Deception seeks to fool the adversary as a defensive (and offensive) tactic and has a long history of effective use in military contexts. The core idea is that deception creates uncertainty for the attacker, which may make defences more effective. Honeypots and moving-target defences are popular examples. Honeypots fool attackers into believing that a digital asset is of value when in reality it is a decoy. Moving-target defences alter the external attack surface of the network in order to invalidate prior reconnaissance activities. Other tactics include concealment, camouflage, disinformation, displays/ruses, feints, and using insights from situational awareness and cyber threat intelligence to fool the attacker.
This research area proposes using unpredictable behaviour in defence orchestration systems as a novel approach to cyber defence. Such systems can be weighted by situational awareness context and security postures to prioritise defence behaviour and protect certain assets under certain conditions, giving analysts significant flexibility in how they specify the prioritisation of actions. The research proposes novel uses of probabilistic decision trees, security postures and dependency modelling to simulate real attacks and to identify the degree to which unpredictability in cyber defences can confuse and delay the attacker.
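
A minimal sketch of posture-weighted, unpredictable action selection as described above. It is an added example, not code from the research or its publications. The tree, action names, postures and multipliers are all constructed assumptions, and Shannon entropy is used here as one possible measure of how uncertain the attacker remains about the next defence action.

```python
import math
import random

# Constructed decision tree (all names hypothetical): each branch maps to
# (base_weight, subtree); a subtree of None marks a leaf defence action.
TREE = {
    "contain": (1.0, {"isolate_host": (1.0, None), "block_ip": (1.0, None)}),
    "deceive": (1.0, {"redirect_to_honeypot": (1.0, None),
                      "shuffle_addresses": (1.0, None)}),
    "observe": (1.0, {"increase_logging": (1.0, None)}),
}

# Constructed security postures: per-branch weight multipliers (assumed values).
POSTURES = {
    "neutral": {},
    "protect_asset": {"contain": 4.0, "isolate_host": 3.0},
    "gather_intel": {"deceive": 3.0, "observe": 2.0},
}

def branch_probs(node, posture):
    """Normalised branch probabilities at one node under the given posture."""
    mult = POSTURES[posture]
    raw = {name: w * mult.get(name, 1.0) for name, (w, _) in node.items()}
    total = sum(raw.values())
    return {name: w / total for name, w in raw.items()}

def leaf_distribution(node, posture, p=1.0):
    """Probability of each leaf action: what the attacker could at best learn."""
    dist = {}
    for name, prob in branch_probs(node, posture).items():
        child = node[name][1]
        sub = {name: p * prob} if child is None else leaf_distribution(child, posture, p * prob)
        for leaf, q in sub.items():
            dist[leaf] = dist.get(leaf, 0.0) + q
    return dist

def choose_action(node, posture, rng=None):
    """Walk the tree, sampling one branch per level. The default RNG is the OS
    CSPRNG: a seeded Mersenne Twister would make the 'unpredictable' choice
    reconstructible from observed outputs."""
    rng = rng or random.SystemRandom()
    name = None
    while node is not None:
        probs = branch_probs(node, posture)
        name = rng.choices(list(probs), weights=list(probs.values()))[0]
        node = node[name][1]
    return name

def entropy_bits(dist):
    """Shannon entropy of the action distribution, in bits."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)
```

Under the `protect_asset` posture the distribution concentrates on containment actions and its entropy drops relative to `neutral`, yet every action keeps a non-zero probability: prioritisation is traded against unpredictability rather than replacing it.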
- Jassim Happa, Thomas Bashford-Rogers, Alastair Janse van Rensburg, Michael Goldsmith, Sadie Creese. Deception in Network Defences using Unpredictability. ACM Digital Threats Research and Practice (DTRAP) Special Issue on Situational Awareness. 2021.
- Arnau Erola, Ioannis Agrafiotis, Jassim Happa, Michael Goldsmith, Sadie Creese, and Philip A. Legg. RicherPicture: Semi-automated cyber defence using context-aware data analytics. In International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA), pp. 1-8. IEEE, 2017.