Network Deception Techniques Cut Dwell Times, Says Report

Companies using decoy systems to lure hackers away from legitimate targets spot hackers in their networks much more quickly than those who don't, according to a survey released today. The study, conducted by analyst company Enterprise Management Associates (EMA) and commissioned by deception technology vendor Attivo Networks, found that companies using deception techniques detected hackers on the network almost two months sooner than those that didn't use the techniques.

Deception technology attempts to throw attackers off the trail by offering up decoy assets for them to attack. Modern solutions include things like fake credentials, browser histories and registry entries, which lure attackers to decoy systems. They are typically invisible to legitimate network users but accessible via dual-use tools like PowerShell, which attackers often use to traverse networks.

EMA surveyed 208 respondents, ranging from IT managers through to CISOs and line-of-business managers, across various sectors. Roughly half of the organizations (55%) used deception technology. Of those that did, around half used commercial solutions, while 18% relied on traditional honeypots or honey nets and 30% used homegrown or open source solutions.

One of the most significant differences in the effects of deception technology was on dwell time (the length of time that attackers lurk in the company network). On average, respondents who had discovered attackers in their infrastructure reported a 31.9-day dwell time. Users of deception technology who considered themselves highly familiar with it reported a dwell time of 5.5 days in their networks, whereas nonusers said that companies faced a 60.9-day dwell time.

Those that used deception technology most often created decoy IT infrastructure systems like LDAP servers and IT network devices like switches and routers. Almost one in five respondents (19%) emulated these systems, with enterprise applications like CRM and ERP coming a close second at 15%. They most often deployed decoy technology in cloud-hosted systems and applications, followed by their own applications and servers.

The use of deception technology also played a part in how companies discovered breaches. On average, 26% of respondents learned of breaches from outsiders. Fewer than one in five (18%) companies using deception technology found out about them this way, compared to 36% of the companies that didn't use it.
