Reverse Deception: Organized Cyber Threat Counter-Exploitation

Authors: Sean Bodmer



We may fail to execute the deceptive operation competently. Competence is always desirable, but never more so than when executing a deception.
We may fail to prepare the exploitation adequately.


British General Wavell and his deception chief Brigadier Dudley Clarke learned a valuable and highly relevant lesson early in World War II while they were fighting the Italian forces in Abyssinia (Ethiopia). Wavell was planning an attack on the north flank, so he feigned an attack on the south to draw Italian reserves away from the north. Unfortunately, the Italians were not privy to his plans: they withdrew from the south and reinforced the north. Evidently, the Italians had their own ideas about the relative importance of the two flanks. From this experience, Clarke drew a lesson that is still relevant. Deception plans start with the question “What do you want the enemy to do?” They never start with “What do you want the enemy to think?” (from David Mure’s Master of Deception: Tangled Webs in London and the Middle East, William Kimber, London, 1980).

Even a great deception success can have ambiguous causes. The D-Day landings at Normandy in June 1944 are a case in point. With apparent great success, thousands of people labored over literally half the globe to plan and execute deceptions to prevent the Germans from learning the exact day and place for the main landings, and to divert German forces from the invasion area. But it is not clear that the success of those deceptions deserves the whole credit for the success of the landings themselves.

It can be argued that the single most critical decision leading to the success on June 6, 1944, was the decision to go ahead with the landings despite the prediction of unfavorable weather in the June window. Allied commanders feared that by the time of the next favorable window of tides, daylight, and moonlight a month later, the Germans would have penetrated the secret and strengthened or altered their defenses sufficiently to defeat it. Because of their weather prediction and their very careful and accurate intelligence assessment, the Germans concluded that the Allies would not attempt a landing during the early June window. Their analysis of previous Allied amphibious operations had given the Germans high confidence that they understood the Allies’ criteria, and their best weather prediction was that those criteria would not be met during the early June window.

But their weather prediction was wrong. It missed a two-day break in the weather that was coming from the northeast and was due to arrive in the Normandy area early on June 6. Because of that gap in their weather intelligence, the Germans were not at the highest state of readiness that good weather would have dictated. The German commander, Rommel, was at home in Stuttgart for his wife’s birthday. Many of the senior German staff members were away from their headquarters for a war game.

The German weather prediction was off because the US Coast Guard and Navy had uprooted German meteorological stations in Greenland, Iceland, and the North Atlantic early in the war. At the time of the landings in June 1944, German weather reporting was confined to reports from two or three U-boats in the North Atlantic, which was inadequate for accurate prediction of weather in western Europe (from British Intelligence in the Second World War, vol. 2, “Annex 7: German Meteorological Operations in the Arctic, 1940-1941,” and vol. 3, by F. H. Hinsley et al., Cambridge University Press, New York, 1981).

Does that mean the effort to deceive the Germans was wasted or unnecessary? Not at all. The war required every effort and resource. If resources were available, no possible effort to deceive the enemy was refused. As Churchill said, “In wartime, truth is so precious that she should always be attended by a bodyguard of lies.”

How precious is your network?

1. For more on this story, visit http://kasmana.people.cofc.edu/MATHFICT/mfview.php?callnumber=mf102. It was further popularized by the song “Charlie on the MTA,” recorded by the Kingston Trio in 1959.

2. How is it that hog-nosed snakes and possums know that stillness turns predators off, while other prey animals do not?

3. Discerning the beliefs and intentions of adversaries is always a goal, but often an adversary does not himself know what his beliefs and intentions may be at critical junctures. Before both the 1967 and 1973 Arab-Israeli wars, intelligence agencies sought to know when the war would start (in both cases, war was anticipated). Later research showed that there was no date certain when it would start. Until the moment the “go” command was given, delay or postponement was always possible. For plainspoken insight into this issue, see “Indications, Warning, and Crisis Operations” by Thomas G. Belden, in International Studies Quarterly, Vol. 21, No. 1 (March 1977).

4. What does this say about the internal thief, the one who has authorized access but uses that access to steal, or to cause or allow to be stolen, the protected data? As we’ve said, network defense is neither solely nor even primarily a technical matter.

5. For various methodological reasons, the study was never formally published. Fred Feer, however, would be glad to discuss the findings and debate them with anyone interested.

6. Blowback is a term of art referring to the unintended consequences of failed covert operations. Is it any surprise that bested competitors strike back?

7. There is no better introduction to this concept than John le Carré’s Tinker, Tailor, Soldier, Spy; The Honourable Schoolboy; and Smiley’s People. Although these novels are fictional, they capture the essence of how one must think about deception.

8. A classic military case was the one in which the British deceived the Italian forces in Ethiopia early in World War II. They feigned strength in the south, hoping to lure Italian forces away from their intended attack in the north. The Italians evidently had a different assessment of the situation: they reinforced the north. For more information, see David Mure’s Master of Deception: Tangled Webs in London and the Middle East (William Kimber, 1980).

9. As an appendix to his book Master of Deception: Tangled Webs in London and the Middle East, David Mure reproduces Colonel Clarke’s reflections on the practice of deception in the Mediterranean from 1941 through 1945.

10. Or was it? David Eisenhower’s Eisenhower at War 1943-1945 (Random House, 1986) suggests that the Allies retained sufficient troops and shipping in England to make “secondary” landings at Calais or Brittany if the Normandy landings failed. Was that also part of the deception plan, to force the Germans to disperse their defenses in the critical early days?

11. In his paper “The Intelligence Process and the Verification Problem” (The RAND Corp., 1985), F. S. Feer illustrates the difficulty of acquiring good intelligence from an uncooperative target. The analogous problem is conveying convincing information to an uncooperative target/adversary.

Acknowledgments

We would like to thank our editorial team; without them, our experience would not have been as smooth. We also want to thank Jeffrey Jones, Fred Feer, and Lance James, whose guidance and contributions made this book a great read. We also have to thank you for your interest in this tome of knowledge and wisdom put together by some of the leading minds in cyber counterintelligence and criminal analysis in the United States. Finally, we need to thank Alex Eisen again for his amazing technical editorial abilities; he truly has an eye for content and detail that pushed us to compile some of the best data we’ve seen for you, our like-minded security professionals.

Introduction

Welcome and thank you for taking an interest in this book and the topics within. We are going to walk you through numerous tools, techniques, procedures, and case studies where these tactics and methods worked! You have opened this book with an awareness of cyber threats to enterprise networks, and want to learn how to proactively combat threats and adversaries.

First, you need to understand what the term advanced persistent threat means. It is a highly skilled and funded entity poised and directed specifically at your enterprise. The term has been in use for several years, but became truly infamous during Operation Aurora, an incident reported by Google in early 2010. In this book, we will discuss countermeasures for advanced persistent threats, persistent threats, and opportunistic threats. All of these can target sensitive information within your enterprise, but each has a different end goal.

Within these pages, you will learn more about the tools and tactics of various malicious software groups, typically referred to as crimeware, and also how to use in-depth counterintelligence tactics against them. By implementing our suggested best practices, you will be able to minimize threats to your enterprise and increase your security posture and preparedness. You do not want your adversaries to gain the upper hand. In some cases, they already have your network, so you need to push the adversaries out of your enterprise.
