How to Use AI in Cyber Deception

For years, cyber deception has been an excellent tool against would-be cybercriminals. However, the cybersecurity landscape is constantly evolving — and many conventional techniques are no longer as effective. Is artificial intelligence the solution? If business leaders know how to deploy it effectively, they can benefit from the value it generates.

1. Build Adversary Profiles

Despite what some may think, AI isn’t a passing trend. Its value in the cybersecurity market will reach $133.8 billion by 2030 — a 330% increase in a six-year period. Utilizing AI to build an accurate adversary profile lets security professionals reverse engineer cybercrime, helping them identify malicious techniques and habits.

Moreover, it gives them insight into bad actors’ motivations and thought patterns. They can use this information to strengthen their defenses and potentially uncover attackers’ identities.

2. Keep Attackers Engaged

Deception isn’t just for bad actors; now, cybersecurity teams are using their own deception techniques to stop scammers in their tracks. The good news is attackers aren’t likely to recognize their own strategies.

For example, phishers rely heavily on urgency and generic greetings and phrases — and so can cybersecurity teams. They can employ large language models trained to use these same techniques to keep bad actors engaged for longer, making the scammers believe they’re duping an actual employee. In reality, cybersecurity teams are cataloging their tools, message frequency and language usage to defend against their strategies.

3. Analyze Tactics and Targets

AI’s rapid processing capabilities enable it to analyze adversaries’ tactics and tools to identify their presence and understand their target. It can detect subtle deviations and trends far more accurately than humans can, so using it in cyber deception to attract, trick and trap threats is a sound strategy.

4. Generate Deceptive Assets

A generative model can automatically design or engineer fake files, logs, applications, directories, employee profiles and network topologies to imitate legitimate data storage systems or network activities. Its ability to craft synthetic credentials, datasets, system logs and communications can be invaluable during deception campaigns.

How AI Improves Cyber Deception Strategies

Adaptation is one of the most significant ways AI improves honey-potting strategies. Machine learning subsets can evolve alongside bad actors, enabling them to anticipate novel techniques. Conventional signature-based detection methods are less effective because they can only flag known attack patterns. Algorithms, on the other hand, use a behavior-based approach.

Synthetic data generation is another one of AI’s strengths. This technology can produce honeytokens — digital artifacts purpose-built for deceiving would-be attackers. For example, it could create bogus credentials and a fake database. Any attempt to use those during login can be categorized as malicious because it means they used illegitimate means to gain access and exfiltrate the imitation data.

While algorithms can produce an entirely synthetic dataset, they can also add certain characters or symbols to existing, legitimate information to make its copy more convincing. Depending on the sham credentials’ uniqueness, there’s little to no chance of false positives.

Minimizing false positives is essential since most of the tens of thousands of security alerts professionals receive daily are inaccurate. This figure may be even higher for medium- to large-sized enterprises using conventional behavior-based scanners or intrusion detection systems because they’re often inaccurate.

Considering 51% of security decision-makers already agree their teams are overwhelmed by alert volumes, leveraging AI to mitigate false positives and handle incident response is ideal. Decision-makers can even train it to send high-priority or particularly complex cases directly to cybersecurity teams, ensuring it remains accurate.

Is AI-Driven Cyber Deception Cost-Effective?

Generally, deception strategies are relatively inexpensive to deploy. In one case study, factoring in stand-up, experiment and tear-down costs, professionals spent just $0.25 per operation on average. Even accounting for the 24.76 hours of labor and computing resources they utilized, the overall expense is negligible, even for small- and medium-sized businesses.

That said, even though the cost is low, there’s no such thing as too affordable. Since AI accelerates time to completion and doesn’t require a salary in exchange for labor, it can significantly reduce companies’ campaign expenditures. These cost savings can help offset spending on building and deploying a model.

On the topic of labor, availability is another AI-driven improvement. Traditionally, hand-crafting fake assets, login pages and datasets is time-consuming. These hours worked — along with those required during the inevitable incident response that follows an alert — are often one of the most expensive budget line items during these kinds of operations.

Since machine learning models don’t need breaks, sick days or time off, they can work around the clock. In addition to being much more affordable than paying hourly wages for multiple team members, this approach is also a sound cybersecurity strategy. After all, cyberattacks don’t happen exclusively during working hours.

Strategic Implementation Tips for Businesses

Businesses seeking to incorporate algorithms into their existing honey-potting strategies should ensure their infrastructure supports integration. This kind of use case is complex, requiring an extensive collection of resources, data repositories and notification systems. Hiring a specialist for their expertise or leveraging a human-in-the-loop model would be ideal.

Organizations should carefully consider algorithm type before progressing with implementation. One in the machine learning subset is optimal because it can evolve as it absorbs new information.

Whatever decision-makers choose, they must remember to focus on their environment as much as their model type and imitation assets. Attackers constantly work to identify and avoid honeytraps, so firms must work just as hard to stay ahead. They should ensure their fake resources, websites and traffic logs are as convincing as possible.

Since no real-world network or data repository would remain unsecured despite containing valuable or sensitive information, cybersecurity teams should strongly consider leveraging weak security tools to make their environments seem more believable. As a bonus, this approach may also tell them more about attackers’ tactics and intentions.

The Bottom Line of Using AI in Cyber Deception

AI won’t instantly improve an existing honey-potting strategy — cybersecurity professionals must actively seek out gaps and tactically use this technology to fill them. At the end of the day, software is only as good as the strategy supporting it.

About the Author

Zac Amos is the Features Editor at ReHack, where he covers cybersecurity and the tech industry. For more of his content, follow him on Twitter or LinkedIn.