Decoys Cannot Go Everywhere: Mapping the Deception Surface in MITRE ATT&CK

📅 2026-06-26
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This study addresses a critical gap in existing cyber deception research, which often assumes decoys can be arbitrarily deployed along attacker pathways without systematic validation. Leveraging the MITRE ATT&CK v18.1 framework encompassing 250 adversary techniques, the authors propose a novel four-dimensional evaluation framework that quantifies the suitability of deception defenses based on feasibility, interactivity, intelligence value, and reliability as indicators of malicious activity. Their analysis reveals that only 32% (80 techniques) are amenable to effective decoy deployment and identifies two distinct deployment patterns—Sweep and Seek. The work delivers an auditable standard for assessing deception surfaces, actionable decision rules, and granular technique-level insights, thereby establishing both a theoretical benchmark and practical foundation for strategic deception in cybersecurity.
📝 Abstract
Cyber deception research often assumes that a decoy can be placed wherever there is attacker behavior. This work tests that assumption across MITRE ATT&CK v18.1. We introduce a four-criterion rubric for infrastructure deception and apply it to all 250 ATT&CK techniques. The rubric evaluates whether a defender-controlled decoy can be placed, whether an attacker is likely to interact with it, what intelligence that interaction can yield, and whether the interaction reliably indicates malice. The resulting deception surface is sparse: only 80 techniques (32%) admit a decoy the attacker could plausibly reach. For the remaining 170 techniques, there is no defender-controlled asset in the attacker's path that can be fabricated as a decoy. Decoy placement across those 80 techniques falls into two patterns we call Sweep and Seek. In Sweep, the attacker moves broadly through assets in range and encounters the decoy as part of that activity. In Seek, the attacker looks for a specific kind of asset and interacts with a fabricated version of it. These patterns give a simple placement rule: a decoy must either sit on a sweep path or imitate a sought asset. We also show that decoys usually have useful intelligence potential, but whether an attacker interacts with them at all, and whether that interaction reliably indicates malice, both vary. We release the rubric, decision rules, and per-technique assessment as an auditable baseline for future deception research and deployment planning, and show that infrastructure decoys cannot be assumed to apply to all attacker behavior.
Problem

Research questions and friction points this paper is trying to address.

cyber deception
decoy placement
MITRE ATT&CK
deception surface
infrastructure deception
Innovation

Methods, ideas, or system contributions that make the work stand out.

cyber deception
MITRE ATT&CK
decoy placement
deception surface
infrastructure deception
🔎 Similar Papers
No similar papers found.