In 'The Art of War,' Sun Tzu declared, 'All warfare is based on deception.' Learn how to apply this principle in the enterprise by building a cybersecurity deception program.
It's no longer a question of if attackers will get inside a given enterprise network, but when -- a reality that makes proactive cybersecurity strategies, such as threat hunting and cyber deception, of growing interest. Analysts at Research and Markets predicted the deception technology market will grow to $4.2 billion by 2026, up from $1.9 billion in 2020.
Cyber deception involves laying decoy assets across the IT environment with the goal of luring malicious hackers away from real systems and applications. At its best, cyber deception can accomplish the following:
Waste attackers' time and energy on diversions.
Alert incident responders to attackers' presence in enterprise systems, with negligible false positives.
Strengthen threat intelligence by enabling security teams to observe and record attackers' tactics, techniques and procedures.
All of this is easier said than done, however. To build a cybersecurity deception program that realizes the above benefits, security leaders need a thoughtful and strategic approach. Consider the following best practices.
1. Win leadership buy-in
While early cyber deception efforts gained a reputation for failing to directly support organizations' missions -- in some cases, wasting time and resources -- cyber deception techniques and technologies have come a long way since the early days of rudimentary honeypots.
It's important to communicate to executive leaders, including CISOs, CIOs and other C-level executives, that cyber deception has now become a critical part of active defense, with the potential to deliver significant ROI. The more support from leadership the cyber deception program has, the more likely it is to succeed.
2. Develop the initial cyber deception plan
It's easy to get excited about the unlimited conceptual potential of cyber deception and overlook operational and logistical constraints. Rather than setting overly ambitious goals, however, try to realistically assess available resources and start small.
Then, consult resources such as threat intelligence feeds, incident reports and Mitre ATT&CK to identify likely attack paths and methods. This information should inform where and how teams deploy cyber deception resources to maximize the odds of effectively intercepting threat actors.
The cyber deception plan itself should document the program's goals and objectives; likely threat actors, attacks and attack paths; cyber deception tools and techniques; and measurement and monitoring strategies.
As the plan evolves, make sure to get feedback and buy-in from technical staff and management.
If a decoy looks like a duck, swims like a duck and quacks like a duck, attackers are more likely to believe it is a duck.
3. Implement and integrate cyber deception technologies
Cyber deception technology has made significant strides in recent years, with a variety of commercial and open source options now available. Vet and select the technology that best meets your program's needs, weighing scalability, depth and breadth of coverage, deployment models, management interfaces and automation capabilities. And crucially -- since any deception technology must alert security practitioners to suspicious activity -- prioritize the ability to integrate with existing detection technology and other tool sets in the security operations center.
After selecting deception technology for deployment, security staff needs to carefully set up and configure resources to look and act like their "real" counterparts. Remember that successful cyber deception hinges on psychology and social engineering, as well as technology. If a decoy looks like a duck, swims like a duck and quacks like a duck, attackers are more likely to believe it is a duck. With this in mind, consider also using existing technologies to bolster believability -- for example, setting up deceptive user accounts and email addresses on production systems.
4. Execute the cyber deception plan
After deploying and testing the deception technology and training staff on its use, it's time to begin operations. Cyber deception implementations need constant monitoring, management and maintenance. Real production systems change moment to moment due to daily use, patching and other operational activities. Deception resources must fluctuate similarly, or they will fail to convince attackers.
Additionally, make sure to save monitoring data on a separate, secure system -- not just on the deception technology itself -- so as to have a backup record of events and key metrics.
5. Revisit and revise the cyber deception plan
Periodically assess the effectiveness of the plan, update it to make it more effective and apply lessons learned. Use logs and other records to measure performance and gauge results. Discuss deception resources with relevant security personnel, focusing on any issues they've encountered and suggestions they have for improvement.
Finally, it's advisable to periodically add new cyber deception instances to the environment to detect other types of attacks and find additional threats.
