Mirage: Cyber Deception against Autonomous Cyber Attacks
This talk presents the Mirage project, which explores the use of cyber deception techniques to counter autonomous cyber adversaries. The researchers demonstrate how deception can be used to manipulate the decision-making processes of autonomous agents by introducing inconsistent state information. The project utilizes the Caldera framework to evaluate the effectiveness of various deception strategies against different autonomous attack planners. The findings suggest that deception can significantly degrade the performance of autonomous agents by forcing them into inefficient planning loops.
Weaponizing Deception Against Autonomous Adversaries
TLDR: Autonomous cyber adversaries are no longer science fiction, and they operate at speeds that render traditional human-in-the-loop defenses obsolete. By manipulating the state space and decision-making logic of these agents, researchers at MITRE have demonstrated that cyber deception can force them into inefficient, recursive planning loops. This research highlights the shift from static honey-tokens to dynamic, state-altering deceptions that target the underlying algorithms of automated attack tools.
Autonomous agents are already here, and they are getting faster. While we often talk about automated scanning or basic credential stuffing, the next generation of tooling uses sophisticated planning algorithms to navigate networks, escalate privileges, and exfiltrate data without a human operator pulling the strings. When an adversary can execute an entire attack chain in seconds, the window for your SOC’s manual response is effectively zero. The research presented at Black Hat 2023 by the Mirage team at MITRE shifts the focus from trying to outrun these agents to outsmarting their decision-making logic.
The Problem with Autonomous Planning
Traditional red team tools, and by extension, the autonomous agents they are evolving into, rely on a sense-plan-act loop. They scan the environment, update their internal state, and use planning algorithms to determine the next optimal move. Whether they are using simple atomic actions or complex look-ahead strategies, these agents are bound by the same constraints as any search algorithm: they need to minimize the state space to make decisions efficiently.
If you want to stop an autonomous agent, you do not need to block every single port or patch every vulnerability. You need to break its planning process. The Mirage project demonstrates that by introducing inconsistent state information, you can force an agent to waste time, fail its objectives, or get stuck in a logic loop. This is not about setting a trap; it is about poisoning the adversary's perception of reality.
Manipulating the State Space
The researchers focused on three primary deception techniques designed to target the planning logic of autonomous agents:
- Black Hole Directories: By monitoring exfiltration attempts, the system detects when an agent targets a specific directory. It then makes that directory appear empty or redirects the agent to a fake, high-value target, causing the agent to stall or fail its exfiltration objective.
- File Facade: This technique replaces legitimate files with randomized, fake data in real-time. When an agent attempts to read or exfiltrate these files, it encounters junk data, which can trigger further logic errors or simply waste the agent's execution time.
- Sneaky Files: This is perhaps the most elegant approach. When the system detects an agent performing discovery, it dynamically renames files or modifies the directory structure. Because the agent relies on its internal map of the system to plan its next move, these changes render its previous intelligence stale.
These techniques are implemented through Caldera, an open-source framework for adversary emulation. By using Caldera’s modular architecture, the researchers were able to swap out different "planners"—the algorithms that decide which action to take next—and measure how effectively their deceptions degraded performance.
Measuring the Impact on Adversary Logic
To quantify the effectiveness of these deceptions, the team tracked metrics like the number of failed actions, the time spent planning, and the total number of "facts" (pieces of intelligence) discovered. The results were clear: advanced planners, which are generally more efficient, suffered the most when faced with dynamic deception.
When an agent is forced to repeatedly attempt an action that fails—or worse, when it discovers a file that changes its name every time it is accessed—the agent’s planning algorithm enters a state of high entropy. It spends more time re-planning than executing. For a pentester, this is a goldmine. If you are running an engagement against a client with automated detection, you can use these same principles to identify where their automated response logic is brittle. If you can force their automated systems to "think" too hard, you create the noise necessary to hide your actual activity.
Building the Deception Infrastructure
The team built a custom Windows service called Anansi to handle the heavy lifting of monitoring and responding to adversary activity. Anansi operates on a fixed-interval loop, checking for specific PowerShell commands or file system access patterns. When it detects a trigger, it executes a deception action.
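The interaction between a fixed-interval monitor and a sense-plan-act agent, and the metrics described earlier (failed actions, re-plans, facts discovered), can be seen in a small simulation. This is an added toy model, not code from Anansi, Caldera or the talk: `Host`, `monitor_tick` and `run_agent` are hypothetical names, the file names are constructed, and it assumes the monitor runs once per agent action.

```python
NAMES = ["a.txt", "b.txt", "c.txt"]         # constructed sample files

class Host:
    """Constructed in-memory file store standing in for a monitored host."""
    def __init__(self, names):
        self.files = {n: f"data-{i}" for i, n in enumerate(names)}
        self.log, self.gen = [], 0          # observable activity, rename counter

    def list_dir(self):
        self.log.append("discovery")
        return sorted(self.files)

    def read(self, name):
        self.log.append(f"read {name}")
        return self.files.get(name)         # None means the action failed

    def rename_all(self):
        """Sneaky Files: give every file a fresh name."""
        self.gen += 1
        self.files = {f"{k.split('~')[0]}~{self.gen}": v for k, v in self.files.items()}

def monitor_tick(host, seen):
    """One pass of the fixed-interval loop: rename after any new discovery."""
    if "discovery" in host.log[seen:]:
        host.rename_all()
    return len(host.log)

def run_agent(host, deception, max_steps=20):
    """Sense-plan-act agent: map the directory, then read each mapped file."""
    plan, stolen, seen = [], set(), 0
    stats = {"steps": 0, "failed": 0, "replans": 0, "facts": 0, "stolen": 0}
    for _ in range(max_steps):
        stats["steps"] += 1
        if not plan:                        # sense + plan: rebuild the map
            plan = host.list_dir()
            stats["replans"] += 1
            stats["facts"] += len(plan)
        else:                               # act on the next planned target
            data = host.read(plan.pop(0))
            if data is None:
                stats["failed"] += 1
                plan = []                   # stale map, force a re-plan
            else:
                stolen.add(data)
        if deception:
            seen = monitor_tick(host, seen)
        stats["stolen"] = len(stolen)
        if len(stolen) == len(host.files):
            break
    return stats
```

Comparing `run_agent(Host(NAMES), deception=False)` with `deception=True` shows the agent finishing in four steps without deception, and with it spending its whole step budget alternating between discovery and failed reads.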
For those looking to experiment with this, the Caldera Range plugin is the logical starting point. It allows for the rapid, automated deployment of infrastructure in cloud environments like AWS or Azure, providing a sandbox to test how different deception strategies hold up against various attack planners.
The Future of Defensive Deception
Defenders often view deception as a static game of "hide the flag." This research proves that it must be a dynamic, algorithmic game of "break the planner." As autonomous agents become more prevalent, the ability to manipulate their internal state will become a critical skill for both red and blue teams.
If you are a researcher, start looking at the planners in your favorite C2 frameworks. How do they handle unexpected state changes? If you are a defender, stop relying on static alerts and start building services that can dynamically alter the environment in response to detected activity. The goal is not to stop the adversary from entering; it is to ensure that once they are inside, they are playing a game they cannot possibly win. The next time you are on an engagement, don't just look for vulnerabilities. Look for the automated logic that governs the environment and see if you can make it trip over its own feet.