Deception has been a defense strategy in military and intelligence programs for hundreds of years. As cybersecurity techniques mature, we continue to borrow proven methods from more traditional security industries.
By Dick Wilkinson, IT Security Officer, New Mexico Judicial Information Division
Deception in the military setting is often as simple as setting out decoy items that create a false image of strength, or staging a feint to distract the enemy from the real intentions of your campaign. In the cybersecurity setting, honeypots are the clearest example of a deception tactic. Most people in the cyber field would say we are not using deception in a thoughtful or mature way: honeypots are simple and usually easy to spot once you find your way into one. Creating decoys on the network seems like a waste of time and precious computing resources, so what benefit could deception techniques bring to network defense?
Deception Experiment Through Penetration Tests
An American federally funded research lab ran an experimental series of penetration tests to study how deception, or even the mere suggestion of deception, might affect a malicious actor's methods or chance of success. I had the unlikely chance to participate in this event as a human test subject. I happened to be looking for some short-term contract work, and a two-day pen test event came up in my search. The pay seemed very generous and the details very light, so I had to follow through and see where this event might lead. Only upon the final contract signature did I find out that the event was a human test subject experiment.
The experiment was designed to measure stress and cognitive response to a complex network environment. The room was built with private stalls and no interaction between participants. Each test subject was issued a biometric watch that measured heart rate and other stress markers. Each stall had two computers: one to launch attacks against the test environment and the other for research on the external internet. All activity on both machines was recorded via screen capture over the course of two 8-hour sessions on consecutive days. Each person was given a vague set of instructions: penetrate the network, collect all data that could be interesting in a pen test report (demonstrated vulnerabilities, exploits and access), and then report your findings. The test hinged on one sentence that appeared in the instructions of some participants but not others: "Look for signs of deception on the network, and if found, include them in your report."
Reality or Deception?
The idea of deception on the network was meant to induce self-doubt. Do I slow down? Do I second-guess every step, trying to separate reality from deception, or do I just get on task and start collecting data? In the real world, very few networks have deception present. Almost no pen test methodology is taught with deception in mind; we believe what we see is real and execute accordingly. Even the suggestion that deception might be present is a very unusual prompt for a pen tester or hacker. I was one of the participants with the deception sentence in my instructions. I sat for eight hours running down rabbit holes, only to find one completely empty virtual machine after another. I then sat for an hour of psychological tests asking whether I felt frustrated or misled, or whether my confidence was in question. The next day was more of exactly the same. In this case, while I can't truly establish my own personal baseline, I feel certain that deception ruined any chance of success for me. The myriad of easy-to-see and useless-to-penetrate machines left me scratching my head.
The results of this project were published with very little conclusive evidence, other than that the testing method was valid and that deception may affect attacker behavior. The final note of the report encouraged further research into enhanced deception techniques. The lesson for network operators and defenders is that deception will have mixed results, and only a thoughtful plan could lead to enhanced protection. The balance of resources invested versus results gained would be hard to prove. Creating deception tailored to a specific attack method may yield some results, but again, proving a negative (that an attack was deterred rather than simply never attempted) would be a challenge. Only the most mature security programs should even consider deception techniques, and never at the expense of other defensive resources.
About the Author
Dick Wilkinson is the Chief Information Security Officer on staff with the Supreme Court of New Mexico. He is a recently retired Army Warrant Officer with 20 years of experience in the intelligence and cyber security field. He has led diverse technical missions ranging from satellite operations, combat field digital forensics, enterprise cybersecurity as well as cyber research for the Secretary of Defense.
Disclaimer: CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. Views expressed in this article are personal.