To attract attackers, decoys are made to resemble the target systems as closely as possible. They have the look and feel of systems that an attacker seeks. Intelligent deception solutions actively lure attackers to the decoys once they have penetrated the perimeter. These lures, or breadcrumbs, exploit the fact that when an attacker initially exploits an asset, they are essentially blind. The attacker cannot tell where in the network he has landed, so he starts looking for other assets that have been accessed from the infected asset. The attacker looks for tools that the infected asset is currently using, credentials that the exploited system may be using and other systems to which the affected asset is connected. This evidence of credential and connection is a necessity if the attacker is to continue his exploit and successfully navigate to sensitive and protected systems in the organization.
Intelligent deception takes advantage of the attacker’s initial hunt for credential and connection by creating deceptive breadcrumbs that lead to decoys. Breadcrumbs can take many forms. From cookies to registry values, to emails to files, to ARP table values and beyond – all with fake credentials and fake data that attackers find irresistible.
Breadcrumbs should be strategically placed in order to be effective. An intelligent deception solution passively scans network traffic and analyzes the applications being used on each asset, the communication graphs in the organization, the behavior of assets including internet communication habits, and much more. Using all of this data, intelligent deception solution can deliver better and automated detection and response with as fewer false positives.