A Systematic Approach to Cyber Deception (Part 4 of 4)



  • Part 1 introduced three phases of Cyber Deception Campaign & highlighted 4 considerations related to Industrial Networks: (1) Safety, (2) Availability, (3) Realism, & depending on our strategic goals, (4) Secrecy that we should be mindful throughout the planning & execution.

  • Part 2 focused on planning & measuring success. To address "realistic" for who or which type of Threat Actors, I proposed an "estimation" of Threat Actors based on ability to maintain Operational Security.

  • Part 3 illustrated examples of simulation vs dissimulation, for two types of strategic goals: luring & early deterrence/diversion.


This last part is longer than the rest, but in short:

  • Use in-house training network as Honeynet
  • Add COTS Deception to sieve out novice to intermediate actors
  • Plan & implement customised non-system-level decoys for advanced actors
  • Estimate Threat Actor types based on COTS Deception alerts & access patterns of custom decoys
  • Link host & network telemetry to trace paths of multiple Threat actors within the HoneyNet

First things first before getting into the details of HoneyNet:

  1. Advanced Threat Actors can get around COTS Deception Products
  2. Disrupting attackers' Reconnaissance is key to success
  3. There can be multiple attacks by different Threat Actors

Getting Around COTS Deception

"Advanced" is subjective because it depends on the "yardstick" we use for relative comparison. Beyond being very evasive as part of maintaining their OpSec (as shared in Part 2), advanced actors also have the resources to buy COTS Deception products for tear-down & the know-how to reverse engineer them for weaknesses.

Advanced actors can infiltrate service providers, software vendors & suppliers, then narrow down to the right people as targets. Look at FireEye (Managed Security Provider), SolarWinds, open-source software components & Jeff Bezos's phone hacking incident.

Tripping a COTS Distributed Deception Defence is a form of OpSec failure that Advanced Threat Actors would likely have avoided.

Reconnaissance, fancy word for Info-Gathering

Disrupting Information Gathering gives us Early Warning signals. Attackers can complete objectives without any "attack" when misconfigured databases are exposed on the Internet. The longer path goes through the client-network zones before reaching critical server-zones:


Triangles represent the necessary & sufficient conditions of Cyber-Physical attacks. Managing one or more conditions of combustion reduces the risks of fire. Likewise, we mitigate attacks by dealing with one or more of the conditions related to any successful attacks.


We patch systems to address System Susceptibility & enforce access-controls to deal with Threat Accessibility. We can't really stop attackers from figuring out new exploits (Threat Capabilities), but we can certainly trick them into using old ones.

External vs Internal Reconnaissance

What we can find outside the target network will differ from probing within. After gaining a foothold, attackers stay within networks for further Internal Reconnaissance.

How can these so-called Advanced actors get around COTS Deception?

With a network blueprint, why bother with decoys? Just go straight for the targets.

A network blueprint leaked by a 3rd-party IT supplier (e.g. a backup solution provider) will flush all that investment & effort down the drain.

Be very sure of who is in possession of your network topology, and guard them!

Multiple On-Going Attacks

Novice Threat Actors favor active scanning. They watched some YouTube tutorials, all fired up with their new Nmap kung-fu. Some are silly enough to scan directly; the smarter ones use VPNs, proxies & whatnot. How they go about gathering information is a matter of Threat Capability, one of the 3 triangles within the Attack Life Cycle diagram shown earlier.

Advanced actors? They may have already infiltrated various product vendors, including security products & managed service providers (who watches the watch-dog?) to know which company is using what.

Attackers don't take queue numbers to attack networks.

There can be multiple ongoing attack campaigns within any network. How do we deal with different attackers within the same network? Let's revisit goal setting!

It's ALL about SMART Goals

The strategic (sustainable long-term) goals with this approach are to lure, deter & divert different attackers in parallel. These goals need to be S.M.A.R.T:

What are the attributes?        | Why it matters?
--------------------------------+------------------------------------------------------------------------------------------------------------
Specific to your networks       | Unambiguous goals to lure attackers to gather specific intelligence to improve production networks.
Measurable Deception Campaign   | Without a planning framework, we can't measure success & zoom into areas of improvement.
Actionable                      | So that we are clear on what to do with the alerts & new information, to reach specifically defined goals.
Realistic                       | Especially for the HoneyNet to gain actionable & specific intelligence.
Timely                          | Feedback should be near real-time so necessary actions can be taken quickly, because attacks can progress quickly.

Sounds good, but how?


Training Network as HoneyNet

Researchers & deception product vendors try very hard to create realistic simulations, but a training zone for most Operational Technology networks is about as real as it gets:

  • There are human activities (e.g. from the trainees)
  • Configurations are likely similar to production
  • Typically not (directly) connected to production networks
  • Better to practice while training; get a glimpse of an unprepared future

We deploy COTS Deception product within the training network, along with customized Informational (non-technical) decoys that are organisation-specific to bait intermediate to advanced threat actors.

Custom Informational Decoys

Modern COTS Deception products ease the deployment of diverse technical traps for prevailing TTPs. These products rarely cover informational decoys that are specific to your organisation. We can estimate Threat Actors by monitoring COTS Deception alerts & access to custom decoys:


We highlighted briefly within part 2 that estimation is only as good as the Feedback Monitoring channels.

Feedback Monitoring Capabilities

Finally, what are the desirable attributes so that we can estimate Threat Actors?

  1. Multiple layers of monitoring; minimally host audit & network forensics
  2. High-availability with channel fail-over alerting
  3. Real-time linking of host & network data-sets to trace alerts back to external Command-&-Control (C2) servers

The first two are pretty standard requirements for most network threat monitoring. Let me use an illustration to explain the third point:


This is how OpenEDR (written by me; coincidentally ComodoSecurity has another OpenEDR) represents an end-to-end RDP session flow between FANLESS-PC (let's say a jump-point within the HoneyNet for an admin-bot to issue scheduled maintenance commands) and DESKTOP-O153T4R (which uses Domain Admin credentials that many Threat Actors are after).

We can see from the left that the entire path starts off with input actions (from the bot) & ultimately leads to the Remote Desktop Service process on the right. Suppose a Threat Actor is also watching this on FANLESS-PC, the initial foothold, & wants to move laterally to DESKTOP-O153T4R. S/he WILL need to use a hidden background process since there is an active 'user' on the terminal.

When that happens, we will capture a hidden process (without Input events linked to it) that has BOTH outbound & lateral network-communication events linked to it. We call such processes 'pivots'. Instead of just looking at a host machine as the pivot, we zoom into process-level.

A real-time linked data-set allows us to quickly trace back to the external actors' C2 servers.

Detect ANY process-to-network anomalies without relying on external "signatures" or feeds.

Beyond monitoring the access to customised decoys, we also profile customised HoneyNet to enumerate all foreground (user-interactive) processes that are communicating to external destinations (e.g. some Internet sites to make it look realistic).

The HoneyNet SHOULD NOT be silent; we simulate activities & profile to capture Intersections A, B, C & the rest of the Host Processes:


User-Interactive or Foreground Processes (A)

  • Accept user input but do not communicate on any network (e.g. the calculator app; something is wrong when a hidden one does...)
  • These processes are usually created after Explorer.exe, the main interface for users after a successful sign-in with Windows

Foreground Processes with Network Activities (B)

  • These processes communicate outbound to Internet or laterally within Intranet
  • Email-clients & Web-Browsers are such processes & tend to receive malicious payloads

What happens after malicious payloads run?

Background Processes with Network Activities (C)

There are other background processes that are part of the initial code-execution. One or more of these processes will communicate on the network. The pivot-processes that we are after are in this set. We minimise the number of benign pivoting processes to reduce the opportunity for malicious code injection into such processes.

With this approach, hidden processes from whatever exploit techniques become apparent anomalies.
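The A/B/C profiling and pivot rule above, written out as an added example (not OpenEDR's code). It assumes two linked telemetry channels keyed by (host, pid): host-audit rows ("input") and network rows ("net"), and that the intranet is 10.0.0.0/8; the events are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption for this example: the intranet is 10.0.0.0/8; anything else counts as "outbound".
INTRANET = ip_network("10.0.0.0/8")

# Constructed telemetry for one HoneyNet host (not real captures): "input" rows come from
# the host audit channel, "net" rows from the network channel, linked by (host, pid, image).
EVENTS = [
    {"host": "FANLESS-PC", "pid": 1200, "image": "explorer.exe", "type": "input"},
    {"host": "FANLESS-PC", "pid": 3100, "image": "calc.exe", "type": "input"},
    {"host": "FANLESS-PC", "pid": 2200, "image": "mstsc.exe", "type": "input"},
    {"host": "FANLESS-PC", "pid": 2200, "image": "mstsc.exe", "type": "net", "dst": "10.0.5.20", "dport": 3389},
    {"host": "FANLESS-PC", "pid": 4000, "image": "outlook.exe", "type": "input"},
    {"host": "FANLESS-PC", "pid": 4000, "image": "outlook.exe", "type": "net", "dst": "203.0.113.8", "dport": 443},
    {"host": "FANLESS-PC", "pid": 7000, "image": "wuauclt.exe", "type": "net", "dst": "203.0.113.50", "dport": 443},
    {"host": "FANLESS-PC", "pid": 5100, "image": "svc_helper.exe", "type": "net", "dst": "203.0.113.77", "dport": 443},
    {"host": "FANLESS-PC", "pid": 5100, "image": "svc_helper.exe", "type": "net", "dst": "10.0.5.20", "dport": 445},
    {"host": "FANLESS-PC", "pid": 900, "image": "lsass.exe", "type": "create"},
]


def classify(events):
    """Bucket every process into set A, B, C or 'other' and flag pivot candidates."""
    procs = defaultdict(lambda: {"input": False, "outbound": set(), "lateral": set()})
    for e in events:
        p = procs[(e["host"], e["pid"], e["image"])]
        if e["type"] == "input":
            p["input"] = True
        elif e["type"] == "net":
            bucket = "lateral" if ip_address(e["dst"]) in INTRANET else "outbound"
            p[bucket].add(e["dst"])
    result = {}
    for key, p in procs.items():
        has_net = bool(p["outbound"] or p["lateral"])
        if p["input"]:
            group = "B" if has_net else "A"      # foreground, with / without network
        else:
            group = "C" if has_net else "other"  # background with network, or silent
        # Pivot: no input events linked, yet it talks BOTH outbound and laterally.
        pivot = group == "C" and bool(p["outbound"]) and bool(p["lateral"])
        result[key] = {"set": group, "pivot": pivot,
                       "outbound": sorted(p["outbound"]), "lateral": sorted(p["lateral"])}
    return result


def pivots(events):
    """Pivot processes with the external destinations to trace back to (C2 candidates)."""
    return [(host, pid, image, info["outbound"])
            for (host, pid, image), info in classify(events).items() if info["pivot"]]
```

In the constructed data the outbound-only updater stays a benign member of set C, while the hidden process that reaches both 203.0.113.77 and the lateral host is the one pivot reported.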

Wrap Up

We need to be mindful that:

  1. Advanced Threat Actors can get around COTS Deception Products
  2. Disrupting attackers' Reconnaissance is key to success
  3. There are simultaneous attacks by different Threat Actors

COTS Deception products are useful, but to deal with different Threat Actors in parallel:

  1. Use in-house training network as Honeynet
  2. Use COTS Deception to sieve out novice to intermediate actors
  3. Plan & implement customised informational decoys for advanced actors
  4. Estimate Threat Actor types based on alerts & access patterns of custom decoys
  5. Link host & network telemetry to trace paths of multiple Threat actors within the HoneyNet

Thank you for following this series!