Page 269 - Cyber Defense eMagazine September 2025
adversaries can. Its value lies in the fact that it is truly the closest thing to a real incident. Table Top
Exercises (TTXs) and penetration tests always have constraints and/or rules of engagement which
distance them from real-world attacker scenarios where there are no constraints. Security chaos
engineering extends the principles of chaos engineering, popularized by Netflix
(https://netflixtechblog.com/chaos-engineering-upgraded-878d341f15fa) to the security domain.
Instead of waiting for real attacks to reveal flaws, defenders can use automation to introduce “security
chaos experiments” (e.g. shutting down servers from active pools, disabling detection rules, injecting fake
credentials, modifying DNS behavior) to understand how systems and teams respond under pressure.
Here are some security chaos engineering techniques to consider as this becomes part of a proactive
cybersecurity strategy:
Temporal Deception - Manipulating Time to Confuse Adversaries
Temporal deception involves distorting how adversaries perceive time in a system (e.g. injecting false
timestamps, delaying responses, or introducing inconsistent event sequences). By disrupting an
attacker’s perception of time, defenders can introduce doubt and delay operations.
Example: Temporal Deception through Delayed Credential Validation in Deception Environments
In a deception-rich enterprise network, temporal deception can be implemented by intentionally
delaying credential validation responses on honeypot systems. For instance, when an attacker attempts
to use harvested credentials to authenticate against a decoy Active Directory (AD) service or an exposed
RDP server designed as a trap, the system introduces variable delays in login response times,
irrespective of the result (e.g. success, failure). These delays mimic either overloaded systems or network
congestion, disrupting an attacker’s internal timing model of the environment. This is particularly effective
when attackers use automated tooling that depends on timing signals (e.g. Kerberos brute-forcing or
timing-based account validation). It can also randomly slow down automated processes that an attacker
hopes will complete within some time frame.
By altering expected response intervals, defenders can inject doubt about the reliability of activities such
as reconnaissance and credential validity. Furthermore, the delayed responses provide defenders with
crucial dwell time for detection and the tracking of lateral movement. This subtle manipulation of time not
only frustrates attackers but also forces them to second-guess whether their tools are functioning
correctly or if they’ve stumbled into a monitored and/or deceptive environment.
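The delayed-validation idea above, as an added example that is not code from the original article: a decoy login handler draws its response delay before it looks at the credentials, so the wait follows the same distribution for success and failure, and it logs every attempt before stalling. The class name, the delay values, the planted account and the sample address are assumptions made for illustration.

```python
import hmac
import random
import time
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class DecoyLogin:
    """Decoy login endpoint that answers on a jittered schedule (hypothetical)."""
    honey_creds: dict                  # planted username -> password (constructed)
    min_delay: float = 0.5             # seconds; tuning values are assumptions
    max_delay: float = 4.0
    stall_chance: float = 0.1          # occasional "overloaded host" response
    stall_extra: float = 10.0
    rng: random.Random = field(default_factory=random.SystemRandom)
    sleep: Callable[[float], None] = time.sleep
    events: list = field(default_factory=list)

    def _draw_delay(self) -> float:
        delay = self.rng.uniform(self.min_delay, self.max_delay)
        if self.rng.random() < self.stall_chance:
            delay += self.rng.uniform(0.0, self.stall_extra)
        return delay

    def attempt(self, username: str, password: str, source_ip: str) -> bool:
        # Draw the delay before checking the credentials, so the wait
        # carries no information about the outcome.
        delay = self._draw_delay()
        planted = self.honey_creds.get(username)
        matched = planted is not None and hmac.compare_digest(
            planted.encode(), password.encode())
        # Record first: any touch of a decoy is a detection signal, and the
        # stall that follows is response time for the defender.
        self.events.append({"ts": time.time(), "src": source_ip,
                            "user": username, "honey_hit": matched,
                            "delay_s": round(delay, 3)})
        self.sleep(delay)
        return matched

if __name__ == "__main__":
    # Constructed sample input; sleep is stubbed so the demo returns at once.
    decoy = DecoyLogin({"svc_backup": "constructed-decoy-password"},
                       sleep=lambda seconds: None)
    decoy.attempt("svc_backup", "constructed-decoy-password", "192.0.2.10")
    decoy.attempt("administrator", "guess", "192.0.2.10")
    for event in decoy.events:
        print(event)
```

A `honey_hit` of true means a planted credential was replayed, which is worth alerting on separately from ordinary failed attempts against the decoy.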
Honey Timing and Time-Based Traps
Time-bound honeypots such as fake cron jobs, scheduled updates, or bogus backup routines can serve
as deceptive traps. Interaction with these elements reveals unauthorized probing or access attempts.
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.