
Implementing Deception – identifying needs and setting goals

01.11.2022 | November 10th, 2022 | Blog

After introducing why cyber detection is so important and how you can use deception for great value, today we’re looking at implementing deception as a further link in your cyber security chain, and recapping why you should not ignore the vast amount of added security it offers your organization.

Given the breadth of benefits that can be realized using cyber deception, implementing a deception strategy can seem challenging. Fortunately, it can be simplified by taking a structured approach.

The first step in the process is to identify and prioritize deception goals. Some organizations may have only one initial deception goal, such as faster detection and response. Other organizations may have multiple goals of differing priorities. An organization that has very effective detection capabilities may be primarily interested in the collection of threat intelligence with a secondary interest in supplementing their existing detective controls. As long as your deception goals, and the prioritization thereof, are in line with your organization’s security posture and business or mission objectives, it does not matter what goals are selected or their prioritization. What matters is that a goal or goals have been identified.

Once you have identified your goal, the next step is to identify what the attacker needs to do in order for you to achieve the stated goal. If my goal is to quickly and accurately detect attackers, I would need attackers to interact, in any capacity, with my deceptive resources. If my goal is the collection of threat intelligence, I need the attacker to display their tools, tactics, techniques, practices, and/or goals. At its core, deception is not focused on trying to get the adversary to think something, but rather, trying to get the adversary to do something. The second step in the deception planning process focuses on what we want the attacker to do.

Next, deception planners need to decide what information needs to be conveyed to the attacker to achieve the desired action. Attackers make decisions about if and how their attack will progress based on information they receive while acting against and interacting with our computing environment. This information could come from conducting reconnaissance, scanning, sniffing network packets, and interrogating already compromised systems. Deception planners must develop enough of an understanding of attacker techniques, tools, and goals to understand how these decisions are made and what they are based on. This allows deception planners to understand what information needs to be provided to the attacker to influence them to take desired actions. It should be noted that the key word is “influence”. Deception is an “influence operation” rather than a “control operation”. Deception planners must always remember that, presented with the same information, two attackers can make drastically different decisions.

With an understanding of the information that is to be conveyed to the attacker, deception planners must identify the available channels of communication. In this context, a channel of communication is simply a repository of information that is accessible to the attacker. This could be a posting in a public newsgroup that can be tied back to the “target” organization, crafted network packets, or simply the fact that a certain port is open on a system. It is at this phase in the process that the design of the deception strategy is truly created.
By planting specific information in a wide variety of locations, we can present the attacker with a “story” that we define. That story involves presenting information to the attacker that is designed to influence the decision-making process of the attacker. In doing so, deception planners influence the behavior of the attacker. This influenced behavior is ultimately what allows deception planners to achieve their identified goals.
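The first two planning steps, as an added example that is not part of the original post or of any vendor product: constructed events are checked against a hypothetical decoy inventory, so that any interaction with a decoy raises an alert (detection goal) and the ordered actions per source are retained (threat-intelligence goal). All host names, accounts, addresses and the one-JSON-object-per-line log format are assumptions.

```python
import json
from collections import defaultdict

# Hypothetical decoy inventory: each entry is one "channel" carrying planted
# information. Names, addresses and ports are constructed for illustration.
DECOYS = {
    ("host", "fs-backup01"): "decoy file server advertised in DNS",
    ("account", "svc_sqladmin"): "decoy credential left on a workstation",
    ("port", "10.0.5.20:3389"): "decoy open RDP port",
}

# Constructed sample events in an assumed normalised format (one JSON object per line).
SAMPLE_EVENTS = """\
{"ts":"2022-11-01T09:14:02Z","src":"10.0.3.77","kind":"port","target":"10.0.5.20:3389","action":"connect"}
{"ts":"2022-11-01T09:14:30Z","src":"10.0.3.12","kind":"host","target":"fs-prod02","action":"smb_list"}
{"ts":"2022-11-01T09:15:41Z","src":"10.0.3.77","kind":"account","target":"svc_sqladmin","action":"logon_attempt"}
{"ts":"2022-11-01T09:17:05Z","src":"10.0.3.77","kind":"host","target":"fs-backup01","action":"smb_list"}
"""

def decoy_alerts(lines):
    """Detection goal: any interaction with a decoy, in any capacity, is an alert."""
    alerts = []
    for line in lines.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting the run
        if not isinstance(ev, dict):
            continue
        key = (ev.get("kind"), ev.get("target"))
        if key in DECOYS:  # production assets never match, so they raise no alert
            alerts.append({**ev, "decoy": DECOYS[key]})
    return alerts

def intel_by_source(alerts):
    """Threat-intelligence goal: ordered actions each source displayed against decoys."""
    seen = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        seen[a["src"]].append((a["action"], a["target"]))
    return dict(seen)

if __name__ == "__main__":
    found = decoy_alerts(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} ALERT {a["src"]} -> {a["target"]} ({a["decoy"]})')
    print(intel_by_source(found))
```

The event against the production host `fs-prod02` produces no alert, which is why decoy interaction can be treated as a high-confidence signal.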

While this deception planning process may sound intimidating, in most cases it is relatively easy, particularly when purchasing a commercial deception technology. It is still important to fully understand your deception goals because, by understanding them, you can identify the deception technology solution that aligns with those goals most closely. Commercial deception technology vendors have already thoroughly researched what information they need to present to the attacker and how that information can be conveyed. Thus, after selecting the most appropriate vendor, initial implementation of cyber deception becomes only a matter of learning to deploy and then use the technology.

Come back next time for our insight into the main points on why cyber deception is one of the most powerful assets in IT security.

If you want to get ahead in fighting off cyber attacks, contact us today!

Image provided by Canva.com
