Attivo Networks Blogs

Keeping it Real with Authentic Deception Technology

Written by: Mike Parkin – Technical Marketing Engineer – In a previous blog post, I covered what I call the ‘sweet spot’ for deception, which describes the characteristics and quality deceptive assets need to have to look like the real thing if they’re going to be effective against a skilled attacker. That brings us to the idea of “keeping it real,” which sounds like a contradiction when the subject is deception. It’s not though. The core of effective deception is creating assets that an attacker can’t tell from the real thing. They look real. They act real. To an attacker, they are real.

When deceptive assets are deployed, they should appear as real as possible, and Attivo’s ThreatDefend® platform achieves that using machine learning to analyze the environment it’s deployed in. A wide variety of deception campaigns are designed to match the environment closely, but to make it even more authentic, users can further adjust things using customization features, or even gold disk images. With perfectly matched deception, an attacker won’t know whether the system they’re on is live or a decoy, or whether the credentials they’ve stolen are authentic or fake until it’s far too late.

In order to stay authentic, deceptive assets can’t remain static. While they look real when they are deployed, they need to stay real-looking or they are as obvious as a ‘stand-out’ decoy. If an attacker sees that a stolen credential hasn’t been used in five weeks, or systems look out of date, they’ll be suspicious. If an experienced attacker believes there’s deception in the environment, they’ll steer clear of anything that looks out of place. That means keeping it real if you expect the deception to remain effective.

For the ThreatDefend platform, we keep things real by using machine learning to regularly update the deceptive assets. The platform is continuously listening to the environment to see how it changes over time. As the environment changes, the decoys change to match, so they always look authentic. An attacker who’s doing reconnaissance on the network won’t see anything unusual. The decoys are changing at pace with the rest of the network, so they don’t stand out as anything unusual.

Keeping it real on the endpoints means keeping the deception credentials and other assets up to date as well. Attivo handles endpoint deception using the ThreatStrike™ solution from the ThreatDefend platform, which places deceptive credentials and other lures and breadcrumbs on the endpoints. The ThreatStrike system runs as an agentless service that keeps the local deception up to date, all without requiring local software or the need for patching. When an attacker looks at local assets or scrapes credentials from the endpoint, what they see is up to date. None of the breadcrumbs or deception credentials will be stale or look out of place, so they don’t throw up any red flags to the attacker.

Saying “keep it real” in the context of deception isn’t the oxymoron it initially appears. In fact, the ability to keep deceptive assets fresh and authentic is one of the things that sets the Attivo Networks ThreatDefend platform apart and makes it so effective. Ultimately, to keep deception ef

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Leave a Comment

Your email address will not be published.

14 − nine =

Ready to find out what’s lurking in your network?

Scroll to Top