From the start, the group talked about why an organization would leverage deception. The group agreed that one major reason is that attackers are already using it. Tactics like IP spoofing and phishing rely on deception, and it’s important for security professionals to be able to turn some of the tactics levied against them to their own advantage and gain the upper hand. The conversation then moved to how security teams can leverage deception from a NIST Cybersecurity Framework perspective and how they could potentially divert attackers from critical resources and information. Objectives discussed for including deception in a security strategy included having high-fidelity alerts, being able to detect lateral movement on a network, and being able to collect intel on attackers.
No discussion about deception can go far without examining the notion of deception as a method of active defense. This led the group to a conversation on whether security teams should be hacking back. While opinions on this method varied, the table agreed that it can be part of an active defense strategy, but it is something that should never be taken lightly, as attribution can be hard to verify.
Finally, the group talked about deception use cases. Some members of the table shared stories about how leveraging deception had greatly improved their overall visibility and given them an inside look at how to better defend critical assets and applications on their network. Group members from the medical and energy fields shared the benefits of deception on key devices connected to their networks that traditional endpoint security can’t cover. While the group agreed that there were a number of benefits to applying and using deception technology, they also agreed that at the end of the day, it is another piece of technology. For this solution to work effectively, it also requires the appropriate balance of people and processes. To round out the discussion, the moderator shared a very fitting Sun Tzu quote: “Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment — that which they cannot anticipate.”