Reverse Deception: Organized Cyber Threat Counter-Exploitation (5 page)

If seen, run away.

Counterattack if there is no alternative.

When none of the preceding three are possible, use wits and resort to subterfuge.

Hog-nosed snakes and possums feign death
²
. Puffer fish make themselves too big and unpleasant to swallow, and skunks, well… you get the idea. The substance of this book explores the human, rational, and computer network analogs.

Deception’s distinguishing characteristic is that its purpose is to affect behavior. (You can’t deceive an inanimate object, after all.) So the purpose of the deception is to manipulate someone to act as he would not do if he understood what the deceiver were up to. However, taking that desired action probably will not be sufficient. Tricking the bank manager into giving up the combination to the vault still leaves the job of gathering up the money and hauling it away, not to mention avoiding the police long enough to enjoy it.

So deception has three parts:

Define the end state (after the deception succeeds, what is the state of things?).

Perform the action(s) that causes the adversary to cooperate, or at least not interfere with the deceiver’s action.

Execute the action required to secure the intended advantageous state.

We give these parts names: the
objective
, the
deception
, and the
exploitation
. Without all three, there can be no deception plan. It is possible to fool, mislead, or confuse. But to do so may cause the adversary to take some unforeseen or unfavorable action. And unless one has the intent and capability to exploit that action induced in the adversary to achieve a goal, what was the purpose of the whole exercise? Of what benefit was it?

Merely hiding something is not deception. Camouflage is an example. Camouflage hides or distorts the appearance of an object, but it does not alter the hunter’s behavior. A newborn deer is speckled and has no scent—essentially invisible to predators—so that it can be left alone while its mother browses. But deer make no effort to defend a fawn by distracting or attacking predators should the fawn be discovered. In contrast, some ground-nesting birds lay speckled eggs, make nests of local materials, and have chicks of a fuzzy form and indeterminate color to discourage predators. But they also will feign a broken wing in efforts to distract predators and lead them away from their nests. They are deceiving their enemies in a way deer do not. On the other hand, some birds will attack predators near their nest, attempting to drive those predators away, but they don’t try to lead the predators away from the nest.

Deception, then, is about behavior both induced in the adversary and undertaken by the deceiver to exploit it. To deceive, it is not sufficient to induce belief in the adversary; it is necessary also to prepare and execute the exploitation of resultant behavior.

As long as the target or object of our deception does what we want him to do, that should be sufficient for deceptive purposes. The adversary may have doubts. He may take precautions.
³
The deceiver’s response is not to embroil himself in attempting to discern the quality of his adversary’s beliefs—a fraught task in the best of times—but to make contingency plans of his own to maintain the initiative and achieve his aims whatever the adversary may do. The adversary’s actions are sufficient warranty for his beliefs.

Purely as a practical matter, how likely is it that the deceiver will be sufficiently certain of his knowledge of the state of mind of an adversary partially known and far away? As deceivers, we may know what the adversary knows because we told him or because we know what someone tells us he was told. But can we know what the adversary believes? What he intends? How today’s environment impacts this morning’s beliefs?

The only thing in the world anyone controls with certainty is his own behavior. From within an organization where action must take place through agents and intermediaries, there is little enough control. As deceivers, we may know only what we intended by acting in a certain way and what we intended if the adversary responded in the anticipated way. The purpose of the deception, after all, is to make the adversary’s actions predictable!

You will say that not knowing his state of mind or beliefs, we cannot know with assurance whether the adversary acted as he did in accord with our intentions or in a deception of his own in which he is using secret knowledge of our intentions. You are right to say so. That is why the deceiver, as well as—and perhaps more than—the deceived must have doubts and contingency plans. It is the deceiver who accepts the added risk of committing to exploiting activity he has initiated.

Card workers (magicians) use the theory of the “Out” as insurance that their tricks will amaze the audience even if they fail. An Out is a piece of business prepared in anticipation of something going wrong in front of live audiences
(
see
“Outs”: Precautions and Challenges for Ambitious Card Workers
by Charles H. Hopkins and illustrated by Walter S. Fogg, 1940). Failure, to one extent or another, is highly likely in any effort to manipulate another. By anticipating when and how failure may occur, it is possible to plan actions to not merely cover the failure, but to transition to an alternate path to a successful conclusion.

Does this differ from old-fashioned contingency planning? Perhaps radically. In a contingency plan, typically the rationale is: “I’ll do A. If the adversary does something unanticipated or uncooperative, then I’ll do C, or I’ll cope.” The theory of Outs would have it: “I’ll do A, but at some point the adversary may do something else, B or B’. If so, I am prepared to do C or C’ to enable me, nonetheless, to achieve A.” The emphasis is on having anticipated those points in the operation where circumstances may dictate change and, having prepared alternatives, enabling achievement of the original objective nonetheless. “It’s the end state, stupid!” to paraphrase.

Deception consists of all those things we must do to manipulate the behavior of the target or object of our operations. It follows that deception is not necessarily or even primarily a matter of technical mastery. In the context of this book, it is a state of mind that recognizes it is the value of the information in the network that attracts hostile interest. In order to penetrate protected networks, certain specific items of intelligence are needed. And, therefore, it is the adversary’s interest in these items of information and his need for the data on the network that make it possible to induce him to act against his own interest.

This insight was emphasized by Geoffrey Barkas, a British camouflage expert in North Africa. (Before and after the war, Barkas was a successful movie producer.) After the Germans had captured one of his more elaborate schemes, Barkas thought the Germans, now aware of the extent of British capabilities, could not be fooled again. They were though, and Barkas realized that as long as the enemy had a good intelligence service to which enemy commanders paid attention, it was possible to fool them again and again (as described in
The Camouflage Story (From Aintree to Alamein)
by Geoffrey and Natalie Barkas, London, Cassell & Company Ltd, 1952).

Barkas realized that it is the need for information and willingness to act on the information acquired that creates the vulnerability to deception. It is no more possible to avoid being deceived than it is to engage in competitive activity without seeking and using information. One can try to do so, and one might succeed for a time. Without intelligence, one could blunder, and in blundering, confuse an opponent into blundering also, but one could not deceive. Deception presupposes a conscious choice. Deception is in the very nature of competitive activity.

The interplay among competitive, conflicting interests must inform the extent, expense, and means used in defending the integrity of the information/data stored in networks. Both attack and defense are preeminently human, not technical.

An excellent, if trivial, example is this football ploy: A quarterback gets down to begin a play, as does the opposing line. He then stands up and calmly walks across the line between the opposing defenders, and then sprints for the end zone. By the time the defenders recover, it is too late. (You can see this in action at
http://www.koreus.com/video/football-americain-culot.html
.) This is perfectly legal. It’s done right in plain sight. Success depends entirely on surprise (and a speedy quarterback). It won’t work often, but when conditions are right, it meets all the requirements of a deception plan well executed.