Cybersecurity teams are now using “cyber deception” to take the offensive against cyber attackers, according to a new op-ed in Information Age. Hackers historically have had the upper hand, able to wait for their moment, choose their target, and still succeed even if they make a mistake or two. Carolyn Crandall of Attivo Networks, a cyber deception services provider, writes that by tricking attackers, organizations can regain the upper hand.

Such deception includes attractive-looking decoys that look like actual assets. The process also involves the use of lures, such as data, applications or credentials that appear real to would-be attackers. These approaches can fool intruders into revealing their presence, and the methodology today is more advanced than so-called honeypots, the earliest decoy system for trapping hackers, Crandall claims.

This argument echoes a 2017 report by Booz Allen Hamilton entitled “The Future of Cybersecurity: The Best Defense Is a Good Offense.” In it, senior vice president Brad Medairy writes that organizations can no longer rely on “building bigger fences” to thwart cyber attackers and must instead go on the hunt.

According to Booz Allen, the average advanced cyber attacker sits on a network’s servers undetected—its “dwell time”—for 200 to 250 days. To seek out these adversaries, the consultancy recommends trawling through data using a mix of sophisticated tools, including automation, threat intelligence, threat analytics and artificial intelligence.

On a more basic level, organizations must be sure their defenses match the actual threats against them, writes Eric Cole, founder of cybersecurity consulting firm Secure Anchor, in a recent blog post. In other words, it makes no sense to put bars on all the windows, install security cameras in front of the house and double-bolt the front door if the intruders actually intend to enter through the basement door in back. “To win at security, offense must drive the defense,” Cole writes.

The equivalent of that unguarded back door might be someone who works within the organization—potentially at a high level. Senior executives “may unknowingly be the weakest link” in an organization’s cybersecurity chain, according to a new report by cybersecurity firm the Bunker (PDF).

To guard against internal cybersecurity risks, organizations should assume every user is a potential threat and try to reduce that threat without reducing productivity, according to another recent Information Age op-ed. John Andrews, VP at cybersecurity firm Centrify, calls this “Zero Trust,” and it means that security systems should recognize if a senior executive logs in from a suddenly different time zone or continent. Organizations should also limit access to confidential data depending on managerial level.