  • Universities of Applied Sciences
  • Jyväskylän ammattikorkeakoulu
  • Theses (Open collection)

Enhancing Security Monitoring with Deception Techniques

Matilainen, Johannes (2026)

 
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-202604298498
Abstract

Malicious actors have made their activities stealthier by blending in with normal operations. Adversaries do not necessarily bring their own tools to systems but instead use tools that are already built into those systems. While static indicators of malicious activity can detect threats, defenders can improve their defenses by creating circumstances that appear normal to the attacker but abnormal to the defender. By establishing these circumstances, the attacker's time and resource usage in the environment can be increased, and high-fidelity alerts can be obtained.

The goal of this research was to find out how deception techniques can enhance security monitoring and what benefits these techniques bring to it. The aim was to design a deception campaign for the commissioner, and then to create the campaign from that design and test it using red team tools. To achieve these goals, a constructive research method was employed.

As a result, a deception campaign was planned for the commissioner, mapping the threats to the commissioner's company and identifying malicious actors who could target the commissioner's IT environment. Based on this planning, the Kerberoasting technique used by APT29 was chosen for the implementation part of the deception campaign, and the entire campaign was constructed around it. The deception campaign was implemented in the commissioner's production environment, and the functionality of the implementation was tested in practice.

In conclusion, if implemented correctly, a deception campaign strengthens current security monitoring through the high-precision and high-fidelity alerts it provides. If executed properly, no behavior other than real malicious activity would trigger the alerts created within the deception campaign.