CYBER DECEPTION
The Art of Camouflage, Stealth and Misdirection

Jun 01, 2021

Deception has been central to warfare for millennia; electronic deception has been in practice for a century; and cyber deception has been an important focus for decades. To the extent that it is mandated in policy and standards and supported in domestic and international law, cyber deception is established as a best practice – and yet there is reluctance, in some quarters, to use deception as a defensive strategy.

Furthermore, cyber deception has been critical to intelligence collection, to adversary management (actively defending, disrupting and deterring) and to creating effects on one’s opponent. A military can, for example, employ deception in a decisive engagement, then disappear, re-spawn and maneuver within the domain. Hence it is a principal concept of warfare. Any enterprise that has not operationalized cyber deception within its security plan is strategically disadvantaged against threats.

There are those who are competing aggressively against Canada in the cyber and cognitive domains. Foreign militaries have overrun networks of importance to Canada, purposefully interfered with critical infrastructure, attempted to influence and, in some cases, subverted the democratic process. Canada’s adversaries are well-practiced in misdirection and deception in the domain.

The Russian military doctrine of Maskirovka (disguise) covers a broad range of measures for military deception – decoys, camouflage, concealment, imitation, manipulation and disinformation – across all domains, and particularly cyber, where Maskirovka is most effective.

A key aspect of military deception is surprise (vnezapnost), so the two are naturally practiced together. Russia has a recognized history of operating with a hybrid combination of elements for military power and influence – and cyber deception provides Russia with a new and effective leverage tool on the global battlefield.

BACKGROUND

Deception has been central to the calculus of warfare, diplomacy, business and sport since the beginning of recorded history. Electronic deception has been used to great effect since WW1, and cyber deception for the past 40 years. The cyber deception technology market is currently estimated to grow to $12 billion by 2022.

Global cyberthreat intelligence services use deception infrastructures to collect malware and to “fingerprint” the Tactics, Techniques and Procedures (TTP) of Advanced Persistent Threats (APT). Deception technology has also proven the most effective means of detecting zero-day exploits. Thus, cyber deception has been established as a best practice for cyber security for quite some time.

Joint Doctrine for Military Deception says that “military deception is applicable at each level-of-war and across the range of military operations including cyber. It is defined as being those actions executed to deliberately mislead adversary military decision makers as to friendly military capabilities, intentions and operations, thereby causing the adversary to take specific actions that will contribute to the accomplishment of the friendly mission.”

The Interdepartmental Committee on Information Warfare, established in 1994, developed operational concepts for proactive defence, cyber psychological operations and deception. A Proactive Cyber Security Strategy released by the Treasury Board Secretariat incorporated many of these ideas in 2009.

It is interesting to note that the Canadian Forces Information Warfare Conceptual Framework was developed by Lt(N) Robert Garigue, Ph.D., in 1995. As deputy commander of the Canadian Forces Information Operations Group (CFIOG) at the time, Garigue prophesied semantic warfare and cyber deception in depth.

The United Kingdom established its first research unit focused solely on cyber deception in November 2019. Reflecting growing awareness of the importance of deception in this domain, the National Cyber Deception Laboratory (NCDL) is administered by Cranfield University on behalf of the UK Ministry of Defence. Based at the MoD’s Cyber School at the UK Defence Academy, the NCDL recognizes deception as a “hallmark of military and intelligence operations.”

NATO Best Practices in Computer Network Defence, published in 2014 and co-authored by a number of Canadian representatives, reinforced the need for cyber deception, forward-deployed intelligence collection and active defence. The Tallinn Manual on the International Law Applicable to Cyber Warfare (Rule 61 – Ruses) permits cyber deception operations during both war and peace as an effective means of defence.

Cyber, by definition, includes data and the electromagnetic (EM) spectrum. One would naturally expect the army, navy and air force to protect important platforms from detection across the EM spectrum – from visible light to radio waves (a form of electronic camouflage). You wouldn’t paint army vehicles bright orange; likewise, it’s important not to “paint” vital cyber infrastructures as obviously as some, surprisingly, do.

All military campaigns require stealth and deception – cyber is no different.

Resilience is important but has mostly focused on hardened static defences. Sometimes it’s best not to be in the line of fire, even if you think you’re bulletproof.

There is a huge benefit to the use of deception in defence of the digital battlespace. Cyber deception in defence is likely to lead to the most interesting developments in cyber combat effort and activity.

The cost of a deception capability is substantially lower than the price imposed upon the adversary, or the impact of a breach on one’s own systems without the early detection afforded by deception technology. This is particularly true for complex infrastructures with unstable attack surfaces and for the sophisticated attacker – where security management is most challenging. Moreover, deception activities often result in exposure of the adversary’s most sensitive tradecraft and tools.

CONCEALMENT AND MISDIRECTION

The Communication Security Establishment (CSE) of Canada has provided explicit cyber security guidance to departments on the matter of cyber deception, concealment and misdirection.

Similarly, the UK National Cyber Deception Lab advises: “Network defenders should take a proactive approach by using military deception tradecraft to effectively defend against and manipulate the activities of attackers operating within their networks. Cyber deception offers a significant asymmetric advantage to the network defender, because they own the terrain and adversaries lack the defenders’ situational awareness.”

CYBER DECEPTION TECHNOLOGY

The efficacy of deception for defence in the cyber domain is well-established, with modern commercial services focused on detecting adversaries and collecting intelligence on their activities. Cyber deception for cyber security comprises three verticals: detecting adversaries, eliciting intelligence and adversary management.

Deception technology is also an established category of cyber security and defence. These systems can detect, analyze, and defend against zero-day and advanced attacks, often in real time. They are automated, highly accurate, and provide unique insight into malicious activity of sophisticated actors, where conventional defence systems fail. Deception technology enables a more proactive security posture by seeking to deceive, detect and defeat threat actors before they can attack.

OFFENSIVE CYBER DECEPTION

Deceive, Detect, Disrupt & Deter

Canada’s adversaries are adept at offensive cyber deception. We see daily evidence of cyber psychological operations, misinformation, influence and social engineering campaigns against Canadians and institutions by foreign intelligence services and militaries. Principal among these tactics is social engineering.

Social engineering uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called “bugs in the human wetware,” are exploited in various combinations. Phishing tactics have proven to be among the most effective. Other means can take the form of:

  • Trojan horse
  • Spoofing
  • Luring
  • Man in the Middle attacks
  • Click-bait
  • Poisoning of domain name servers
  • False flag
  • Impersonation and Fraud
  • Meaconing navigational signals
  • Deliberate disruption, interference, or jamming.

CYBER DECEPTION SOLUTIONS

Examples of successful cyber deception solutions in wide use and acceptance:

  • Content Delivery Networks (CDN)
  • Virtualization and Cloud
  • Anonymizers
  • Organizational cloaking
  • Moving Target Defence (MTD)
  • Dark space
  • Honeypots
  • Honeynet
  • Tar pits
  • Randomness
  • Change processing / Storage
  • Misleading Information
  • Feed material
  • False flagging
  • Concealment (of system components)
  • Honeyclients
  • Black holing
  • Sink holing
  • Conflict networks
  • Circumvention network
  • Counter censorship
  • Packet staining
  • Recursive DNS protection
  • Flowspec BGP
  • Triggered content
  • Beaconing detection
  • Cyber threat intelligence
  • Deception technology when integrated with threat hunting, memory and malware analysis

LAW, ETHICS AND RISK

Although ethics dictate that cyber deception not be practiced against one’s own law-abiding citizens, it is a non-lethal and effective tactic against adversaries. The following are principal observations and findings with respect to legal use of active cyber deception in the Canadian context:

  1. Cyber deception technologies have been operating for half a century without court challenges.
  2. There is no express prohibition of cyber deception, domestically or internationally. Neither is there exclusivity to any parties or agencies.
  3. An organization not only has the authority to conduct cyber deception to protect its networks and assure its mission; it would also appear to be explicitly obligated to do so by official security guidance, standards, regulations and best practices.

RESIDUAL RISK

The common straw-man argument against deception technologies is to raise the remote possibility that a deception technology (like a honeypot) could be compromised and used as a launching platform to attack third parties.

Of course, the third-party liability argument can be applied to all networks, computers or mobile devices. However, the difference here is that deception networks are much more carefully monitored and controlled than the average network. For example, many deception nets are engineered to throttle outbound traffic and prevent attacks. Secondly, they are designed to catch threat activity early, and hence are far more vigilant and secure than a conventional network. Thirdly, there are no established trust relationships or shared credentials between a deception net and regular users, thus preventing an attacker from moving laterally.
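The engineering controls described above (outbound throttling from the deception segment, close monitoring, and the fact that a decoy has no legitimate reason to initiate connections) can be written down as a small egress policy. The following Python is an added example, not code from the article or from any vendor’s deception product; the decoy and collector address ranges, the collector ports and the flow records are constructed for illustration. The policy is default-deny for decoy-originated traffic, allows only log shipping to the collector, rate-limits even that with a token bucket so a compromised decoy cannot be used to flood a third party, and treats every other outbound attempt as an alert in its own right.

```python
"""Egress policy for a deception network segment (added example, constructed data)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addressing: the decoy segment and the monitoring collector segment.
DECOY_NET = ip_network("10.66.0.0/24")
COLLECTOR_NET = ip_network("10.99.0.0/24")
COLLECTOR_PORTS = {514, 5044}  # syslog and a log-shipper port (assumed for the example)


@dataclass
class TokenBucket:
    """Classic token bucket: `capacity` is the burst size, `refill_per_sec` the sustained rate."""
    capacity: float
    refill_per_sec: float
    tokens: Optional[float] = None
    last: Optional[float] = None

    def allow(self, now: float, cost: float = 1.0) -> bool:
        if self.tokens is None:          # first use: start full
            self.tokens, self.last = self.capacity, now
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


@dataclass
class Flow:
    """One outbound connection attempt as seen at the segment boundary."""
    ts: float
    src: str
    dst: str
    dport: int


class DecoyEgressPolicy:
    """Default-deny egress for decoys; collector traffic only, and throttled."""

    def __init__(self, burst: int = 5, per_sec: float = 0.5) -> None:
        self.burst, self.per_sec = burst, per_sec
        self.buckets: Dict[str, TokenBucket] = {}
        self.alerts: List[str] = []

    def decide(self, f: Flow) -> Tuple[str, str]:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if src not in DECOY_NET:
            return "allow", "not a decoy source"   # policy applies only to the decoy segment
        if dst in COLLECTOR_NET and f.dport in COLLECTOR_PORTS:
            bucket = self.buckets.setdefault(f.src, TokenBucket(self.burst, self.per_sec))
            if bucket.allow(f.ts):
                return "allow", "collector traffic within rate"
            return "deny", "collector traffic rate exceeded"
        # A decoy initiating anything else is itself a high-fidelity indicator.
        self.alerts.append(f"{f.ts:.0f} decoy {f.src} attempted egress to {f.dst}:{f.dport}")
        return "deny", "decoy egress to non-collector destination"


def run_sample() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Evaluate constructed flows; returns (decisions, alerts) for inspection."""
    flows = [
        Flow(0, "10.66.0.5", "10.99.0.2", 514),     # decoy shipping logs: allowed
        Flow(1, "10.66.0.5", "203.0.113.9", 445),   # decoy reaching out to SMB: denied + alert
        Flow(1, "10.66.0.5", "198.51.100.4", 80),   # decoy reaching out to HTTP: denied + alert
        Flow(2, "10.20.0.8", "203.0.113.9", 443),   # ordinary host, not subject to the policy
    ]
    # Burst of six log-shipping attempts at the same instant: five pass, the sixth is throttled.
    flows += [Flow(3, "10.66.0.7", "10.99.0.2", 5044) for _ in range(6)]
    policy = DecoyEgressPolicy(burst=5, per_sec=0.5)
    decisions = [policy.decide(f) for f in flows]
    return decisions, policy.alerts


if __name__ == "__main__":
    decisions, alerts = run_sample()
    for d in decisions:
        print(d)
    print("alerts:", *alerts, sep="\n  ")
```

The point of the alert list is the low false-positive property the article relies on: nothing legitimate originates from a decoy, so any denied egress is worth a ticket, not just a dropped packet. In a real deployment the same three rules would live in the segment firewall rather than in Python, with the collector path pinned to a one-way log transport.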

Furthermore, deception systems do not necessarily handle sensitive information, Personally Identifiable Information (PII) or private communications, and have low false positive rates (demonstrating that only threat actors attempt to communicate with the system) – hence there are no security or privacy concerns.

Finally, cyber deception does not constitute fraud or entrapment under any legal interpretation. Research has found neither case law nor civil liability involving cyber deception.

There is negligible legal risk associated with the use of deception technologies, but there is clear (and expensive) liability to public and private organizations when they do not actively defend their networks. An organization is highly exposed to both compromise and liability should it not comply with best practices or standards (and this includes cyber deception).

Re-shaping risk perception is important to exploring the art-of-the-possible when it comes to cyber deception solutions.

CONCLUSION

The Canadian Charter of Rights and Freedoms, and the privacy and security of Canadians, must be the top concern when using cyber deception operations.

We have established that there is no prohibition on the use of cyber deception activities used against foreign adversaries. To the contrary, it can be argued that cyber deception controls should be mandatory, given that they are well established as best practices and explicitly written into standards.

It also makes good business sense because cyber deception lowers threat risk and liability while offering the best Return-on-Investment for cyber defence.

Moreover, cyber deception and intelligence are found to be very closely coupled.

___
Dave McMahon is Chief Executive Officer at Clairvoyance Cyber Corp.

For full discussion paper on this topic, visit: http://linkedin.com/in/cyberspacestrategist
