as access from an unknown user, is detected. These alerts let security teams quickly identify an adversary's attack path and allow granular protection policies to block honeytoken account activity and lateral movement in real time.
Honeytokens offer legitimacy, security and ease of implementation compared to honeypots. Because honeytokens are real data and accounts, attackers are unlikely to suspect a trap and will continue with their activities, not realizing they have already been identified and tracked by security teams. Teams will already know that it is a genuine attack, which lets them address the threat immediately instead of spending time confirming whether it is real. Also, with honeytokens, teams do not have to stand up entire systems, saving them time and resources.
Honeytokens also give security teams peace of mind. By giving security teams dedicated policy support, such as triggering multi-factor authentication, organizations can place tight security controls on honeytoken accounts and eliminate the risk of adversaries moving laterally within the network.
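As an added illustration, not code from the original article or from CrowdStrike, here is the kind of detection logic a security team can run over Active Directory authentication events to flag any use of a honeytoken account and map it to a response policy. The decoy account names, the allowlisted monitoring host and the event records are constructed assumptions for the example.

```python
"""Honeytoken account monitor over Windows/AD authentication events (example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical honeytoken accounts: real-looking AD accounts that no person or
# service ever uses legitimately, so any authentication is a true positive.
HONEYTOKEN_ACCOUNTS = {"svc_backup_legacy", "adm_helpdesk2"}

# Assumed allowlist: the monitoring host that periodically confirms the decoy
# accounts still exist. Its own lookups must not raise alerts.
ALLOWED_SOURCES = {"10.0.5.20"}

# Windows Security event IDs that represent use of a credential.
SUCCESS_EVENTS = {4624: "logon", 4768: "Kerberos TGT request"}
FAILURE_EVENTS = {4625: "failed logon", 4771: "Kerberos pre-auth failure"}


@dataclass(frozen=True)
class Alert:
    account: str
    source_ip: str
    event_id: int
    description: str
    response: str  # policy action to apply to the account and source host


def check_event(event: dict) -> Optional[Alert]:
    """Return an Alert if the event touches a honeytoken account, else None."""
    user = str(event.get("TargetUserName", "")).lower()
    eid = event.get("EventID")
    if user not in HONEYTOKEN_ACCOUNTS:
        return None
    if eid not in SUCCESS_EVENTS and eid not in FAILURE_EVENTS:
        return None
    src = str(event.get("IpAddress", "unknown"))
    if src in ALLOWED_SOURCES:
        return None
    if eid in SUCCESS_EVENTS:
        # The decoy credential was accepted: it is compromised. Disable it and
        # contain the source host before it is used for lateral movement.
        return Alert(user, src, eid, SUCCESS_EVENTS[eid],
                     "disable account; isolate source host; require MFA on peers")
    # A failed attempt shows someone is enumerating or guessing the decoy.
    return Alert(user, src, eid, FAILURE_EVENTS[eid],
                 "raise to SOC; require MFA for all logons from source")


def scan(events: Iterable[dict]) -> List[Alert]:
    return [a for a in map(check_event, events) if a is not None]


# Constructed sample events (not real telemetry), using Security-log field names.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.1.15"},
    {"EventID": 4768, "TargetUserName": "svc_backup_legacy", "IpAddress": "10.0.5.20"},
    {"EventID": 4771, "TargetUserName": "ADM_HELPDESK2", "IpAddress": "10.0.1.77"},
    {"EventID": 4768, "TargetUserName": "svc_backup_legacy", "IpAddress": "10.0.1.77"},
]
```

Run `scan(SAMPLE_EVENTS)`: the ordinary user logon and the allowlisted check produce nothing, while the two events from 10.0.1.77 each yield an alert with the matching response policy.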
Stay proactive against identity-based threats
Identity threat detection and response (ITDR) has become an essential part of defending against modern threats, and security teams can make it even more effective by adding honeytokens as part of a comprehensive identity protection strategy. This is especially important because the use of compromised credentials is difficult to detect, which lets adversaries bypass traditional security measures unnoticed.
Deception technology has not proven itself an effective security solution for organizations. Instead, organizations should consider more comprehensive identity protection that offers real-time detection, visibility and prevention capabilities against identity-based attacks. By delivering continuous visibility and integration with Active Directory as well as multiple identity and access management (IAM) products, a risk-based identity protection solution that uses a more effective and safer way to trap adversaries can bring organizations a comprehensive level of monitoring and threat detection.
Kapil Raina, identity protection evangelist, CrowdStrike