The ancient war strategies by Sun Tzu says: "Know thy self, know thy enemy. A thousand battles, a thousand victories.”
This means if you know the strengths and weaknesses of your enemy, and if you know the strengths and weaknesses in your defense system, you can win any battle. To win against cyber attackers and hackers or users with malicious intention, the cyber security team needs to understand the attacker’s techniques and tools, as well as shortfalls in the organization's defense system.
To understand the attack techniques and hackers’ interests in your environment, we need to understand three techniques that can help security professionals stop attackers before a data breach happens.
- Sandboxing — This technique allows the malware to install and run in an enclosed environment where the security team can monitor the malware's actions to identify potential risks and countermeasures.
- Honeypots — These are intentionally vulnerable systems that are meant to attract attackers. Honeypots entice attackers to attempt to steal valuable data or further scope out the target network. Honeypots help you to understand the process and strategy of attackers.
- Deception technologies — These are more advanced honeypot and honeynet products that offer more automation for both detection and implementation of defenses based on the data they gather.
Deception technology is like honeypots on steroids. It has more advanced capabilities like deception lure, deception automation, threat analysis, threat hunting, and more.
The core technology behind deception is the decoy. In general, there are several kinds — low, medium, high. To align with FortiDeceptor technology, let's focus on two types of decoys — low Interaction and High Interaction.
- Low interaction honeypot — This decoy has limited capability of emulating enterprise applications and be used only for detection from where the attackers are coming and what they want to exploit. These are easy for attackers to fingerprint and bypass.
- High interaction honeypot — This decoy is identical to the enterprise systems and can run real operating systems, applications, and services with dummy data. They allow the attacker to log in and they respond to the attacker’s request. In this way, the decoy helps you understand the attacker's intentions, lures them for a long time to identify how command and control infrastructure is set up.
Deception technology systems are more advanced and have more parts, breadcrumbs, baits, and lures. Deception systems are implemented alongside enterprise systems but they are still in an isolated environment.
Deception technology systems are used to interrupt the attacker's kill chain, prolong the attack either to exhaust the attacker’s resources or encourage attackers by providing oblivious vulnerabilities to know the identity and details of their network and arsenals.