From “nice to have” to “must have”: the role of Cyber Deception in active defense

The importance of active defense and key role of cyber deception in active defense were emphasized by Mitre Corporation in its MITRE Shield - a publicly available knowledge base on the methods and tactics of attackers that helps information security experts take proactive steps to protect their networks and assets. MITRE Shield uses an active protection approach, similar to the MITER ATT & CK framework, which classifies the behavior of intruders and for a long time used by information security specialists around the globe.

According to MITRE experts, Shield is intended to stimulate the discussion about active defense: “Active defense ranges from basic cyber defense capabilities to deception functionality and operations to interact with attackers. The combination of these approaches allows organizations not only to resist current attacks, but also to learn more about the adversary and better prepare for new attacks in the future.”

The purpose of active defense methods is to prevent the actions of intruders immediately, at the moment of their implementation, or even anticipate them. In addition, active protection includes the collection of information about the capabilities of attackers. This approach can be efficiently implemented for detecting attempts to attack a company's web resources and collecting information about the attacker's tools and techniques.

In its reports, MITRE specialists emphasize: “Incorporating deception into cyber defense can be used to detect malicious activity, control opponents once they are inside, and gather intelligence about their tactics and methods. Strategic use of cyber deception and the exchange of cyber intelligence data obtained in this way can increase the effectiveness of protection and the level of resilience.”

As stated in MITRE Shield, MITRE considers deception functionality as a must in a modern information security stack to fully protect IT assets and control intruders. In new tactics and techniques, deception technologies are central to all eight categories:

• Channel - the direction of an attacker along a certain path
• Collection - collection of information about an attacker
• Contain - limiting the ability of an attacker to go beyond the limits set for him
• Detect - understanding what an attacker is doing
• Disrupt - prevention of actions of an attacker
• Facilitate - help an attacker in performing his actions
• Legitimize - increasing the realism of the deceptive environment to convince an attacker in its reality
• Test - identifying the interests, capabilities, and behavior of an attacker

The document “Getting Started with MITRE Shield” (Authors: Christina Fowler, Bill Hill, Andrew Sovern), for example, outlines six practice cases broken down into three levels:

• Level 1 for those who new to active defense
• Level 2 for those who has some active defense experience
• Level 3 for more advanced cybersecurity teams