NCSC Plugs Gap in Cyber-Deception Guidance

Cyber deception can be a great way to detect novel threats and uncover hidden compromises, but organizations face several barriers and risks associated with such programs, the National Cyber Security Centre (NCSC) has warned.

The NCSC yesterday shared its learnings from a pilot project it’s running under the Active Cyber Defence (ACD) 2.0 program, featuring 121 UK organizations and 14 cyber-deception solution providers.

It highlighted five findings:

  • Outcome-based metrics are not always easy to generate and require development. Data and context are crucial to delivering insight rather than noise
  • Terminology is often inconsistent across the cyber-deception industry, making it difficult for organizations to understand what vendors are offering
  • A guidance gap means impartial advice, real-world case studies, and reassurance that tools are effective and safe are often missing. Although there’s a strong marketplace of providers, it can be difficult for beginners to navigate
  • If tools aren’t properly configured, there’s a risk that they may fail to detect threats, create a false sense of security, and even let threat actors sneak into networks. Constant fine-tuning and regular updates are necessary
  • Most (90%) organizations prefer not to advertise that they’re using cyber-deception tools and techniques. However, there is evidence to suggest that when threat actors know a company is running honeypots, they become less confident in their efforts, which can benefit network defenders

The NCSC’s goal with this pilot is to “establish an evidence base for use cases” of cyber deception at a national scale, to see how the technology might be adopted as part of Active Cyber Defence 2.0.

The plan is to deploy a minimum of 5000 low- and high-interaction solutions on the UK internet, across IPv4 and IPv6, plus 20,000 low-interaction solutions inside internal networks. The NCSC also wants to deploy 200,000 low-interaction solutions in cloud environments and two million honeytokens – fake IT resources designed to detect criminal activity.

Imposing Costs on the Enemy

The NCSC said it will continue its efforts to raise awareness and understanding of cyber deception, so that organizations can choose the right products and learn from peers.

It also hopes to impart the knowledge that cyber deception can improve national resilience by imposing costs on adversaries.

“By forcing attackers to spend time and resources navigating false environments, chasing fake credentials, or second-guessing their access, cyber deception can slow down attacks and increase the likelihood of detection. This aligns with broader national resilience goals by making the UK a harder, more expensive target,” the NCSC wrote.

“Cyber deception isn’t new, but neither is it widely used, and that’s a missed opportunity. When done well, it can provide early warning of attacks, generate high-quality intelligence, and shape how our adversaries operate. But it’s not a magic fix; it requires planning, strategy, and support.”

The NCSC said it’s providing this support, so that more UK organizations can harness the power of deception, alongside observability and threat hunting, to detect, understand and respond to threats more effectively.
