Deception in defense predates computing, yet each generation of attacker tooling has forced defenders to invent fresh decoys to keep their edge. From WW2 misdirection to today's decoy AI-agent configurations, every iteration of the toolkit makes attackers waste effort on things that aren't real.

Reflections Upon Deception-Based Security Tactics

I’ve been pondering the use of deception and variability to defend IT assets. Honeypots have been discussed in this context for quite a while, yet their initial implementation failed to take off as mainstream components of a security architecture. Now that some time has passed, new ways of utilizing deception for safeguarding enterprise environments are making such approaches more practical. This area is ripe for innovation.

Getting Started: Non-Computer Deception

Looking at how deception was used during World War II can set the stage for considering how to employ such tactics. According to a paper by Donald J. Bacon, Allied Forces confused and misdirected the enemy by incorporating ambiguity and misdirection into their operations. The paper also attributed many Soviet victories during the war to the full integration of deception into operational planning and execution. These are just some examples of the many times when deception was used in warfare before the age of modern computer systems.

Early Examples of Deception in Computer Security

A historical perspective on the use of deception for computer security comes from Gene Spafford's account of his work during 1989-1993. Gene described the “active defenses” he employed to identify attacks in progress, slow down attackers, learn their techniques and feed them fake data. His approaches included:

  • Fake user accounts that had access to fake data that was kept current
  • “Bait” files that looked attractive to intruders, but weren’t accessed during normal operations
  • Service emulators that would process connections very slowly and generate fake errors
  • “Sparse” files that would look normal on the file system, but would be huge in size when being downloaded
  • Altered programs that, when used by the attacker, included beacons and other unexpected features
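The third item on that list, a service emulator that answers slowly and only ever returns fake errors, is easy to reason about but clearer in code. The following is an added example, not code from the original post or from Gene Spafford's work: a small TCP tarpit that pretends to be a mail relay, drips its banner one byte at a time, records the first command each visitor sends (that is the detection value), and replies to every command with a transient error. The banner and error strings are constructed placeholders and imitate no real product.

```python
import socket
import threading
import time

# Constructed decoy text; it imitates no particular product's real banner.
FAKE_BANNER = b"220 mx1.example.internal ESMTP ready\r\n"
FAKE_ERROR = b"421 4.3.2 Service temporarily unavailable, try again later\r\n"


class TarpitServer:
    """Listens like a mail relay, feeds the banner one byte at a time,
    records the first command sent, and answers every command with a
    fake transient error. Nothing behind it is real."""

    def __init__(self, host="127.0.0.1", port=0, byte_delay=0.05):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]   # port 0 means "pick a free one"
        self.byte_delay = byte_delay
        self.events = []                          # one dict per connection, for alerting
        self._stopped = threading.Event()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        self._thread.start()
        return self.port

    def stop(self):
        self._stopped.set()
        self.sock.close()

    def _accept_loop(self):
        while not self._stopped.is_set():
            try:
                conn, addr = self.sock.accept()
            except OSError:          # listening socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        event = {"peer": addr[0], "opened": time.time(), "first_command": ""}
        self.events.append(event)
        try:
            for i in range(len(FAKE_BANNER)):      # drip the banner slowly
                conn.sendall(FAKE_BANNER[i:i + 1])
                time.sleep(self.byte_delay)
            conn.settimeout(5.0)
            try:
                event["first_command"] = conn.recv(1024).strip().decode("ascii", "replace")
            except socket.timeout:
                pass
            conn.sendall(FAKE_ERROR)                # every command "fails"
        except OSError:
            pass
        finally:
            conn.close()


def probe(port, command=b"EHLO probe\r\n", host="127.0.0.1"):
    """Client used only to demonstrate the tarpit; returns (banner, reply, seconds elapsed)."""
    started = time.time()
    with socket.create_connection((host, port), timeout=10) as c:
        banner = b""
        while not banner.endswith(b"\r\n"):
            chunk = c.recv(1)
            if not chunk:
                break
            banner += chunk
        c.sendall(command)
        reply = c.recv(1024)
    return banner.decode().strip(), reply.decode().strip(), time.time() - started


if __name__ == "__main__":
    server = TarpitServer()
    port = server.start()
    print(probe(port))      # the banner arrives over ~2 seconds, then a 421
    print(server.events)    # peer address and the first command it sent
    server.stop()
```

The `events` list is the part worth wiring into monitoring: a production host never has a reason to speak to this listener, so any entry is a lead, and the recorded first command tells you whether the visitor was a scanner or something more deliberate.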

Gene stated his belief that “too few defenders these days build forensics capture into their systems to help identify intruders. They also don’t have active defenses, countermeasures and chaff in place to slow down attackers and provide more warning of problems.”

Deception on the Network

Many of the deception techniques discussed by Gene were implemented later through the use of honeypots. Around 1999, the Honeynet Project came into existence, infusing innovative thinking into such ideas and approaches to discovering attacks and learning about attackers’ capabilities.

The most comprehensive commercial product in this space at the time was probably ManTrap by Recourse Technologies. Symantec acquired the company in 2002 and discontinued the product a few years later.

The idea of honeypots faded into the background for a while. People were reluctant to deploy them on production networks due to support costs, risks and low perceived value. Yet, people continued to develop free specialized honeypot tools such as Dionaea for malware capture, Cowrie for SSH, and INetSim for network-service emulation.

A generation of commercial network deception technologies emerged from companies such as Thinkst and Acalvio, positioned as ways to detect adversaries’ lateral movement through the organization. Industry analysts began paying attention, though much of the early discussion focused on network-based applications of deception.

The increased use of cloud-based services might make it easier to utilize network deception in the enterprise. A few years ago, Mike Rothman described the idea of HoneyCloud, which would deploy network deception elements into a private cloud to minimize production risks. Moreover, the biggest advantage of cloud technology is its elasticity, which, combined with support for automation, can allow an organization to integrate deception capabilities into the fabric of its IT operations. Some network deception vendors incorporate this notion into their products.

Deception at the Host

Deception principles can be incorporated into a modern enterprise security architecture in a manner that goes beyond honeypots. For instance, you can plant honeytokens such as decoy URLs to catch attackers as they perform reconnaissance on the web server.

While the scenarios above focus on using deception to detect attacks and slow down the adversary, Minerva Labs (later acquired by Rapid7) used deception principles on the endpoint to prevent intrusions altogether. Minerva fooled evasive malware into crashing or refusing to infect the system by simulating the presence of forensic-tool and sandbox artifacts, so the specimen would shut itself down rather than risk being analyzed. This approach uses deception against malware automation, rather than against a human adversary.

Here’s another host-based deception approach: Some malware, such as ransomware and remote access trojans, is programmed to avoid infecting the same system more than once. By generating the artifacts that the specimen uses to determine whether it’s present, defenders can fool such malware into “believing” that it’s already on the endpoint and terminating itself. This concept is known as malware vaccination.
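As an added illustration of the vaccination idea (not code from the original post, Minerva, or any vendor), here is a small tool that plants infection markers. The marker names are constructed placeholders: real vaccination uses the exact file, registry or mutex names that a specific family checks before installing, which come from analysis of that family and are not on this page. Two details matter more than the file creation itself: the tool never overwrites a marker that already exists (a marker present before vaccination may be a genuine infection and deserves a look), and it keeps a manifest so the change can be rolled back cleanly.

```python
import json
import os
import sys
import tempfile

# Placeholder marker names, constructed for this example. Real vaccination uses
# the artifact names a particular family checks for; none are reproduced here.
EXAMPLE_MARKERS = {
    "files": ["placeholder_already_installed.dat"],
    "mutexes": ["Global\\PLACEHOLDER_FAMILY_MUTEX"],
}
MANIFEST = "vaccination-manifest.json"


def hold_mutex_marker(name):
    """Windows only: create and keep a named mutex so a specimen's
    'am I already running?' check finds it. Returns (handle, already_existed);
    (None, False) on other platforms."""
    if sys.platform != "win32":
        return None, False
    import ctypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    handle = kernel32.CreateMutexW(None, False, name)
    # ERROR_ALREADY_EXISTS (183): another process holds this name already,
    # which is itself worth alerting on if nothing legitimate should own it.
    already = ctypes.get_last_error() == 183
    return handle, already


def vaccinate(root, markers=EXAMPLE_MARKERS):
    """Plant the marker files idempotently and record what was created."""
    created, preexisting = [], []
    for name in markers["files"]:
        path = os.path.join(root, name)
        if os.path.exists(path):
            preexisting.append(path)      # not ours: report it, do not touch it
            continue
        with open(path, "wb") as fh:
            fh.write(b"\0" * 16)          # content is irrelevant; presence is the signal
        created.append(path)
    mutexes = {name: hold_mutex_marker(name) for name in markers["mutexes"]}
    manifest_path = os.path.join(root, MANIFEST)
    previous = []
    if os.path.exists(manifest_path):
        with open(manifest_path) as fh:
            previous = json.load(fh)["created"]
    with open(manifest_path, "w") as fh:
        json.dump({"created": sorted(set(previous + created))}, fh)
    return {"created": created, "preexisting": preexisting, "mutexes": mutexes}


def is_vaccinated(root, markers=EXAMPLE_MARKERS):
    """True when every marker file is present, i.e. the check a specimen would make."""
    return all(os.path.exists(os.path.join(root, n)) for n in markers["files"])


def unvaccinate(root):
    """Remove only the files this tool created, per the manifest."""
    manifest_path = os.path.join(root, MANIFEST)
    if not os.path.exists(manifest_path):
        return []
    with open(manifest_path) as fh:
        created = json.load(fh)["created"]
    removed = [p for p in created if os.path.exists(p)]
    for path in removed:
        os.remove(path)
    os.remove(manifest_path)
    return removed


def scratch_root():
    """A throwaway directory standing in for the location a family checks."""
    return tempfile.mkdtemp(prefix="vaccine-")


if __name__ == "__main__":
    root = scratch_root()
    print(vaccinate(root))
    print(is_vaccinated(root))
    print(unvaccinate(root))
```

Before deploying anything like this, confirm that no legitimate software on the fleet uses the same marker names; a collision would make the vaccine break a real application rather than a specimen.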

Deception as Part of Enterprise Security Architecture

Deception possibilities go beyond the network and host-based examples outlined above. For instance, creating a decoy user account and setting up an alert when it gets used is a way to use deception for detecting a possible compromise. In another scenario, honeytokens can be set up as decoy documents to detect an intrusion. Newer surfaces extend the same idea, including decoy MCP servers planted in AI-agent configurations to catch attackers pivoting through an employee’s tooling. Even the notion of a honeypot persona is starting to sound less strange.
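Both the decoy URLs mentioned in the host section and the decoy user account described here produce the same kind of signal: an indicator that no legitimate activity should ever touch. As an added example (not code from the original post or from any vendor), here is a detector that scans constructed web-server and sshd log lines for hits on a decoy inventory and groups the resulting alerts by source address. The decoy paths and account names are placeholders. Two practical points are built in: a decoy URL hit counts whatever the status code, since the decoy need not even exist to be worth an alert, and a failed login to a decoy account is as interesting as a successful one.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed decoy inventory with placeholder values; a real deployment would
# load these from the system that planted the decoys.
DECOY_URLS = {"/backup/db-export.sql", "/admin-old/login", "/.env.bak"}
DECOY_ACCOUNTS = {"svc_backup_legacy", "jsmith-admin"}

# Apache/nginx combined log format request, and the sshd login outcome line.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SSHD_RE = re.compile(
    r'sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')

# Constructed sample logs (RFC 5737 documentation addresses), not real traffic.
ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /backup/db-export.sql?x=1 HTTP/1.1" 404 196
198.51.100.22 - - [10/Oct/2023:13:56:02 +0000] "POST /admin-old/login HTTP/1.1" 403 98
"""
AUTH_LOG = """\
Oct 10 13:57:01 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 51122 ssh2
Oct 10 13:57:30 web01 sshd[2230]: Failed password for svc_backup_legacy from 203.0.113.7 port 51190 ssh2
Oct 10 13:58:02 web01 sshd[2244]: Accepted password for jsmith-admin from 198.51.100.22 port 51201 ssh2
"""


@dataclass
class Alert:
    kind: str        # "decoy_url" or "decoy_account"
    indicator: str   # which decoy fired
    source_ip: str
    detail: str
    raw: str


def scan_access_log(lines):
    """Any request for a decoy URL is an alert, whatever the status code."""
    alerts = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # Ignore query strings and trailing slashes so "?x=1" does not dodge the match.
        path = urlsplit(m["target"]).path.rstrip("/") or "/"
        if path in DECOY_URLS:
            alerts.append(Alert("decoy_url", path, m["ip"], f'{m["method"]} -> {m["status"]}', line))
    return alerts


def scan_auth_log(lines):
    """Decoy accounts are never used legitimately, so failures alert too."""
    alerts = []
    for line in lines:
        m = SSHD_RE.search(line)
        if m and m["user"] in DECOY_ACCOUNTS:
            alerts.append(Alert("decoy_account", m["user"], m["ip"], f'{m["outcome"]} {m["method"]}', line))
    return alerts


def correlate(alerts):
    """Group by source address so one actor touching several decoys is one incident."""
    by_ip = defaultdict(list)
    for a in alerts:
        by_ip[a.source_ip].append(a)
    return dict(by_ip)


if __name__ == "__main__":
    hits = scan_access_log(ACCESS_LOG.splitlines()) + scan_auth_log(AUTH_LOG.splitlines())
    for ip, group in correlate(hits).items():
        print(ip, [(a.kind, a.indicator, a.detail) for a in group])
```

Run against the sample, the detector raises four alerts from two addresses, and the correlation step is what turns a 404 on a bogus path and a failed SSH login into a single story about one source.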

Even if we limit ourselves to looking at deception on the network and at the host, we can see that deception approaches are starting to progress beyond the early ideas proposed by Gene Spafford. Cybersecurity practices have evolved to make room for incorporating elements of deception into the broader security architecture. Local and remote computing capabilities allow for use cases that would have been impractical a decade ago. As a result, enterprise-focused deception vendors are finding ways to incorporate their capabilities into the overall IT infrastructure.

One of the lessons in the use of deception during World War II is that to be successful, such efforts cannot be silo projects. They have to be centrally managed and integrated into the fabric of IT operations.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. He has built security products and programs from early stage to enterprise scale. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.