#cyberdeceptionday and the Kickoff of Denial, Deception, and Drinks

MITRE Engage
MITRE Engage™
Published in
9 min readApr 12, 2022
Banner for #cyberdeception day with little ghosts. One ghost has a mustache, another has a hat, and the third has glasses. The last ghost is plain but smiling.

When better to celebrate deception than on April Fool’s Day? Last year on the Well Aware Security podcast, Stanley Barr and George Finney had a conversation about making April Fools’ Day National Cyber Deception Day. (Missed it? Check it out here https://lnns.co/FzTU7B3M1qL) Turns out it costs money to register something as a “national holiday,” so we decided to celebrate the day as a social media extravaganza instead. Our goal: encourage dialogue and raise awareness about the role deception can play in cyber defense.

Our team had tossed around the idea of hosting a “Denial, Deception, and Drinks” series where we chat with colleagues in the field about various topics of interest. For #cyberdeceptionday, we decided to kick this series off by filming a set of roundtables:

Want to learn more? Check out the summaries below.

Building a Cyber Deception Maturity Model

The first video we released on April 1st was a conversation between Attivo, CounterCraft, University of Albany, and MITRE about around building a cyber deception maturity model.

Title slide for the video containing the speakers’ headshots and the text “Cyber Denial, Deception, and Drinks: Building a Cyber Deception Maturity Model”

Professor Sanjay Goel and Doctoral Student Dominick Foti joined from SUNY Albany to discuss the maturity model they are working on in collaboration with MITRE. Professor Goel kicked off the roundtable by discussing several challenges the field faces: “organizations don’t know whether they are technically ready for deception, they don’t know what the return on investments are, and they don’t know how to leverage [deception] appropriately.” A maturity model for cyber deception relies on helping organizations understand what deception entails at a fundamental level.

Joining the conversation from Attivo were CTO Tony Cole and Kevin Hiltpold, Federal Sr. Solutions Engineer. Kevin shared perspectives he gained as a blue teamer for 20 years, where deception is a valuable tool in a defender’s toolbox. When talking to people at conferences, Kevin keeps it simple, “I just say we lie to the attackers’ toolsets and people’s eyes just light up.” There are many misconceptions around the maturity level required for organizations to employ deception, deception doesn’t always need to be complex or expensive. Tony brought up an Attivo customer with a security team of one person — one person was enough to use deception for high fidelity alerts their organization could trust.

Richard Barrell, Head of Product at CounterCraft, piggybacked off of Tony’s point to describe the spectrum of deception uses: “at the simplest level you could take something like a Thinkst Canary and you could plug it into your network and you can get you can get alerts from that and it’s literally just plug and play. And then at the other extreme, there are platforms that allow you to do much more exotic implementations of security.”

Tony continued off of Richard’s idea, “if you look at the different deception tools that are out there from industry and you look at the standard security posture of any mid-tier company across the globe, deception is by far not the most complicated product [they could employ].”

Dominick highlighted that deception can often be a twist on traditional security approaches; defenders can take an activity, such as network monitoring, and use a deception-mindset to find opportunities to negatively affect the adversary’s operations. “It doesn’t cost anything to change your mindset.”

These were just some snippets from the 50-minute roundtable. Here is the link to the full video where we discuss why we need a cyber deception maturity model, common misconceptions about maturity requirements, the cost of employing deception, and other general musings: https://youtu.be/UQtbH0LuxLo

Deception for Threat Intelligence

For this roundtable, JR Manes and Karen Lamb from HSBC joined MITRE’s Stan Barr and Maretta Morovitz to discuss using deception for threat intelligence and the value of joint operations.

Title slide for the video containing the speakers’ headshots and the text “Cyber Denial, Deception, and Drinks: Deception for Threat Intelligence”

JR Manes, Global Head of Cyber Intelligence and Threat Analysis for HSBC, discussed the power of sharing information; “when multiple organizations are able to run the same sample, we get really deep insight into what would happen [as a result from] the way that we designed our adversary engagement environment, versus MITRE’s, versus another organization.” Comparing and contrasting results across operations partners can expose if an adversary uses the same tactics across the environments or if they changed their approach based on what deceptions were presented to them.

When asked what advice she has for organizations who want to get started with deception, Karen Lamb, Cyber Intelligence Lead Analyst for HSBC, says to keep it simple. “You can do a lot with a VM, some basic, open-source monitoring tools, and a VPN, something to protect your identity… if you’re interested in doing this and you’re not sure you want to invest the time and money, that’s a good starting point.”

Stan Barr, lead of Engage for Critical Infrastructure, reinforced that planning and cybersecurity fundamentals are a critical backbone for any operation. When preparing for an operation, “get yourself one PC and put a big piece of tape on the back that says malware — that machine, whether it’s a VM or not, should never be allowed on your production network. You need to have some handling guidance.”

MITRE Engage Lead Maretta Morovitz echoed a common theme of the roundtable: operations should be driven by the defender’s goals. “If you have a goal of getting a new IoC but you’ve just spent the past 10 months setting up an environment that’s perfect, to the point that the malware isn’t fresh enough and doesn’t run, you never actually accomplished your goal.” Defenders should not let perfect be the enemy of good enough.

For additional insights and wisdom, check out the full video https://youtu.be/0Ljx5OKvQI0. And, if you haven’t seen it already, check out the talk Maretta Morovitz, Gabby Raymond, and Karen Lamb made at ShmooCon for more discussion of joint operations, including a FIN7 operation HSBC ran: https://m.twitch.tv/videos/1437264046?t=126m06s

Opportunities with Deception

This session of Denial, Deception, and Drinks was a conversation between Mandiant, Aflac, and MITRE around how organizations can start thinking about deception opportunities in their organization.

Title slide for the video containing the speakers’ headshots and the text “Cyber Denial, Deception, and Drinks: Opportunities with Deception”

DJ Goldsworthy, Director of Security Operations and Threat Management at Aflac, discussed how to provide adversaries deceptive artifacts they would find during their reconnaissance, such as fake credentials injected into LSASS, fake file shares, fake FTP sessions, fake SSH and RDP sessions. The defender then influences the adversary’s actions with the planted deception artifacts: “If they decide, ‘We’re going to live off the land and just try to use this stored RDP connection. Hey, it already has credentials in it, let’s just pop that and see where that takes me,’ — it’s right to my decoy.”

Regarding fake credentials injected into LSASS, Dan Nutting, the Manager for Mandiant’s Cyber Defense Optimization team, built off DJ’s comment: “Adversaries are used to finding ‘truth right now.’ If we can start to taint that truth intentionally, that does solicitation in order to move them in different directions.” And when considering how to place deceptive artifacts within the environment, Dan says, “it can’t just sit somewhere, it needs to be out somewhere the adversary can find naturally.”

Trisha Alexander, a Cyber Defense Consultant for Mandiant, emphasized the importance of deception narratives even at the smallest scale: “Let’s say you are working in IR and you’re planning a kick out event …. you don’t want to inform the threat actors that you’re planning that, so why not have a fake network upgrade scheduled.”

To learn more about opportunities defenders can take when creating believable deception campaigns, watch the full video here: https://youtu.be/6PlG6DwCrNE

How We Got Into Deception

How did you get started in deception? In this session, we wanted to highlight a collection of stories from members of the deception community about how they were introduced to the field. Deception is a multi-disciplinary field and the four speakers from this session demonstrated how their experiences have shaped their distinct approaches to deception.

Title slide for the video containing the speakers’ headshots and the text “Cyber Denial, Deception, and Drinks: How We Got Into Deception”

Sahir Hidayatullah, VP — Active Defense at Zscaler, described the first time he realized deception was a game changer. In 2015, Sahir and his team was responding to an intrusion at a large bank, “their detection controls had been subverted and their SOC was essentially flying blind… We deployed decoys and received our first hits within minutes. Within an hour we had identified three things: the initial source of the infection, the ongoing attempt towards their ATM systems, and most importantly, the threat group that was actually targeting them.”

Kevin Fiscus, a principal instructor at SANS, had a very different introduction to deception. Asked to breathe life into a previously taught class, Kevin found himself confused when looking at the original course material. “This class talked about messing with port scans by making it look like every IP address in a range is live, by making it look like all 65,000+ TCP and UDP ports were live and responsive, it talked about sending web crawlers and spiders and infinite loops, setting up basically fake or emulated services and I was very mystified… then one day it just sort of hit me I was like, ‘Oh my gosh, if I had to do a penetration test against this type of environment, it would be absolutely terrible.’”

Gabby Raymond (oh hey, that’s me!), described her introduction to pocket litter that shaped her path to become the Capability Area Lead for Cyber Deception and Adversary Engagement at MITRE. Gabby told a story about how pocket litter, the cruft used to support deception narratives, has ties back to Operation Mincemeat in WW2. She also reflected on the balance between pocket litter realism and how expensive it is for the defender to create. “It’s often cost prohibitive to have a human sitting behind the keyboard to flesh out complex deception narratives. I’m interested in that cost tradeoff — what’s the right amount of time for a defender to spend fleshing out their deception narrative that imposes the most cost on an adversary’s operation.”

Also highlighting ties to military deception, Glen Sharlun, Head of the Public Sector for Acalvio, discussed his experiences at the U.S. Naval Academy and the Naval Postgraduate School. Glen described tool development at the RIDDLR facility to better understand attacker capabilities. “We were able to capture attackers, capture their tools, capture every keystroke, and then see what they did with the resource, while controlling what they’re doing — without them knowing,” said Glen. He and his team had a specific goal in mind, “could we figure out the motive of an attacker — if we understand the motive, we can predict how that attacker and others might act.”

To see all four stories, check out the video here: https://youtu.be/ETSor6dzA3g

Ramblings and Rumination in Deception

The last Denial, Deception, and Drinks session of the day was a conversation with Dr. Frank Stech, one of the authors of Cyber Denial, Deception and Counter Deception.

Title slide for the video containing the speakers’ headshots and the text “Cyber Denial, Deception, and Drinks: Ramblings and Ruminations in Deception”

While talking with Stan Barr and Maretta Morovitz, Frank shared stories about his friendship with Barton Whaley, the origin of his book, and key messages for readers to take away from Cyber Denial, Deception and Counter Deception. One of his messages was, “You can do a tremendous amount of deception with the truth. People think it’s all lies and all vagary and magic tricks,” Frank said, “skillful deception operations make a great deal of use of the truth, it’s just not the whole truth and nothing but the truth.”

Frank reflected on the behavioral psychology of deception. “Deception is really a service industry with two customers. One is your friendly side… the other customer is the target of the deception, and this is a bit of a counterintuitive insight. You want to make your customer as satisfied as possible. You want them to buy your cover story completely and be totally happy with it. And if you can achieve that, you have become a real deception master because they believe they know what is real and you’ve influenced them to get there.”

To hear more on what led Dr. Stech and others to create this book, what has changed since it was published, and where Dr. Stech sees the field going, check out the full video here: https://youtu.be/pCOKODQJaZk

We had a lot of fun recording these sessions! Our goal was to make April 1st a true celebration of the innovative work happening across this community, and this year was just the start. To see the full playlist of the Denial, Deception, and Drinks highlighted in this post, check out the MITRE Engage YouTube playlist: https://youtube.com/playlist?list=PLckWNccxbTC5QjPo7Er9MeepCc4YXjoT5.

©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited PR_21–01759–30



MITRE Engage
MITRE Engage™

MITRE Engage is a framework for discussing and planning adversary engagement, deception, and denial activities.