Reverse Deception: Organized Cyber Threat Counter-Exploitation (22 page)

Major Martin was equipped with false plans and papers, and left with a life preserver off the shore of Spain. As hoped by the Allies, Major Martin and his papers made their way to the German high command. After verifying the plans were authentic, the Germans were certain that the Allies were going to assault through Greece and not Sicily, as previously thought. Hitler moved a division out of Italy, and the Allies attacked with little to no resistance.

Applying to Cyber

In your deception, if you proclaim to your personnel across your organization that you are moving critical systems to a specific location, this could be considered a ruse to lure the threat to that location. This type of deception can also be seen in
content staging
, which is the generation of false information, documentation, or actual operational information that has been modified and duplicated across your enterprise. This makes it difficult for the ones who are stealing your information to identify which data source has the actual information they are seeking.

Displays—A Big Hack Attack

As the dawn breaks across the western Atlantic Ocean, two F-25 Virtual Attack Fighters (VAF) take off from Seymour Johnson Air Force Base. Captains Bjork Williams and Robert Oehlke find themselves flying another standard combat air patrol along the East Coast. Recently, terrorist groups have acquired late 20th century U.S. Navy Aegis cruisers and have been conducting raids upon the new Border states of the Virgin Islands and Bermuda. As the two aircraft make their way out to sea, clouds begin to roll in and the ocean surface is quickly obscured. Approximately twenty minutes into the mission, a surface vessel is picked up on the multi-spectral imaging and sensor system aboard the F-25s. Even though the target is identified as a fifty-foot catamaran, the two pilots decide to buzz by and take a look. As they break through the clouds the pilots realize something is drastically wrong. Three Aegis cruisers appear before their eyes, while their computers still show only a small watercraft. Hackers aboard the cruisers tapped into the F-25 imaging system and altered the information processed within the systems. Before the pilots can react to the trap, their aircraft are shot by a short-range electro-magnetic pulse weapon, and fall powerless into the sea. Captains Williams and Oehlke have just become victims of Virtual Deception
.

—Lt York W. Pasanen, “The Implications of Virtual Deception,”
Air & Space Power Chronicles
(April 1999)

In the everyday walk of life, deception is one of those taboo things that people usually frown upon. People do not like to be deceived and usually resent the deceiver. “Honesty is the best policy,” so we are told in our youthful years by parents and role models alike. What is it like when we are the ones who deceive? How do we feel about it when we deceive? Is turnabout truly fair play? Do we justify it by saying, “He doesn’t need to know” or “She will find out about it later”? Perhaps we withhold important information in a passive deceptive manner for a number of reasons, but is it okay when we do it to others after they do it to us (with the same justification that it is not right)? Don’t we all do it from time to time?

Applying to Cyber

What your threat knows about you is one of the most important parts of your organization you want to protect. That is why most security teams talk about OPSEC, which is the active security of your organization’s operations and information. What you display to your threat is critical, especially when it comes to deception planning. You do not want your threats to identify your deception or your ability to implement a deception that could hinder their objectives.

Another example is the exploitation of the output of your threats’ tools. If you can display incorrect information to their reconnaissance tools, network scanners, listeners, and so on, you could lead them in the direction of your choosing.

Deception is a powerful tool, especially when you enter the cyber world, where deception is much easier to pull off because, generally, your threats are entering your network from a remote location and without physical access to your organization.

How many used car salesmen get a bad rap because they intentionally misrepresent the bottom line? But wait, aren’t they just attempting to offer a starting point for negotiations? Should they be vilified for proven marketing techniques, and aren’t deceptions just advertising on steroids? A good used car salesman will be a student of marketing and human nature.

What is the difference between unethical and ethical advertising? Unethical advertising uses falsehoods to deceive the public; ethical advertising uses truth to deceive the public
.

—Vilhjalmur Stefansson

Mankind was my business
.

—Ghost of Jacob Marley in
A Christmas Carol

The art of persuasion is very important when dealing with an organized threat, as you must earnestly go out of your way to allude to and misrepresent your security posture in a way that will ensure your threat takes the bait. You must not only understand people, but also empathize with their situation and anticipate their next thoughts. Such insight is sought and eludes all but the most astute.

You should take into consideration where your threat currently is within your enterprise and understand which systems might be targeted next. Being very familiar with standard operating procedures for a precision attack and exploitation methodology is important. You want to understand what your threats are after and know how they might move through your network.

Knowing response methodologies in some cases as an attacker’s methodology may contribute to identification of future targets and objectives. Great pains go into decrypting and reverse engineering the thought process and decision points of the targeted decision maker. Regardless if this is a military or civilian activity, the more that is understood about the target, the better the picture is of what their intentions are.

The military deception staff and the advertising staff have both developed plans to present a message to their audiences. The military target is the center of gravity (COG), and the advertiser target is the decision maker who will purchase the car. Strangely enough, the COG in a military deception is the adversarial decision maker whom the deception staff is attempting to influence. Can the message get to the decision makers and will it be understood? Both groups spend much of the planning process ensuring that these goals are achieved.

When planning a deception against a skilled target, you should take into consideration the lengths the target will go to detect a deception. You will need to understand the strengths and weaknesses of your deception in order to make it as perceptually consistent as possible, especially when operating across a large enterprise or organization.

Some counterfeits reproduce so very well the truth that it would be a flaw of judgment not to be deceived by them
.

—Francois de La Rochefoucauld

Finally, the payoff question: Will the message be acted upon? A lot of time, resources, and effort are put in motion to ensure that this happens. It is the payoff moment for the planners. Will the auto dealer receive revenue and move products? Will the military deception planners get the COG to act in a way that is more favorable to friendly forces? Will your threat take action and perform according to your COG planning?

What are we selling? Is the deception planner giving information to the adversary with malice in mind? Is the advertiser presenting something the focus (the decision maker capable of taking the desired action) really
needs or wants
? In deception, the planner usually displays something the COG expects according to his personal bias and beliefs.

Never attempt to persuade people until you have listened to them first
.

—Morey Stettner,
The Art of Winning Conversation

In order to know what people expect, you need to be a quiet, patient student of them. There are various means to gain a better understanding of the individual you seek to persuade, usually either by observation or listening. Much can be said if you have gleaned enough information about someone to identify where he will go next or what car he will purchase. Such insight is the goal of everyone from advertising executives to intelligence professionals. There is a thought process of interpreting the nature of the focus, who is always a human, and having a better understanding what the objectives and motivations of the focus may be. Even simply monitoring events while you respond to the adversary or focus may help you better understand what he is after.

The people who can predict behavior will dominate whatever discipline they apply themselves to. In this way, advertisers and deception specialists also play on the personal biases and wants of an individual to get that individual to purchase their product. Is the car really necessary? Most people probably do not need a new car, but will purchase one for a variety of reasons, such as the lure of a new automobile, a desire to “keep up with the Joneses,” a feeling of personal obligation after befriending the salesman at the dealership, and the belief that they can afford it. In the same way, the personal bias of the focus looms as an overbearing emotional anchor, which helps sell the deception. It is important to understand the objective of the focus. Is it espionage, information, financial theft, or long-term persistent remote control of an enterprise network?

The target in deception is the single focus of the COG, while an advertising campaign tends to shotgun out a message to a much broader distribution. This technique might imply that advertising campaigns more closely resemble psychological operations (PSYOPS); however, there is one notable distinction. It’s true that the advertising campaign is widely broadcast, but the intended audience is the same as with a deception: the COG or decision maker in a specific organization. This is why advertising sometimes seems more closely aligned with deception theory than the PSYOPS technique.

Deception is sometimes difficult to pin down, which usually means that it was effective. If Alice told Bob something that was deceptive, and Bob acted on that information the way Alice wanted him to, then her deception was effective—game over.

Why Use Deception?

During the Zhou Dynasty in the Warring States Period (475–221 BC), there was a prominent general named Sun Tzu who served the government of China. These times were very trying and violent because China was divided. Sun Tzu’s strategic philosophy was succinct: “If you know your enemy and know yourself, you will not be defeated in a hundred battles.” Sun Tzu believed that knowledge of the truth, and the wisdom derived from it, was the bedrock of victory. In
The Art of War
Sun Tzu wrote that the most powerful weapon of warfare was information, and he knew that if he managed what information his adversary was able to obtain, he could manipulate his adversary’s actions.

Anything worth having is a thing worth cheating for
.

—W. C. Fields

Sun Tzu surmised that, “All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe that we are away; when far away, we must make him believe we are near. Hold out baits to entice the enemy. Feign disorder and crush him.”

Sun Tzu knew that by establishing and managing the complete information environment early on, he would essentially control and subsequently own the decisions of his adversaries without actually engaging in armed conflict. “Thus it is that in war the victorious strategist only seeks battle after the victory has been won, whereas he who is destined to defeat first fights and afterwards looks for victory,” He continued, “Supreme excellence (in strategy) consists in breaking the enemy’s resistance without fighting.” There can be no argument that if he could get his adversaries to forfeit without one single armed engagement, he could save an immeasurable amount of resources, including warriors and equipment that could be used for his next campaign. Attrition is the enemy of success, and no (or limited) losses make an army that much stronger for its next engagement.

Historically, we can see the importance of deception to the Chinese, but what about contemporary practice? Mao Tse-tung concluded, “To achieve victory we must as far as possible make the enemy blind and deaf by sealing his eyes and ears, and drive his commanders to distraction by creating confusion in their minds.” This narrative can leave no doubt as to the Chinese Information Warfare doctrine. For many years, the Chinese people have lived Information Warfare, and the United States has struggled to grasp its importance, while all the time not understanding the Chinese expertise in this area.