From the course: CompTIA Security+ (SY0-701) Cert Prep

Deception technologies

- [Instructor] Cybersecurity analysts play a cat-and-mouse game with attackers, seeking to prevent them from gaining unauthorized access to a network. Deception technologies can be powerful tools in this battle, allowing analysts to get one step ahead of the attackers. Let's take a look at a few common deception technologies. Analysts use a wide variety of security monitoring systems to detect unauthorized activities on networks, systems and applications. However, it can often be difficult to tell the difference between legitimate traffic and activity that's part of an attack. Darknets are designed to assist with making this distinction. Administrators set aside portions of their normal IP address space for use as a darknet. No legitimate systems use those addresses, so therefore, if a monitoring system detects any activity headed to those addresses, it's very likely that it's an attacker performing network reconnaissance. Activity to a darknet warrants further investigation. Honeytokens are fake records inserted into databases or file systems to detect malicious activity. For example, a database might include a fake email address that routes to the organization's security operations center. Emails sent to that address presumably come from someone who has gained access to the database. Honeyfiles are files that are specifically created to resemble sensitive data, but instead they contain garbage data or intentional misinformation. Honeypots go a step further. These are actual systems placed on a network with the purpose of intentionally attracting attackers. These systems may have names that indicate that they contain sensitive information or they'd be helpful to an attacker, and they may even contain files with fake sensitive data. In reality, they're carefully monitored and instrumented traps for attackers.
The honeypot is configured to fool an attacker into thinking that they've compromised a sensitive system, but the honeypot immediately alerts administrators and may trigger an immediate security response. They send fake telemetry to the attacker and real telemetry to the security team. Honeynets are large-scale deployments of multiple honeypots on the same network. Another deception technique used by cybersecurity analysts is the DNS sinkhole. When systems are compromised by malware and joined to a botnet, they're configured with the server names of command and control servers that they contact to receive future instructions. When security analysts identify these command and control servers, they can create DNS sinkholes for those addresses. To do this, they feed false information to their own DNS servers, telling the server that it is authoritative for the malicious domain and telling it to reroute traffic headed to the command and control server to the address of a web server that warns users that their system has been compromised. This activity is also logged for administrators who may intervene to clean up the infected system. When you think about it, DNS sinkholes are basically the same thing as DNS poisoning attacks, except in this case, security professionals are waging the attack against their own users to prevent those users from having their systems carry out botnet instructions.
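The darknet monitoring and DNS sinkhole ideas from the lesson, as an added Python example that is not part of the course: a simulated resolver that answers for sinkholed domains with the warning server's address and logs the asking client, plus a flow filter that flags any traffic into a reserved darknet range. The address range, domain names, warning-server address and flow records are all constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample values (not from the course): a range the organization
# set aside as a darknet, known C2 domains, and the internal warning page.
DARKNET = ipaddress.ip_network("10.99.0.0/16")
SINKHOLED_DOMAINS = {"c2.example-malware.test", "update.bad-domain.test"}
WARNING_SERVER = "10.0.5.20"


@dataclass
class SinkholeResolver:
    """Simulated recursive resolver: it behaves as if authoritative for
    sinkholed domains, returns the warning server, and logs each client."""
    upstream: Dict[str, str]  # stand-in for real recursive resolution
    sinkhole_log: List[Tuple[str, str]] = field(default_factory=list)

    def resolve(self, client_ip: str, qname: str) -> Optional[str]:
        name = qname.rstrip(".").lower()  # normalize trailing dot and case
        # Match the C2 domain itself and any subdomain beneath it.
        for bad in SINKHOLED_DOMAINS:
            if name == bad or name.endswith("." + bad):
                self.sinkhole_log.append((client_ip, name))  # for cleanup
                return WARNING_SERVER
        return self.upstream.get(name)  # normal (simulated) resolution


def darknet_hits(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Return (src, dst, dport) for flows aimed at the darknet range.
    Nothing legitimate lives there, so every hit warrants investigation."""
    return [f for f in flows if ipaddress.ip_address(f[1]) in DARKNET]


# Constructed sample data: flow records (src, dst, dport) and a tiny zone.
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.1.2.50", 443),   # ordinary internal traffic
    ("10.1.2.3", "10.99.4.7", 22),    # probe into the darknet
    ("10.1.2.3", "10.99.4.8", 22),    # another probe: likely a scan
]
SAMPLE_UPSTREAM = {"intranet.example.test": "10.0.1.10"}

if __name__ == "__main__":
    resolver = SinkholeResolver(SAMPLE_UPSTREAM)
    print(resolver.resolve("10.1.2.3", "c2.example-malware.test"))
    print(resolver.resolve("10.1.2.3", "intranet.example.test"))
    print(resolver.sinkhole_log)
    print(darknet_hits(SAMPLE_FLOWS))
```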