DFIRinProgress Blog

Cyber Deception for Early Threat Detection


TL;DR

Why Should I Care? Attackers are rarely detected in the early stages of an attack, which increases the cost and impact to the victim organisation.

What Should I Consider? Implementing cyber deception strategies.

Introduction

Traditional detection strategies alone have proven insufficient at detecting cyber attacks. Efforts to improve threat detection have focused on combatting the technology used by cybercriminals. This approach has produced a continuous arms race of technical ability between cybercriminals and cyber professionals.

In 2023 it took an average of 204 days to identify a breach and a further 73 days to contain it [1].

Cyber deception shifts the focus to include the cybercriminal's human perceptions and motives, turning them to the advantage of cyber professionals. Attack techniques are always changing, but the motives of cybercriminals remain relatively constant. Organisations can readily understand these motives and use them against cybercriminals. It is important to note that cyber deception complements existing detection solutions and is not a replacement for them.

The Case for Cyber Deception

Organisations are at a significant disadvantage against cybercriminals. An organisation has to succeed every time to prevent a breach; a cybercriminal only needs a single successful attack. Cyber deception pivots on the idea of offering the attacker an easy win on their motives, which in turn reveals the attacker and provides early threat detection. When traditional cyber defences fail and an attacker is able to advance on their objectives, cyber deception proves its value.

Deception introduces confusion and delay into the attacker's decision-making process, increasing the cost of the attack for the cybercriminal. Additionally, the physical cues that help people spot deception in the real world are unavailable, forcing cybercriminals to rely on exploration [2]. Conducting exploratory actions to identify cyber deception raises the cost of the attack and slows it down. The increased cost may be enough to encourage the cybercriminal to rethink attacking the organisation.

Cyber deception can be applied to overcome the uncertainties of traditional cyber security controls. Threat intelligence can also be obtained through cyber deception: every interaction with a decoy is a high-fidelity signal, because no legitimate user or process has a reason to touch it. Deception reveals valuable insight into the tactics, techniques and procedures of an attacker specifically targeting an organisation. Organisations can leverage this intelligence to better build their defences and mitigate future attacks.

Cyber Deception Strategies and Techniques

To produce an effective strategy, an organisation needs to understand its goals. This can be as simple as asking "what are we planning to achieve?". The organisation can then proceed to developing a narrative for the prospective attacker and ensuring the narrative is believable through deceptive story generation. An unstructured cyber deception strategy reduces the overall effectiveness. Planning is also an individual process: an organisation is best served by considering its own unique environment and objectives rather than copying a generic deployment.

Techniques extend to anything that may appear attractive to an attacker, such as systems, files and accounts (decoy hosts, honeytoken documents and credentials, fake service accounts). A great starting point for deception techniques is the Thinkst Canary platform. A number of other helpful resources are included at the bottom of the article.

A Basic Example Deceptive Story

Goal: Identify an attacker within the internal network aiming to obtain access to the SIEM platform.

Story:

  1. Attacker gains initial access onto an internal workstation.
  2. Attacker seeks configuration information of SIEM agent.
  3. Attacker discovers configuration file of SIEM agent containing deceptive system URL.
  4. Attacker performs basic reconnaissance of URL returning deceptive SIEM service account details.
  5. Attacker attempts to login to deceptive system.
  6. Alert is raised for review.
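The story above can be implemented with a planted honeytoken and a small decoy service. The following is an added example and not code from the original post or from Thinkst Canary: a decoy "SIEM collector" that renders the agent config file planted on each workstation (step 3), hands out a fake service account to anyone who reconnoitres the URL (step 4), and raises an alert on any contact, escalating the severity when the decoy credentials are used in a login attempt (steps 5 and 6). The hostname siem-collector.corp.example, the endpoint paths, the per-host token derivation, the hard-coded key and the workstation inventory are all hypothetical assumptions made for this example.

```python
"""Decoy SIEM-collector endpoint for the deceptive story above (added example).

Everything concrete here is an assumption for illustration: the decoy
hostname, the API paths, the token scheme and the host inventory.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

DECOY_HOST = "siem-collector.corp.example"   # hypothetical; resolves only to the decoy
TOKEN_KEY = b"constructed-example-key-use-32-random-bytes"  # per-deployment secret

# Fake service account handed to whoever reconnoitres the decoy URL (step 4).
# Constructed for this example; valid nowhere except the decoy.
DECOY_ACCOUNT = {"username": "svc_siem_collector", "password": "Wint3r-Coll3ctor!"}


def agent_token(hostname: str) -> str:
    """Unguessable per-host token, so an alert tells us which planted config was read."""
    return hmac.new(TOKEN_KEY, hostname.encode(), hashlib.sha256).hexdigest()[:24]


def decoy_agent_config(hostname: str) -> str:
    """Render the SIEM agent config file that is planted on a workstation (step 3)."""
    return (
        "# siem-agent.conf (managed by endpoint team)\n"
        f"collector_url = https://{DECOY_HOST}/api/v1/agent?token={agent_token(hostname)}\n"
        "tls_verify = true\n"
        "log_level = info\n"
    )


def hosts_for_token(token: str, known_hosts: list) -> list:
    """Map a token seen in a request back to the workstation(s) it was planted on."""
    return [h for h in known_hosts if hmac.compare_digest(agent_token(h), token)]


@dataclass
class Alert:
    severity: str
    event: str
    source_ip: str
    token: Optional[str]
    details: dict = field(default_factory=dict)
    time: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


ALERTS: list = []   # in practice forward each alert to the real SIEM


def handle_request(method: str, path: str, body: str, source_ip: str, known_hosts=()):
    """Core decoy logic, kept free of HTTP plumbing so it can be tested offline.

    Returns (http_status, response_dict, alert_or_None). Nothing legitimate ever
    contacts the decoy, so every matching request produces an alert.
    """
    url = urlparse(path)
    token = parse_qs(url.query).get("token", [None])[0]
    planted_on = hosts_for_token(token, list(known_hosts)) if token else []
    if method == "GET" and url.path == "/api/v1/agent":
        alert = Alert("medium", "decoy_recon", source_ip, token, {"planted_on": planted_on})
        ALERTS.append(alert)
        return 200, {"collector": DECOY_HOST, "service_account": DECOY_ACCOUNT}, alert
    if method == "POST" and url.path == "/api/v1/login":
        creds = json.loads(body or "{}")
        used_decoy = creds.get("username") == DECOY_ACCOUNT["username"]
        alert = Alert("high" if used_decoy else "medium", "decoy_login_attempt", source_ip, token,
                      {"username": creds.get("username"), "decoy_credentials_used": used_decoy,
                       "planted_on": planted_on})
        ALERTS.append(alert)
        return 401, {"error": "invalid credentials"}, alert   # never actually let anyone in
    return 404, {"error": "not found"}, None


class DecoyHandler(BaseHTTPRequestHandler):
    known_hosts = ["ws-1041", "ws-1042"]   # constructed inventory of hosts with planted configs

    def _serve(self, method: str) -> None:
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode() if length else ""
        status, resp, alert = handle_request(method, self.path, body,
                                             self.client_address[0], self.known_hosts)
        if alert:
            print(json.dumps(alert.__dict__))   # stand-in for shipping the alert to the SIEM
        data = json.dumps(resp).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        self._serve("GET")

    def do_POST(self):
        self._serve("POST")

    def log_message(self, *args):   # keep stdout for alerts only
        pass


if __name__ == "__main__":
    print(decoy_agent_config("ws-1041"))   # the file to plant on that workstation
    HTTPServer(("127.0.0.1", 8443), DecoyHandler).serve_forever()
```

The per-host token is the part worth copying: it makes the planted file both unique (so the attacker cannot recognise it from another deployment) and attributable (the alert names the workstation the config was lifted from, which is where the initial access in step 1 happened). The decoy always answers the login with 401, so an attacker who "succeeds" at step 4 still has nothing, while the defender has a high-severity alert with a source IP and a point of origin.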

Impact of Future Adoption

Adoption of cyber deception across organisations is currently minimal. This is an initial concern, as low adoption could be a significant factor behind the current effectiveness of cyber deception. There is a valid belief that as cyber deception is adopted more widely, attackers will actively seek out deceptive technology to avoid detection. Even if this were to occur, cyber deception would still be effective in slowing the attacker down. Increased adoption may well lead to attackers having to hunt for deception, demanding greater resources from them and forcing them to be more selective to avoid detection. Threat intelligence also has a lot to gain from increased adoption, with more organisations sharing enhanced insights into the tactics, techniques and procedures of attackers.

Conclusion

Cyber deception improves on traditional technology-driven detection methods by targeting the attacker's human perceptions and disrupting their decision-making. When traditional security controls fall short and an attacker is able to work towards their motives, cyber deception proves its value. A cyber deception strategy that is well supported by thorough planning and process will prove beneficial. Adopting cyber deception as a defence-in-depth measure that complements existing traditional controls improves early threat detection.

The content from this post is built off of my final university research project. I've tried to give it a bit more life compared with the academic paper. I may well one day post the original paper, though.

Handy Resources

Included below are a number of resources around cyber deception that I've found useful:

Footnotes

  1. IBM Security. (2023). Cost of a Data Breach. https://www.ibm.com/reports/data-breach

  2. Cranford, E. A., Gonzalez, C., Aggarwal, P., Tambe, M., Cooney, S., & Lebiere, C. (2021). Towards a cognitive theory of cyber deception. Cognitive Science, 45(7), e13013. https://doi.org/10.1111/cogs.13013