Lesson 11: You can’t change human nature.

It is a fact that human is the weakest ring of the chain in cyberspace. No matter how secure the network, applications and whole system is, humans can be deceived by simple social engineering attacks. And very large corporations can be breached liked this. But there is another fact that we forget: Attackers also human and they have weakness due to human nature.

We can think the relation between attackers and defenders as a game. Humans learn opponents assets and moves. After that they calculate/think responses during the games for choosing best option. There are two important processes:

A player knows how well the opponent learning and thinking process, and if he acts according to it, the player has a better chance of winning the game. But attackers have natural advantages in this game.

  1. Time - Attackers have enough time for reconnasiance and implementing attacks
  2. Ubiquity - Unlike the defenders we can't know where is attackers in cyberspace
  3. Public vulnerabilities - Attackers have the ability to use public exploits so easily

Besides theese, defender knows their infrastructure better and can manage that.

If defenders exploits opponents learning and thinking process with using different methods, they can win this hard game. Also according tho the methods used, the techniques tactics and procedures of attackers can be revealed.

In this article I am trying to explain Deception term for exploiting two important procesesses. Also in the next posts I will implement a lab for intrusion detection with practical deception.


All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near. Hold out baits to entice the enemy. Feign disorder, and crush him.
Sun Tzu

Deception is "Planned actions taken to mislead and/or confuse attackers and to thereby cause them to take (or not to take) specific actions that aid computer-security defenses".

As understood from the definition above, deception is a tool that can be used to exploit learning and thinking processes by giving attackers wrong information about the system, directing them to fake interfaces, and engaging them with unrealistic targets. For theese purposes we can use honey-files, honey-credentials, fake sites, artificial ports, fake service banners and honeypots.

Killing the Kill Chain with Deception

The general behavior pattern of attackers is similar. Firstly, they gain information about target and they choose best tools and tactics with this information. After that they deliver attack vector to the victim. And they move laterally and vertically from exploited assets for completing real mission. Even though there are a lot of definition in kinetic and cyber world for this pattern, the term Cyber Kill Chain widely known. Cyber Kill Chain was created by Lockheed Martin in 2011 for defining attackers actions formally.

We can use these scenarios for different phases in Cyber Kill Chain.

  1. Create fake whois record with e-mail and phone number
  2. Intentionally use some fake e-mails at social media
  3. Attackers will find and use for phishing these e-mails
  4. Reply spam mails with fake and random word attached mails
  5. Collect attackers information with mail and word document

  1. Create artificial well-known ports and services on production server
  2. Change service banners with old and vulnerable one
  3. Add or change OS information in HTTP responses
  4. Change OS TCP behavior for avoiding/deceiving nmap OS detection
  5. Attackers will use wrong exploits and payloads with these fake data
  6. Record all traffic to artificial assets

  1. Create fake websites in different ports
  2. Attackers may fuzz directories and scan vulnerabilities
  3. Open directory listing with some fake files
  4. Attackers may download some files and execute them
  5. And record all traffic to fake websites

  1. Create fake domain users in Active Directory
  2. If someone use it generate alarm

  1. Add fake,non-privileged users with hard password to linux boxes
  2. If attackers compromise a machine and gain hashes they waste of their times for cracking useless hashes

  1. Create fake files seems important like PII or credit card information
  2. If someone touch these files generate alarm

This article is only basic introduction for using deception as a defence mechanism in cybersecurity. But as I mentioned before, in the next posts I will trying to implement a lab called Labyrinth in Amazon Web Services. I am going to collect new methods and scenarios synchronized with Cyber Kill Chain's steps. And I will test these method's intrusion detection capabilities. I will use Windows domain environment, Linux servers and some kind of services(Nginx, smb, ftp, tomcat) in lab. And i will collect, correlate and visualize with ELK stack.

Pros and Cons

Although deception may seem very beneficial theoretically, methods can be too risky to be used on live systems. In addition, the installation and management of these systems can put a lot of workload on the security team. Since i have not yet tried it in practice, I can't predict the consequences it may create, but i have listed some pros and cons as follows.

Pros Cons
Slow downs attackers Extended Attack Surface
Increases detection rate So much operational workload
TTP Extraction
Attribution and Counter Intelligence & Attack Ability

I will be very happy if you can share your thoughts about this article or the shortcomings you see.


[1]  Reverse Deception

[2]  Cyber Security Deception

[2]  Kelly Shortridge's Blog