RECAP: Discussing deception with Chris Sanders

Rick Holland
September 24, 2020 | 3 Min Read

When I was a Forrester Research analyst, I had some strong opinions on deception technology. Approximately five years ago, I wrote, “Organizations that think they are ready for deception, are only deceiving themselves.” So when I saw my friend (and BBQ brother) Chris Sanders announce the release of his latest book, “Intrusion Detection Honeypots: Detection through Deception,” I knew we had to get him on our ShadowTalk podcast with Kacey, Charles, and me to discuss further. You can listen to the episode here.

Source: https://twitter.com/chrissanders88/status/1300793953780981761

Chris interviewed over eighty people while researching the book, and he covers fifteen deception techniques in it. He highlighted three deception techniques in our interview:

  1. Injecting credentials into memory 
  2. Honey documents
  3. Honey services 

He convinced me that my previous assessment of deception needed to evolve and that it can be a useful tool in the defender’s arsenal. I agree with him that intrusion detection honeypots can provide highly actionable, low-maintenance detection with a low chance of false positives.

Our conversation: 

  • 00:27 – We start off talking BBQ, naturally. “Barbeque may not be the road to world peace, but it’s a start.” -Anthony Bourdain.
  • 07:30 – Chris’s origin story begins with “when my cousin built a meth lab,” followed up by “bad things happen when you practice redneck chemistry.”
  • 12:12 – We talk about Chris’s non-profit, the Rural Tech Fund, which has helped 100,000 rural children find technology jobs. 
  • 16:40 – We discuss Chris’s free online training, “The Cuckoo’s Egg Decompiled: An Introduction to Information Security,” based on Cliff Stoll’s epic book, The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. Chris interviewed Hans Hübner, one of the adversaries in the intrusion, which is unique since we rarely hear the perspective of both the defender and the attacker.  
  • 21:50 – We start discussing his new book, “Intrusion Detection Honeypots: Detection through Deception.” 
  • 30:00 – We talk about honeypot interactivity and the nuances to it. Chris has an excellent quote regarding attackers, “When you are living off the land, there is only so much land to go around.” 
  • 32:40 – We discuss the psychological aspects of deception and manipulating attackers to undermine themselves. We also discuss Chris’s “See, Think, Do” framework for deception. 
  • 35:49 – We dig into the ethics of cyber deception. Chris has another great quote, “If you are asking yourselves if you are well equipped to do something, you’re probably not.”
  • 38:20 – We talk about transparency around deception if it benefits organizations and serves as a deterrent to adversaries. 
  • 41:19 – We get his take on adversarial deception in the real world.
  • 45:47 – We talk about what deception technique Chris recommends organizations implement first.  
  • 48:00 – We start to wrap up the conversation. 
