Organizations are prioritizing the security of user and machine identities, as well as identity infrastructure such as Microsoft Active Directory, as adversaries increasingly adopt identity-based techniques in their attacks.
Today’s security teams rely on a range of different tools to keep up with this shift — and some of their strategies are more effective than others. On the surface, deception technology, such as honeypots, seems like an effective way for organizations to lure and deceive adversaries, protect their data and gain intelligence on potentially malicious activity.
But there are severe weaknesses that security teams may not initially consider when solely relying on legacy deception technology for defense.
Downside to deception technology
Deception technology relies on an adversary’s limited knowledge of the true target environment. These tools are developed based on the idea that adversaries are unaware of the full network topology and make decisions on where to go — and what to attack — with little understanding. Unfortunately for security teams, savvy adversaries can use this technology against them.
According to CrowdStrike’s ‘2023 Global Threat Report’, an attacker can move laterally from initial compromise to another host within the victim’s environment in 84 minutes. This indicates that adversaries are sophisticated and may have more knowledge of a network than most security pros think. An adversary can easily identify decoy assets and use them to generate fraudulent alerts and distract security teams while a real infiltration happens elsewhere.
Another limitation: the risk of lateral movement caused by poorly designed systems. In addition to standing up a system that looks legitimate enough to attract adversaries, companies also need to secure it. This requires time and effort to accommodate the design complexities and ensure the system cannot serve as a launching point for intruders to access other systems.
The costs of honeypots can add up. It’s expensive to build and maintain a separate network with fake computers and resources. Support costs can increase too, as deception technology still requires skilled staff to monitor and maintain it.
Detect, divert and disarm
Companies can lure adversaries with honey-tokens, which alert organizations to potential attacks. It triggers an alert if unusual activities get detected. These alerts let security teams quickly identify an adversary’s attack path and allow for granular protection policies to block honey-token account activities in real time.
Honey-tokens offer legitimacy, security and ease of implementation over honeypots.Hackers are unlikely to issue fraudulent alerts and will continue with their activities, not knowing they have been identified by security teams. Also, with honey-tokens, teams do not have to stand up entire systems, thus saving them time and resources.
Organizations can put tight security controls on honey-token accounts and eliminate the risk of adversaries moving laterally within the network.
Identity-based threats
Identity threat detection and response (ITDR) is an essential part to defending against current generation threat levels, and security teams can make it more effective when adding honey-tokens as part of a comprehensive identity protection strategy. It’s especially critical because it’s difficult to detect the use of compromised credentials, which lets adversaries bypass traditional security measures unnoticed.
Deception technology has not proven itself an effective security solution for organizations. They should consider comprehensive identity protection for real-time detection, visibility and prevention capabilities to defend against identity-based attacks.
By providing continuous visibility and integration with active directory and multiple identity and access management (IAM) products, a risk-based identity protection solution can bring a comprehensive level of monitoring and threat detection for organizations.
