Cyber-Deception Strategy

The growth of cyber-deception, or active cyber defense, has been impressive. I think, however, there is still some question out there about how to best implement a deception environment. What do you need to start; how to ensure viable lures, baits, decoys; how often should you evaluate the existing deception strategy; when should you update or change the strategy?  All of these are valid questions that all start with one “simple” thing.

Know your threat.

In this new Zero-Trust era of network and security design, we have fully transitioned to the “assume breach” mentality. No longer can we beef-up our perimeter and hope for the best. We must always believe the bad actor is in and waiting… patiently. This means we need to use our history to understand the present and anticipate the future.

The first and best step to a deception strategy is to understand how threat has affected your environment by looking at the observed past.  Review the last 3-5 years of validated threat information:

• What technologies were targeted?
• What ATT&CK TTPs were used?
• Where did the threat attack (i.e., perimeter, internal network)?
• What data did the threat seem to target?
• Who did the threat target (i.e., social engineering, phishing/whaling)?
• When did the threats occur?
• How long did the threat last?

From all this information, can you deduce why? Why did the attack occur?

In my experience, in the after-action reviews, we tend to assume it was an attack of opportunity. That some vulnerability was discovered by the threat and leveraged.  However, that is uncommonly the case. With an “assumed breach” mentality, we should also consider “assumed target”; meaning your organization was specifically targeted for a reason. If you can identify these potential reasons, you can better anticipate threat activity.

Motives aside, these questions give you some valuable data to develop your deception strategy. Once you understand your threat the next step in the deception strategy is to identify an outcome. What do you want to achieve with cyber-deception? In most cases detection and denial are the likely outcomes. However, for more mature cybersecurity organizations, or even cybersecurity and cyber threat intelligence service providers, there are other options such as:

• Defensive intelligence – develop a fully interactive deception environment to lure, trap, and monitor bad-actor activity. This sort of tactic has the potential to provide unprecedented insights into cyber-adversary activity.
• Malware/Ransomware Deception – I believe this is very early stage, but the concept appears sound. Use deception techniques to deceive mal/ransomware and either halt or significantly influence 2nd-3rd stage effects.
• Tracking – using decoy-files, create a beaconing system to track where a decoy-file goes as it is exfil’d across the internet.

These highlight some advanced techniques and concepts which may require more trial and error to find the right balance. Further cyber-deception strategies need a narrative, a reason for the environmental changes.  If we are to assume breach, then it stands to reason the adversary has knowledge of the environment and any changes may incur scrutiny.  Don’t give the bad-actor reasons to question what they see. Ultimately, by understanding your historical threat, you can devise a viable strategy to lure and deceive cyber-adversary activity. 

If you are interested in leveraging the cyber-deception strategy as part of your defensive toolbox, consider the questions above and think about how you could leverage this method to improve your detection capability and reduce dwell times. I do want to caution (and this has become a regular tagline), cyber-deception is not intended to mitigate some vulnerability or exploitation, cyber-deception targets the human and is intended to provide cyber-defenders a new way to proactively engage threat on their networks rather than respond to the next incident.

Cyber-deception is clearly a growing area of cyber-defense, but there are still questions on how to effectively start a cyber-deception strategy. By understanding your observed, historical, threat you can as the 4-Ws+H (who, what, when, where, and how), then consider formulating the ‘why’, the motive. Remember it’s not always an attack of opportunity, assume you were targeted for a reason. Take that knowledge to generate your initial decoys and seed them across your network. Consider your deception outcome and develop the backstory on why these new “systems” are being deployed. Identify a regular cycle to review, assess, and adjust your strategy to meet new threats or adjust if the existing deployment is not getting any hits. Finally, remember cyber-deception targets the human-adversary and is not a technical solution to a technical problem.

Let me know if you found any of this worth the read!