Reverse Deception: Organized Cyber Threat Counter-Exploitation (7 page)

Costs and Risks?

Successful deception may make it possible to achieve one’s goals at a lower cost, however that cost may be calculated. Deception, however, implies consequences. It is well to be aware that even the slickest deceptions will incur costs commensurate with the value of the goal achieved. If deception was necessary to achieve it, someone else was prepared to invest resources in denying it.

Designing and executing deception requires people, time, resources, and effort. Resources are never sufficient to do all the things one might want to do. If a hostile attack can be anticipated—as, indeed, experience shows it must be—and successful defenses are not certain—as experience shows they are not—then deception is only one more sensible defensive option. One does not deceive out of idle curiosity, because deception always has consequences which, by definition, incur some risk.

The obvious way to estimate the costs of deception would be to estimate man-hours spent or requisitions submitted in its planning and execution. Opportunity costs should also be considered—for example, what else were your resources not doing while they were deceiving? Also, what was the exchange ratio between benefits received from successful deception versus the direct costs and losses due to risks accepted? How certain are we that the adversary makes a similar calculation? Assuming the adversary behaves as we wish, will he value our success as we do, or will he accept the loss as “the cost of doing business” with us? In short, what value do we place on successfully deceiving the adversary relative to the costs and risks we have run?

Although cost and risk are central to deception, they are not our subject here.

Who Should Deceive?

The question of who should deceive is implicit in the cost question. And this raises two related questions:

What is the necessary skill set?

How do cyber deceivers get trained?

Deception is about manipulating behavior. If the manipulation is not conceived, designed, and executed competently, the adversary would be tipped off and withhold his cooperation, or worse, run a counter deception.

In the late 80s, an analysis of tactical deception at the Army’s National Training Center in California was done. It reached one firm conclusion: competent commanders deceive. Not only did they attempt deception more often than others, but their deceptions were more competently executed and their battles had better outcomes in terms of losses incurred and inflicted, and missions accomplished.
⁵
Military deception is only a special case of the survival value of deception displayed by all living things.

Sun Tzu, the Chinese philosopher of war, was very sensitive to the element of competency. He said, “All warfare is based on deception.” But master Sun looked beyond the value of deception in combat. He praised the general who is able to accomplish missions at low cost in lives and treasure “One hundred victories in one hundred battles is not the most skillful. Subduing the other’s military without battle is the most skillful” (from
The Art of War: A New Translation by the Denma Translation Group
, Shambhala Publications, Inc., Boston, 2001).

Competence at what? As deception is about behavior, this question immediately arises: What does the deceiver want the adversary to do? And what must his behavior be in order to induce that which he desires in the target or object? And beyond that behavior, what, if anything, must the deceiver do to ensure the adversary’s cooperation?

We maintain that a competent competitor is a deceptive one. Involvement in any competitive activity assumes sensitivity to the intelligence and competence of the adversary. One’s own plans must allow for surprise or unexpected adversary action, and to do so, must assume that preparations will be made for that unanticipated occurrence. Otherwise, one is left to rely on overwhelming strength and resources for success. Some leaders, generals, and coaches do try to win with overwhelming force, but the competent leaders, generals, and coaches know enough to prepare for the eventuality that the advantage of overwhelming strength may not be theirs. What then? Already competent, the competitor must resort to guile. If he is more than merely competent, he may not reserve guile for the last resort.

If the defender is morally and ethically justified in using deception to defend the network because the adversary is using deception in pursuit of his ends, who should be responsible for planning and executing defensive deception? Answer: the most competent and most creative defenders.

Any deception plan must balance potential gains against the costs and risks of failure or blowback.
⁶
The basic assumption of any deception operation must be that the adversary is also a competent operator, and thus has made as close a study as he could of the defenders’ behavior to support his attacks. That being so, the defenders must be aware of their own behavior to avoid tipping off the adversary. One might think of a poker player trying very hard not to fall out of his chair when he draws a fifth spade for his straight.

The potential defensive deceiver must be at least technically competent to ensure that the desired message is delivered to the adversary in a credible manner. For that, the deceiver needs to be familiar enough with the adversary to know to what the adversary is likely to react. And, ideally, the defensive deceiver is able to observe the adversary closely enough to know if the message has been received and if the adversary is believing it. The confidence with which a deception can continue is tied to how well the deceiver is able to know whether the ploy has been seen and accepted.

Clearly then, the defensive deceiver must be very knowledgeable of his own system, cleverer than the attacker, and a manager of a complex task. He must both use and generate intelligence. He needs to know and be able to call on and coordinate the efforts of organizations outside his own for information and support as his operation progresses through its life.

Life is the appropriate word. Deceptions end with success, failure, or ambiguity. Something happened, but we can’t say if the deception was responsible. With success, the operation must be closed and lessons learned. With failure, the operation must be closed, the damage limited, and lessons learned. With ambiguity, only the lessons must be learned.

But with all of them, there’s a key question at the end: Is there a way to weave a new effort out of the remnants of the old? Even with a failure, is it possible that the adversary, now that he knows we might try this and that, could be less alert to, or less sensitive to, a variation?

Active vs. Passive Deception

Deception, like intelligence, may have both passive and active aspects. Purely passive deceptions may only cause an attacker to expose his methods for our study. Active deceptions may involve setting up an attacker for an exploitation of our own.

Passivity characterizes most network defenses in that the defender waits for the attacker. Passwords are an example. They merely prevent an attacker from gaining easy access to network content, but by that point, the attacker has already learned something. For the defender, passwords are easy to administer and control. Used well and conscientiously administered in concert with other defenses, passwords can be very effective.

But holding an attacker at bay will not be enough. With sufficient incentive and enough time and resources, a determined attacker may gain access somehow. In the end, passive measures leave the initiative in the attacker’s hands. He calculates how much of his time and resources your data is worth.

As a fondly remembered counterintelligence instructor once said, “The purpose of a lock is not to deter criminals. It is to keep honest people honest.”

A
honeynet
—a vulnerable net set out to entice attackers so that their methods may be studied—is passive but also active in the sense that it can be placed or designed to attract a certain kind of attacker. It is true that the honeynet itself induces behavior in an attacker, but, if deception were part of the plan at all, the exploitation may be indirect or deferred.

Counterintelligence seeks not only to frustrate hostile attempts to penetrate friendly secrets. At its highest level, counterintelligence seeks ultimately to control the hostile intelligence service.
⁷
Active deception seeks to attract specific attackers so that they may be studied and their networks identified, but exploitation of the attacker and his net is the main aim. It seeks to manipulate the behavior of the attacker, the better to cause him to behave in ways advantageous to the defense. The exploitation is the culminating purpose of counterintelligence. The fact that one intelligence service achieves control over another only rarely testifies to the difficulty of doing so, but the goal persists.

Intelligence may be gathered in the course of a deception operation and then studied and integrated into a deception, but those are incidental spin-off benefits. At minimum, the active deception seeks to disadvantage the hostile attacker by causing him to accept unwise risks, gather erroneous information, or behave in ways embarrassing or damaging to his sponsor. At maximum, active deception seeks to destroy the attacker, at least figuratively, by causing him to behave not merely ineffectively, but also to become a source of disruption or loss to others of his ilk.

Clearly, there is a continuum of risk associated with deception, as there is with any competitive endeavor. The actions taken to beat a competitor are bound to elicit responses from the competitor. And the responses will be commensurate with perceptions of risk or gain on both sides. Risk of failure or blowback is always part of the calculation of how and to what extent deception can be used as an element of network defense.