Deception in cybersecurity offers a way to catch insider threats, a way to get alerts that are virtually 100% accurate, and a way to receive real-time threat intel on your attack surface. So it should come as no surprise that deception as a solution is more than plugging in a box and hoping for the best.
Wait, what? Surely as a provider you want to say things are a ‘super easy, fire and forget, one-click to paradise’? Well, the truth is that successful deployments of deception technologies aren’t just about hitting the “on” button of the platform you chose. While a good deception platform makes the process easier, providing tools that simplify deployment or analyze threat actor behavior, to take advantage of those tools you need a strategy. It’s more than just plugging in, switching on and hoping for the best. This article explores how to take a strategic approach that will increase the effectiveness of your deception platform.
Deception is more than honeypots—to effectively run a deception campaign, you must employ not just basic tools but a strategy complemented with tailored, specific details. You also must be ready to adapt. You might have thought out and deployed your deception campaign, and then the adversary comes along and takes a 90° turn, and the whole thing collapses. Barton Whaley, in his excellent book “Turnabout and Deception” [1], dedicates a whole volume to ‘When deception fails’, describing the problems leading to failure and what to do if it happens. This is chiefly oriented towards military applications, but the basic principles hold for cybersecurity too. Planning is the best way to avoid failure.
As the golfing aphorism would have it, “the more you practice, the luckier you get”. Deception planning is the same: more time spent on planning makes positive results more likely.
The first step of the plan is to define what you want to achieve. What is the strategic goal for the campaign you’re designing? Do you want to set up a trip-wire to detect lateral movement in your internal network, or are you focused on identifying the TTPs of a specific threat actor and quantifying the risk they pose to your organization? Deception is a great way to do both of these things, but both have a very different scope.
Just like fishing, you don’t use a fly to catch a shark, but you don’t use a side of beef to catch a trout. Identifying your goal is the first step to successful deployment.
The next step is best described using the See-Think-Do method. Chris Sanders’ “Intrusion Detection Honeypots: Detection through Deception” [2] gives a great description of this, but personally I like to apply the method backwards: DO-THINK-SEE.
Do
Basically, in this step you define what you want your adversary to do. Think about the goals we defined in the first step and think about how you want the adversary to act.
Working out what you want your adversary to do makes it easier to identify the steps they need to take and how you want them to interact with the deception environment. This leads on to the next part:
Think
In order to do what you want them to do, the adversary must be thinking in the “right” way. By this I mean that they need to believe that they have accessed their target, and that they are able to achieve their mission. To influence this thought process and foster this level of confidence in the adversary, they need to perceive the environment in a certain way, leading to the next part:
See
Here is where we get down to the nitty-gritty. To feel confident that they have reached their target, the adversary must see evidence of this, or at least NOT see anything that would upset this view. This means the environment must be credible. The deception hosts should match the production environment (don’t use Linux servers if the production environment is exclusively Windows, etc.). The software should be as close as possible to production too. The breadcrumbs should be believable, and appropriate to the campaign. Credibility is one of the three key pillars of Munslow’s Deception Triangle, and if any aspect of the campaign is not credible, it doesn’t matter how effective the deception platform is or how detailed the telemetry you can collect: the campaign is doomed to generate low-value threat intel.
Munslow’s Deception Triangle: removing any one of these elements renders the deception worthless
Back Story & Legend
Having a good backstory for the deception is also a great help in the planning process. This adds context to the SEE-THINK-DO process and aids in building the campaign and, especially, defining breadcrumbs. A good backstory can be used to generate the campaign attack path: the path of least resistance that maps out the route for the adversary from one stage of the campaign to the next. Attack paths and attack trees are powerful tools to help in campaign design, and we’ll go into more detail in a future blog post.
One big part of the planning process is to develop your exit strategy, or what you are going to do with the threat intel you generate. This can mean deciding what notifications you want to receive, what actions within the campaign should trigger them, and whether you want to export the attack data to a third party system. All these decisions are important, but the most important thing to decide is what to do if you catch an adversary.
Capturing activity within the deception environment and collecting adversary behavior patterns and TTPs is what it’s all about. So, what are we going to do with the data? For example, if you identify an insider threat, how do you act? Do you take immediate action? Do you contact HR or call the police? How do you report the activity? These are all important considerations when planning your deception deployment.
Deception as a Process
Now that you have planned your campaign, you can deploy and move into the operational phase. However, the process does not stop there. As a Deception Architect you should now begin analyzing the campaign performance and plan any modifications, and, of course, start planning the next campaign!
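The attack path, the exit strategy and the performance analysis described above can be tied together in one small piece of defender-side tooling. The following is an added example and not code from the original post or from CounterCraft's platform: the campaign's attack path is written down as an ordered list of stages (the DO step), each stage carries the notification decision from the exit strategy, and constructed decoy telemetry is replayed through it to see how far each source got. The stage names, event fields, host names and paths are all assumptions.

```python
from collections import defaultdict

# Campaign attack path (DO step): the ordered route we want the adversary to take.
# "notify" raises an alert; "export" also hands the record to a third-party system.
ATTACK_PATH = [
    {"stage": "breadcrumb_read",  "event": "file_read",  "path": "\\\\fs01\\it\\backup_notes.txt", "action": "notify"},
    {"stage": "decoy_logon",      "event": "logon",      "user": "svc_backup_decoy",              "action": "notify"},
    {"stage": "share_enumerated", "event": "smb_access", "share": "Finance",                      "action": "notify"},
    {"stage": "data_staged",      "event": "file_write", "path": "C:\\Finance\\",                 "action": "export"},
]

# Constructed sample telemetry from the decoy hosts (hypothetical schema).
EVENTS = [
    {"type": "file_read",  "src": "10.0.5.23", "host": "FS01",        "path": "\\\\fs01\\it\\backup_notes.txt"},
    {"type": "logon",      "src": "10.0.5.23", "host": "DC-DECOY-01", "user": "svc_backup_decoy"},
    {"type": "smb_access", "src": "10.0.5.23", "host": "DC-DECOY-01", "share": "Finance"},
    {"type": "file_write", "src": "10.0.5.23", "host": "DC-DECOY-01", "path": "C:\\Finance\\q4_payroll.xlsx"},
    {"type": "logon",      "src": "10.0.9.7",  "host": "DC-DECOY-01", "user": "svc_backup_decoy"},  # never read the breadcrumb
]

def stage_matches(stage, ev):
    """An event matches a stage when its type and every constraint field agree.
    Path constraints are prefix matches, so a directory covers the files inside it."""
    if ev["type"] != stage["event"]:
        return False
    if "path" in stage and not ev.get("path", "").startswith(stage["path"]):
        return False
    return all(ev.get(k) == stage[k] for k in ("user", "share") if k in stage)

def track_campaign(events, path=ATTACK_PATH):
    """Replay telemetry through the attack path.
    Returns: furthest stage index reached per source, the (action, stage, src)
    decisions taken, and sources that skipped a stage. A skipped stage is worth
    reviewing when analyzing campaign performance: that source was not led there
    by the breadcrumbs, so the legend may not be what brought them in."""
    progress = defaultdict(lambda: -1)
    actions, skipped = [], []
    for ev in events:
        for i, stage in enumerate(path):
            if stage_matches(stage, ev):
                if i > progress[ev["src"]] + 1:
                    skipped.append((ev["src"], stage["stage"]))
                progress[ev["src"]] = max(progress[ev["src"]], i)
                actions.append((stage["action"], stage["stage"], ev["src"]))
    return dict(progress), actions, skipped

if __name__ == "__main__":
    for name, value in zip(("progress", "actions", "skipped"), track_campaign(EVENTS)):
        print(name, value)
```

Only the final stage exports a record, matching the exit-strategy decision that data staging on the decoy is the point at which the activity goes to a third-party system; every earlier stage just notifies.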
As always, our good friends at MITRE have something to help us on our way. They have developed a simple-to-follow ten-step program that can streamline the deception planning process. MITRE ENGAGE defines a method to make sure you think of everything before going live. It also provides a series of technical approaches to address known attack vectors or TTPs. However, in my opinion, the most valuable part of ENGAGE is the focus on planning.
Deploying deception is more than plugging in a box and hoping for the best— it is an incredibly effective way to catch intruders on your network in the act. I hope that this blog has been able to shine some light on the ways that planning is vital to the deception process.
If you would like to find out more about any of the topics discussed in this article, please get in contact with us. We are only too happy to explain what we do and how we can help you get the best out of deploying deception – from an initial conversation or simple demo, to a fully featured deployment.
[1] Whaley, Barton. “Turnabout and Deception: Crafting the Double Cross, and the Theory of Outs.” Naval Institute Press, 2016.
[2] Sanders, Chris. “Intrusion Detection Honeypots: Detection through Deception.” Applied Network Defense, 2020.
Richard Barrell is the Product Manager at CounterCraft, as well as managing projects in the Government sector. You can find him on LinkedIn.