Establishing a shared understanding of terms and phrases is the first step towards:
- Evaluating whether deception makes sense for an organization
- Building a deception program from the ground up
- Operating a successful deception program
- Measuring the effectiveness of an existing deception program
Benign positive (alert)
An alert created from activity that was performed by a non-malicious actor. For example, an employee may stumble across and open a
decoy document, resulting in an alert.
Breadcrumb
A piece of information that, while not a
decoy, points towards one or more decoys. For example, an entry in the
/etc/hosts
file on a Linux workstation may point an attacker towards a decoy machine.
Canary
Interchangeable with
decoy.
Decoy
A dummy or deceptive resource designed to mimic a legitimate resource. Examples include decoy documents, decoy machines, and decoy accounts, to name a few. A decoy document is a document that triggers an alert when opened; a decoy machine is a machine that triggers an alert when interacted with.
Evaded (alert)
An alert that never fired because a malicious actor did not interact with a
decoy. For example, an attacker compromises a computer but then never interacts with any of the decoys on that computer.
External reconnaissance
Researching a target from outside their environment. For example, an attacker might look at open job listings for a company's Information Security team to identify gaps in coverage, or to learn which technologies the company uses.
False negative (alert)
The absence of an alert that should have fired. For example, an attacker compromises a computer and opens a
decoy document, but no alert is created.
False positive (alert)
An alert that never should have fired in the first place. For example, a
decoy machine sends an alert despite not having been interacted with in any way.
Honeypot
A type of
decoy left in an easy to find place in order to entice interaction from attackers. Honeypots, believed to be the first example of deception used for security, are often used to learn about what attackers might do if they find what looks like a vulnerable resource.
Internal reconnaissance
Researching a target from inside their environment. For example, an attacker might compromise a machine in a company's network, and use it to enumerate other machines and accounts in the network.
Lateral movement
Pivoting from one compromised resource in an environment to another. For example, an attacker might compromise one user account, perform internal reconnaissance, then compromise and pivot to one or more other accounts.
Precision (alerting)
The fraction of alerts that indicate the presence of an attacker. This can be calculated by dividing the number of
true positive alerts by the sum of:
true positive alerts,
benign positive alerts, and
false positive alerts.
$$\frac{True\ positive\ alerts}{True\ positive\ alerts + Benign\ positive\ alerts\ + False\ positive\ alerts}$$
The higher the precision of a
decoy's alerts, the more likely an alert from that decoy indicates malicious activity.
Primitive decoy
A type of
decoy that other decoys are built from. For example, a decoy domain name might serve as a primitive for a decoy word document; in this scenario, the decoy word document would make a DNS request to the (primitive) decoy domain name when opened, resulting in an alert.
Privilege escalation
A subset of lateral movement that involves getting the ability to do more things within a particular environment. For example, after compromising a "normal" user in a target organization, an attacker may compromise and pivot to an administrative user within that organization.
Recall (alerting)
The fraction of attackers detected by alerts. This can be calculated by dividing the number of
true positive alerts by the sum of:
true positive alerts and
evaded alerts.
$$\frac{True\ positive\ alerts}{True\ positive\ alerts + Evaded\ alerts}$$
The higher the recall of a
decoy's alerts the more likely malicious activity is to trigger it.
Tarpit
A type of
decoy designed to waste an attacker's time. For example, a decoy web application that unnecessarily waits 10 seconds before responding to any request to it.
True positive (alert)
An alert that indicates malicious activity. For example, an attacker compromises a computer, then finds and opens a
decoy document on it, resulting in an alert.