Attackers are trying to find interesting things. Give them interesting things. This quote is inspired by Haroon Meer, founder of Thinkst.

I can’t recall if he said this exactly or not in a talk, but nonetheless it’s heavily inspired by him.

Ethical Threat Insight: Making the Case for Deception

I hate the fact that in many (most?) environments attackers have the upper hand.

I say the heck with that…

As a defender, I want the advantage. I want my environment to be hostile territory to adversaries.

I want them to know that I know that they know I see them.

Here are three reasons every organization should be using deception technology as part of their security program.

1 - Deception Increases Defender Asymmetry

Deception helps defenders flip the script on who has the upper hand.

Attackers may be able to strike at a time of their choosing, but you as the defender control the battlefield.

That’s what asymmetric defense means to me.

It means controlling the environment such that the odds are in your favor.

Deception increases defender asymmetry because it forces attackers to reveal themselves with well-designed and intentionally placed decoys: credentials, shares, API keys, admin accounts, and so on.

Attackers can’t help but poke at these.

2 - Deception creates operational friction for attackers

Deception can add friction in meaningful ways. Shoutout to @Imposecost on X for this phrasing. But it’s not just the cost of wasting their time or burning their tooling. There are psychological costs too.

Attackers must investigate more artifacts. They waste time validating what is real vs fake. They risk triggering tripwires during all phases of the attack.

They are not worried about being detected once; they are worried about every step they take.

More friction = more actions they have to perform = more opportunities for mistakes AND more opportunities for detection

3 - Deception is a great early warning system

Most security tools rely on known suspicious behavior or signatures before an alert is thrown.

The fact of the matter is, many times it can be difficult to determine whether that behavior is malicious or not.

What if just the mere interaction with a system or a share or an account could be the alert of malicious activity?

That’s the whole point of deception.

Deception is your early warning system. Well-designed and deployed deception can resemble your tech stack, without posing real risk to the environment.

When a threat actor interacts with that decoy, you can alert on it and block the source right then and there, essentially shutting the attack down before it touches anything real.

To me, deception comes down to one simple truth. Attackers like interesting things. Use that to your advantage.

Instead of defending every possible attack path, defenders can create high-confidence detection points inside attacker workflows.

Last year I gave a super fun (and funny) talk about how Kevin McCallister used classic deception techniques to protect his house and how you can apply the same principles to detect, delay, deter, deceive and disrupt real-world cyber threats inside your network.

All the best
Spencer Alessi

By the way - I tried to bring the humor in this webinar, I hope you feel it. Reply to this email or comment on the video and let me know. 😅
