Given enough time and resources, advanced adversaries will bypass modern intrusion detection solutions. SIEMs are often configured to gather as much information as possible in an environment, and the resulting value of provided alerts and responses rely on attempting to lower the number of false positives. The goal of The Aerospace Corporation was to conduct an experiment in achieving higher fidelity true positive alerts by utilizing cyber deception concepts. Our research concluded that by through a mix of low and medium interactivity honeypots deployed on a production system, it is possible to gather not only true positive alerts but also threat intelligence on adversaries.

The talk will cover a brief overview of current FOSS deception solutions and will pivot to the research showcasing our own FOSS cyber deception experiment that detects and monitors cyber adversaries.