"Appear weak when you are strong, and strong when you are weak." - Sun Tzu, The Art of War
What are decoys and how do they help improve cybersecurity resilience?
Most attacks today leverage the existing credentials of privileged users: the attacker compromises their systems and then moves laterally through the network using the compromised credentials. SIEMs, firewalls, and other security technologies have a hard time distinguishing a system administrator's normal activity from that of an attacker who is pivoting through the same administrator's system with the same set of credentials.
"Decoys" are near-exact replicas of actual assets and are virtually indistinguishable from them. Think of a Windows file server that appears absolutely identical to an actual file server within your organization. Except that it isn't.
We booby-trap the environment with digital tripwires that lure the attacker into what he believes is a genuine information asset. This procedure of "Decoyment" can mimic standard servers such as DNS or file servers, or more specialized systems such as a SWIFT server or an ATM switch server.
What happens once the decoys are operational?
When the attacker penetrates, or simply tries to scan, any of the decoys, the responsible security team is instantly alerted to quarantine, observe, or mitigate the breach. This way we are able to keep the attacker engaged while the actual modus operandi of the attack is ascertained. Since there is no real threat of losing or risking the actual information asset, there is time to launch a counter-offensive or trace the threat actor. In a well-set-up network of decoys there is little or no chance of a false positive; in fact, a single alert from the decoy network should trigger a Severity 1 or Severity 2 incident response.
Are decoys and honeypots the same?
They are similar, though not the same. "Honeypots" are vulnerable systems used mainly to lure attackers. They look like critical assets but usually contain no information of value, and they are a great research tool. Decoys, on the other hand, are configured to look vulnerable but are not: they are hardened so that they cannot be used to pivot deeper into your network or to launch attacks on external entities. Decoys thus help to identify an attacker lurking in your network and probing your critical assets.
How does your service work?
Based on the customer's requirements, we identify the right network points where decoys should be set up. We also work with the customer to customize our existing decoys so that they mimic their real assets. We already have dozens of decoys pre-configured, and most of these are suitable for most organizations. We deploy extensive monitoring on the decoy systems as well as on the network segments hosting them. These alerts feed into our big-data ELK stack and help us deliver actionable cybersecurity intelligence to our customers immediately.
For most organizations, deploying 10-12 decoys across a couple of network segments can be done in a matter of hours. For more involved customizations, it might take a couple of weeks. The entire setup can be up and running at fairly low cost and deliver maximum value with an extremely low false positive rate.
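The alerting logic described above (any contact with a decoy is an incident, rated Severity 1 or 2, with the monitoring collector as the only expected visitor), as an added example that is not the service's own code. The decoy inventory, the allow-listed collector address, the flow-record format and the Severity 1/2 triage rule are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed decoy inventory: decoy address -> (asset it mimics, service ports exposed).
DECOYS = {
    "10.0.5.20": ("file-server", {445}),
    "10.0.5.21": ("dns", {53}),
    "10.0.9.40": ("swift-gateway", {443}),
}
# Constructed allow-list: the monitoring collector that health-checks the decoys.
# Nothing else has a legitimate reason to touch them.
MONITORING_HOSTS = {"10.0.250.5"}

@dataclass(frozen=True)
class Alert:
    severity: int          # 1 or 2: a decoy alert is never rated lower (assumed triage rule)
    src: str
    decoys_touched: tuple  # names of the mimicked assets this source contacted

def parse_flow(line):
    """Parse one constructed flow record: '<ts> <src> <dst> <dport> <proto>'."""
    _ts, src, dst, dport, _proto = line.split()
    return src, dst, int(dport)

def detect_decoy_touches(lines):
    """One Alert per source that contacted any decoy. Assumed triage rule:
    contact on the mimicked service port (an access attempt) is Severity 1;
    anything else (a scan) is Severity 2. Monitoring hosts are excluded."""
    touched, service_hit = defaultdict(set), defaultdict(bool)
    for line in lines:
        src, dst, dport = parse_flow(line)
        if dst not in DECOYS or src in MONITORING_HOSTS:
            continue  # real asset, or the collector: not a tripwire hit
        name, ports = DECOYS[dst]
        touched[src].add(name)
        service_hit[src] |= dport in ports
    return [Alert(1 if service_hit[s] else 2, s, tuple(sorted(n)))
            for s, n in sorted(touched.items())]

SAMPLE_FLOWS = [  # constructed records
    "2024-01-01T10:00:00Z 10.0.250.5 10.0.5.20 445 tcp",  # collector health check: ignored
    "2024-01-01T10:00:05Z 10.0.3.17 10.0.5.20 445 tcp",   # workstation opens SMB on the decoy
    "2024-01-01T10:00:06Z 10.0.3.17 10.0.5.21 22 tcp",    # same host probes the DNS decoy
    "2024-01-01T10:01:00Z 10.0.3.99 10.0.9.40 8080 tcp",  # another host scans the SWIFT decoy
    "2024-01-01T10:01:01Z 10.0.3.99 10.0.7.1 443 tcp",    # real asset, not a decoy: no alert
]

for a in detect_decoy_touches(SAMPLE_FLOWS):
    print(f"SEV{a.severity} decoy contact from {a.src}: {', '.join(a.decoys_touched)}")
```

In a real deployment the flow records would come from the collector feeding the ELK stack, and each Alert would open the Severity 1 or 2 incident the text describes.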