Attivo Networks Blogs

How security teams are turning to decoy networks

Some of the greatest survivors in nature are those that fool predators in order to derail their attack. This allows them to realise the threat and make their escape or fight back.

Take, for instance, the juvenile Damselfish. When threatened by predators, this marine marvel shrinks its eyes and grows a large spot on its tail to look like an eye. Having such a decoy deceives anything wishing to dine on the Damselfish into attacking the tail rather than the head. The fish can then swim off to safety and avoid its demise. Similar forms of cunning can also be seen in butterfly fish, octopuses, chameleons, and tree frogs, which are all adept at using various forms of camouflage as a defense against predators.

In cyber deception, decoys and lures offer similar benefits in their use of camouflage to keep corporate networks and their information safe. This creates an advantage that other security tools cannot offer. Because the decoys hide in plain sight, attackers can be tricked and derailed, which causes adversaries to make mistakes and turns the tables on those who try to infiltrate systems.

Deceiving the deceiver

Cyber deception defense tactics protect a network by convincing a cybercriminal that they are accessing the actual network, when in fact they are wandering aimlessly through a virtual “hall of mirrors”.

This starts by providing the in-network attacker with attractive targets that replicate the look, feel, and behavior of the actual network. This is done through the use of decoy networks, which are based on the same operating systems, applications, and identities as the production systems. Placing attractive “breadcrumbs” based on credentials and mapped drives will also proactively and quickly lure the attacker into the deception environment, as will populating the decoy with recent, seemingly valuable content that the attacker would expect to find. Being attractive is important, but it must also be balanced with authenticity. As such, decoy networks should not be too obvious or easy to infiltrate, or attackers will promptly identify them as fakes and avoid them.

A well-designed decoy network will not only reduce risk by detecting threats early but will also benefit the defender with intelligence they could not gather elsewhere. This intelligence can be used to reduce response time from hours to minutes, and using it to fortify defenses can provide a competitive advantage. Whether the motivation is the fidelity of the detection or the desire to gather adversary intelligence and forensics, deception provides a unique offering, and one that the adversary is often not expecting or prepared for.
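
The detection logic this implies, as an added example (not Attivo's code and not part of the original post): no legitimate user has a reason to use a breadcrumb credential or connect to a decoy, so every such event is treated as an alert and attributed to its source. The host names, account names, and log events below are constructed for illustration.

```python
# Assumed inventory of deception assets (hypothetical names, not from any product).
DECOY_HOSTS = {"fs-archive02", "sql-rpt01"}
BREADCRUMB_ACCOUNTS = {"svc_backup_adm"}

# Constructed sample logon events: (timestamp, source host, account, destination).
EVENTS = [
    ("2024-05-01T09:00:12", "wks-114", "jsmith", "fs-prod01"),
    ("2024-05-01T09:03:40", "wks-207", "svc_backup_adm", "fs-prod01"),
    ("2024-05-01T09:04:05", "wks-207", "svc_backup_adm", "fs-archive02"),
    ("2024-05-01T09:06:31", "wks-207", "mlee", "sql-rpt01"),
    ("2024-05-01T09:10:00", "wks-114", "jsmith", "mail01"),
]

def classify(account, dest):
    """Return the reasons an event touches deception assets (empty if none)."""
    reasons = []
    if account in BREADCRUMB_ACCOUNTS:
        reasons.append("breadcrumb credential used")
    if dest in DECOY_HOSTS:
        reasons.append("decoy host contacted")
    return reasons

def detect(events):
    """Group deception hits by source host, keeping the earliest hit time."""
    alerts = {}
    for ts, src, account, dest in sorted(events):  # ISO timestamps sort in time order
        reasons = classify(account, dest)
        if not reasons:
            continue
        entry = alerts.setdefault(
            src, {"first_seen": ts, "reasons": set(), "targets": []})
        entry["reasons"].update(reasons)
        entry["targets"].append((account, dest))
    return alerts

def accounts_to_review(events, alerts):
    """Real accounts used from an alerting source: candidates for a reset."""
    return sorted({acct for _, src, acct, _ in events
                   if src in alerts and acct not in BREADCRUMB_ACCOUNTS})

if __name__ == "__main__":
    found = detect(EVENTS)
    for src, info in found.items():
        print(src, info["first_seen"], sorted(info["reasons"]), info["targets"])
    print("review:", accounts_to_review(EVENTS, found))
```

In the sample data the breadcrumb credential is first seen against a production server, so the alert fires before the decoy is ever touched, and the real account later used from the same source is surfaced for review.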

