Reverse Deception: Organized Cyber Threat Counter-Exploitation Read Online Free
Author: Sean Bodmer
Tags: General, Computers, security
ethical, or social considerations.
The object of deception is to control, to the deceiver’s advantage, the behavior of an adversary.
The threat of deception adds an element of deterrence to other defenses.
Deception may facilitate intelligence gathering, which may then be used to improve defenses and as input to future deception plans.
Deflecting an adversary causes him to spend his time and resources harmlessly.
But, if the matter is sufficiently important and the goal is sufficiently desirable, an attacker may choose to be undeterred. What then? This is not the place to discuss tactics. Yet, as the manipulation of others’ behavior is the core of this book, we will make a suggestion: Go to an Internet search engine and search for “reflexive control.” You will find much to think about, especially in a report by Vladimir and Victorina Lefebvre, titled “Reflexive Control: The Soviet Concept of Influencing an Adversary’s Decision Making Process” (SAI-84-024-FSRC-E, Science Applications, Inc., Englewood, CO, 1984). You could also do an Internet search for “Vladimir Lefebvre.” Following the links is an interesting and educational journey.
Reflexive control is a concept under which one controls events by sequencing one’s own behavior to induce responses and to create incentives for the adversary to behave as one wishes. This indirect approach proceeds from that one thing over which the deceiver has sure control: his own behavior.
Costs and Risks?
Successful deception may make it possible to achieve one’s goals at a lower cost, however that cost may be calculated. Deception, however, implies consequences. It is well to be aware that even the slickest deceptions will incur costs commensurate with the value of the goal achieved. If deception was necessary to achieve it, someone else was prepared to invest resources in denying it.
Designing and executing deception requires people, time, resources, and effort. Resources are never sufficient to do all the things one might want to do. If a hostile attack can be anticipated—as, indeed, experience shows it must be—and successful defenses are not certain—as experience shows they are not—then deception is only one more sensible defensive option. One does not deceive out of idle curiosity, because deception always has consequences which, by definition, incur some risk.
The obvious way to estimate the costs of deception would be to estimate man-hours spent or requisitions submitted in its planning and execution. Opportunity costs should also be considered—for example, what else were your resources not doing while they were deceiving? Also, what was the exchange ratio between benefits received from successful deception versus the direct costs and losses due to risks accepted? How certain are we that the adversary makes a similar calculation? Assuming the adversary behaves as we wish, will he value our success as we do, or will he accept the loss as “the cost of doing business” with us? In short, what value do we place on successfully deceiving the adversary relative to the costs and risks we have run?
Although cost and risk are central to deception, they are not our subject here.
Who Should Deceive?
The question of who should deceive is implicit in the cost question. And this raises two related questions:
What is the necessary skill set?
How do cyber deceivers get trained?
Deception is about manipulating behavior. If the manipulation is not conceived, designed, and executed competently, the adversary would be tipped off and withhold his cooperation, or worse, run a counter deception.
In the late 80s, an analysis of tactical deception at the Army’s National Training Center in California was done. It reached one firm conclusion: competent commanders deceive. Not only did they attempt deception more often than others, but their deceptions were more competently executed and their battles had better outcomes in terms of losses incurred and
The object of deception is to control, to the deceiver’s advantage, the behavior of an adversary.
The threat of deception adds an element of deterrence to other defenses.
Deception may facilitate intelligence gathering, which may then be used to improve defenses and as input to future deception plans.
Deflecting an adversary causes him to spend his time and resources harmlessly.
But, if the matter is sufficiently important and the goal is sufficiently desirable, an attacker may choose to be undeterred. What then? This is not the place to discuss tactics. Yet, as the manipulation of others’ behavior is the core of this book, we will make a suggestion: Go to an Internet search engine and search for “reflexive control.” You will find much to think about, especially in a report by Vladimir and Victorina Lefebvre, titled “Reflexive Control: The Soviet Concept of Influencing an Adversary’s Decision Making Process” (SAI-84-024-FSRC-E, Science Applications, Inc., Englewood, CO, 1984). You could also do an Internet search for “Vladimir Lefebvre.” Following the links is an interesting and educational journey.
Reflexive control is a concept under which one controls events by sequencing one’s own behavior to induce responses and to create incentives for the adversary to behave as one wishes. This indirect approach proceeds from that one thing over which the deceiver has sure control: his own behavior.
Costs and Risks?
Successful deception may make it possible to achieve one’s goals at a lower cost, however that cost may be calculated. Deception, however, implies consequences. It is well to be aware that even the slickest deceptions will incur costs commensurate with the value of the goal achieved. If deception was necessary to achieve it, someone else was prepared to invest resources in denying it.
Designing and executing deception requires people, time, resources, and effort. Resources are never sufficient to do all the things one might want to do. If a hostile attack can be anticipated—as, indeed, experience shows it must be—and successful defenses are not certain—as experience shows they are not—then deception is only one more sensible defensive option. One does not deceive out of idle curiosity, because deception always has consequences which, by definition, incur some risk.
The obvious way to estimate the costs of deception would be to estimate man-hours spent or requisitions submitted in its planning and execution. Opportunity costs should also be considered—for example, what else were your resources not doing while they were deceiving? Also, what was the exchange ratio between benefits received from successful deception versus the direct costs and losses due to risks accepted? How certain are we that the adversary makes a similar calculation? Assuming the adversary behaves as we wish, will he value our success as we do, or will he accept the loss as “the cost of doing business” with us? In short, what value do we place on successfully deceiving the adversary relative to the costs and risks we have run?
Although cost and risk are central to deception, they are not our subject here.
Who Should Deceive?
The question of who should deceive is implicit in the cost question. And this raises two related questions:
What is the necessary skill set?
How do cyber deceivers get trained?
Deception is about manipulating behavior. If the manipulation is not conceived, designed, and executed competently, the adversary would be tipped off and withhold his cooperation, or worse, run a counter deception.
In the late 80s, an analysis of tactical deception at the Army’s National Training Center in California was done. It reached one firm conclusion: competent commanders deceive. Not only did they attempt deception more often than others, but their deceptions were more competently executed and their battles had better outcomes in terms of losses incurred and
Readers choose
Jennifer O'Donnell
Cyndi Friberg
John McCain
Eric Walters
H M Major
Jim Crace
Sandy Goldsworthy
Katy Moran