Security BSides Las Vegas 2025

Azazel System: Tactical Delaying Action via the Cyber-Scapegoat Gateway
2025-08-04, Firenze

Have you heard of the term "Delaying Action"? In military strategy, it refers to a defensive maneuver where forces avoid decisive engagement, instead continuing to fight strategically for as long as possible to slow the enemy's advance. In today’s cyber warfare, where attacks are fast and automated, adversaries can breach assets in seconds. We believe this classical doctrine must be reimagined for modern cybersecurity.

This concept inspired the development of the Azazel System, which implements Cyber Scapegoat technology—a novel deception mechanism that absorbs attacks, misleads adversaries, and strategically delays their progress. Unlike traditional honeypots that simply observe, the Cyber Scapegoat actively engages and binds the attacker, realizing a true delaying action in cyberspace.

Built entirely with open-source software on a Raspberry Pi 5, the Azazel System is lightweight, portable, and easy to deploy in home labs, gateways, VPN endpoints, or CTF environments.

In this talk, we encourage the audience to rethink cyber defense as a means of controlling time. Defense is not just about stopping attacks, but about delaying them tactically. We invite attendees to explore how deception and delay can be adapted to their own environments to build creative and resilient cyber defense strategies.


1. Introduction

Modern cybersecurity defense must move beyond passive monitoring and immediate attack blocking. Attackers are increasingly using automated tools that quickly scan, exploit, and establish persistence within seconds. Traditional honeypots collect attack data but do not interfere with or slow down adversaries. Decoy servers mislead attackers but do not impact their decision-making time.

This presentation introduces Azazel System, a portable, low-cost cyber deception gateway that incorporates tactical delaying actions to provide an effective response against real-world cyber threats. By leveraging the concept of cyber-scapegoating, the system not only misdirects attackers but actively slows them down using real-time intervention techniques.

Built on Raspberry Pi 5 (8GB) with a hybrid architecture, Azazel System employs:
- Real-time traffic manipulation using tc (Traffic Control) and iptables
- Cyber-scapegoat deception to absorb and delay attacks rather than just observing them
- Automated logging and threat classification using Fluent Bit and MITRE ATT&CK
- Integration with public Wi-Fi and untrusted network environments, ensuring adaptability for diverse deployment scenarios

This talk will explore the design, deployment, and defensive applications of this portable security gateway, demonstrating its effectiveness in delaying attacks while providing defenders with essential response time.


2. Tactical Delaying Action in Cybersecurity

2.1. Military Delaying Action: A Defensive Strategy

In military land warfare, delaying actions are used to slow enemy forces, disrupt their movements, and create opportunities for counterattacks. These tactics include:
- Strategic withdrawal while applying resistance to force attackers into resource exhaustion
- Obstacle deployment to manipulate enemy pathways
- Diversionary targets to redirect enemy focus

Azazel System applies these principles to cybersecurity by deliberately controlling an attacker's progress, rather than merely blocking access.


3. The Cyber-Scapegoat Model: Beyond Traditional Honeypots

Problem: Previous deception techniques fail to actively interfere with an attacker’s workflow.
Solution: Cyber-scapegoats absorb attacks and delay adversaries, increasing their operational fatigue.

Method               | Honeypots              | Decoy Servers          | Cyber-Scapegoat (Azazel System)
---------------------+------------------------+------------------------+-------------------------------------------------
Purpose              | Collect attack data    | Misdirect attackers    | Actively delay and disrupt attacks
Impact on Attackers  | No direct interaction  | Passive deception      | Manipulates and slows adversaries
Operational Outcome  | Intelligence gathering | Temporary misdirection | Fatigue attackers and buy defender response time

Unlike traditional deception models, Azazel System exploits attacker persistence by prolonging their engagement with non-critical assets.


4. Hybrid Architecture and Deployment

📌 Challenge: Running active deception and tactical delay mechanisms on resource-limited hardware.
📌 Solution: A hybrid system that offloads deep attack analysis to an external laptop.

4.1. System Overview

📌 Azazel System operates as a portable gateway, intercepting and delaying attacks before they reach critical assets.

🔹 Key Components:
- Raspberry Pi 5 (8GB) as the core gateway
- Containerized OpenCanary for deception
- Real-time network manipulation with tc and iptables
- Automated log forwarding via Fluent Bit
- External laptop for in-depth forensic analysis

🔹 Deployment Use Cases:
- Security for public Wi-Fi and travel networks
- SOC (Security Operations Center) incident response augmentation
- Cyberwarfare research and adversary behavior modeling


5. Implementation and Attack Mitigation Techniques

📌 Azazel System actively intervenes in attack processes rather than just logging them.

5.1. Network Delay & Redirection

📌 Key Mechanism: Slow down reconnaissance and exploit attempts using dynamic network manipulation.

🔹 Methods Used:
- tc to artificially increase latency in suspicious connections
- iptables rules to reroute attackers into deception environments
- Adaptive response, progressively increasing delays on persistent threats
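The three methods above combined in one POSIX shell script, added here as an illustration and not the Azazel System's own code: an HTB class on the attacker-facing interface fed by an fw filter on an iptables mark, a netem delay that doubles on every new observation of the same source up to a ceiling, and a DNAT that steers that source's TCP into the OpenCanary container. The interface name, canary address, mark value and class ids are assumptions; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Escalating delay plus redirect for one suspicious source, in the style of the
# tc/iptables delaying action described above. Assumed names: WAN_IF is the
# attacker-facing interface, CANARY_IP the OpenCanary container, mark 0x10 and
# HTB class 1:10 are arbitrary choices. DRY_RUN=1 prints commands instead.
WAN_IF="${WAN_IF:-eth0}"
CANARY_IP="${CANARY_IP:-172.18.0.10}"
BASE_MS=200      # delay on the first observation of a source
MAX_MS=8000      # ceiling, so connections still complete and the attacker stays engaged
MARK=0x10

# Delay (ms) for the n-th observation of the same source: BASE_MS * 2^(n-1), capped.
escalate_delay() {
    n=$1; ms=$BASE_MS
    while [ "$n" -gt 1 ]; do
        ms=$((ms * 2)); n=$((n - 1))
        if [ "$ms" -ge "$MAX_MS" ]; then ms=$MAX_MS; break; fi
    done
    echo "$ms"
}

# Execute a command, or only print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# One-time skeleton: HTB root, a default class, a delayed class, and an fw filter
# that sends any packet carrying MARK into the delayed class.
setup_qdisc() {
    run tc qdisc add dev "$WAN_IF" root handle 1: htb default 1
    run tc class add dev "$WAN_IF" parent 1: classid 1:1 htb rate 100mbit
    run tc class add dev "$WAN_IF" parent 1: classid 1:10 htb rate 1mbit
    run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 1 handle $MARK fw flowid 1:10
}

# Per-source action, called once per new observation with the running count:
# replies to the source are marked (first hit only), the netem delay on class
# 1:10 is replaced with the escalated value, and the source's TCP is DNATed
# into OpenCanary (first hit only) so it keeps talking to a scapegoat.
apply_delay() {
    ip=$1; hits=$2
    ms=$(escalate_delay "$hits")
    if [ "$hits" -eq 1 ]; then
        run iptables -t mangle -A POSTROUTING -d "$ip" -j MARK --set-mark $MARK
        run iptables -t nat -A PREROUTING -i "$WAN_IF" -s "$ip" -p tcp -j DNAT --to-destination "$CANARY_IP"
    fi
    run tc qdisc replace dev "$WAN_IF" parent 1:10 handle 10: netem delay "${ms}ms" "$((ms / 4))ms"
    echo "$ip hit $hits: delay ${ms}ms" >&2
}
```

All marked sources share class 1:10, so the most recent escalation applies to every one of them; giving each source its own class and netem instance is the natural next step.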

5.2. Logging, Threat Classification, and MITRE ATT&CK Integration

📌 Key Mechanism: Suricata intrusion alerts processed via Fluent Bit and classified using MITRE ATT&CK.

🔹 How It Works:
- Suricata detects unusual network activity.
- Fluent Bit sends logs to an external laptop.
- Kibana visualizes the attack timeline, mapped to MITRE ATT&CK.
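The forwarding leg of this pipeline as a Fluent Bit classic-format configuration, added here as an illustration and not taken from the Azazel System: it tails Suricata's eve.json, keeps only alert events, tags them with a sensor name, and forwards them to the analysis laptop. The eve.json path, database path, sensor name and laptop address are assumptions.

```ini
[SERVICE]
    flush        5
    log_level    info
    # the stock parsers file ships a "json" parser
    parsers_file /etc/fluent-bit/parsers.conf

[INPUT]
    name    tail
    # assumed Suricata eve output path
    path    /var/log/suricata/eve.json
    parser  json
    tag     suricata.eve
    # offset tracking so restarts do not resend or skip records
    db      /var/lib/fluent-bit/eve.db

[FILTER]
    # drop flow/dns/http records, keep only alerts
    name    grep
    match   suricata.eve
    regex   event_type ^alert$

[FILTER]
    # assumed sensor name, useful when several gateways report to one laptop
    name    modify
    match   suricata.eve
    add     sensor azazel-pi5

[OUTPUT]
    # assumed laptop address; Fluent Bit's forward protocol on its default port
    name    forward
    match   suricata.eve
    host    192.168.50.2
    port    24224
```

If the ruleset carries ATT&CK ids in rule metadata (the ET Open rules do) and Suricata's eve alert output has metadata logging enabled, those ids arrive under alert.metadata and can drive the Kibana mapping without further processing on the Pi.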


6. Key Benefits and Tactical Advantages

📌 Azazel System offers advantages beyond traditional deception techniques:

🔹 Delaying attackers to increase defensive response time
🔹 Cyber-scapegoat model actively manipulates adversary behavior
🔹 Lightweight, portable deployment suitable for high-risk environments
🔹 OSS-based, making it cost-effective and adaptable

A former penetration tester turned independent security researcher, I specialize in developing unconventional security tools and offensive/defensive techniques. My work often centers on tactical deception and delay strategies in cyber operations, which I regularly present at cybersecurity conferences across Japan.

Off the clock, I have an incurable vulnerability to good drinks—an "alcohol injection" bug that's still wide open.