Employ [Assignment: organization-defined technical and procedural means] to confuse and mislead adversaries.
Discussion
There are many techniques and approaches that can be used to confuse and mislead adversaries, including misdirection, tainting, disinformation, or a combination thereof. Deception is used to confuse and mislead adversaries regarding the information that the adversaries use for decision-making, the value and authenticity of the information that the adversaries attempt to exfiltrate, or the environment in which the adversaries desire or need to operate. Such actions can impede the adversary’s ability to conduct meaningful reconnaissance of the targeted organization, delay or degrade an adversary’s ability to move laterally through a system or from one system to another system, divert the adversary away from systems or system components containing CUI, and increase observability of the adversary to the defender—revealing the presence of the adversary along with its TTPs. Misdirection can be achieved through deception environments (e.g., deception nets), which provide virtual sandboxes into which malicious code can be diverted and adversary TTPs can be safely examined. Tainting involves embedding data or information in an organizational system or system component that the organization desires adversaries to exfiltrate. Tainting allows organizations to determine that information has been exfiltrated or improperly removed from the organization and potentially provides the organization with information regarding the nature of the exfiltration or adversary locations. Disinformation can be achieved by making false information intentionally available to adversaries regarding the state of the system or the type of organizational defenses. Any disinformation activity is coordinated with the associated federal agency requiring such activity and should include a plan to limit incidental exposure of the false CUI to authorized users.
Disinformation can be employed both tactically (e.g., making available false credentials that the defender can use to track adversary actions) and strategically (e.g., interspersing false CUI with actual CUI, interfering with an adversary’s re-use, reverse engineering and exploitation of legitimate CUI, thus undermining the adversary’s confidence in the value of the exfiltrated information, and subsequently causing them to limit such exfiltration). [SP 800-160-2] provides guidance on developing cyber resilient systems and system components.
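As an added illustration of the tainting technique described above (example code, not part of the NIST text): each decoy document carries a unique beacon token; when the decoy is opened outside the organization, the beacon host's access log records the token and the source address, which the defender maps back to the decoy and the system it was planted on. The beacon host name, the internal address ranges and the log lines are constructed placeholders.

```python
import ipaddress
import re
import secrets
from dataclasses import dataclass

BEACON_HOST = "beacon.example.test"  # assumed placeholder host that serves the beacon
INTERNAL_NETS = [ipaddress.ip_network(n)  # the organization's own ranges (assumed)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Taint:
    token: str      # unguessable identifier unique to one decoy
    decoy: str      # name of the decoy document carrying the token
    placed_on: str  # system or component the decoy was planted on

def register_taint(registry, decoy, placed_on, token=None):
    """Record a taint (random 128-bit token unless given); return the beacon URL."""
    token = token or secrets.token_hex(16)
    registry[token] = Taint(token, decoy, placed_on)
    return f"https://{BEACON_HOST}/r/{token}.png"

# Apache/nginx combined-log line; only source, timestamp and token are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /r/([0-9a-f]{32})\.png')

def detect_exfiltration(log_lines, registry):
    """Map beacon hits from outside the organization back to their decoys."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a beacon request
        src, when, token = m.groups()
        taint = registry.get(token)
        if taint is None or any(ipaddress.ip_address(src) in n for n in INTERNAL_NETS):
            continue  # unknown token (scanner noise) or a legitimate internal open
        alerts.append({"decoy": taint.decoy, "placed_on": taint.placed_on,
                       "source": src, "time": when})
    return alerts

# Constructed sample data: one registered decoy; the log shows an internal
# open, a fetch from an external address (exfiltration) and an unknown token.
REGISTRY = {}
DEMO_TOKEN = "0f" * 16
register_taint(REGISTRY, "Q3_pricing_CUI.docx", "fileserver-02", token=DEMO_TOKEN)
SAMPLE_LOG = [
    f'10.20.30.40 - - [03/Mar/2024:09:12:01 +0000] "GET /r/{DEMO_TOKEN}.png HTTP/1.1" 200 68',
    f'203.0.113.7 - - [04/Mar/2024:02:47:55 +0000] "GET /r/{DEMO_TOKEN}.png HTTP/1.1" 200 68',
    f'203.0.113.7 - - [04/Mar/2024:02:48:10 +0000] "GET /r/{"ab" * 16}.png HTTP/1.1" 404 0',
]
```

Running `detect_exfiltration(SAMPLE_LOG, REGISTRY)` yields a single alert naming the decoy, the file server it was planted on, and the external source address, which is the exfiltration evidence and adversary-location hint the discussion refers to.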