Deception in Cybersecurity

When it comes to deception, the goal is forced misperception on adversaries – leading them to act in an inefficient manner, where the party that holds access to the largest amount of information is therefore able to move more effectively towards their objective. Information asymmetry provides this imbalance of power where one party is privy to information that the other party is not. Deception is the process of forced information asymmetry and is often complex and involves careful planning to maximize benefits and mitigate potential risks.

Role of Deception
In cyber security, deception is typically applied as the second-to-third line of defense to detect, prevent and respond to adversaries offering unique advantages where adversaries are often forced to evolve their exploitation strategies to reach objectives.
The typical goal of deception is focused on forcing asymmetry in terms of resources (time, CPU power, money) through:
a)      Using false information to mislead adversaries
b)     Expending the adversary’s time through increasing response-times to heighten the adversary’s perception of their risk of detection
c)      Forcing pre-planned attack vectors by deploying lures that play to the adversary’s cognitive biases
d)     Monitoring the adversary’s tactics and tools

Methods of Deception

Psychological warfare plays a key role when influencing the behavior of an adversary. Typically, deception tactics focus on organizational biases (arising from local traditions, rules and structures) and cognitive biases (confirmation bias, availability bias etc) which lead to perceptual distortions – or irrationality in behavior. Deceptive tactics tend to be more effective when they exploit targeted cognitive biases of the adversary and for this to occur, information asymmetry is necessary.
As adversaries typically act based on the assumption of the truth of the systems/data they are trying to compromise, through interacting with these systems, they’re able to gain more information about their target which can inform their next attack vector. The role of the deception tools in this case, is to ensure that the adversary gains a false sense of information asymmetry. The deception mechanisms therefore fail, when the adversary realizes they are in either a simulated environment, or interacting with placeholder systems. In this instance, the scenario can flip to the adversary deceiving the organization.
This balance is the tug-of-war between two parties wanting to achieve information asymmetry as the success of deception depends on the accumulation of information through forced asymmetry.

The Deception Stack

Typically, deception technologies are deployed across the deception stack through various tools and programmed responses to make the deception believable. The four components of the stack are: network, endpoint, application and data. As deception moves from the network layer up to the data layer, the difficulty of deception increases.

Deception Tactics at Each Attack Phase
The following is a derivation of the Gartner Cyber Attack Kill chain concept which maps out the different uses of deception across the life cycle of an attack.
1)     Reconnaissance
Deception would involve disinformation to confuse the attacker and make it difficult for them to select the optimal service/application/infrastructure component to exploit

2)     Weaponization
Misdirecting the attacker through falsified application responses or services designed to delay the attacker. The goal of this deception stage is to force enough asymmetry to lead the attacker to select the wrong tools, or misdirect the attacker towards services that are not being used

3)     Delivery
During this phase, any injected binaries should be sent into a deception zone (i.e. a network sandbox) to be executed in a virtual environment.

4)     Exploitation
Deception tactics can exist in any layer of the deception stack during the exploitation phase to trick or disrupt the exploitation from happening. There are numerous tactics that can be utilized at this phase including, injection of fake data or redirection of suspicious traffic to a decoy environment. Responses to exploits at this stage need to be targeted and specific to the type of attack the adversary is launching.

5)     Installation
Often on the endpoints, it’s possible to disrupt malware through deceiving the executing malware into believing it is running in a virtualized environment or making the malware believe certain files have been written that haven’t. Some malware have the ability to detect virtualization and will often stop running due to detection – or if they believe their execution has been successful. This is an opportunity to interrupt the malware installation phase through manipulating the malware’s trust.

6)     Command
Most malware operate through a command-and-control server which sends and receives responses and provides the malware with instructions to download payloads or – to facilitate remote control in the case of a botnet. Commonly, this is the stage where the malware will attempt to move laterally through an organization’s network. There are several tactics used to sever command-and-control based malware including the launch of a Sybil attack or redirection of traffic to socket servers to further analyze and understand the traffic that’s being sent through the host.

7)     Execution
At this stage, malware commonly works on exploring the environment it’s contained in – including lateral movement, network scans, credential gathering and other similar activities. Network-based deception solutions can be deployed here to fake credentials, simulate endpoints, false sensitive data to delay the adversary’s efforts and circumvent the attack.

Barriers to Deception
a)      A Rise in False-Positives
The surge in false-positives in recent technologies have often led to these technologies being pulled out of service or placed in a passive position within a company’s security landscape.

b)     Believability
The irony of deception is that the believability of deception is greatly diminished upon the publication of deceptive strategies or, when the deception disrupts business operations. To seamlessly incorporate deceptive tactics into an organization’s security landscape, deception practices need to be constantly refined and be adaptive to the adversary’s attack vectors. The downside of a non-believable deception is that the adversary will react and no longer trust any of the elements involved in the deception.

c)      Enterprise Readiness
Deception products need to reach a certain maturity level to service enterprise use cases. An example of this maturity is in the integration of deception with incident response systems and procedures. Security teams are already inundated with alerts, data and built-in analysis capabilities, meaning any further technology introduced into the landscape needs to integrate in a way that doesn’t increase the existing load.
Further Reading
Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities by Lawrence Pingree


  1. This blog provide good information on Gartner cyber security. Thanks for sharing links. Very helpful.


Post a Comment

Popular posts from this blog

Office365 Attacks: Bypassing MFA, Achieving Persistence and More - Part I

Backdoor Office 365 and Active Directory - Golden SAML

Successful 4624 Anonymous Logons to Windows Server from External IPs?