A deception-based security infrastructure can deploy deception mechanisms throughout a network to attract attackers. While the deception mechanisms might act like real host machines on the network, the deception mechanisms do not typically affect normal operation of the network.
Deception mechanisms, however, can also fool network administration tools, which may be legitimately used by network administrators. For example, an enterprise network scanner (e.g., Rapid7 and Qualys) can identify a deception mechanism as a real host machine on the network. By identifying the deception mechanism as a real host, the enterprise network scanner may report a misleading asset count for the network. This may lead, for example, to additional software licenses or to time consumed from information technology (IT), finance, and security operations center (SOC) teams. In some cases, the enterprise network scanner can interact with the deception mechanism, possibly causing the deception mechanism to falsely report an intrusion.
Conventionally, a network administration tool was prevented from detecting a deception mechanism by shutting down the deception mechanism while the network administration tool was operating. However, shutting down deception mechanisms on the network can be inefficient. Therefore, there is a need in the art for improved methods, devices, and systems for implementing deception mechanisms in a network.