The past decade has seen an explosion in the number of vendors supplying cyber defence systems based on deception. The majority of these systems generate adaptive decoy networks and assets that lure attackers into increasing the time they spend exploring and analysing the (false) networks they attack. Meanwhile, covert instrumentation collects data about the attacker’s capabilities and methods, leading to actionable threat intelligence that can inform the design of stronger defences.
The breadth of deception reflected in these systems is usually limited. Most employ mimicry to portray false networks and assets, and use masking or repackaging to conceal their instrumentation. Seemingly, the more expansive set of deceptive strategies that defenders could potentially use to manipulate attackers (and their tools) remains unexplored.
The multitude of suppliers gravitating towards a common and limited set of deceptive strategies perhaps suggests a lack of awareness about the true scope of opportunities that deception provides. How, then, might cyber defenders innovate to generate a broader repertoire of deceptive measures to counter attackers? There are many approaches, but one that is often highly effective is to seek inspiration from the patterns of deception that occur in other (non-cyber) domains.
At the beginning of 2021, I participated in a design thinking workshop organised by Professor Debi Ashenden (University of Adelaide), Robert Black (Cranfield University), and Iain Reid (University of Portsmouth) that explored how deception in other disciplines can provoke the design of new forms of deceptive network defence.
Provocations included:
- Japanese castle defences.
- Code ‘smells’ in software engineering.
- Sliding doors.
- Gang graffiti and tagging.
- The plot of an Indiana Jones action-adventure film.
- Deception for physical safety.
Workshop participants came from academia, government, and a cyber deception technology company, and included independent defence and security experts. Topics addressed included risks, opportunities, and threats; measures of success; and limitations. The workshop resulted in a journey map that detailed considerations for operationalising cyber deception based on techniques drawn from other contexts.
A paper describing the workshop and its outputs was presented at the 54th Hawaii International Conference on System Sciences (2021) and is available here.