SOC Puppets: How Whaley’s Theory of Outs and ‘Noisy’ Sock Puppets Encouraging Discovery of Network Deception Could Enhance Security Operations Center Analysis

Abstract

This practitioners’ position paper suggests an unorthodox approach integrating Whaley’s Theory of Outs and
“turnabout” deception techniques to encourage an attacker’s discovery of deception on a network. Although the late
American deception and communication researcher Barton Whaley appeared to differentiate the categorization of
deception techniques such as “turnabout” and planning for backup deception techniques if discovered or if the deception
appeared to fail, we explore the integration of these approaches to deception design in a cyber context, mainly in situations
where analysts in the Security Operations Center (SOC) are looking for higher fidelity alerting on anomalous events and
suspected attacker activity on the network. Because attackers appear to generally demonstrate greater confidence in their
network movement after discovering what they believe is deception, we visualize how ‘noisy’ controlled deception sock
puppets inside of a network prompting optimized query returns on their content could draw attackers to later stage
deception functions and effects, and more enhanced SOC analysis following alerting on those functions and effects. This
practitioners’ position paper suggests our unorthodox approach offers an alternative strategic and tactical approach to
collaborative cyber deception design and SOC alerting, by highlighting ‘noisy’ deception on a network to lure and influence
attackers.