SC-30(4): Misleading Information

Control Family:

System and Communications Protection

Parent Control:

SC-30: Concealment and Misdirection

Threats Addressed:

Lateral Movement

Baselines:

(Not part of any baseline)

Previous Version:

NIST Special Publication 800-53 Revision 4:
SC-30(4): Misleading Information

Control Statement

Employ realistic, but misleading information in [Assignment: organization-defined system components] about its security state or posture.

Supplemental Guidance

Employing misleading information is intended to confuse potential adversaries regarding the nature and extent of controls deployed by organizations. Thus, adversaries may employ incorrect and ineffective attack techniques. One technique for misleading adversaries is for organizations to place misleading information regarding the specific controls deployed in external systems that are known to be targeted by adversaries. Another technique is the use of deception nets that mimic actual aspects of organizational systems but use, for example, out-of-date software configurations.

Control Statement

Supplemental Guidance

Related Controls

NIST Special Publication 800-53 Revision 5