The UK's National Cyber Security Centre (NCSC) is calling for industry comment on the use of cyber deception in cyber defense.
The center said it recognizes the potential value of using cyber deception technologies and techniques to support cyber defense in certain situations. And as a result, it's aiming to establish an evidence base for use cases on a national scale, in support of its Active Cyber Defence 2.0 initiative.
As a starting point, the NCSC sees two main use cases. The first is low-interaction solutions such as digital tripwires and honeytokens to alert organizations of all types to unauthorized access.
The second is both low-interaction and high-interaction honeypots to collect threat intelligence both at a large scale and as one-off instances, which it sees being deployed by organizations with mature security capabilities, as well as managed cyber security service providers.
"During discussions, it became clear that ‘deception’ has connotations which can be uncomfortable for some," the NCSC explained.
"It is important to acknowledge this, and although there are wider definitions of cyber deception in military and other contexts, they differ to the technology we are referring to here."
By tripwires, it means components and systems designed to detect a threat actor by interacting with them to disclose their unauthorized presence in an environment which include honeytokens.
Honeypots, meanwhile, it defines as "components and systems designed to allow a threat actor to interact with them, allowing observation of their techniques, tactics, and procedures (TTPs), as well as the capability and infrastructure they use – with the aim of collecting cyber threat intelligence".
Finally, breadcrumbs are described as digital artifacts distributed in a system that entice a threat actor to interact with a tripwire and/or honeypot.
The NCSC wants to see more honeypots and deception techniques
Evaluate your patch readiness and assess potential solutions
The NCSC said it plans to collect existing evidence, but also to encourage the use of these techniques across the UK, including in government security operations and critical national infrastructure.
It's aiming for 5,000 instances on the UK internet of low and high interaction solutions across IPv4 and IPv6, 20,000 instances within internal networks of low interaction solutions, 200,000 assets within cloud environments of low interaction solutions and 2,000,000 tokens deployed.
There are three core research questions it aims to examine:
- How effective are deployments at supporting the discovery of latent compromises within organization estates
- How effective are deployments at supporting the enduring discovery of new compromises by threat actors
- Does knowledge of the presence of such technologies at a national level actually affect the behavior of threat actors?
Honeypots are already being deployed across the UK, allowing organizations to detect where cybercriminals are coming from, the level of threat, their preferred tactics, and the data or applications they're interested in - as well as how well existing cybersecurity measures are working.
Last year, for example, the National Grid said it was looking to award a £1 million contract for honeypot technology, and it's widely used by law enforcement.
