RECAP: Discussing deception with Chris Sanders

Rick Holland
September 24, 2020 | 3 Min Read

When I was a Forrester Research analyst, I had some strong opinions on deception technology. Approximately five years ago, I wrote, “Organizations that think they are ready for deception, are only deceiving themselves.” So when I saw my friend (and BBQ brother) Chris Sanders announce the release of his latest book, “Intrusion Detection Honeypots: Detection through Deception,” I knew we had to get him on our ShadowTalk podcast with Kacey, Charles, and me to discuss it further. You can listen to the episode here.

Source: https://twitter.com/chrissanders88/status/1300793953780981761

Chris interviewed over eighty people while researching for the book, and he covers fifteen deception techniques in it. He highlighted three deception techniques in our interview: 

  1. Injecting credentials into memory 
  2. Honey documents
  3. Honey services 

He convinced me that my previous assessment of deception needed to evolve and that it can be a useful tool in the defender’s arsenal. I agree with him that intrusion detection honeypots can provide highly actionable, low-maintenance detection with a low chance of false positives.

Our conversation: 

  • 00:27 – We start off talking BBQ, naturally. “Barbeque may not be the road to world peace, but it’s a start.” -Anthony Bourdain.
  • 07:30 – Chris’s origin story begins with “when my cousin built a meth lab,” followed up by “bad things happen when you practice redneck chemistry.”
  • 12:12 – We talk about Chris’s non-profit, the Rural Tech Fund, which has helped 100,000 rural children find technology jobs. 
  • 16:40 – We discuss Chris’s free online training, “The Cuckoo’s Egg Decompiled: An Introduction to Information Security,” based on Cliff Stoll’s epic book, The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. Chris interviewed Hans Hübner, one of the adversaries in the intrusion, which is unique since we rarely hear the perspective of both the defender and the attacker.  
  • 21:50 – We start discussing his new book, “Intrusion Detection Honeypots: Detection through Deception.” 
  • 30:00 – We talk about honeypot interactivity and the nuances to it. Chris has an excellent quote regarding attackers, “When you are living off the land, there is only so much land to go around.” 
  • 32:40 – We discuss the psychological aspects of deception and manipulating attackers to undermine themselves. We also discuss Chris’s “See, Think, Do” framework for deception. 
  • 35:49 – We dig into the ethics of cyber deception. Chris has another great quote, “If you are asking yourselves if you are well equipped to do something, you’re probably not.”
  • 38:20 – We talk about transparency around deception if it benefits organizations and serves as a deterrent to adversaries. 
  • 41:19 – We get his take on adversarial deception in the real world.
  • 45:47 – We talk about what deception technique Chris recommends organizations implement first.  
  • 48:00 – We start to wrap up the conversation. 
