What Is Cyber Deception?

In recent years many cybersecurity professionals have become familiar with cyber deception as the space continues to mature. Others may have heard of it but are not familiar with what it is in a practical sense. If you search for cyber deception you will likely find many products, each with its own description of cyber deception. You may also find blog posts or white papers detailing theories, taxonomies, and models for cyber deception. These sources are well worth reading for diverse perspectives and depth. But to give an easily digestible explanation, this post aims to provide a practical view of what cyber deception is and what a cyber deception solution should consist of.

Cyber Deception

Cyber deception is a detective control that adds a further layer, perhaps even the final layer, to your defense-in-depth strategy. Deceptive assets are deployed that have the appearance of legitimate targets in your environment but that no legitimate user or process has a reason to touch. Because of that, any interaction with them is unauthorized by definition, so these assets detect unauthorized access with high fidelity and cause an adversary to expose their activity or presence.

It is worth pointing out that the description above implies that the goal of cyber deception is a high-fidelity alert that causes the adversary to expose their presence. For the majority of blue teams defending their networks and applications, this is a practical and highly sought-after result.

The goal of some cyber deception use cases may be to generate targeted threat intelligence. This intelligence can be a valuable input to decisions to increase monitoring or proactively enhance defenses.

Cyber Deception Solution

There are three main components a cyber deception solution must have: a sensor, a lure, and automation.

Sensor

The sensor is the "honeypot" component of a cyber deception solution. It is what the adversary interacts with, and it gathers the information required to trigger an alert. A sensor can be implemented in various forms. Common examples are:

  • The traditional form is service emulation, e.g. Telnet, SSH, FTP, etc.
  • Honey tokens, which can be files or data with embedded triggers.
  • Application-layer feature emulation, e.g. "honey" paths or features in web applications.

Lure

Also known as breadcrumbs, a lure is the component of cyber deception that leads an adversary to interact with the sensor. Depending on the related sensor, lures can be implemented in different forms:

  • Files on endpoints containing server names or credentials.
  • Browser history or bookmarks.
  • Database connection strings.
  • DNS records.
  • Comments in source code.

The list above is in no way comprehensive. The only limit to what can be leveraged as a lure is your imagination.
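The lure and sensor sections above describe the two halves of the mechanism: a breadcrumb that looks like something worth using, and a sensor that fires when it is used. The following is an added example, not code from the original post, showing the pairing for a honey credential: a function renders a plausible config file (the lure) containing a credential that nothing legitimate ever uses, and a detector (the sensor's alerting logic) scans sshd-style auth log lines for any attempt to use that username. All hostnames, usernames and log lines are constructed for the example; the honey account deliberately does not exist on the target, so the detector must also handle sshd's "invalid user" wording, which a naive match would miss.

```python
import re
import secrets
from dataclasses import dataclass

# Hypothetical honey credential. It is never used by any real job, so any
# attempt to authenticate with it is unauthorized by definition.
HONEY_USER = "svc_backup_ro"
HONEY_HOST = "db-backup-01.corp.example"


def make_lure_config(user: str = HONEY_USER, host: str = HONEY_HOST) -> str:
    """Render the lure: a believable config file with the honey credential embedded.

    The password is random per deployment so that copies planted on different
    endpoints can be told apart if one of them later shows up in a log.
    """
    token = secrets.token_hex(16)
    return (
        "# legacy nightly backup job, do not remove\n"
        f"DB_HOST={host}\n"
        f"DB_USER={user}\n"
        f"DB_PASS={token}\n"
    )


# Matches OpenSSH auth log lines. The optional "invalid user " handles the case
# where the honey account does not exist on the host receiving the attempt.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    result: str  # "Failed" means the lure was picked up; "Accepted" means the sensor was entered


def detect_honey_use(log_lines, honey_users=frozenset({HONEY_USER})) -> list[Alert]:
    """Sensor logic: every auth attempt naming a honey user is a high-fidelity alert.

    There is no threshold or baseline to tune: a single hit is enough, because
    the only way to learn the username is to have read the lure.
    """
    alerts = []
    for line in log_lines:
        m = AUTH_LINE.search(line)
        if m and m.group("user") in honey_users:
            alerts.append(Alert(m.group("ts"), m.group("user"), m.group("src"), m.group("result")))
    return alerts


# Constructed sample log: one legitimate login, two failed attempts with the
# honey user from a workstation that should never touch the backup host, then
# a success (the attacker found a working copy of the lure or hit the honeypot).
SAMPLE_LOG = [
    "Jan 12 03:14:07 bastion sshd[2201]: Accepted password for alice from 10.0.12.5 port 50122 ssh2",
    "Jan 12 03:19:41 bastion sshd[2240]: Failed password for invalid user svc_backup_ro from 10.0.40.17 port 51822 ssh2",
    "Jan 12 03:19:44 bastion sshd[2240]: Failed password for invalid user svc_backup_ro from 10.0.40.17 port 51822 ssh2",
    "Jan 12 03:21:02 bastion sshd[2251]: Accepted publickey for bob from 10.0.12.9 port 50130 ssh2",
    "Jan 12 03:25:19 bastion sshd[2270]: Accepted password for svc_backup_ro from 10.0.40.17 port 51902 ssh2",
]


if __name__ == "__main__":
    print(make_lure_config())
    for alert in detect_honey_use(SAMPLE_LOG):
        severity = "CRITICAL" if alert.result == "Accepted" else "HIGH"
        print(f"[{severity}] {alert.ts} honey user {alert.user} used from {alert.src} ({alert.result})")
```

The detector makes the point the section is driving at: the alert carries no false-positive budget. There is nothing to tune and no baseline to learn, because the signal is the username itself, and the source address of the attempt is the first thing an investigator wants. In practice the same check would run inside your SIEM against the real auth feed, with the planted config dropped on a few endpoints as the lure.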

Automation

Automation might be considered the real magic of a cyber deception solution. Across a mix of legacy and modern network architectures, managing numerous hand-built sensors and lures is, well, unmanageable. An effective cyber deception solution must reduce the overhead and friction in these key areas:

As organizations continue to migrate to the cloud, automation will pave the way for cyber deception to be a natural detective control in your environments.

Cyber deception, or simple honeypot deployments, have long been considered a nice-to-have in security programs, and so get prioritized down to "not gonna happen". However, as security programs mature and keep raising the bar, cyber deception is becoming a must-have to complete your defense-in-depth strategy.

With a practical view of what cyber deception is and what a cyber deception solution should consist of, the next step is to think about a strategy for applying cyber deception in your environment. This will make a fantastic topic of discussion in future posts 😉!

Originally published at https://deception.substack.com on November 17, 2022.
