WiP: Deception-in-Depth Using Multiple Layers of Deception
Jason Landsborough, Neil C. Rowe, Thuy D. Nguyen, Sunny Fugate
TL;DR
The paper tackles the problem that single deception techniques often fail to deter sophisticated attackers. It proposes deception-in-depth across network, host, and data layers by integrating MILDEC concepts, SDN-based deception, host- and data-based decoys, honeypot fingerprinting, two-sided deception, and moving-target defenses into a cohesive framework. Its contributions include a survey of deception methods, a phase-based research plan, and an evaluation strategy leveraging Caldera, MITRE ATT&CK, D3FEND, and ENGAGE, supplemented by a decision-theoretic model with costs and probabilities (e.g., $c_i$, $c_{nw}$, $b_{nw}$, $p_n$, $p_b$, $p_g$, $p_r$) to reason about deception effects. The work aims to enable defenders to slow, mislead, and deter attacker progress on real systems, delivering valuable time for mitigation and strengthening overall security posture.
Abstract
Deception is being increasingly explored as a cyberdefense strategy to protect operational systems. We are studying the implementation of deception-in-depth strategies, initially with three logical layers: network, host, and data. We draw ideas from military deception, network orchestration, software deception, file deception, fake honeypots, and moving-target defenses. We are building a prototype representing our ideas and will be testing it in several adversarial environments. We hope to show that deploying a broad range of deception techniques can be more effective in protecting systems than deploying single techniques. Unlike traditional deception methods, which try to encourage active engagement from attackers in order to collect intelligence, we focus on deceptions that can be used on real machines to discourage attacks.
