Deception Needs to be an Essential Element of Your Cyber Defense Strategy

This OODA Network Member Only content has been unlocked for unrestricted viewing by Attivo Networks through the OODA Unlocked program which lets community members promote thought leadership to a broader global audience.





In the cyber defense community, we talk about a wide range of risk-mitigating technologies, strategies, and activities.  We talk about attacker deterrence and increasing costs for the attacker.  We invest in endpoint agents, threat intelligence, DLM, and other mitigating technologies on a daily basis.

One of the most compelling emerging use cases for increasing attacker costs is through the use of deception.  Because the term “deception” has negative connotations, it has rarely been mentioned amongst executive teams and boards, but that is rapidly changing as it proves to be a viable, cost-effective, and valuable component of any cyber defense approach.

According to Gartner Analyst Gorka Sadowski, deception is:

  • Simple, inexpensive, and it works
  • The only alternative to super-expensive big data analytics
  • A great option for systems not capable of generating telemetry and logs like SCADA and medical devices
  • Has the best signal to noise ratio of any security technology
  • A powerful IOC generator for threat hunting
  • A valuable first line of the detection stack

According to IDG, deception is the second most researched security solution from last year with over 40% of organizations actively researching it and is second only to Zero Trust (47% researching) and ahead of behavior monitoring and analysis.  

Why the interest in deception?  According to our optics, deception implementations are easier than you think, thus reducing friction in deployments while greatly decreasing attacker dwell time.  Deception approaches allow you to utilize your existing security investments and can be integrated into your orchestration, SIEM, and traditional detection and response technologies.  Deception can also allow you to improve the security ROI on your existing investments.  

Deception in cyber can take multiple forms, so let’s review the different ways deception can be used for cyber defense.  For the purposes of this document, we’ll break Deception down into three primary components, loosely modeled on the OODA Loop.

Disrupt Attacker Intelligence, Surveillance, and Reconnaissance

In the process of targeting your organization, attackers will collect and analyze intelligence gathered from public and dark web sources, reconnaissance and probing activity, and observable behavior.  Defenders can use deception to disrupt that process.

Honeypots or decoys can be established as external or internal hosts.  From an external perspective, the honeypot provides targets of attack that won’t impact an organization’s security posture, but will warn of threat actor targeting and collect valuable information regarding threat actor tools, tactics, and procedures (TTP).  This TTP collection can be used to drive detection and response playbooks for legitimate components of your information technology infrastructure. Internal honeypots provide the same advantages, but with less noise as perpetrators of malicious targeting are drawn from trusted insiders or attackers masquerading as insiders on the network.  Properly configured, honeypots can have very low false positive rates as these are not systems used by normal users, so any activity is indicative of a security or configuration incident.  Additionally, this and other deception tactics allow defenders to study the adversary while disrupting them, allowing for more granular attribution to feed their risk management models.

Fake credentials can pollute the attacker’s kill chain as they attempt to use a “stolen” or discovered credential that has no legitimate purpose and is thus easy for an organization to monitor for activity associated with it.  For example, a forum post on a technology provider’s support site can be seeded with a false address, and email destined for that address can be filtered into your threat intelligence processes. Additionally, credentials can be seeded into authentication directories and attempts to utilize them closely monitored as an indicator of an attempted or successful attack.  This is especially effective when the fake credentials offer up the potential to be used as VPN credentials, luring an attacker into an unsuccessful attempt to establish VPN connectivity.
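The monitoring side of seeded directory credentials, as an added example (not from the original article or any vendor's product): any authentication attempt naming a decoy account raises an alert, and the source that touched the decoy is then used as an indicator to find the real accounts it also tried. The decoy account names, the key=value log format, and the sample events are all constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical decoy accounts seeded into the directory; no real user owns them.
DECOY_ACCOUNTS = {"svc-vpn-backup", "jsmith-admin"}

# Constructed sample events in an assumed key=value format (not a real product's log).
SAMPLE_LOG = """\
2024-05-01T09:14:02Z service=vpn user=alice src=198.51.100.7 result=success
2024-05-01T09:20:41Z service=vpn user=svc-vpn-backup src=203.0.113.50 result=failure
2024-05-01T09:21:10Z service=ldap user=bob src=203.0.113.50 result=failure
2024-05-01T09:22:35Z service=ldap user=JSmith-Admin src=203.0.113.50 result=failure
2024-05-01T09:30:00Z service=ldap user=carol src=198.51.100.9 result=success
this line is malformed and is skipped
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Return a dict for one event line, or None if required fields are missing."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    fields = dict(FIELD.findall(parts[1]))
    if not {"service", "user", "src", "result"} <= fields.keys():
        return None
    fields["time"] = parts[0]
    fields["user"] = fields["user"].lower()  # treat account names case-insensitively
    return fields

def decoy_alerts(log_text, decoys=DECOY_ACCOUNTS):
    """Map each source that touched a decoy to its decoy hits and the other accounts it tried."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    flagged = {e["src"] for e in events if e["user"] in decoys}
    alerts = defaultdict(lambda: {"decoy_hits": [], "other_accounts": set()})
    for e in events:
        if e["src"] not in flagged:
            continue
        if e["user"] in decoys:
            alerts[e["src"]]["decoy_hits"].append((e["time"], e["service"], e["user"], e["result"]))
        else:
            alerts[e["src"]]["other_accounts"].add(e["user"])
    return dict(alerts)

if __name__ == "__main__":
    for src, a in decoy_alerts(SAMPLE_LOG).items():
        print(src, a["decoy_hits"], sorted(a["other_accounts"]))
```

Because no legitimate user holds a decoy credential, even a failed attempt is worth an alert, and the accounts listed under `other_accounts` are the ones to review first.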

Software versioning, headers, and other contextual information can also be changed to misdirect attacker priorities or cause them to attempt exploitation under false pretenses.  This information can not only disrupt human attackers, but can also serve as an early detection mechanism for automated attacks like ransomware. For example, magnet systems can be designed on your network to attract expected bad behavior and provide a quick warning that ransomware or other malware is on your trusted internal network.  On the negative side, you will have to manage how this false information impacts the efficiency of automated asset management and vulnerability scanning software, potentially through the use of whitelisting.

Disrupt Attacker Decisions

Attackers and defenders both operate within an OODA Loop, but as Black Hat and Def Con founder Jeff Moss remarked in August 2019, attackers can close their OODA Loop as they know that an objective was accomplished, whereas cyber defenders might not be able to close their decision loop as they could be making decisions with incomplete information.

Deception in cyber defense can disrupt this dichotomy as the defender can introduce false certainty into the attacker’s OODA Loop or force them to engage actions prematurely.  Consider this real case study from a multi-billion dollar international company:

The company discovers an indicator of compromise and a quick clandestine investigation determines that there is a massive breach within their global network.  Due to poor telemetry and security tooling, the organization is also blind as to where attackers have established footholds in the network. In order to get rapid insight that can drive their investigation and response efforts, the company decides to feign the first elements of a breach response by sending out an email (likely to be read by the attackers) detailing the first phases of an incident recovery plan including the wiping and rebuilding of critical elements of the infrastructure.  The attackers, convinced the timeline for their operations has been significantly decreased, engage in “noisy” activity and the network defenders vector in on them as part of their legitimate response. While unconventional, by feigning a particular decision and course of action, the defenders were able to convince the attackers that they had more insight into the extent and nature of the compromise than they realistically possessed.  

Disrupt Attacker Actions

The last category of deception is focused on disrupting attacker actions not only during the actual compromise but also actions based upon the compromise itself.  Most deception technologies allow you to disrupt attacker actions directly in the kill chain. However, there is a class of deception based around actions made on stolen information.  In its simplest form, decoy documents can be seeded and tracked to divert and detect an attacker, but there are times when a more strategic form of deception can be utilized. For example, consider the following case study:

A large resources company is negotiating the sale of a valuable asset overseas.  To gain an upper hand in the negotiations, attackers breach the company’s IT systems to obtain confidential internal communication around the transaction.  The company, having detected the breach, decides to upload false information on a server the attackers have access to. That information is acted upon by the malicious purchaser to their disadvantage in the negotiations.  In this example, the defenders accepted additional risk by tolerating the intrusion to disrupt the attack beneficiary’s decision cycle. While it doesn’t serve as a perfect example, it does demonstrate the active defense aspect of deception given the false information existed only within the company’s internal network.

The Time for Deception is Now

Regardless of your industry, deception can play a role in your cyber defense strategy.  It is important to discuss what active deception architecture can be put in place, but also develop policies around how deception can be used during an active compromise.  Decision-makers should also engage in table-top exercises and red team engagements to test their deception technology stack. Deception technologies have emerged as a cybersecurity market sector, so review the latest state of the art to identify cost-effective and simple solutions to deploy.

Organizations should also make an effort to understand how attackers might view them and what goals they have in targeting your network and systems.  For additional insight, please visit:

OODA Threat Profiles

Russia 2020 – What Will Putin Do Next?


Putin’s Cyber OODA Loop is Tighter Than Yours

Cyber Sensemaking – Essential Observations for the Next Five Years


Matt Devost

Matthew G. Devost is the CEO & Co-Founder of OODA LLC. Matt is a technologist, entrepreneur, and international security expert specializing in counterterrorism, critical infrastructure protection, intelligence, risk management and cyber-security issues. Matt co-founded the cyber security consultancy FusionX from 2010-2017. Matt was President & CEO of the Terrorism Research Center/Total Intel from 1996-2009. For a full bio, please see