Learn the best practices to implement a secure network deception solution that can lure and trap attackers, while protecting your real network and data.

There is no point in having deception in place if you are not looking at signals it generates. This is true for all detection technologies: They will only provide value when you are prepared to act on the generated alerts. Integrate your deception tools to your security monitoring infrastructure (your SIEM, for example) and processes. Review the detection settings and content regularly to ensure you are still seeing activity coming from your honeypots and honeytokens.

Deception is used for post infection detection during lateral movement at least by my Attivo (now Sentinel One) customers. They use it to obtain an IOC otherwise not found like this: 1. Deceptive honeynet traps are configured to mimic a high value target such as an AD or Dbase. 2. These traps are a few hops from what used to be called the DMZ, near whatever the edge to/from clouds/Internet is considered. 3. When other controls fail to catch a perpetrator, the trap we called BOTsink alerts the SOC/Blue Team/SIEM/MSSP. 4. Deceptive credentials on end points when stolen are not the actual, true credentials. 5. For DFIR, logs/PCAPs are gathered when the alarm rings. 6. Dwell time is vastly reduced with deception.

What is the best way to implement a secure network deception solution?

Network deception is a technique that creates fake assets, services, or data on a network to lure and trap attackers. It can help detect and prevent intrusions, reduce dwell time, and collect threat intelligence. But how can you implement a secure network deception solution that does not compromise your real network or expose sensitive information? Here are some best practices to follow.

1 Assess your network

Before deploying any network deception solution, you need to understand your network topology, assets, vulnerabilities, and traffic patterns. This will help you identify the most likely attack vectors, the most valuable targets, and the most suitable deception methods. You can use tools like network scanners, vulnerability scanners, and traffic analyzers to collect and analyze this information.

Add your perspective

Steve Moscarelli

Illumio - Regional Sales Director: Illinois & Wisconsin
(edited)
Report contribution
Deception is used for post infection detection during lateral movement at least by my Attivo (now Sentinel One) customers. They use it to obtain an IOC otherwise not found like this: 1. Deceptive honeynet traps are configured to mimic a high value target such as an AD or Dbase. 2. These traps are a few hops from what used to be called the DMZ, near whatever the edge to/from clouds/Internet is considered. 3. When other controls fail to catch a perpetrator, the trap we called BOTsink alerts the SOC/Blue Team/SIEM/MSSP. 4. Deceptive credentials on end points when stolen are not the actual, true credentials. 5. For DFIR, logs/PCAPs are gathered when the alarm rings. 6. Dwell time is vastly reduced with deception.

Like
Augusto Barros

Building security products that fit into the real world and solve real issues | Cybersecurity evangelist, former Gartner analyst
Report contribution
This can be done manually, but deception platforms can do most of the work automatically. Many of them can query your Active Directory to figure out OS versions and naming conventions (for hosts and user accounts), for example.

Like

2 Choose your deception types

Network deception is a useful security tool, with various types that can be employed depending on your goals and resources. Honeypots are fake systems or devices that mimic real ones and attract attackers with enticing data or services; they can be low-interaction or high-interaction. Honeynets are networks of honeypots that simulate a larger and more complex environment. Decoys are fake assets or data embedded in the real network, such as files, folders, databases, credentials, or network shares that contain fake or misleading information. Lures are fake indicators or clues planted on the real network or systems to direct attackers to the deception layer; they could be fake ports, services, protocols, or vulnerabilities. All of these methods can help create a secure environment and protect against malicious actors.

Add your perspective

Augusto Barros

Building security products that fit into the real world and solve real issues | Cybersecurity evangelist, former Gartner analyst
Report contribution
Network deception is simple to deploy, but when done in an isolated way the value will be limited. Hosts in the internal network, for example, will only be useful if there are lures/breacrumbs pointing to them, otherwise you may only have attack traffic reaching them when the attacker runs networks scans (not really common these days are scans are too noisy; unless you want to find simple things such as network worms - but there are simpler ways to do that, right? :-)) A mix of network hosts, breadcrumbs and honeytokens are the best bet to maximize the detection capabilities of your deception deployment.

Like

3 Design your deception layer

Careful design of the deception layer is essential to make it convincing, effective, and secure. To ensure this, you should align your deception layer with your network architecture and security policies, making sure it does not interfere with normal network operations or performance. Additionally, customize your deception types to match real network assets and services, using realistic data, configurations, and behaviors to avoid detection and increase engagement. To increase the difficulty and cost for attackers, distribute your deception types across network segments and zones and create multiple layers of deception. Lastly, isolate your deception layer from your real network by using firewalls, switches, routers, or VLANs to separate the traffic and prevent lateral movement or data leakage.

Add your perspective

4 Monitor and respond

The last step is to monitor and respond to the activity on your deception layer. You need to have a system that can collect, analyze, and alert you on the relevant events and indicators, as well as a plan to mitigate the risks. Logging and recording everything that happens on the deception layer is essential; this includes the attacker's IP address, tools, techniques, commands, queries, and data exfiltration attempts. You should also use tools like SIEM, threat intelligence, or deception analytics to enrich and contextualize the information. It's important to alert and notify the relevant stakeholders and teams with tools like email, SMS, or dashboard. Finally, use tools like firewall, IPS, or endpoint security to contain and remediate the attack. Network deception is a powerful way to enhance security; by following these best practices you can deter, detect, and disrupt attackers while protecting your real network and data.

Add your perspective

Augusto Barros

Building security products that fit into the real world and solve real issues | Cybersecurity evangelist, former Gartner analyst
Report contribution
There is no point in having deception in place if you are not looking at signals it generates. This is true for all detection technologies: They will only provide value when you are prepared to act on the generated alerts. Integrate your deception tools to your security monitoring infrastructure (your SIEM, for example) and processes. Review the detection settings and content regularly to ensure you are still seeing activity coming from your honeypots and honeytokens.

Like

5 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

Add your perspective

What is the best way to implement a secure network deception solution?

1

2

3

4

5

1 Assess your network

2 Choose your deception types

3 Design your deception layer

4 Monitor and respond

5 Here’s what else to consider

Network Security

Rate this article

Thanks for your feedback

More articles on Network Security

More relevant reading

What is the best way to implement a secure network deception solution?

1

2

3

4

5

1 Assess your network

2 Choose your deception types

3 Design your deception layer

4 Monitor and respond

5 Here’s what else to consider

Network Security

Rate this article

Thanks for your feedback

Explore Other Skills