Does your organization utilize cyber deception technologies to gather intelligence on attacker behavior and tactics?
Explanation
Cyber deception technologies (such as honeypots, honeyfiles, or decoy systems) can provide valuable insights into attacker methodologies, tools, and objectives by monitoring how adversaries interact with fake assets. These technologies act as early warning systems and can reveal attacker patterns that might otherwise go undetected in your actual production environment.
Evidence could include: documentation of deployed deception technologies, reports generated from these systems showing attacker behavior analysis, integration of threat intelligence gathered from deception technologies into security operations, or procedures for reviewing and acting upon intelligence collected from deception systems.
Implementation Example
Check any cyber deception technology for additional information on attacker behavior
ID: RS.AN-03.324
Context
- Function
  - RS: RESPOND
- Category
  - RS.AN: Incident Analysis
- Sub-Category
  - Analysis is performed to establish what has taken place during an incident and the root cause of the incident
Related questions
- Does your organization have a documented process for investigating notifications from security detection systems?
- Does your organization have a formal process to assess and document the impact of security incidents?
- Does your organization have a documented process for reconstructing the chronological sequence of security incidents, including all affected assets and resources?
- Does your incident response process include identification and analysis of vulnerabilities, threats, and threat actors involved in security incidents?
- Does your organization conduct root cause analysis to identify systemic issues when investigating security incidents?
- Does your organization categorize security incidents according to established incident response plans?

