Deception Technology: What It Is and How Hackers Are Fooled
You’ve probably heard of honeypots—decoy targets used to detect hackers by monitoring attacks on them. In recent years, this technology has evolved and is now generally referred to as Deception. Let’s discuss the differences and how hackers are being tricked today.
What Is Deception?
The word “deception” means trickery or fraud, which perfectly captures the essence of this technology: to catch an attacker, the traps must be indistinguishable from real services. Today, Deception technology is mainly offered by foreign—primarily American and Israeli—vendors, such as TrapX, Illusive Networks, Fidelis, Cymmetria MazeRunner, and Canary. Russian solutions are still limited, with a few notable examples like Bastion Security Platform and Xello, as well as some open-source tools.
As a developer, I’ll explain what Deception is and why it’s interesting. But first, let’s talk about its predecessor: honeypots.
Honeypots: The First Decoys
Honeypots, which first appeared in the late 1980s and early 1990s, are network objects designed solely to attract attackers and be attacked. They have no legitimate value in the network and don’t participate in real network interactions. When attacked, a honeypot records and saves all the attacker’s actions, which helps analyze the attacker’s path later. A secondary goal is to slow down the attacker by making them waste time on a fake resource.
A honeypot can be a full-fledged operating system emulating a workstation or server, or just a single service. However, honeypots have several drawbacks:
- Each fake server must be configured separately.
- Honeypots don’t interact with each other or with real infrastructure elements, which makes them easy for hackers to identify as fakes.
- They are usually not part of a centralized system.
To address these issues, a more advanced and intelligent technology emerged: Deception.
The Essence of Deception Technology
Deception is a type of Intrusion Detection System (IDS) designed to detect unauthorized access attempts. Unlike honeypots, which are isolated network resources waiting for attackers, Deception is a centralized system for managing fake network objects, known as decoys. Each decoy is essentially a honeypot, but all are connected to a central server.
These solutions typically offer user-friendly interfaces for managing decoys. Operators can create decoys with specific emulated network services, in chosen subnets, with desired IP assignment methods, and more. Decoys and their emulated services maintain constant communication with the server. Like honeypots, decoys don’t allow legitimate network interactions (except with other Deception components).
Any attempt to interact with a decoy is reported to the server as an attack indicator. Operators receive instant notifications with details such as source and target addresses and ports, protocol, and timestamp. Additional modules may provide manual or automated incident response capabilities.
Deception can also include components that simplify setup and deployment, make decoys more realistic, or attract hackers to fake targets. Some components handle related tasks, like incident response, collecting indicators of compromise from workstations, or searching for vulnerable software.
Agents
An agent is a program installed on real user workstations or servers. It communicates with the Deception server, executes its commands, or sends useful data to the management center. Some Deception solutions include agents, while others do not.
Agent tasks may include:
- Collecting workstation status data
- Distributing lures
- Emulating network activity
- Incident response (manual or automated)
- Collecting forensic data
- Other functions as needed
Agent activity should be hidden from the user to prevent accidental or intentional removal and to avoid discomfort from unknown software. Anything visible to the user is also visible to an attacker who gains access to the machine. Therefore, agents usually run in privileged mode (as a driver on Windows or a kernel module on Linux), allowing them to intercept system calls for stealth and prevent removal or interference.
Deception Techniques
The goal of Deception is to convince attackers that all decoys and their interactions are real, valuable, and in use, making fake targets attractive for attack. Modern systems use several components to achieve this.
Lures
To increase the chances that an attacker stumbles upon a decoy, Deception uses lures or “breadcrumbs.” A lure is an object placed on a real workstation, either hidden or visible, that looks ordinary and tempting to an attacker (e.g., a “forgotten” password file, saved session, browser bookmark, registry entry, or mounted share). The lure contains a link and credentials for accessing a fake network resource. When an attacker finds and uses these credentials, they trigger an incident alert.
The type and placement of lures depend on the decoy they lead to. Lures can be distributed in several ways. If agents are present, they handle lure distribution automatically via commands from the management server. Without agents, Deception may provide ready-made scripts for manual execution, but this approach is less flexible and harder to update.
It’s important to limit real users’ interaction with lures as much as possible, but not to hide them so well that attackers can’t find them. Lures must also be believable; for example, placing an SSH lure on an accountant’s computer might raise suspicion. Lures often include credentials, so it’s useful to maintain a database of fake users within Deception.
Fake Users
To make lures more convincing, the credentials they contain should resemble real ones. Every organization has its own user data formats (e.g., login formats, password policies, email addresses). Deception can integrate with traffic analysis systems to identify patterns and generate realistic fake users. Alternatively, users can be generated based on manually defined rules, such as name dictionaries, login templates, password requirements, domain addresses, and mail servers. This is especially useful for organizations with branches in different countries, allowing for localized fake user data.
Once the fake user database is created, Deception can use it to generate lures. For added realism, all lures on a given agent can appear to come from the same fake user.
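As an added example that is not from the article or from any vendor’s product, here is a small Python model of the fake-user and lure pipeline described in the Lures and Fake Users sections. The rule set, host names, addresses and the lure file format are all assumed; the point it shows is that, because each fake identity is planted on exactly one host, a decoy seeing those credentials also tells you which workstation was read.

```python
import random
import re

# Constructed rules for one organization (assumed; not from any real deployment).
RULES = {
    "first_names": ["anna", "ivan", "maria", "sergey"],
    "last_names": ["petrova", "smirnov", "kuznetsova", "volkov"],
    "login_template": "{first[0]}.{last}",   # e.g. a.petrova
    "mail_domain": "corp.example",
    "password_length": 12,
}
# Policy check: 12+ chars with upper, lower, digit and one of !@#$%.
PASSWORD_RE = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[!@#$%])[A-Za-z\d!@#$%]{12,}$")

def make_password(rng, length):
    """One character from each class, then filler, shuffled, so the policy always holds."""
    pools = ["ABCDEFGHJKLMNPQRSTUVWXYZ", "abcdefghijkmnpqrstuvwxyz", "23456789", "!@#$%"]
    chars = [rng.choice(p) for p in pools]
    chars += [rng.choice("".join(pools)) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)

def generate_fake_users(rules, count, seed=0):
    """Fake identities built from the rule set; a fixed seed makes them reproducible."""
    rng, users = random.Random(seed), {}
    while len(users) < count:
        first, last = rng.choice(rules["first_names"]), rng.choice(rules["last_names"])
        login = rules["login_template"].format(first=first, last=last)
        if login not in users:
            users[login] = {"email": f"{login}@{rules['mail_domain']}",
                            "password": make_password(rng, rules["password_length"])}
    return users

class LureRegistry:
    """Tracks which fake identity was planted on which host, so a decoy hit names the looted host."""
    def __init__(self, users):
        self.users = users
        self.placements = {}  # login -> (host the lure was planted on, decoy it points to)

    def plant(self, host, decoy, login):
        self.placements[login] = (host, decoy)
        # Constructed lure body in the style of a "forgotten" credentials note.
        return f"# old creds, remove me\nhost={decoy}\nuser={login}\npass={self.users[login]['password']}\n"

    def report_login(self, decoy, src_ip, login, password):
        """Every authentication attempt at a decoy is an incident; lure credentials also attribute it."""
        alert = {"decoy": decoy, "src": src_ip, "login": login, "attribution": None}
        user = self.users.get(login)
        if user and user["password"] == password and login in self.placements:
            alert["attribution"] = self.placements[login][0]  # that host's lure was read
        return alert
```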
Emulating Network Interactions
Unlike traditional honeypots, which are isolated and leave no network traces, Deception aims to encourage attackers to interact with decoys. To do this, attackers need hints about where to look and must believe the decoy is a real service. If a service never shows any network activity, it looks suspicious.
One key feature of Deception is the ability to actively emulate network interactions. Any two components in the system (decoy to decoy, agent to decoy) can interact, using anything from simple TCP/UDP packets to high-level protocol data, depending on the decoy type. For example, an agent might periodically connect to an SSH decoy, authenticate, and even run commands.
It’s important to note that decoys report all connection attempts, including those from emulation. The Deception server must distinguish between real security events and emulated ones. Emulation can also overlap with lures; for example, protocols like FTP transmit credentials in plain text, so emulated FTP connections can serve as lures for attackers monitoring traffic. However, care must be taken to randomize and mask emulated traffic to avoid detection by attackers analyzing network patterns.
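An added example, not code from the article or from any Deception product, of how a server can tell emulated sessions from real ones: every agent-to-decoy session is scheduled with random jitter and recorded, and a decoy report that matches no pending session (or replays one already consumed) is treated as an attack. Addresses, protocol names and the window length are assumed.

```python
import random

class EmulationScheduler:
    """Schedules agent-to-decoy emulated sessions and classifies decoy reports.

    Assumed design for this example: the server knows every emulated session in
    advance (agent address, decoy address, protocol, time window), so a report
    from a decoy that matches none of them is a real security event.
    """

    def __init__(self, base_interval, jitter, seed=0):
        self.rng = random.Random(seed)
        self.base, self.jitter = base_interval, jitter
        self.expected = []  # (agent_ip, decoy_ip, proto, not_before, not_after)

    def next_delay(self):
        # Randomize the period so emulated traffic has no fixed beat for an observer to pick out.
        return self.base + self.rng.uniform(-self.jitter, self.jitter)

    def schedule(self, agent_ip, decoy_ip, proto, now, window=30):
        """Plan one emulated session; returns the time the agent should start it."""
        start = now + self.next_delay()
        self.expected.append((agent_ip, decoy_ip, proto, start, start + window))
        return start

    def classify(self, report):
        """report: dict from a decoy with src, dst, proto, ts. Returns 'emulated' or 'attack'."""
        for i, (a, d, p, t0, t1) in enumerate(self.expected):
            if (a, d, p) == (report["src"], report["dst"], report["proto"]) and t0 <= report["ts"] <= t1:
                del self.expected[i]  # each planned session is consumed once; a replay is an attack
                return "emulated"
        return "attack"

    def triage(self, reports):
        """Return only the reports that need an operator's attention."""
        return [r for r in reports if self.classify(r) == "attack"]
```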
Additional Components
Deception systems can include various other elements. Two of the most relevant are automated deployment and workstation data collection.
Automated Deployment
One challenge with Deception is the labor-intensive initial setup. Without automated deployment, each decoy and emulated service would have to be manually configured, and lures created and placed for each decoy—a huge task, especially for large organizations with many subnets and resource types. Automated deployment can be achieved by integrating Deception with traffic analysis systems, allowing it to automatically determine which decoys to deploy and where, or by active network scanning and passive traffic monitoring. Alternatively, operators can select preferred services and decoy quantities, and the system will deploy them automatically based on templates.
Workstation Data Collection
Deception can do more than just detect attacks. With agents, it can collect data about installed software (including versions and installation dates) and compare it to vulnerability databases (like CVE) to warn about serious vulnerabilities. Agents can also gather forensic data, such as which process initiated an attack, how it got onto the computer, and more. Additionally, agents can collect indicators of compromise, allowing for early warnings before an attacker takes active steps in the network.
Conclusion
Deception is a relatively new technology, but it’s rapidly gaining popularity. It doesn’t replace standard security systems but complements them, helping detect attacks that bypass other defenses. Thanks to its flexibility and integration capabilities, Deception offers broad attack detection possibilities, including asset inventory and incident response. Its effectiveness depends on proper development and configuration—if done right, attackers won’t realize they’re targeting a fake. And even if they do, it may be too late for them.
Deception is forgiving of some configuration errors; even if attackers spot indirect signs of a decoy, the system remains effective. Still, proper setup is crucial! If you’re unsure whether your company needs this technology, try a demo version of any solution (including ours!). And if you’re a pentester or red teamer, we hope you appreciate our efforts to make your job harder!