
NCSC calls for evidence of cyber deception use cases to set long-term research goals



The UK’s National Cyber Security Centre (NCSC) is inviting organisations to contribute evidence of use cases and effectiveness of cyber deception to support the country’s long-term research objectives. This comes after the UK recently brought together international government partners and the wider UK government and industry for a conference to discuss cyber deception in cyber defence at its headquarters in London.

The NCSC will collect, synthesize and publish evidence from participating organizations and from its own experiments.

As part of this effort, Ollie Whitehouse, NCSC CTO, and Harry W, NCSC Technical Director of Incident Management, identified two primary use cases for the technologies and solutions that add value in cyber defence. These include low-interaction solutions such as digital tripwires and honeytokens that warn of unauthorised access – when deployed by all organisations; and low- and high-interaction honeypots to collect threat intelligence both at internet scale and as discrete instances – when deployed by organisations with mature security operations capabilities as well as managed cybersecurity service providers.

“The motivation behind this event is that we recognize the potential value of using cyber deception technologies and techniques to support cyber defense in certain situations,” NCSC leaders wrote in a blog post on Monday. “We have the ambition to create an evidence base of cyber deception use cases and their effectiveness at a national level to support active Cyber Defense 2.0.”

To build this evidence base, the NCSC plans to collect existing evidence while encouraging large-scale deployment across UK government and critical national infrastructure. The agency is setting specific targets: at least 5,000 instances of low and high interaction solutions on the UK internet over IPv4 and IPv6, 20,000 instances of low interaction solutions on internal networks, 200,000 assets of low interaction solutions in cloud environments, and 2,000,000 tokens deployed.

The NCSC’s intention with this scaled deployment is to build an evidence base that can help answer three key research questions. The agency is seeking information on how effective deployments are at discovering latent compromises within organizations; how effective deployments are at persistently discovering new compromises by threat actors; and whether knowledge of the presence of such technologies at a national level leads to changes in the observable behavior of threat actors.

As discussions progressed, it became clear that the term “deception” has uncomfortable connotations for some people. This is important to be aware of because, while there are broader definitions of cyber deception in military and other contexts, they are different from the technology the agency is addressing under this initiative.

NCSC describes tripwires as components and systems designed to detect threat actors by interacting with them to reveal their unauthorized presence in an environment using honeytokens. Honeypots include components and systems designed to allow threat actors to interact with them to observe their techniques, tactics and procedures, as well as the capabilities and infrastructure they use, and to gather intelligence about cyber threats. Breadcrumbs refer to digital artifacts distributed throughout a system that entice a threat actor to interact with a tripwire and/or honeypot.

“It is also worth noting that we are aware of broader thinking and approaches that aim to generate synthetic behaviors and content with the goal of compromising an adversary’s effectiveness objectives through effects and other means,” the NCSC post continues. “But this is not our focus as these approaches and intentions are outside the scope of our cybersecurity use cases.”

The NCSC is keen to work with public and private organisations in the UK that have implemented solutions. It is interested in the details of the type, use case and scale of each deployment; how integration and breadcrumbing are carried out; what outcomes or value the deployment has produced, including but not limited to discovery of a latent breach and discovery of subsequent breaches; and what lasting value and cost relative to budget have been delivered.

Last month, the government’s legislative agenda, outlined in King Charles’ speech that week, confirmed that the UK government would introduce the Cyber Security and Resilience Bill to Parliament in the coming months. The move is designed to “strengthen the UK’s cyber defences and ensure critical infrastructure and the digital services businesses rely on are secure.”
