Deception Is The Way Of War

By Unknown author - 清宫殿藏画本. 北京: 故宫博物馆出版社. 1994., Public Domain

There has been, for decades, a great deal of focus on the practice of Internet facing cybersecurity. Now, there are substantial resources devoted to aligning findings from those observations to the Mitre ATT&CK™ framework. That's a smart move as a practice. Normalization of terminology and description allows for higher fidelity identification and potential attribution.

The mainstay, stagnant and somewhat traditional relationship associated with cybersecurity analytics is to observe, examine, catalog and then move on to the next encounter. Appropriately, this approach is under scrutiny as a mainline methodology for staunching the bleeding that results from being behind the curve. There's that but here, I'd like to focus on how we can obtain a higher fidelity of initial observations and how that relates to managing risk.  By understanding the trajectory of the threat actor and attacks on production systems there is a well heeled method of managing actors in a way where observations are always understood and encouraged so that mitigation is on point.  The technique and technology of choice for that should be the Honeypot.

Honeypot endpoints and tokens are not new. For the past 20 years The Honeynet Project has worked with the community of researchers and practitioners to develop techniques and lures to test the vast community of threat actors and threats through the use of deception. But Honeypots have been around since the 1980's.  In fact, recently Chris Sanders dropped a very good book on the history and techniques recommended for Intrusion Detection Honeypot implementation and maintenance and techniques.

Honeypots can be a a dream come true for researchers as well as security teams. The amalgamation of techniques, tactics and procedures (TTPs) which are used by threat actors are ever evolving but, the adept team can think ahead and lay the groundwork that can detect and catalog the threat actor and reveal their desires. The use of honeypot techniques can be used to understand external as well as internal threats.

Unlike the predicate for entrapment in a real life policing action, the honeypot is vested, heavily, in the understanding and leveraging of the catalog of TTPs employed in every varying and evolving threat actor engagement. And ultimately intends to reveal mens rea for which a threat actor would be deemed culpable.