Investigating Cyber Threats with Deception Technologies: A Spotlight on Resecurity
In the world of cybersecurity, the stakes have never been higher. As cyber threats evolve, organizations must continuously adapt their defensive strategies. One approach that has gained significant traction in recent years is the use of deception technologies for counterintelligence. Companies like Resecurity have pioneered these techniques, deploying solutions, tools, and decoy models that mimic legitimate enterprise environments in order to mislead threat actors.
The Foundations of Deception Technologies
Deception technologies build on the principle of the traditional honeypot: a controlled environment designed to lure attackers. By deploying deliberately vulnerable or misconfigured applications that no legitimate user has any reason to touch, organizations can monitor intruders passively while logging every action they take. Because genuine users never interact with a decoy, any activity against it is a high-fidelity signal with very few false positives. This tactic not only aids in threat detection but also lets organizations hunt for threats proactively rather than wait for an alert.
The Role of Artificial Intelligence and Machine Learning
Integrating artificial intelligence (AI) and machine learning (ML) into deception strategies makes them more effective. One important development is the use of synthetic data: records generated to mirror real-world data in structure and appearance while containing no real customer or proprietary information. In threat hunting, synthetic data lets a decoy look like a production dataset, an attractive target for threat actors, without exposing anything of value if the decoy is dumped.
For instance, Resecurity models its decoys on data that has previously been breached, so that the synthetic records have the shape and feel of a real leak. By planting honeypots filled with seemingly legitimate but ultimately worthless records, organizations attract threat actors and observe their tactics and methods as they engage with the decoy assets.
A Live Case Study: Threat Actor Detection
On November 21, 2025, Resecurity identified a threat actor probing a number of publicly facing services and applications. The team documented several Indicators of Attack (IOA), including source IP addresses traced back to Egypt and to VPN providers. Recognizing that the actor was conducting reconnaissance, the Resecurity team set up honeytrap accounts: decoy logins designed to entice the intruder.
This proactive measure led the threat actor to log in to one of Resecurity's emulated applications, which contained only synthetic data. Because nothing in the application was real, the access exposed nothing of value, while it yielded crucial intelligence on the attacker's methods and intentions.
Creating Realistic Synthetic Data
To enhance their deception capabilities, Resecurity generated two distinct datasets: more than 28,000 synthetic consumer records and 190,000 synthetic payment transaction records. Key to the strategy was using known breached data, as traded on the Dark Web, as a reference for what a genuine leak looks like, so that the synthetic data was convincing enough to attract sophisticated threat actors.
Creating realistic Stripe transaction and customer data required specialized synthetic data generation tooling, so that the datasets adhered strictly to the API schemas used by real applications. This matters because an attacker who dumps the data will compare it with what a real Stripe export looks like: consistent field names, identifier prefixes, amounts expressed in the smallest currency unit, Unix timestamps, and valid enumeration values are what make the decoy convincing.
Key Record Structures
Payment Information (Stripe Records)
- id: Unique identifier for the transaction
- amount: Transaction amount, in the smallest currency unit (e.g., cents)
- currency: Currency code (e.g., USD)
- created: Transaction timestamp (Unix epoch seconds)
- type: Transaction type (charge, refund, payout, etc.)
- status: Transaction status (succeeded, pending, failed, etc.)
- customer: Reference to the customer object
- metadata: Custom key-value pairs for additional details
Fake Customer Records
- username
- firstname
- lastname
- organisation
- date
This combination effectively simulated a business application environment that could easily entice financially motivated attackers.
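The following is an added example, not Resecurity's generator or Stripe's own code, of how a schema-faithful synthetic dataset of this shape can be produced and checked. It uses the field names listed above; the identifier prefixes (txn_, cus_) and id lengths, the negative amounts for refunds and payouts, and the minor-unit amounts follow Stripe's public API conventions, and the customer `id` field, the name and organisation pools, and the metadata keys are assumptions made for the example.

```python
"""Generate and validate synthetic Stripe-style balance transactions and
customer records for a deception dataset (added example; assumed schema)."""
import json
import random
import re
import string
import time
from datetime import datetime, timezone

ALNUM = string.ascii_letters + string.digits
TXN_ID_LEN, CUS_ID_LEN = 24, 14          # id body lengths chosen to resemble Stripe ids (assumed)
TXN_TYPES = ("charge", "refund", "payout")
TXN_STATUSES = ("succeeded", "pending", "failed")
CURRENCIES = ("usd", "eur", "gbp")


def _is_str_map(v):
    return all(isinstance(k, str) and isinstance(x, str) for k, x in v.items())


# field -> (expected python type, optional value check)
TXN_SCHEMA = {
    "id": (str, re.compile(r"^txn_[A-Za-z0-9]{24}$").match),
    "amount": (int, lambda v: v != 0),              # minor units; refunds/payouts are negative
    "currency": (str, lambda v: v in CURRENCIES),
    "created": (int, lambda v: v > 1_000_000_000),  # Unix epoch seconds
    "type": (str, lambda v: v in TXN_TYPES),
    "status": (str, lambda v: v in TXN_STATUSES),
    "customer": (str, re.compile(r"^cus_[A-Za-z0-9]{14}$").match),
    "metadata": (dict, _is_str_map),
}
CUSTOMER_SCHEMA = {
    "id": (str, re.compile(r"^cus_[A-Za-z0-9]{14}$").match),   # added so transactions can reference it
    "username": (str, re.compile(r"^[a-z]+\.[a-z]+\d{1,3}$").match),
    "firstname": (str, None),
    "lastname": (str, None),
    "organisation": (str, None),
    "date": (str, re.compile(r"^\d{4}-\d{2}-\d{2}$").match),
}


def _rand_id(prefix, length, rng):
    return prefix + "".join(rng.choices(ALNUM, k=length))


def make_customers(n, rng, now):
    """Fake customer records; name and organisation pools are constructed."""
    firsts = ("Ana", "Omar", "Li", "Sara", "Tom", "Yuki")
    lasts = ("Silva", "Hassan", "Wei", "Novak", "Reed", "Tanaka")
    orgs = ("Acme LLC", "Globex", "Initech", "Umbrella Corp")
    out = []
    for _ in range(n):
        first, last = rng.choice(firsts), rng.choice(lasts)
        signup = now - rng.randint(30, 1500) * 86400
        out.append({
            "id": _rand_id("cus_", CUS_ID_LEN, rng),
            "username": f"{first.lower()}.{last.lower()}{rng.randint(1, 999)}",
            "firstname": first,
            "lastname": last,
            "organisation": rng.choice(orgs),
            "date": datetime.fromtimestamp(signup, tz=timezone.utc).date().isoformat(),
        })
    return out


def make_transactions(n, customers, rng, now):
    """Balance-transaction-style records that reference existing customers."""
    out = []
    for _ in range(n):
        kind = rng.choices(TXN_TYPES, weights=(85, 10, 5))[0]
        # log-normal amounts in minor units: many small charges, a few large ones
        amount = max(100, int(rng.lognormvariate(8.0, 1.0)))
        if kind != "charge":
            amount = -amount                        # Stripe books refunds and payouts as negative
        out.append({
            "id": _rand_id("txn_", TXN_ID_LEN, rng),
            "amount": amount,
            "currency": rng.choices(CURRENCIES, weights=(70, 20, 10))[0],
            "created": now - rng.randint(0, 90 * 86400),
            "type": kind,
            "status": rng.choices(TXN_STATUSES, weights=(90, 7, 3))[0],
            "customer": rng.choice(customers)["id"],
            "metadata": {"order_id": f"ORD-{rng.randint(100000, 999999)}",
                         "channel": rng.choice(("web", "mobile", "pos"))},
        })
    return out


def build_dataset(n_customers, n_transactions, seed=0, now=None):
    """Deterministic for a given seed, so a decoy can be regenerated on demand."""
    rng = random.Random(seed)
    now = now or int(time.time())
    customers = make_customers(n_customers, rng, now)
    return {"customers": customers,
            "transactions": make_transactions(n_transactions, customers, rng, now)}


def validate(record, schema):
    """Return a list of problems; an empty list means the record matches the schema."""
    problems = []
    for field, (typ, check) in schema.items():
        if field not in record:
            problems.append(f"missing {field}")
            continue
        val = record[field]
        if isinstance(val, bool) or not isinstance(val, typ):
            problems.append(f"{field}: wrong type {type(val).__name__}")
        elif check is not None and not check(val):
            problems.append(f"{field}: value {val!r} fails check")
    extra = sorted(set(record) - set(schema))
    if extra:
        problems.append(f"unexpected fields {extra}")
    return problems


if __name__ == "__main__":
    ds = build_dataset(5, 10, seed=42)
    print(json.dumps(ds["transactions"][0], indent=2))
```

The validator is the part worth keeping around: run it over every record before the decoy goes live, because a single field that a real Stripe export would never contain (a boolean where an integer belongs, a status value outside the enumeration) is enough to tell an experienced buyer that the dump is fake.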
Observing Threat Actor Behavior
Once the threat actor engaged with the honeytrap, they began automating attempts to extract data. Between December 12 and December 24, Resecurity documented more than 188,000 requests from the actor attempting to dump the synthetic dataset. That volume of scripted activity, captured end to end, gave detailed insight into the actor's tactics, techniques, and procedures (TTPs).
During this activity the actor made several operational security (OPSEC) mistakes. When their proxy connections failed, requests reached the honeypot directly from their real IP addresses rather than through the proxy. This slip was significant and provided vital information for tracking the threat actor.
Network Intelligence and Proactive Measures
The Resecurity team monitored the actor's actions closely and expanded the synthetic dataset on offer to encourage further exploration. Subsequent investigation identified the servers the attacker used for automated scraping and other malicious activity, which reached the honeypot through residential proxies in order to disguise their origin.
By blocking access from those residential proxy addresses, Resecurity limited the actor's operational capacity and pushed them back onto previously identified IP addresses. This dynamic illustrates the cat-and-mouse nature of the work.
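As an added example, not Resecurity's tooling, the script below runs the three checks the two sections above describe over a honeypot access log: a successful login to a honeytrap account, a session whose request rate shows scripted dumping of the dataset, and a session that normally arrives through known residential proxy ranges but also shows up from an address outside them, which is the signature of a proxy failure exposing the real origin. The log format (one JSON object per line with ts, src_ip, user, session, path and status), the decoy account names, the proxy ranges (taken from the documentation address blocks) and the sample events are all constructed for the example.

```python
"""Triage a honeypot access log for decoy-account use, scripted dumping and
origin IPs leaked by proxy failures (added example with constructed data)."""
import ipaddress
import json
from collections import defaultdict

DECOY_USERS = {"j.martinez", "finance.ops"}           # honeytrap accounts (assumed)
# residential proxy exit ranges seen earlier in the campaign (assumed; documentation blocks)
PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("192.0.2.128/25")]
SCRAPE_RATE_PER_MIN = 60                               # sustained requests/min that no human produces


def build_sample_log():
    """Constructed sample: one legitimate analyst session and one actor session."""
    lines = []

    def ev(ts, ip, user, sess, path, status):
        lines.append(json.dumps({"ts": ts, "src_ip": ip, "user": user,
                                 "session": sess, "path": path, "status": status}))

    base = 1_734_000_000
    ev(base, "198.51.100.7", "alice", "s-legit", "/login", 200)
    for i in range(5):                                 # a few hand-driven page views
        ev(base + 30 * i, "198.51.100.7", "alice", "s-legit", f"/api/v1/customers?page={i}", 200)
    # actor: decoy login through a residential proxy, then a paginated dump via several exits
    ev(base + 600, "203.0.113.10", "j.martinez", "s-actor", "/login", 200)
    for i in range(150):
        ev(base + 601 + i // 3, f"203.0.113.{10 + i % 5}", "j.martinez", "s-actor",
           f"/api/v1/balance_transactions?limit=100&starting_after=txn_{i:06d}", 200)
    # proxy failure: the same session token arrives directly from a non-proxy address
    ev(base + 660, "192.0.2.5", "j.martinez", "s-actor",
       "/api/v1/balance_transactions?limit=100&starting_after=txn_000150", 200)
    return "\n".join(lines)


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def decoy_logins(events):
    """Successful authentications against honeytrap accounts; any hit is an alert."""
    return sorted({(e["user"], e["src_ip"]) for e in events
                   if e["path"] == "/login" and e["status"] == 200 and e["user"] in DECOY_USERS})


def scraping_sessions(events, rate_per_min=SCRAPE_RATE_PER_MIN):
    """Sessions whose average request rate over their lifetime indicates automation."""
    stamps = defaultdict(list)
    for e in events:
        stamps[e["session"]].append(e["ts"])
    flagged = {}
    for sess, ts in stamps.items():
        span_min = max(max(ts) - min(ts), 60) / 60.0   # floor at one minute to avoid spikes
        rate = len(ts) / span_min
        if rate >= rate_per_min:
            flagged[sess] = round(rate, 1)
    return flagged


def is_proxy(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)


def leaked_origins(events):
    """Sessions seen from both proxy and non-proxy addresses: the non-proxy ones are
    candidate real origins, since a proxy failure is the usual way that mix arises."""
    addrs = defaultdict(set)
    for e in events:
        addrs[e["session"]].add(e["src_ip"])
    leaks = {}
    for sess, ips in addrs.items():
        proxied = {a for a in ips if is_proxy(a)}
        direct = ips - proxied
        if proxied and direct:
            leaks[sess] = sorted(direct)
    return leaks


def triage(text):
    events = parse_log(text)
    return {"decoy_logins": decoy_logins(events),
            "scraping": scraping_sessions(events),
            "leaked_origins": leaked_origins(events)}


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_log()), indent=2))
```

The proxy ranges do double duty: once the actor's sessions are tied to them, the same list becomes a deny list, and blocking it is what forces the actor back onto addresses that are already known, as described above. Correlating on the session token rather than on the source address is what makes the leak detection work, because the address is precisely the thing the proxy is meant to hide.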
Collaboration with Law Enforcement
Through diligent monitoring and documentation of the threat actor's actions, Resecurity was able to work with law enforcement agencies for further investigative support. The intelligence gathered was shared with the relevant authorities and supported the issuing of subpoenas aimed at addressing the ongoing threat.
A New Dawn for Cyber Deception
Resecurity's proactive use of synthetic data and honeypots shows how deception technologies can bolster threat intelligence gathering and also support investigations. Organizations looking to implement similar strategies must navigate a complex regulatory landscape and comply with applicable privacy laws; keeping real personal data out of the decoy is one reason synthetic data is attractive here. Done carefully, it is a practical way to strengthen a security posture through innovative methods.