Top Deception Tools for 2022
Attivo Networks Blogs

Top Deception Tools for 2022


As technologies advance, and cyber threats with them, deception has become a big part of the 21st century cybersecurity battle. From bank transfer cons to CEO fraud to elaborate phishing and spear phishing campaigns, cyber criminals have been quick to use deception as a major means of infiltrating networks and systems, and for remaining undetected while inside.

But it can work the other way. Security vendors and startups use deception techniques to confuse and befuddle attackers. If an attacker is spending time and energy breaking into a decoy server, the defender is not only protecting valuable assets, but also learning about the attacker’s objectives, tools, tactics, and procedures.

That is the basic premise behind deception tools and technologies. By masking high-value assets in a sea of fake attack surfaces, attackers are disoriented and attack a fake asset, in the process alerting security teams to their presence. Deception tools can thus be an important defense against advanced persistent threats (APTs).

What is Deception Technology?

According to Gartner analyst Lawrence Pingree, attackers must “trust” the environment they insert their malware into and the web applications and services they attack over the internet.

They sneak around the fringes of the enterprise, seeking a way inside, which they might accomplish by tricking a user into clicking on a malicious link, opening an infected attachment or providing credentials and passwords, or perhaps by hacking an unpatched or zero-day vulnerability. Once inside, they can freely steal confidential information or pull off a financial heist.

“Deception exploits their trust and tempts the attacker toward alarms,” said Pingree. “Deception also can be used to move an attacker away from sensitive assets and focus their efforts on fake assets—burning their time and the attacker’s investment.”

How Does Deception Technology Work?

Deception tools are designed to trick attackers into thinking they have succeeded while also covertly luring them toward alerting security systems.

“Distributed deception platforms (DDP) are solutions that create faked systems (often real operating systems, but used as sacrificial machines), lures (such as fake drive maps and browser histories), and honeytokens (fake credentials) on real end-user systems to entice and mislead the attacker to faked assets in order to enhance detection and to delay their actions as they attack those decoy assets,” said Pingree.

Core functions of such systems include:

  • Centralized management of real-user endpoint lures and decoy endpoint hosts, such as servers and workstation hosts
  • The ability to manage deceptive services, web applications and other network integration capabilities of decoys
  • The ability to administer endpoint lures and honeytokens to entice the attacker
  • The ability to administer and distribute deceptive data, like Word documents and database tables/entries and files, in decoy host deceptions

“Modern deception technology goes beyond network decoys and endpoint lures by adding concealment, misinformation, and misdirection to the mix,” said Carolyn Crandall, chief security advocate and CMO at Attivo Networks. “Concealment hides and denies access to production data, credentials, credential stores, and Active Directory (AD) objects to prevent attackers from targeting them, thus preventing exploitation and compromise.

“Misinformation inserts fake results into queries targeting Active Directory, preventing AD enumeration. Misdirection actively interrupts reconnaissance activities by redirecting the traffic to a decoy and away from production systems.”

Obtaining the desired results depends on being able to deploy credible deceptive elements on endpoints, network or application layers in sufficient scale to catch all potential intrusions. As such, various tactics are in play: Lures are placed on endpoints to attract the attention of would-be attackers. Other decoys are located on the network layer, and a few operate within applications or within stored data to misdirect cyber criminals.

Best Deception Solutions

After reviewing a number of deception solutions, here are eSecurity Planet’s picks for the top deception technology vendors.


Attivo Networks, acquired by SentinelOne, offers deception and concealment technology within its Endpoint Detection Net (EDN) suite. It includes credential and AD protection solutions, data concealment, and attack deflection functions designed to detect and derail lateral movement and privilege escalation activities.

Key Differentiators

  • Its AD protection function uses concealment and misinformation to protect against identity-based attacks targeting Active Directory. It identifies unauthorized queries attempting to mine AD for data, hides sensitive or privileged AD query results (such as AD domain admins, domain controllers, SPNs, and others), and inserts fake results that point to decoy systems.
  • Deception for identity protection includes credential protection capabilities that add concealment to protect credential stores on the endpoints, binding them to the applications that own them and denying access to any other process.
  • The EDN concealment function hides and denies access to local files, folders, mapped network or cloud shares, local privileged accounts, and removable storage, preventing attackers from seeing and targeting them.
  • The EDN deflection function redirects both inbound and outbound attempts to conduct port and service discovery activities by deflecting the connections to decoys systems for engagement. This misdirection prevents accurate fingerprinting and system identification, generates an early alert on the reconnaissance activity, and diverts the attempted connection away from production assets.

Read the full article by Drew Robb on eSecurity Planet.

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Ready to find out what’s lurking in your network?

Scroll to Top