Deception mechanisms for detecting sophisticated attacks

Private information stored in document files is the most popular target for attacks coming from professional hackers, according to TopSpin Security. File traps, including Office files, recent docs and deleted docs, were touched the most times during the research.

deception mechanisms

Assets and decoys

The next most attractive attack targets were application traps, consisting of session apps and browsers, followed by email traps. Notably, 100 percent of the attackers were detected during the initial stages of the attack.

As far as trap types triggered by the hacker participants and malware, 90 percent of the application traps set were touched at least once, followed by 70 percent of the email traps touched and 64 percent of the document traps touched. However, it is interesting to note that the research revealed that human attackers and malware have very different targets they seek. While human attackers seek document files, malware and machine attacks target applications.

“This research is unique in gathering information about attack patterns of hacking experts and advanced malware, and the effectiveness of deception traps set in an enterprise,” said Omer Zohar, Head of Research at TopSpin Security. “Attackers go after files not only to steal them – but also in order to use information stored in files to get credentials and other types of data that helps them traverse through the network.”

Human attackers

For the most popular traps triggered by human attackers, 77 percent of participants triggered document traps set in the enterprise environment.

Next 45 percent of the hackers triggered credential traps, consisting of usernames and passwords in files, directories and emails, followed by 36 percent who triggered email traps. In addition, human attackers also reached network, application and IoT-based traps.

deception mechanisms

How deception works

Malware attacks

When it comes to malware attacks, application traps were the most attractive, successfully luring malware 90 percent of the time.

Next, 25 percent of the beacon traps in the environment, mechanisms built into a document or email file which send signals to pre-defined servers every time the file is opened, were triggered by malware.

The third most popular attack targets for malware were document traps, 13 percent of which were triggered by malware.


Passwords are the holy grail for attackers. The research showed that attackers not only picked up passwords regardless of their source or format, they used the acquired passwords multiple times in a variety of locations. For example, attackers found and average of two credentials each, while each password was attempted an average one 2.5 times. In one instance, a password was used 11 times in 11 different places.

“There are reasons why the deception technology market is poised to grow to $1.7 billion by 2021, with a CAGR of over 10 percent — due to the complex nature of such threats (especially from nation states), many enterprises need to leverage their existing threat defense capabilities against these advanced adversaries,” Stephen Singam, managing director of security research at Distil Networks, told Help Net Security.

“However, there are certain areas of the enterprise in which CISOs should be concerned about deploying deception technology. Most deception technologies utilize software-defined networks (SDNs), i.e separating the control panel from the data panel, which offers a flexible and dynamic, yet centralized deception network administration. However, SDNs are still undergoing teething problems with attack vectors. The most concerning attack vector is the insider attack. On their own, deception technologies may not be that effective for detecting and mitigating risks – for example, if an employee maliciously causes control or Layer 7 saturation attacks against an SDN’s NOS cluster,” Singam concluded.

Don't miss