SEC550: Cyber Deception - Attack Detection, Disruption and Active Defense

  • In Person (6 days)
  • Online
36 CPEs

SEC550 will provide you with an understanding of the core principles of cyber deception, enabling you to plan and implement cyber deception campaigns to fit virtually any environment. You'll be able to turn the tables on attackers so that while they need to be perfect to avoid detection, you need to be right only once to catch them. 15 Hands-on Labs + Deception Capstone

What You Will Learn

Traditional defensive controls are failing us. The time it takes for an attacker to go from initial compromise to lateral movement is rapidly decreasing while the time it takes to detect and effectively respond to breaches is measured in weeks or even months. Making the situation worse, studies such as the 2020 Cost of a Data Breach Report by the Ponemon Institute show a direct correlation between the time it takes to detect and respond to a breach and the cost of that breach to an organization; the longer it takes, the more a breach costs. To reduce risk, defenders need better ways to quickly detect adversary activity while also collecting information to facilitate faster and more effective response.

Cyber deception is the solution to reduce this response time and minimizing cost. SEC550: Cyber Deception, Active Defense, and Offensive Countermeasures will give you an understanding of the core principles of cyber deception, allowing you to plan and implement cyber deception campaigns to fit virtually any environment.

Most majority detective controls in use today focus on looking for "evil", but attackers do a great job at appearing harmless or even invisible. Technologies such as anti-virus, application whitelisting, DLP, and firewalls can be circumvented with relative ease. A common solution is to change the detective strategy from looking for "evil" to looking for "abnormal." However, attempting to "normalize" even fairly small computing environments can be both challenging and time-consuming.

Fortunately, there are alternatives. Instead of attempting to normalize a production environment, what if we placed resources in that environment that have no production value or use? These resources could be user accounts, credentials, services, open ports, computers, or even complete networks. Because these resources are not part of normal production operations, "normal" can be defined as no interaction or no use. In other words, since there is no reason for legitimate interaction with these deceptive resources, any interaction is abnormal and there are very few "false positive" alerts. This creates a high-fidelity, low-noise detection solution. Furthermore, because the deceptive resources can be monitored and/or configured to generate logs, defenders can collect significant amounts of actionable threat intelligence and attack attribution information, facilitating faster and more effective response. Better yet, this all occurs while attackers are busy attempting to hack deceptive systems, distracting them from actual production resources.

In this hands-on course, you will not only learn cyber deception theory and concepts, you will play an active role working with deception technology during more than 15 hours of guided exercises. By the end of the course, you will understand the value of cyber deception and have practical experience you can immediately draw on to protect your own computing environment.


  • Why cyber deception completely changes the information security game
  • How to use cyber deception to detect attackers on your network as much as 90% faster than through the use of traditional detection technologies
  • How to collect actionable threat intelligence and attack attribution information through the use of deception technologies
  • How to create an environment where attackers need to be perfect to avoid detection, while you need to be right only once to catch them
  • How to actively engage attackers in real time
  • How to thwart attacks before attackers send a single packet towards your network
  • How to take back the advantage from attackers


  • Design, implement, evaluate, and manage a comprehensive cyber deception program
  • Detect attacker activity on your network more quickly
  • Reduce false positive alerts
  • Respond to attacks more effectively
  • Deter or thwart attacks before they occur

Syllabus (36 CPEs)

Download PDF
  • Overview

    During the first course section, we will focus on understanding the core problems associated with attack detection and response and how deception technology can solve those problems. We will look at how common attacker tactics and techniques can evade traditional protective and detective controls. Finally, we will examine what it takes to do deception right by providing an overview of deception components and planning activities.

    • Offensive techniques and tactics
    • Evaluating obvious deception
    • Deception done right - components and planning
    • Preliminary deception plan development using MITRE ATT&CK and Shield

    Understanding the Problem

    • Problems with traditional protective and detective controls
    • Why failures in detection significantly increase risk

    Describing the Solution

    • Understanding the Observe Orient Decide Act (OODA) loop and how it can help your security program
    • Introducing cyber deception: key benefits, elements and components

    Offensive Techniques and Evasion of Controls

    • Examining how attackers circumvent traditional security controls
    • Introducing attack mapping frameworks; Lockheed Martin Cyber Kill Chain, Unified Kill Chain, and MITRE ATT&CK

    Deception Done Right, Deception Components, and Deception Planning

    • Learn how attackers can discover deception
    • Understand what attackers can do if deception is discovered
    • Understanding common deception goals
    • Using MITRE Shield to clarify deception and active defense objectives

    Preview of Deception Components and Elements

  • Overview

    Implementing deception can be as easy as running a few simple tools within your network. Since deception is not common today, simple deception can be extremely effective. As deception becomes more common, or when dealing with advanced adversaries, more comprehensive deception plans are necessary. In this course section, you will learn what it takes to design a detailed, comprehensive, and credible deception plan that includes knowing yourself, knowing your adversary, and knowing your deception goals. You will also learn how different virtualization technologies can be used to implement a cost-effective, flexible, and believable deception program.

    • Implementing deception with Docker
    • Know thyself: Inventorying network resources in Active Directory, non-Active Directory, and Linux environments
    • Know thy enemy: Working with MITRE ATT&CK and ATT&CK Navigator
    • Foundational Knowledge
    • Core Deception Concepts
    • Deception Effects and Methods
    • Revealing/Concealing Facts and Fictions
    • Regular Expressions
    • Deception and Virtualizations

    Know Yourself

    • Developing an IT asset inventory to facilitate deception planning
    • Classifying data and analyzing business impact to identify deception priorities
    • Identifying and locating sensitive data using regular expressions
    • Identifying vulnerability
    • Creating a user and group inventory
    • Identifying technology usage patterns

    Know Your Enemy

    • Discovering methods to understand attacker tactics and techniques
    • Understanding how training in offensive tactics can improve your deception planning
    • Using incident response and forensic skills to create better deception
    • Using the Lockheed Martin Intrusion Kill Chain, Unified Kill Chain and MITRE ATT&CK to learn about attacker activities
  • Overview

    This section will look at the first set of deception program components. You will learn how to design, implement, and use DNS and web deception, port and service deception, e-mail, Internet of Things, and wireless deception, and file system deception.

    • DNS and Web Deception

      • SSH and RDP honeypots, proxy redirects
      • Conpot ICS honeypot use, testing, and customization
      • Windows and Linux filesystem deception

    DNS Deception

    • The importance of DNS
    • Attacks involving DNS
    • DNS deception tactics and techniques

    Web Deception

    • Web deception tactics and techniques
    • Web deception tools and honeypots

    Port and Service Deception

    • Differences between high-interaction and low interaction honeypots
    • Port and service deception tools, utilities and honeypots
    • Port and service deception advantages and disadvantages

    Email Deception

    • Attacks involving email, including phishing, spear phishing, and spam
    • Anti-phishing deception strategies
    • Anti-spam deception strategies

    Internet of Things (IoT), Operations Technology (OT), and Industrial Control System (ICS) Deception

    • IoT/OT/ICS deception tools and utilities

    Wireless Deception

    • Understanding wireless attacks
    • Wireless infrastructure deception
    • Wireless client deception
    • Wireless deception tools and utilities

    File and Folder Deception

    • File and folder deception overview
    • File system instrumentation and alerting
    • How to generate credible deceptive data
  • Overview

    This section will continue looking at deception program components. You will learn how to design, implement, and use deceptive accounts and credentials and high-interaction Honeypots. You will also learn how to avoid detected deception and how to distribute Honeynets and Honeypots.

    • Creating deceptive accounts in Linux, Wordpress, and Active Directory, and in memory
    • Undertaking responder, router, and wireless deception plus TCP Tarpit with port redirection
    • Implementing a Windows 10 honeypot, monitoring and centralized login
    • Active attack response

    Deceptive Accounts and Credentials

    • Understanding attacks against accounts and credentials
    • Deceptive countermeasures to credential attacks
    • Deceptive persona creation, management, and use

    Avoiding Detected Deception

    • Level of deception and the impact of realism
    • Detecting deception
    • Deceptive network traffic
    • Pocket litter and burn-in

    High-Interaction Honeypots

    • High-interaction honeypot overview
    • Configuration and instrumentation of high-interaction honeypots
    • Honeypot monitoring solutions


    • Honeynet overview
    • Honeynet advantages and disadvantages
    • Honeynet control and instrumentation

    Honeypot Distributions

    • Honeydrive
    • Active Defense Harbinger Distribution (ADHD)
    • Honeeepi
    • BlackArch Linux
  • Overview

    In this course section, you will use everything learned throughout the class to develop a comprehensive deception plan. Youll then learn methods to evaluate the effectiveness of your deception program. You will also gain an understanding of the legality of deception and how incident response differs in deceptive environments. Finally, well provide a brief overview of commercial deception solutions.

    • Designing, implementing, and evaluating a deception program

    Deception Planning

    • Deception planning process overview
    • Understanding deception channels
    • Deception story development

    Deception Plan Evaluation and Testing

    • Understanding and planning for what could go wrong
    • Methods for evaluating deceptive plans
    • Identifying deception

    Legal Questions: Entrapment and Hacking Back

    Incident Handling and Response

    • Differences when responding to incidents in a deceptive environment
    • Active attacker engagement: how and why

    Commercial Deception Solution Overview

  • Overview

    During this final section, you will put the knowledge and skills learned throughout the course to practical use. Students will be divided into teams and given a new computing environment to operate in. They will then be presented with a series of challenges designed to test their ability to understand their own environment as well as attacker tools, techniques, and tactics. Students will be challenged to identify deception goals based on provided information, then be presented with specific cyber deception objectives. Answering the questions provided and successfully achieving stated deception goals will result in scoring points. The team with the most points at the end of the exercise will be declared the winner.

    • Section 6 Capstone Exercise
    • Know Your Self

      • Identifying host information
      • Identifying vulnerabities
      • Investigating network traffic
      • Identifying users and credentials

    • Know Your Enemy and Your Goals

      • Reviewing MITRE ATT&CK
      • Applying MITRE Shield

    • Deception Implementation

      • Solving deception challenges


  • Basic understanding of Windows and Linux
  • Basic understanding of network protocols and network traffic analysis
  • Basic understanding of offensive hacker techniques

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back-up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.

Operating System

  • Your system must be running either the latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
  • Windows Credential Guard must be DISABLED (if running Windows as your host OS)
  • Apple computers with the M1 processor (Apple Silicon) are NOT supported for use in class. Apple does not provide support for x86-based virtual machines under its Rosetta 2 x86 translation capability. Apple computers that use Intel processors are not affected by this issue and are still supported for use in-class.


  • 64-bit Intel i5/i7 2.0+ GHz processor
  • Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your processor information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".


  • Enabled "Intel-VT"
  • Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password. This is absolutely required.


  • 8 GB RAM (or more) is highly recommended for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".

Hard Drive Free Space

  • 100 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.

Additional Requirements

The requirements below are in addition to the baseline requirements provided above. Prior to the start of class, you must install VMware virtualization software and meet the additional software requirements as described below.

  • VMware Player Install

    • VMware Workstation Player 15.5+, VMware Workstation Pro 15.5.+, or VMware Fusion 11.5+.
    • If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation Pro. THIS IS CRITICAL: Other virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with the course material.
    • You must have administrator access to the host OS and to all installed security software.
    • You must have the ability to reboot the laptop and login (i.e., you must have valid credentials for any drive encryption or other security software installed)

Your course media will be delivered via download. The media files for class can be large, some in the 20 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads when you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using electronic workbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact

Author Statement

"When I first started exploring the world of cyber deception, I was confused, to say the least. I did not really understand what the fuss was all about. I viewed cyber deception as something akin to a next-gen honeypot. Honeypots? Really? Then one day it clicked. As I was looking at different ways honeypots could be deployed, I had a thought: What if I was trying to conduct a penetration test against an environment using these techniques? What would that be like? My short answer was that it would be terrible, and with that realization I finally understood. Unfortunately, that understanding generated more confusion for me. As I began to see how effective cyber deception could be, I began to have doubts. It can't be this good, can it? There has to be something I'm missing! After months of continued research, experimentation, and discussions with other deception practitioners I finally realized that I'd found what has been missing from the security industry: a way for defenders to take back the advantage! I've been passionate about the topic ever since. I also came to see that each and every person who truly understood cyber deception was every bit as passionate as I was, and that I needed to share this with as many people as I could." - Kevin Fiscus

Register for SEC550