How to use cyber-deception in your security strategy

Cyber deception allows firms to play adversaries at their own game – but how is it achieved?

A digital image of a smartphone being used as a mousetrap, to represent cyber deception and honeytraps.
(Image credit: Getty Images)

Cyber deception has been around for years as an effective means to play adversaries at their own game. But recently, the area has become more important in the face of risks fuelled by technology such as AI and other novel threats.

So much so that the UK National Cyber Security Centre (NCSC) is partnering with firms to help build a nation-scale evidence base for cyber deception. Based on progress over the last year, the organization says it has found “a compelling case for increasing the use of cyber deception in the UK”. However, firms face several barriers and risks, according to the NCSC.

What exactly is cyber deception, who should use it, and how can firms include the area as part of their security strategy?

A clear signal

Cyber deception uses decoys such as honeypots and fake credentials that look and behave like the real thing. The goal is to give attackers something believable to interact with so defenders receive “a clear signal when something is wrong”, says Katie Barnett, director of cyber security at Toro Solutions.

For example, firms might create a decoy account that no legitimate user would ever access. “If the account is touched, it is a strong signal that something malicious or unauthorised is happening,” Barnett explains.

The idea is to create a series of “high-fidelity decoys and lures” that look like they are real targets, adds Andy Swift, cyber security assurance technical director at Six Degrees. “Those targets could take the form of a fake server, database or domain controller – or simulate live RDP or SSH connections so the network appears to be active. Some will even populate end devices with fake data, passwords and keys.”

When used optimally, cyber deception can be very useful. It provides an early warning of compromise and helps surface activity that would otherwise stay hidden, says Barnett. “It is particularly effective at detecting lateral movement and credential misuse where traditional controls often struggle. There is also a defensive benefit in forcing attackers down false paths, which wastes time and undermines their confidence once they realise the environment cannot be trusted,” she tells ITPro.

Cyber deception is available in several forms. There are both open source and commercial products available offering “plug-and-play” deception capabilities that operate as configurable honeypots. “These tools can reduce the effort required to deploy deception and make it more accessible to organizations without specialist skills,” says Barnett.

However, they still require careful placement, tuning and ongoing maintenance to ensure the decoys remain realistic and the signals generated are “meaningful and actionable”, she warns.

Cyber deception pitfalls

Cyber deception is certainly useful, but there are pitfalls firms should avoid when including the area in their strategy. The biggest mistake is deploying deception without being clear on the outcome, says Barnett. “If you cannot explain what success looks like, whether that’s faster detection, higher-confidence alerts or reduced dwell time, it becomes difficult to measure value or justify keeping it in place.”

At the same time, because deception is built from real assets in the environment, deploying it without careful consideration can introduce new vulnerabilities: “The very opposite of what you sought to do,” says Andy Smith, CEO and co-founder of Tracebit, which is partnering with the NCSC in its ongoing cyber deception trial.

Meanwhile, careful tuning can be necessary to prevent internal automated systems from producing noise and false positives, he warns.

In addition, poorly designed decoys can be “easily fingerprinted and subsequently avoided” by attackers, says Swift. “There are tools in active use today that automate this detection process, reducing wasted effort on the attacker’s part. Even well-intentioned decoys can fail if they are misconfigured; they must look and behave like genuine assets and be contextually relevant to the organization in order to remain believable.”

It’s also important to note that the area must be actively managed to be useful. Cyber deception only works if you’re ready to monitor it and respond when malicious activity does occur, says Michael Clark, senior director of threat research at Sysdig. “That means it’s best suited for organizations with mature security programs in place and it is not a replacement for traditional controls.”

Best approach for benefits

To start using cyber deception in your business, begin with some “low-cost, easy-to-deploy techniques” that offer earlier warning with very little operational burden, suggests Rik Ferguson, VP of security intelligence at Forescout.

He advises leaders to start with simple ‘tripwires’: “Place a small number of ‘canary tokens’ across the places an intruder will naturally browse, such as shared drives, SharePoint or OneDrive libraries, old project folders, and repositories that hold diagrams and runbooks.

“Use URL and DNS tokens, and add one or two beaconed documents named like realistic targets. Make sure any alert lands somewhere your responders actually look, and ensure it includes enough context to act quickly: Which token fired, where it lived, and who and what accessed it.”

Alongside tripwires, add basic monitoring around data movement in “a few crown jewel locations”, because staging and exfiltration often come before the loud part of an incident, adds Ferguson. “Enable alerts for bulk reads or downloads, unusual spikes in access, mass rename or delete patterns, and new external shares or public links.”

Then place one or two decoy files with embedded canary links inside those locations so you get a high confidence signal when someone is browsing with intent, he advises. “The data movement alerts will provide the surrounding context.”

Cyber deception can help boost security, but the biggest gains come when it is layered on top of a solid foundation. It should be used alongside strong vulnerability management, posture assessment and threat detection, according to Clark. “With those in place, organizations can deploy honeypots and honeytokens across cloud and on-prem environments. Like secrets, these assets need to be tracked and rotated to maximize their benefits.”
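As an added example (not code from the article, ITPro, or any of the vendors quoted), the Python below sketches the pattern the advice above describes: a honeytoken registry that records where each token lives so an alert can say which token fired, where it lived and who and what touched it; the single-touch decoy-account signal Barnett mentioned earlier; the lower-fidelity data-movement rules (bulk reads, mass rename/delete, new external shares) that supply surrounding context; and a track-and-rotate check that treats tokens like secrets. The registry, the normalised audit events, the field names and the thresholds are all constructed for illustration and are not any product’s real schema.

```python
"""Honeytoken tripwires, data-movement heuristics and token rotation.

Added example, not code from the article or any vendor mentioned in it.
The registry, the normalised audit events and the thresholds are all
constructed for illustration; field names are assumptions, not a real
product's log schema.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed honeytoken registry. Recording where each token lives is what
# lets an alert say which token fired and where it lived; `rotate_days`
# treats the token like a secret with a rotation deadline.
HONEYTOKENS = [
    {"id": "tok-dns-01", "kind": "dns", "name": "vault-backup.internal.example",
     "location": r"\\fileserver\projects\2019-migration\runbook.docx",
     "deployed": date(2025, 1, 10), "rotate_days": 180},
    {"id": "tok-url-02", "kind": "url",
     "name": "https://intranet.example/finance/q4-forecast.xlsx",
     "location": "SharePoint /sites/Finance/Shared Documents/archive",
     "deployed": date(2025, 5, 2), "rotate_days": 180},
    {"id": "tok-acct-03", "kind": "account", "name": "svc_backup_legacy",
     "location": "Active Directory (decoy service account, never used)",
     "deployed": date(2024, 6, 1), "rotate_days": 365},
]


def _ev(ts, source, user, host, action, obj):
    """Build one normalised audit event (constructed sample data)."""
    return {"ts": ts, "source": source, "user": user, "host": host,
            "action": action, "object": obj}


# Constructed events as a DNS resolver, identity provider, web proxy and
# file-share audit log might emit them: a token DNS query, a decoy-account
# login, 25 reads in 25 seconds, 12 renames, a canary URL fetch, a new
# external share, and two ordinary reads by another user.
EVENTS = (
    [_ev("2025-09-01T09:00:01", "dns", "-", "ws-042", "query",
         "vault-backup.internal.example"),
     _ev("2025-09-01T09:00:05", "idp", "svc_backup_legacy", "ws-042", "login",
         "vpn-gateway")]
    + [_ev(f"2025-09-01T09:01:{i:02d}", "share", "j.doe", "ws-042", "read",
           f"/Finance/contracts/c-{i:04d}.pdf") for i in range(25)]
    + [_ev(f"2025-09-01T09:02:{i:02d}", "share", "j.doe", "ws-042", "rename",
           f"/Finance/contracts/c-{i:04d}.pdf.locked") for i in range(12)]
    + [_ev("2025-09-01T09:03:00", "proxy", "j.doe", "ws-042", "fetch",
           "https://intranet.example/finance/q4-forecast.xlsx"),
       _ev("2025-09-01T09:03:30", "share", "j.doe", "ws-042", "share_external",
           "/Finance/contracts"),
       _ev("2025-09-01T10:15:00", "share", "a.smith", "ws-007", "read",
           "/Finance/contracts/c-0003.pdf"),
       _ev("2025-09-01T10:16:00", "share", "a.smith", "ws-007", "read",
           "/Finance/contracts/c-0004.pdf")]
)


def token_hits(events, registry=HONEYTOKENS):
    """Any event naming a honeytoken is a high-confidence alert.

    No legitimate user or process should resolve, fetch or log in as a
    decoy, so there is no threshold: one touch is enough. Each alert
    carries the responder context: which token, where it lived, who and
    what touched it, and via which log source.
    """
    by_name = {t["name"]: t for t in registry}
    alerts = []
    for ev in events:
        tok = by_name.get(ev["object"]) or by_name.get(ev["user"])
        if tok is None:
            continue
        alerts.append({"token": tok["id"], "kind": tok["kind"],
                       "location": tok["location"], "who": ev["user"],
                       "what": ev["host"], "via": ev["source"],
                       "action": ev["action"], "ts": ev["ts"]})
    return alerts


def data_movement_alerts(events, bulk_reads=20, window=timedelta(minutes=5),
                         mass_change=10):
    """Context around crown-jewel locations: bulk reads by one user inside
    a sliding window, mass rename/delete, and new external shares.
    Thresholds are illustrative and must be tuned per environment."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["source"] == "share":
            per_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        reads = [datetime.fromisoformat(e["ts"]) for e in evs
                 if e["action"] == "read"]
        lo = 0
        for hi in range(len(reads)):
            while reads[hi] - reads[lo] > window:   # slide window start
                lo += 1
            if hi - lo + 1 >= bulk_reads:
                alerts.append({"type": "bulk_read", "user": user,
                               "count": hi - lo + 1,
                               "until": reads[hi].isoformat()})
                break
        changes = [e for e in evs if e["action"] in ("rename", "delete")]
        if len(changes) >= mass_change:
            alerts.append({"type": "mass_change", "user": user,
                           "count": len(changes)})
        for e in evs:
            if e["action"] == "share_external":
                alerts.append({"type": "external_share", "user": user,
                               "object": e["object"], "ts": e["ts"]})
    return alerts


def tokens_due_for_rotation(today, registry=HONEYTOKENS):
    """IDs of tokens past their rotation deadline (today as date or ISO str)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [t["id"] for t in registry
            if today - t["deployed"] >= timedelta(days=t["rotate_days"])]


if __name__ == "__main__":
    for a in token_hits(EVENTS):
        print("HIGH   honeytoken   ", a)
    for a in data_movement_alerts(EVENTS):
        print("MEDIUM data movement", a)
    print("rotate:", tokens_due_for_rotation("2025-09-01"))
```

Note the asymmetry in fidelity: a honeytoken hit is reported on a single event, because nothing legitimate should ever touch it, whereas the data-movement rules carry thresholds that have to be tuned so that backup jobs, scanners and other internal automation do not bury the signal. Keeping the registry alongside the alerting code is what makes the rotation check possible; a token that is never rotated is as stale as a password that is never changed.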

At the same time, while it might seem counter-intuitive, don’t keep your plans a secret. Communication internally about deception is “surprisingly important”, says Smith. “We advise our customers to at least let their teams know that some deception is being deployed.”

When starting out, focus on real threats to your business and how deception can help, Smith advises. “It could be data exfiltration in your cloud environment or a supply chain attack on your developer laptops.

“Deception can help with many of these risks, so it’s worth prioritizing accordingly.”

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.