
Network Monitoring and Deceptive Defenses

January 2016 Presentation
Michael Collins (RedJack), Brian Satira (Noblis)

In this FloCon 2016 presentation, the authors discuss the use of network monitoring to support deceptive defenses.

Publisher: CERT Division

Abstract

In this FloCon 2016 presentation, we discuss the use of network monitoring to support deceptive defenses. In the context of this presentation, a deceptive defense is any defensive mechanism that is intended to frustrate or delay attackers by feeding them false information about a network's structure. The classic example of such a defense is a honeypot, but recent research has produced several other defenses, including honeywords and honeyfiles.

We discuss the integration of deceptive defenses with network monitoring by focusing on the problem of file exfiltration—copying files from a network. A potential deceptive defense against exfiltration is to artificially inflate the size of critical files (e.g., proprietary information, password files). Such a defense is most effective when combined with situational awareness—an understanding of how large these files have to be to impose a risk on an attacker.
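The abstract's point is that inflating a critical file only helps if the defender knows how large an outbound transfer has to be to stand out in the network's own traffic. The following is an added example, not code from the presentation or its authors: it builds a per-host baseline of outbound transfer sizes from constructed flow records, derives the inflation target that would make a copy of a critical file larger than anything that host normally sends, and flags recent flows that meet that target. The host addresses, byte counts and the 2x margin are all assumptions chosen for illustration.

```python
"""Sizing an inflated honey file against a baseline of observed outbound flows.

Added example (not from the FloCon 2016 presentation). The flow records below
are constructed, and the 2x safety margin is an assumption.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int]  # (source host, destination, outbound bytes)

# Constructed baseline window: traffic assumed to be known-good.
BASELINE_FLOWS: List[Flow] = [
    ("10.0.0.5", "203.0.113.10", 4_200),
    ("10.0.0.5", "203.0.113.10", 9_800),
    ("10.0.0.5", "198.51.100.7", 15_000),
    ("10.0.0.5", "203.0.113.22", 7_100),
    ("10.0.0.8", "203.0.113.10", 1_000_000),
    ("10.0.0.8", "203.0.113.10", 1_500_000),
    ("10.0.0.8", "198.51.100.7", 1_200_000),
]

# Constructed recent window to evaluate; the 52 MB flow is the planted anomaly,
# and 10.0.0.9 is a host with no baseline at all.
RECENT_FLOWS: List[Flow] = [
    ("10.0.0.5", "203.0.113.10", 8_000),
    ("10.0.0.5", "198.51.100.9", 52_000_000),
    ("10.0.0.8", "203.0.113.22", 1_100_000),
    ("10.0.0.9", "203.0.113.10", 300),
]


def outbound_baseline(flows: List[Flow]) -> Dict[str, int]:
    """Largest single outbound transfer seen per host during the baseline window."""
    largest: Dict[str, int] = defaultdict(int)
    for src, _dst, nbytes in flows:
        largest[src] = max(largest[src], nbytes)
    return dict(largest)


def inflation_target(baseline: Dict[str, int], host: str, margin: float = 2.0) -> int:
    """Smallest size to inflate a critical file on `host` so that copying it
    off the network produces a transfer `margin` times larger than anything
    that host sent during the baseline window."""
    return int(baseline[host] * margin)


def flag_transfers(flows: List[Flow], baseline: Dict[str, int],
                   margin: float = 2.0) -> List[Tuple[Flow, str]]:
    """Recent outbound flows worth an analyst's attention, each with a reason.

    A flow is flagged when it meets the host's inflation target, or when the
    host has no baseline (so its normal transfer size is unknown)."""
    flagged: List[Tuple[Flow, str]] = []
    for flow in flows:
        src, _dst, nbytes = flow
        if src not in baseline:
            flagged.append((flow, "no baseline for host"))
        elif nbytes >= inflation_target(baseline, src, margin):
            flagged.append((flow, "exceeds inflation target"))
    return flagged


if __name__ == "__main__":
    base = outbound_baseline(BASELINE_FLOWS)
    for host in sorted(base):
        print(f"{host}: largest baseline transfer {base[host]:,} bytes, "
              f"inflate critical files to >= {inflation_target(base, host):,} bytes")
    for flow, reason in flag_transfers(RECENT_FLOWS, base):
        print(f"FLAG {flow[0]} -> {flow[1]} {flow[2]:,} bytes ({reason})")
```

The baseline uses the largest transfer per host rather than a mean, because the question the abstract raises is how big a copy of the honey file must be to exceed what the host ever sends in ordinary use; a busy file server therefore needs a much larger inflation target than a workstation, and a host with no history is reported separately rather than silently skipped.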