Page 271 - Cyber Defense eMagazine September 2025
Crucially, during this period, defenders are capturing every probe and fingerprint attempt. The friction-induced inefficiencies increase attack dwell time and the volume of telemetry, making detection and attribution easier. Eventually, frustrated by the lack of consistent telemetry, the red team escalates their approach. This kills their attempts at stealth and triggers active detection systems.
This experiment successfully degrades attacker efficiency, increases their operational cost, and expands the defenders' opportunity window for early detection and response, all without disrupting legitimate internal operations. While it does take effort on the defending side to set all of this up, the outcome would be well worth it.
Ambiguity Engineering
Ambiguity engineering aims to obscure the adversary's mental model. It is the deliberate obfuscation of system state, architecture, and behavior. When attackers cannot build accurate models of the target environments, their actions become riskier and more error-prone. Tactics include using ephemeral resources, shifting IP addresses, inconsistent responses, and mimicking failure states.
Example: Ephemeral Infrastructure and Shifting Network States in Zero Trust Architectures
A SaaS provider operating in a zero trust environment can implement ambiguity engineering as part of its cloud perimeter defense strategy. In this setup, let's consider a containerized ecosystem that leverages Kubernetes-based orchestration. This platform can utilize elements such as ephemeral IPs and DNS mappings, rotating them at certain intervals. These container-hosted backend services would be accessible only via authenticated service mesh gateways, but would appear (to external entities) to intermittently exist, fail, or time out, depending on timing and access credentials.
Consider the experience of an external entity probing a target such as this. These attackers would be looking for initial access, followed by lateral movement and service enumeration inside the target environment. What they would encounter are API endpoints that resolve one moment and vanish the next. Port scans would deliver inconsistent results across multiple iterations. Even successful service calls can return varying error codes depending on timing and the identity of the caller. When this entity tries to correlate observed system behaviors into a coherent attack path, they would continually hit dead ends.
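The gateway behavior described in the two paragraphs above, as an added illustration that is not code from the article or from any particular SaaS provider: a policy layer in front of the backend that always serves authenticated tenants normally, gives everyone else a deterministic but rotating failure state (keyed on a rotation window, the caller's source and the path, so results stay plausible within a window yet cannot be correlated across windows or callers), and records every unauthenticated touch as telemetry. The rotation interval, the failure-state list, the HMAC keying and the `suspicious_sources` threshold are all assumptions made here for the example.

```python
"""Ambiguity-engineering gateway policy (added example, not the article's code).

Assumed model (not from the article): a gateway sees a source address, a path and
an optional bearer token. Valid tokens belong to legitimate tenants and always
reach the real backend. Everyone else observes a failure state that is stable
within a rotation window (so it looks like a real, if flaky, service) but shifts
between windows and differs per source and path. Every such probe is logged.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ROTATION_SECONDS = 300  # assumed: how often the apparent backend state shifts

# Failure states an unauthenticated caller may observe (mimicking common faults).
AMBIGUOUS_RESPONSES: Tuple[Tuple[str, Optional[int]], ...] = (
    ("NXDOMAIN", None),   # endpoint appears not to resolve
    ("TIMEOUT", None),    # connection appears to hang
    ("HTTP", 503),        # service appears up but unavailable
    ("HTTP", 404),        # endpoint appears not to exist
    ("HTTP", 401),        # endpoint appears to exist and demand auth
)


@dataclass
class Gateway:
    rotation_key: bytes               # secret seed for the rotation schedule
    valid_tokens: Set[str]            # tenant credentials (constructed sample)
    telemetry: List[Dict] = field(default_factory=list)

    def _window(self, now: int) -> int:
        return now // ROTATION_SECONDS

    def _ambiguous_state(self, source: str, path: str, now: int) -> Tuple[str, Optional[int]]:
        # Keyed hash: same answer for the same (window, source, path), so a
        # caller re-trying within a window sees consistency, but the answer
        # changes at the next window and is different for other callers/paths.
        msg = f"{self._window(now)}|{source}|{path}".encode()
        digest = hmac.new(self.rotation_key, msg, hashlib.sha256).digest()
        return AMBIGUOUS_RESPONSES[digest[0] % len(AMBIGUOUS_RESPONSES)]

    def _is_authenticated(self, token: Optional[str]) -> bool:
        if token is None:
            return False
        return any(hmac.compare_digest(token, t) for t in self.valid_tokens)

    def handle(self, source: str, path: str, token: Optional[str], now: int) -> Tuple[str, Optional[int]]:
        if self._is_authenticated(token):
            # Legitimate traffic is never subjected to ambiguity.
            return ("HTTP", 200)
        state = self._ambiguous_state(source, path, now)
        # Every unauthenticated touch is a behavioral fingerprint: record it.
        self.telemetry.append({"ts": now, "source": source, "path": path,
                               "token_present": token is not None, "served": state})
        return state


def suspicious_sources(gw: Gateway, min_paths: int = 3) -> Set[str]:
    """Sources that touched at least `min_paths` distinct paths without a valid token.

    This is the enumeration pattern the ambiguity layer is designed to surface;
    the threshold is an assumed tuning value.
    """
    paths_by_source: Dict[str, Set[str]] = {}
    for rec in gw.telemetry:
        paths_by_source.setdefault(rec["source"], set()).add(rec["path"])
    return {s for s, p in paths_by_source.items() if len(p) >= min_paths}


def build_demo_gateway() -> Gateway:
    # Constructed sample secrets; a real deployment would load these from a vault.
    return Gateway(rotation_key=b"constructed-rotation-seed",
                   valid_tokens={"tenant-token-123"})


if __name__ == "__main__":
    gw = build_demo_gateway()
    print("tenant :", gw.handle("10.0.0.5", "/api/orders", "tenant-token-123", 1000))
    for path in ("/api/orders", "/api/admin", "/api/users"):
        for now in (1000, 1000 + ROTATION_SECONDS, 1000 + 2 * ROTATION_SECONDS):
            print("probe  :", path, now, gw.handle("198.51.100.7", path, None, now))
    print("flagged:", suspicious_sources(gw))
```

Two properties matter for the defender here: the authenticated path is deterministic and untouched by the rotation, so legitimate operations are not disrupted, and the unauthenticated path is reproducible from the key alone, so analysts can later reconstruct exactly what a given source was shown in each window when reviewing the captured telemetry.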
This environment was not broken; it was intentionally engineered for ambiguity. The ephemeral nature of resources, combined with intentional mimicry of common failure states, would prevent attackers from forming a reliable mental model of system behavior. Frustrated and misled, their attack chain will slow, errors will increase, and their risk of detection will rise. Meanwhile, defenders can capture behavioral fingerprints from the failed attempts and gather critical telemetry for informed future threat hunting and active protection.