Effective cyber deception

Abstract

Cyber deception may be an effective solution to exposing and defeating malicious users of information systems. Malicious users of an information system include cyber intruders, advanced persistent threats, and malicious insiders. Once such users gain unobstructed access to, and use of, the protected information system, it is difficult to distinguish between legitimate and illegitimate users. We view cyber deception as comprised of two broad categories: active deception and passive deception. Active deception proactively applies strategies and actions to respond to the presence of malicious users of an information system. Actions of a malicious user are anticipated prior to their execution and counter actions are predicted and taken to prevent their successful completion or to misinform the user. Active deception may employ decoy systems and infrastructure to conduct deception of malicious users and sometimes assumes that a malicious user has already been detected and possibly confirmed by sensing systems. Passive deception employs decoy systems and infrastructure to detect reconnaissance and to expose malicious users of an information system. Decoy systems and services are established within the protected boundary of the information system. Interactions with decoy systems and services may be considered suspicious, if not conclusively malicious. Since reconnaissance and exploration of the information system are the first steps in the process of attacking an information system, detecting reconnaissance enables an active defense system to quickly identify a malicious user and take action. Like active deception, passive deception can provide misinformation to the malicious reconnaissance. We argue that effective cyber deception includes both active and passive techniques.