This article is the second in a five-part series being developed by Dr. Edward Amoroso in conjunction with the deception technology team from Attivo Networks. The article provides an overview of the central role that authenticity plays in the establishment of deception as a practical defense and cyber risk reduction measure.
Requirements for authenticity in deception
The overarching goal for any cyber deception system is to create target computing and networking systems and infrastructure that an adversary cannot distinguish from actual assets – including both live production and test environments. While this would seem an obvious consideration, it turns out to be quite challenging technically to build such deception in practice. Except for Attivo Networks, others will attempt to achieve this through emulation.
The system attribute that best achieves this goal is authenticity, because once a human or automated malicious actor gains access to a planted deceptive system – whether purposefully or incidentally – no evidence should exist that a decoy or trap has been reached. It is also insufficient to suppress only obvious forms of evidence. Subtle indicators of inauthenticity often found in low-interaction, emulated environments are also unacceptable, especially in the presence of a capable adversary.