For a long time, whenever I’ve been thinking about securing systems, I’ve used the following:

  1. Diminish - Reduce your attack surface
  2. Deny - Deny by default, and only create additive rules or permissions from a blank canvas
  3. Deter - Provide banners indicating systems are monitored and automated errors for exceeding rate limits etc
  4. Detect - Ensure that obviously bad actions are detected
  5. Disrupt - Have the ability to drop/redirect traffic based on IP/useragent and any other information
  6. Defeat - Put all required measures in place to remediate the issue
  7. Disseminate - Unpack the issue, learn from it, and share with others so that they don’t make the same mistake (share design principles, best practice, threat models, IOCs, incident knowledge)

Recently, deception has become much more common place in cyber/information security. It’s always been around, and it’s not exactly a new idea in general but I’ve noticed a significant increase in mentions by security vendors. There are not only the usual approaches to creating simple honey pots, and leaving candary tokens/systems around but now there are much more sophisticated commercial offerings that are being marketed.

Deception could be seen as doing a few things but I think that one of the things that I’ve overlooked is delaying an attacker. Deception allows for trickery, redirecting identified attackers to other systems that might be dummy systems or otherwise just waste time - or possibly even confuse the attacker by giving out bad data - something akin to scanner.wtf

Deception does begin with a D, but deception could be said to have a number of advantages.

Of course deception based systems are also vulnerable to attack, require maintenance, and generally add complexity to any setup - but there are ways of reducing the risk, and there is value to be had if you’re running a threat intelligence gathering effort. For example:

  • Decouple what you care about from your deception efforts. This can be done by dropping references, but not co-hosting!
  • Ensuring you have good operational security practices

Wasting time can be done in a lot of ways, here’s a few ways:

  • For HTTP based scanners create infinite loops - incorrectly setup scanners might get caught in the loop
  • Dropping links to systems of no value/honeypots:
    • In robots.txt that just aren’t of value so time is spent looking into those
    • By registering certs with a CA using certificate transparency
  • Identifying badies and then providing random responses from systems that make no sense
  • A bit like anti-forensics, provided data that is encrypted that the attacker might waste time trying to bruteforce the key for
  • Leaving rubbish data around that is meaningless
  • Tarpits
  • Adding time delays into processes that perform actions such as verification of account, or redemption of vouchers/prizes

So my 8 Ds of Defence are:

  1. Diminish - Reduce your attack surface
  2. Deny - Deny by default, and only create additive rules or permissions from a blank canvas
  3. Deter - Provide banners indicating systems are monitored and automated errors for exceeding rate limits etc
  4. Delay - Rate limit, build delays into processes to force a cooling period and allow reporting to catchup - this slows the attackers feedback loop and provide more data to the defender
  5. Detect - Ensure that obviously bad actions are detected
  6. Disrupt - Have the ability to drop/redirect traffic based on IP/useragent and any other information
  7. Defeat - Put all required measures in place to remediate the issue
  8. Disseminate - Unpack the issue, learn from it, and share with others so that they don’t make the same mistake (share design principles, best practice, threat models, IOCs, incident knowledge)

This post is more of a marker to show the date that seven became eight.