Microsoft Defender for Endpoint includes a powerful Deception feature, designed to enhance early threat detection and response capabilities. This blog post will explore what the Deception feature is, its prerequisites, how to configure it, and how to monitor results effectively.
What Is the Deception Feature?
The Deception feature in Microsoft Defender for Endpoint creates an artificial attack surface within your network. It uses decoys (fake assets like user accounts or hosts) and lures (digital breadcrumbs such as fake credentials or file locations) to trick attackers into revealing their tactics. When attackers interact with these decoys or lures, high-confidence alerts are generated, enabling security teams to detect and contain threats early in the attack chain. This feature is particularly effective at identifying human-operated lateral movement during reconnaissance and credential theft phases, providing valuable insights into attacker behavior and improving overall security posture.
Benefits of the Deception Feature
The Deception feature offers several advantages:
- Early Detection: Identifies threats during early stages like reconnaissance and credential theft.
- High-Fidelity Alerts: Generates accurate alerts that reduce false positives.
- Seamless Integration: Works with existing endpoint agents without requiring additional deployment of sensors.
- Enhanced Security Posture: Provides deeper insights into attacker behavior, enabling proactive defenses.
Prerequisites for Activating the Deception Feature
Before enabling the Deception feature, ensure your environment meets the following requirements:
- You must have one of the following roles to configure deception capabilities:
– Global administrator
– Security administrator
- Microsoft Defender for Endpoint must be the primary Endpoint Detection and Response (EDR) solution.
- Devices must be joined or hybrid-joined to Microsoft Entra ID (formerly Azure AD).
- PowerShell must be enabled on devices.
- Automated investigation and response should be configured and enabled.
- Supported operating systems include Windows 10 RS5 or later.
- Additionally, this capability is included in subscriptions such as Microsoft 365 E5, Microsoft Security E5, or Microsoft Defender for Endpoint Plan 2. If you don’t have one of these licenses, you might not be able to see the Deception activation button in your Settings menu.
Lure Types and Considerations
There are two types of lures available in the deception feature:
- Basic lures – planted documents, link files, and the like that have no or minimal interaction with the customer environment.
- Advanced lures – planted content like cached credentials and interceptions that respond to or interact with the customer environment. For example, attackers might pick up decoy credentials that were injected into responses to Active Directory queries and then use them to sign in.
If you want to benefit from the Deception feature very quickly, use the Basic and Advanced lures without creating custom lures. Basic and Advanced lures are almost completely automated, while still allowing you to make customizations for your organization.
To benefit quickly from the Deception feature with Basic and Advanced lures, you must prepare the following:
- Decide whether you will deploy the lures on all your client devices (workstations) or just some devices with specific tags.
- Decide how many fake user accounts to create and what their usernames will be. The usernames should follow your organization’s naming structure. Please also consider using account names that are common in your country.
- Decide how many fake virtual machines to create. The machine names should follow your organization’s naming structure. You might want to add some non-domain computers as well. You might also want to assign static IP addresses to lure machines; otherwise, the virtual machines will use the default IP addresses.
Using custom lures allows you to plant additional files with almost any extension (except .dll and .exe), up to 10 MB in size, in a path of your choice (like C:\Temp). Custom lures can also be planted as hidden files, which is not possible with autogenerated lures.
How to Configure the Deception Feature
Enabling and configuring the Deception feature is straightforward. Follow these steps:
1. Access the Microsoft 365 Defender Portal.
2. Enable Deception Capabilities:
- Go to Settings > Endpoints > General > Advanced Features.
- Toggle the switch for Deception capabilities to “On”.
3. Set Up Rules for Decoys and Lures:
- Use built-in machine learning suggestions or manually create decoys and lures tailored to your environment.
- Deploy these assets automatically using PowerShell scripts to devices within your network.
4. Simulate Alerts (Optional):
- Test the configuration by simulating alerts, such as sign-in attempts with deceptive user accounts, to verify that alerts are correctly generated.
Monitoring Results
Once configured, monitoring the results of the Deception feature is critical for maximizing its effectiveness:
1. View Alerts in Defender XDR Portal
Alerts based on deception detection contain the word “deceptive” in the title. Some examples of alert titles are:
- Sign-in attempt with a deceptive user account
- Connection attempt to a deceptive host
All alerts triggered by interactions with decoys or lures are automatically correlated into incidents within the Microsoft Defender XDR portal. These incidents provide detailed insights into attacker methods and strategies.
2. Analyze Attack Patterns
Use the alert data to understand how attackers are navigating your network and interacting with deceptive assets. This information can inform broader security measures and improve defenses against future threats.
3. Automated Threat Disruption
The system can automatically disrupt detected threats by containing compromised devices or accounts, reducing the time spent on manual intervention.
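As an added example (not from the original post or from Microsoft’s documentation), the following Advanced Hunting query in the Defender XDR portal pulls the deception alerts described above and lists which devices, accounts and remote addresses each one involved, so an analyst can see at a glance how an intruder moved between decoys. It relies on the built-in AlertInfo and AlertEvidence tables and on the title convention above; the 7-day lookback is an arbitrary choice.

```kql
// Added example: triage Deception alerts in Defender XDR Advanced Hunting.
// Assumes the standard AlertInfo and AlertEvidence tables; the lookback
// window is an arbitrary value and can be adjusted.
let lookback = 7d;
AlertInfo
| where Timestamp > ago(lookback)
// Deception alerts carry "deceptive" in the title, e.g.
// "Sign-in attempt with a deceptive user account"
| where Title has "deceptive"
| project AlertId, AlertTime = Timestamp, Title, Severity, Category
| join kind=inner (
    AlertEvidence
    | where Timestamp > ago(lookback)
    | project AlertId, DeviceName, AccountName, AccountDomain, RemoteIP
) on AlertId
// One row per alert, with every decoy-related entity collected into sets;
// empty entity fields (a device row has no account, and vice versa) are skipped
| summarize
    FirstSeen = min(AlertTime),
    Devices   = make_set_if(DeviceName, isnotempty(DeviceName)),
    Accounts  = make_set_if(strcat(AccountDomain, "\\", AccountName), isnotempty(AccountName)),
    RemoteIPs = make_set_if(RemoteIP, isnotempty(RemoteIP))
  by AlertId, Title, Severity, Category
| order by FirstSeen desc
```

Run it under Hunting > Advanced hunting. Because deception alerts are high-fidelity, every row deserves a look; a cluster of rows within minutes that touch several decoy accounts or hosts from the same source device or RemoteIP is the reconnaissance and lateral-movement pattern the post describes, and the device in question is the first candidate for containment.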
Conclusion
Microsoft Defender for Endpoint’s Deception feature is a game-changer in proactive threat detection. By strategically placing decoys and monitoring interactions, your organization can uncover hidden threats and respond swiftly. With proper configuration and monitoring, Deception enables security teams to gain the upper hand against attackers.
To learn more about enabling Deception and other advanced features in Microsoft Defender for Endpoint, contact us at Paradigm Security. Let’s secure your digital environment together!