Here’s how Defender XDR can help you find attackers sooner in your environment | Deception Rules MDE

Microsoft announced Deception rules as part of Defender for Endpoint Plan 2 at Ignite 23.
Here’s why deception technologies are important for your cyber security program according to NIST, and how the feature currently works in preview in Defender XDR.
Deception Technologies
In the cyber security domain, the ability to detect attackers is fundamental for threat analysis and, of course, for protection. One of the techniques we can use to make sure there aren't any attackers lurking in your environment is called deception.
Deception in cyber security means having decoy accounts or artefacts in your environment that attract the attention, and of course the time, of attackers in order to steer them away from the real artefacts and data in your environment.
There are a number of cyber security vendors who specialise in deception (or deceptive) technologies; some of these vendors include Attivo, CounterCraft, and more.
Most importantly, from a cyber security process management perspective, we must look at guidance from major entities on the role of deceptive technologies in your cyber security defence program.
I sat down to research what NIST special publications or guidance had been published about this, and found a very good blog article from one of the specialised deception technology vendors written with exactly this lens. The blog post is from CounterCraft and contains some of NIST’s commentary on deceptive technologies; it can be accessed here.
Essentially, it mentions that there are three main reasons why cyber security programs should contain deceptive technology.
These reasons are:
- it “wastes” the adversary’s time and resources
- it lowers the adversary’s efficacy and their ability to gather intel
- it stops the adversary in the middle of the cyber kill chain, buying the defender time to react
Do read the blog post for more details on which NIST special publications contain these points, and of course for more commentary from the author on them.
How it currently works in Defender XDR
As stated before, Deception rules have been added to Defender XDR in preview; you can find the official announcement here.
This is not new to Microsoft security, however, as Sentinel has had some deception techniques available since around 2021.
It works by creating decoy hosts or credential accounts in your environment on a selected scope of devices. At the moment, these devices must be Windows devices.
Below you can see an official depiction from Microsoft of the effect and impact of the capability in your deployment. Essentially, it gives your analysts a way to find attackers before they do any real harm in your environment.
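As an added example that is not from the original post or from Microsoft's documentation, here is a Defender XDR Advanced Hunting query (KQL) an analyst could run to surface every authentication attempt, successful or failed, that references one of the decoy accounts a deception rule has planted. The decoy account names in the list are constructed placeholders; substitute the names your own rule generates.

```kql
// Constructed placeholders: replace with the decoy account names your deception rule creates.
let DecoyAccounts = dynamic(["svc-backup-decoy", "adm-finance-decoy"]);
let lookback = 7d;
// Endpoint-side logon attempts (interactive, network, RDP, ...) that reference a decoy identity.
let endpointHits =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where AccountName in~ (DecoyAccounts)
    | project Timestamp, Source = "DeviceLogonEvents", DeviceName, AccountName,
              ActionType, LogonType, RemoteIP,
              InitiatingProcessFileName, InitiatingProcessAccountName;
// Identity-side (domain controller / Entra) authentications for the same decoy identities.
let identityHits =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where AccountName in~ (DecoyAccounts)
    | project Timestamp, Source = "IdentityLogonEvents", DeviceName, AccountName,
              ActionType, LogonType, RemoteIP = IPAddress,
              InitiatingProcessFileName = "", InitiatingProcessAccountName = "";
// Legitimate users have no reason to touch a decoy, so every hit is worth triage;
// failed attempts count too, because a spray or a replayed stolen credential often fails first.
union endpointHits, identityHits
| summarize Attempts = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Actions = make_set(ActionType),
            SourceIPs = make_set(RemoteIP),
            Processes = make_set(InitiatingProcessFileName)
    by DeviceName, AccountName, Source
| order by LastSeen desc
```

The built-in deception alerts remain the primary signal; this hunt is a complement that also catches low-volume touches (a single failed logon against a lure) that are worth a look before an alert fires.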

If you want to learn more about why that's important, check out my video below for details and a quick example of how this works.
Documentation is also available, and you can find the prerequisites at the following link: https://learn.microsoft.com/en-us/microsoft-365/security/defender/deception-overview?view=o365-worldwide
Check out the steps to configure the feature in my video, here: