Decoys to Dye Packs: Facing Down Cybersecurity Threats
Attivo Networks Blogs



The days of Jesse James’s train and bank robberies and John Dillinger kicking down doors with his trademark Tommy gun may be long gone, but bank heists are alive and well in the 21st century — albeit with a new flair. Instead of dramatic physical robberies, today’s criminals have shifted the battleground to cybersecurity, infiltrating the networks of financial institutions globally to steal money and personal information. The scale of these attacks is staggering. Back in 2012, individuals and businesses are believed to have lost approximately $78 million during Operation High Roller. Fast forward to today, and the hacking group known as Bandidos Revolution Team is reported to have stolen hundreds of millions of pesos by infiltrating interbank payment systems and hacking into ATMs. Notably, this group is not believed to be connected to another, separate 300-million-peso heist from five banks last year.

Financial institutions are clearly a prime target for cybersecurity attacks. They are hit 300 times more frequently than businesses in other industries — in fact, PayPal CEO Dan Schulman estimates that businesses in the financial services arena are attacked more than 1 billion times each year. All told, banks lost $16.8 billion to cyberattacks in 2017 — and this is before factoring in reputation damage or potential damage to customers caused by compromised information.

FIs are diligent in their cybersecurity; however, as attackers get more sophisticated and begin to leverage artificial intelligence and enhanced computing power, it is becoming increasingly difficult to prevent them from getting a foothold in the network. The battlefield has moved inside the network, and a new approach is needed. In addition to behavioral and traffic analysis — which can be challenging, given the complexity of these networks and the volume of attacks — financial institutions are employing proven tactics of deception.

Deception turns a favorite method of attackers against them by creating an environment in which attackers cannot tell real from fake. This forces them to slow their attack and operate without making any mistakes — or risk revealing their presence. Derailing an attack is executed at multiple levels, starting with creating mirror images of production “safes” and “crown jewels” and mimicked application connections, so that the attacker is attracted into a trap. The next step involves leaving codes and access paths to the “safe” through the use of deceptive credentials, lures, and maps. The third deception option is to deploy “dye packs”: decoy documents that raise an alert and send a geo-location ping when opened.

Collectively, these tools provide defenders with “eyes-inside-the-network” visibility to attacker access and activity. An advanced deception platform aids financial defenders with additional benefits, such as visibility into exposed credentials and the paths an attacker can take based upon them. It can also deliver the ability to gather forensic evidence, indicators of compromise and information on the tools and techniques of an attacker. This adversary intelligence is incredibly useful in stopping an attack, hunting and removing back doors and ultimately preventing the attacker from returning and continuing their attack. Deception provides a powerful tool for early detection of both external and internal threats, including those involving an employee or supplier. In addition to catching malicious external activity, a deception environment can alert on policy violations and misconfigurations, which are often indications of an attack in progress or a vulnerability that could be exploited if not addressed.
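The two lure types described above (deceptive credentials left as bait, and decoy documents that beacon when opened) only pay off if their use is noticed and attributed to a source. The following is an added illustration, not Attivo code or any product's format, of the detection side: a small monitor that holds a registry of planted lures, scans constructed authentication and beacon log lines, and raises an alert whenever a decoy account or decoy document is touched. The log line formats, the account names, the document id `dp-4f2a`, the share path and the IP addresses are all constructed for this example.

```python
"""
Honeytoken alerting for two deception layers: decoy credentials and
"dye pack" decoy documents. Everything here (log formats, lure names,
sample lines) is constructed for illustration and is not a vendor format.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Registry of planted lures. In a real deployment this would come from the
# deception platform's inventory; these are constructed sample values.
DECOY_ACCOUNTS = {"svc_backup_legacy", "fin_transfer_admin"}
DECOY_DOCUMENTS = {
    "dp-4f2a": r"\\fileshare\finance\wire_instructions_Q3.xlsx",
}

# Constructed log formats assumed by this example:
#   AUTH <ts> user=<name> src=<ip> result=<success|failure>
#   BEACON <ts> doc=<id> src=<ip> host=<name>
AUTH_RE = re.compile(r"^AUTH (\S+) user=(\S+) src=(\S+) result=(\S+)$")
BEACON_RE = re.compile(r"^BEACON (\S+) doc=(\S+) src=(\S+) host=(\S+)$")


@dataclass(frozen=True)
class Alert:
    kind: str        # "decoy_credential" or "decoy_document"
    timestamp: str
    source_ip: str   # where the touch came from; the pivot for investigation
    detail: str


def detect(lines):
    """Return one Alert per lure touch found in the given log lines."""
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if m:
            ts, user, src, result = m.groups()
            # Decoy accounts have no legitimate use, so any attempt, whether
            # it succeeds or fails, is a high-fidelity signal.
            if user in DECOY_ACCOUNTS:
                alerts.append(Alert("decoy_credential", ts, src, f"{user} ({result})"))
            continue
        m = BEACON_RE.match(line.strip())
        if m:
            ts, doc_id, src, host = m.groups()
            # A beacon from a registered decoy document means it was opened
            # somewhere; the host and source IP say where.
            if doc_id in DECOY_DOCUMENTS:
                path = DECOY_DOCUMENTS[doc_id]
                alerts.append(Alert("decoy_document", ts, src, f"{path} opened on {host}"))
    return alerts


def summarize_by_source(alerts):
    """Count lure touches per source IP, so the noisiest host is obvious."""
    return dict(Counter(a.source_ip for a in alerts))


# Constructed sample log: one normal login, two decoy-account attempts and a
# decoy-document beacon from the same host, then an unrelated failed login.
SAMPLE_LOG = [
    "AUTH 2023-03-01T09:12:01Z user=alice src=10.1.4.22 result=success",
    "AUTH 2023-03-01T09:15:44Z user=svc_backup_legacy src=10.1.9.77 result=failure",
    "AUTH 2023-03-01T09:15:50Z user=svc_backup_legacy src=10.1.9.77 result=success",
    "BEACON 2023-03-01T09:21:07Z doc=dp-4f2a src=10.1.9.77 host=WS-ACCT-14",
    "AUTH 2023-03-01T09:30:00Z user=bob src=10.1.4.30 result=failure",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(f"[{alert.kind}] {alert.timestamp} from {alert.source_ip}: {alert.detail}")
    print("touches per source:", summarize_by_source(found))
```

Because the decoy accounts and documents are never used in normal operations, every match is actionable without any baseline or behavioral model, which is the practical difference between this kind of detection and the traffic analysis the article mentions. The per-source summary is the starting point for the forensic follow-up described above: in the sample, one host touched a decoy credential twice and then opened a decoy document, which is exactly the lateral-movement trail a defender wants to pull.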

As The Art of War says, it is important to know thy enemy. Deception provides a critical function in derailing attacks but also in gathering intelligence. Each time an attacker enters a network, they learn and gather information to advance their attack. Now, with deception technology, the power is shifted to the defender. With each attack, intelligence is now gathered for fortifying defenses and applying landmines that will ultimately increase an attacker’s cost and challenge their ability to be successful.
