Deception has long been a strategy in traditional warfare. Successful deception techniques manipulate the enemy’s decision loop, causing him to commit resources against the wrong targets and giving him a false sense of progress while the real mission executes unimpeded. Until now, however, deception in cyberspace has largely been ignored for defensive purposes. While attackers have been finding innovative uses of deception to hide their identities, cause surprise, or mislead victims, defensive uses have been limited to honeypots and to moving target defenses, which attempt to dynamically modify the defended system to invalidate an attacker’s understanding of, or position in, the system. This has left a potentially revolutionary defensive approach unexplored: actively manipulating the adversary’s decision loop, causing him to expend effort in an alternate reality partitioned from the actual mission-essential functions.

KAGE (Keeping the Adversary Guessing and Engaged) enables “active deception”: deception in which the adversary’s decision loop is actively manipulated by adapting the environment (network and host), both proactively and reactively, as KAGE learns about the capabilities and intents of the client with which it is engaging. KAGE targets all phases of an attack and leverages the adversary’s progress through the distinct stages to inject itself into their decision processes and prolong engagements at two levels. KAGE attempts to distract and engage an adversary as they move through any given stage of an attack.

To accomplish this goal, KAGE must employ a set of deception maneuvers aimed at distracting an adversary, prolonging the engagement, and allowing the defender to learn about that adversary. Unlike honeypots, the deceptions cannot be passive. Instead, they must be able to react to actions taken by the adversary in order to present a false reality that is consistent with the adversary’s expectations and needs. The flexibility and generality of such an approach require that the deceptions not be “hard-coded”, since a hard-coded response is brittle and can only handle a particular set of adversary actions. To react and adapt to new situations, the defense therefore needs an arsenal of deceptions that it can deploy at will in novel compositions and configurations. KAGE is accordingly structured as a framework in which deceptions can be developed, deployed, and orchestrated, enabling this level of adaptation, maneuverability, and dynamism.