Active Cyber Defence: deception and attacker control (2)

Let’s assume that, until now, we have been applying active cyber defence in our environment. We consume intelligence, create intelligence and work in tandem with our security operations teams to outmaneuver the adversary. We have also adopted the cyber kill chain and other models to integrate intelligence into operations, and we update and maneuver the security controls deployed in our organization according to the organization’s threats and their constant evolution, likely using ATT&CK or a similar framework to measure the effectiveness of those controls.

This is only a high-level overview; by no means is it an exhaustive list of the things to be done. What’s next in this big picture? How does cyber deception integrate with, and support, an Active Cyber Defence organization? Why do we need cyber deception? How does cyber deception support detection maturity models such as the Pyramid of Pain or the DML (Detection Maturity Level) model?

Until now, we have been able to outmaneuver the attacker by updating our security posture as threats evolve. However, wouldn’t it be desirable to lay out ahead of us a road that the adversary may follow, rather than letting him make his own decisions, and to use that situation to our advantage? What would be the result of creating a path for the attacker that the defender controls? That is cyber deception proper. According to JP 3-13 Information Operations [1], military deception is “described as being those actions executed to deliberately mislead adversary decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly forces’ mission” and

“…seeks to encourage incorrect analysis, causing the adversary to arrive at specific false deductions…”

To understand the basics of this discipline in the context of security operations, we need to look at traditional military intelligence operations and understand how command and control is exercised through the OODA loop.

What’s the OODA loop?

The OODA loop is a high-level model of the decision-making process that all humans follow: from the time we wake up to the time we go to bed, we are constantly walking through OODA loops.

OODA stands for:

  • Observe: take in information about the environment
  • Orient: make estimates, assumptions and analyses about the situation
  • Decide: determine what needs to be done
  • Act: put the decision into action


Figure: the OODA loop. Extracted from Intelligence Operations MCWP 2-10 [2]


What would be the result of being able to intercept the attacker’s OODA loop, and how does cyber deception support that interception?

If we were able to penetrate the adversary’s OODA loop, we would be able to steer his attack to our own convenience, forcing him to:

  • Take, or refrain from taking, decisions based on false premises
  • Disclose his interests and his actions on objectives
  • Uncover his TTPs, toolkit and modus operandi
  • Engage in an active fight to gain access to his objective
  • Incur higher operational costs

What are the benefits to the organization?

  • Introduce counter-intelligence into its security operations
  • Increase the detection surface and the fidelity of alerts
  • Instigate security control changes
  • Highlight to management the risk posed by the scale and sophistication of the threat
  • Impact assessment based on the attacker’s observed activity and capabilities
  • Extraction of forensic and tactical intelligence
  • Active incident containment and remediation
  • Organization-specific tactical and operational threat intelligence
  • Improvement of your intelligence-driven organization


If we were able to successfully deploy cyber deception in our environment, how far have we got?

If we take David Bianco’s Pyramid of Pain as a reference, we would be looking at the top of the pyramid, the TTPs tier [3],

Figure: the Pyramid of Pain [3]


and if we look at another model such as the DML (Detection Maturity Level) model by Ryan Stillions [4], we have placed the organization at DML-7 (Strategy) and DML-8 (Goals), able to uncover what the adversary is after and how he has prepared to achieve it.


Figure: the DML model [4]


How does the deception chain look? What needs to happen in order to deploy a deception campaign within your network?

  1. Cover story design and planning: what are the perceptual and cognitive effects we want to implant in the adversary?
  2. Deployment of the technical means that support the deception story
  3. Execution: sync up with your monitoring and threat hunting teams and agree on the campaign’s timing and processes
  4. Monitoring of the technical means and indicators deployed in support of the cover story
  5. Reinforcement: keep deploying indicators that reinforce the cover story from step 1, or move the story forward to the defender’s advantage, forcing the adversary to act and thereby exposing his OODA loop


The integration with the cyber kill chain and ATT&CK happens during the deployment phase of the deception campaign. At this point, we deploy indicators that support the campaign across the kill chain:


  1. Reconnaissance and delivery: lure the attacker into believing he is looking at the target he is after
  2. Weaponization: make the adversary wrongly believe that the attacked organization is vulnerable to his attack and payloads
  3. Exploitation and installation: mislead the attacker into believing that his exploitation attempts and persistence techniques are working
  4. Command & Control: once the attack is ‘successful’, let the attacker believe he is in your network when he is in fact inside your deception story
  5. Actions on objectives: slow down and divert the attacker inside your cover story to gradually uncover his motivation, modus operandi and toolkit, while continuing to reinforce the designed cover story


Table extracted from Cyber Deception by Mohammed H. Almeshekah and Eugene H. Spafford [5]
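As an added example (not part of the original post or of any of the works it cites), the following Python sketch shows how the deployment and monitoring steps of the deception chain can be tied to the kill chain: each planted lure is tagged with the phase a hit on it most likely reveals, a detector scans log lines for lure values and reports the deepest phase reached, and the campaign’s own management host is allowlisted so the campaign does not alert on itself. Every hostname, account name, file name, log format and log line below is constructed for the example.

```python
"""Hypothetical deception-campaign bookkeeping and lure-hit detection.

Added example, not from the original post. Lure values, hostnames, file
names, the log format and the log lines are all constructed for illustration.
"""
import re
from dataclasses import dataclass

# Phases of the cyber kill chain as used in the post, in order.
KILL_CHAIN = ("reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives")


@dataclass(frozen=True)
class Lure:
    """One indicator planted to support the cover story."""
    name: str    # campaign-internal label
    value: str   # the planted string an attacker would touch
    phase: str   # kill-chain phase a hit on this lure most likely reveals
    story: str   # which part of the cover story it reinforces

    def __post_init__(self):
        if self.phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill-chain phase: {self.phase}")


# Constructed campaign: a decoy finance backup host published in a stale DNS
# zone, a service account "left behind" in a script, and a canary document.
CAMPAIGN = (
    Lure("decoy-dns", "fin-backup01.corp.example", "reconnaissance",
         "legacy finance backup server that looks unpatched"),
    Lure("honey-cred", "svc_finbackup", "exploitation",
         "service account 'forgotten' in a deployment script on the share"),
    Lure("canary-doc", "Q3_acquisition_targets.xlsx", "actions_on_objectives",
         "the file the adversary is expected to be after"),
)

# Hosts allowed to touch lure values without raising (the campaign's own
# deployment and monitoring infrastructure); constructed for the example.
DEPLOYERS = frozenset({"deception-mgmt01"})


@dataclass
class LureHit:
    lure: Lure
    source_host: str
    log_line: str


def detect_hits(log_lines, campaign=CAMPAIGN, deployers=DEPLOYERS):
    """Return every lure that appears in a log line from a non-deployer host.

    A lure value has no legitimate reason to appear anywhere, so each match is
    a high-fidelity alert rather than a signature that needs tuning. Log lines
    are assumed to start with 'host=<name>' (a constructed format).
    """
    hits = []
    for line in log_lines:
        m = re.match(r"host=(\S+)", line)
        host = m.group(1) if m else "unknown"
        if host in deployers:
            continue  # the campaign's own infrastructure, not an attacker
        for lure in campaign:
            if lure.value.lower() in line.lower():
                hits.append(LureHit(lure, host, line))
    return hits


def furthest_phase(hits):
    """Deepest kill-chain phase the observed hits imply, or None if no hits."""
    if not hits:
        return None
    return max((h.lure.phase for h in hits), key=KILL_CHAIN.index)


# Constructed DNS, authentication and file-audit lines for one intrusion.
SAMPLE_LOGS = [
    "host=deception-mgmt01 dns query fin-backup01.corp.example A",  # deployer, ignored
    "host=ws-2231 dns query fin-backup01.corp.example A",
    "host=ws-2231 auth login user=svc_finbackup result=success src=10.20.3.17",
    "host=fin-backup01 file_read path=\\\\share\\finance\\Q3_acquisition_targets.xlsx user=svc_finbackup",
    "host=ws-0042 auth login user=jdoe result=success src=10.20.1.5",  # benign
]

if __name__ == "__main__":
    hits = detect_hits(SAMPLE_LOGS)
    for h in hits:
        print(f"[{h.lure.phase}] {h.lure.name} touched from {h.source_host}: {h.log_line}")
    print("adversary has reached:", furthest_phase(hits))
```

Run against the constructed logs, the detector reports four lure hits (the DNS lookup of the decoy host, the honey credential login, and both the credential and the canary document in the file-read line) and places the adversary at the actions-on-objectives phase, which is the information step 4 of the deception chain hands to the monitoring and hunting teams. Only the lure values themselves are matched, so the same detection logic works unchanged across DNS, authentication and file-audit sources.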


The main purpose of embedding a cyber deception strategy in your security operations architecture is to intercept your adversaries’ attack and OODA loop in order to control their path and actions within your network. Furthermore, embedding deception in your defensive operations supports the organization’s active cyber defence posture through the acquisition of operational, technical and tactical threat intelligence, thus facilitating and driving improvements in your security controls.





[1] Information Operations, JP 3-13 (2006)

[2] Intelligence Operations, MCWP 2-10, US Marine Corps

[3] The Pyramid of Pain, David Bianco

[4] The DML Model, Ryan Stillions

[5] Cyber Deception, Mohammed H. Almeshekah and Eugene H. Spafford


