Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means •...
Transcript of Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means •...
![Page 1: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/1.jpg)
1
Designing Deception Operationsfor Computer Network Defense
Jim YuillNorth Carolina State University
jimyuill-at-pobox.com
Fred Feerconsultant; CIA, RAND, ret.
ffeer-at-comcast.net
Dorothy DenningNaval Postgraduate School
dedennin-at-nps.edu
![Page 2: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/2.jpg)
2
Presentation OverviewAbstract: Deception is an appealing means for computer network defense (CND), as it pits the defender's strengths against the hacker's weaknesses.
This presentation explains how deception operations can be designed and developed for CND. Deception processes, principles and techniques are presented.
The presentation focuses on enduring principles that are of use for conducting deception operations. Applications to honeypot systems are also provided.
![Page 3: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/3.jpg)
3
Outline
I. IntroductionII. Current deception technologyIII. An overview of deception operations IV. Deception planningV. Developing the deception storyVI. Conclusion
![Page 4: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/4.jpg)
4
I.A. The Opportunity for Using Deception
• Deception can pit the defender’s strengths against the hacker’s (e.g., adversary’s) weaknesses
• Hacker’s weaknesses:– hackers often rely on a single source of information:– the data is easily manipulated– the hacker is highly vulnerable to deception
• Defender’s strengths:– has physical control of the network– knows the network well
• Deception provides an offensive security-measure:– it can be used to attack hackers’ decision-making processes
![Page 5: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/5.jpg)
5
I.B. Deception Principles
• Effectively deceiving an adversary is a job skill
• Presenting processes and principles applicable to all deception operations
– technology changes, but
– the principles of reinforcing the desires and perceptions of the deceived will not change
![Page 6: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/6.jpg)
6
I.C. What is Computer-Security Deception?
• Computer-security deception: – actions taken to deliberately mislead hackers and to thereby
cause them to take (or not take) specific actions that aid computer security
• Deception aims to:– mislead the hacker into a predictable course of action or
inaction that can be exploited
• Tricking the hacker, or making him think a certain way,– is only a means to an end
![Page 7: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/7.jpg)
7
I.D. Our Research
• Developed a how-to manual for deception operations– Abridged manual distributed for conference– Full manual available to DoD personnel (contact Jim
Yuill)
• Deception systems R&D– two novel honeypot-like systems– used honeynet for testing
![Page 8: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/8.jpg)
8
Outline
I. IntroductionII. Current deception technologyIII. An overview of deception operations IV. Deception planningV. Developing the deception storyVI. Conclusion
![Page 9: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/9.jpg)
9
II.A. Tools and Techniques
• Honeypots: computers whose purpose is for hackers to break into them
• Honeynet: a network of honeypots
• Honeypot purposes:– prevention, detection, response, intelligence
• Other uses of deception– firewall stealth– steganography, etc.
![Page 10: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/10.jpg)
10
II.B. Honeynet Example--as seen by hacker(maintenance backdoor for mainframe network)
밷ackdoorssh server
network밷ackdoor
firewall
innerssh-server
file server
Internet intranet
Implemented Deceptions,accessible to target
Notional Systems(i.e., non-existent)
network-perimeter
firewall
![Page 11: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/11.jpg)
11
Honeynet Example--actual implementation
Internet
VLAN (1)
밷밷밷밷ackdoor""""ssh server
inner ssh-server,network-perimeter firewall,
file server
honeynet'sfirewall &
router
honeynetmonitor
VLAN (3)
VLAN (2)
managedswitch
spanningport logging:
syslog,sebek
밷밷밷밷ackdoor""""firewall
![Page 12: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/12.jpg)
12
II.C. Building Honeypots
• Hacker surveillance:– external to honeypot:
• firewall logging, traffic sniffing– inside honeypot:
• keystroke logging: sebek• shell logging• send log records to another computer
• Hacker containment:– external firewall– to be safe: allow connections in, but not out
• False content: can be very expensive and difficult
![Page 13: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/13.jpg)
13
II.D. The honeyd Honeypot
• honeyd impersonates computers– at unused IP addresses
• can have many fake computers– thousands (e.g., by using 10.0.0.0)– many more fake computers than real computers
• promising security device, for:– prevention: thwart scanning– detect scanning
![Page 14: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/14.jpg)
14
Honeyd’s Impersonations
router
real
honeydserver
fakeEthernetswitch
![Page 15: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/15.jpg)
15
II.E. Honeyfiles
• Bait files, on network file server– e.g., passwords.txt
• Decentralized deployment• Centralized alarm
organization'snetwork
workstation
workstation workstation
webserverDBMS
FILESERVER
![Page 16: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/16.jpg)
16
II.E. Further Reading
• Honeynet Project– http://www.honeynet.org– book: Know Your Enemy, 2nd edition (not 1st)
• Lance Spitzner’s book: Honeypots
![Page 17: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/17.jpg)
17
Outline
I. IntroductionII. Current deception technologyIII. An overview of deception operations IV. Deception planningV. Developing the deception storyVI. Conclusion
![Page 18: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/18.jpg)
18
III.A. The Deception-Operation ProcessDeception-Operation Development
PlanningBuild the Deception
Prepare to Engage the Target
ContinuationDecisionmodify deception operation continue deception-operation
as is
Termination
Target Engaged
Target Deceived Exploit Target's Response
Feedback
Deploy Deception-Story
![Page 19: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/19.jpg)
19
III.B. Deception-Operation Development
Deception-Operation Development
Planning
" Goals and objectives" Target identification
& analysis" Risk analysis" Operations security
Build the Deception
" Deception story" Feedback" Termination plan" Event-schedule
Prepare toEngage the Target
" Exploit for target actions
" Response for problems" Coordination with
network ops
![Page 20: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/20.jpg)
20
The Deception Story
• deception story: induces the target to take the intended action
• presented to the target in his observation arenas
• the most effective observation arenas are the target’s intelligence sources
![Page 21: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/21.jpg)
21
III.C. Engaging the Target
Target Engaged
Target Deceived
� story received� story accepted� intended-action taken
Exploit Target's Response
� feedback collected and analyzed� target's-action exploited
Feedback
![Page 22: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/22.jpg)
22
III.D. Deception-Operation Termination
• preparing for the various termination conditions– success, failure
• the target often discovers the ruse– when his response to the ruse is exploited
• control exposure of the deception operation– so it can be used again– a cover story may be needed
![Page 23: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/23.jpg)
23
Outline
I. IntroductionII. Current deception technologyIII. An overview of deception operations IV. Deception planningV. Developing the deception storyVI. Conclusion
![Page 24: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/24.jpg)
24
IV. Deception planning
IV.A. Deception opportunity analysis
IV.B. The deception objective
IV.C. Target identification and analysis
IV.D. The target’s intelligence process
![Page 25: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/25.jpg)
25
IV.A. Deception Opportunity Analysis
• Extend and support the achievement of friendly objectives
• The deception operation should be fully integrated with the overall CND effort
• Compatible with, and coordinated with, the network’s security and production operations
![Page 26: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/26.jpg)
26
Security Models Reveal Opportunities
offense
1) Footprintingidentify area ofoperation, e.g.,network-addressranges
2) Scanningidentifycomputers, OSs,servers
3) Enumerationidentify useraccounts, fileshares, make andtype of servers
4) Gaining Accessattemptunauthorizedaccess
5) Escalating Privilegeif only user-access,gain full control
6) Pilfering:search system forclear-textpasswords, andtrust-relationships
7) Covering Trackshide tools, clearlogs, and removeother evidence
8) Creating Back Doorsensure continuedaccess
offensedefenseintelligence
intelligenceintelligence intelligence offense
Hacking process, from Hacking Exposed
![Page 27: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/27.jpg)
27
IV.B. The Deception Objective
• GEN Dudley Clarke, WWII deception planner– ...it became a creed [among deception planners] to
ask a General, “What do you want the enemy to do,” and never, “What do you want him to think?”
• The deception objective is the desired result of the deception operation; it consists of:1. the intended target action, and2. the deception exploit
![Page 28: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/28.jpg)
28
The Target Action
• The target-action is a statement of what the hacker is to do (or not do) at some time and location
• It is always stated in terms of specific actions,– “cause the targets’ attacks against our server to be
performed, instead, against the honeypot server”
• “have the hacker think that the honeypot server is the real server”– is not a target-action, rather, it is a desired perception
![Page 29: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/29.jpg)
29
The Deception Exploit
• The deception exploit is a statement of how the target-action will benefit CND– e.g., through attack detection, prevention, or response
• ALWAYS a positive action– what will friendly side do when the target takes the intended
action?
• May, or may not, involve a response against the target– attack detection that initiates a response, or– attack prevention, e.g., deceptively hide network assets
![Page 30: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/30.jpg)
30
The Deception Operation’s Ultimate Goal
• The deception operation’s ultimate goal:– successful completion of the deception exploit
• The deception-story and ruses:– just the means for inducing the target-action
• The deception planner can easily be captivated by the ruse’s intrigue, – and lose sight of the deception objective
![Page 31: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/31.jpg)
31
IV.C. Target Identification and Analysis
• It was so important to the deception work to be able to put oneself completely in the mind of the enemy, to think as they would think on their information, and decide what they would do.– WWII deception planner
• Deception attacks the target’s perception and his thinking process, so
• Deception is more effective with intel on the target:– who he is, how he works, and how he thinks
![Page 32: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/32.jpg)
32
IV.D. The Target’s Intelligence Process
• For the deception operation to work, the target must:– receive the deception story, AND– interpret it as intended, AND– take the target action
• Highly uncertain!– but we need certain outcomes, for deception to be useful
• The target’s intel collection:– he actively and eagerly seeks info– provides a predictable channel for deception story
![Page 33: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/33.jpg)
33
Exploiting the Target’s Intel Process
• Hacker intel processes and tools are well known, e.g.,– port scans (e.g., nmap) and vulnerability scans (e.g., nesus)– footprinting, social engineering
• Vulnerabilities to deception, in target’s intel process:– single sources of information (no cross-validation)
– info that is superficial and easily misrepresented (e.g., ping)
– times when target is naïve (e.g., during his initial recon)
– intel processing by dumb automated agents (e.g., worms)
![Page 34: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/34.jpg)
34
Outline
I. IntroductionII. Current deception technologyIII. An overview of deception operations IV. Deception planningV. Developing the deception storyVI. Conclusion
![Page 35: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/35.jpg)
35
V.A. The Deception Story
• deception objective: induce a specific target-action that benefits CND
• deception story: induces the target action– implemented using various ruses
• desired perception: a perception, if held by the target, – that will cause him to take the intended action
• deception story is an outline of:– how the computer system will be portrayed,– to cause the target to adopt the desired perception
![Page 36: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/36.jpg)
36
V.B. The Deception Story’s Essential Design-Criteria
• plausible; must appear to the target as:– appropriate, from engineering and operations perspectives– something the defender is capable of doing– consistent with real systems and operations
• receivable, by target’s intel
• verifiable, if target uses multiple intel sources
• efficacious: – induces desired perception and target-action.
• implementable, by the deception planner
![Page 37: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/37.jpg)
37
V.C. Design Principles for the Deception Story
Design Principles #1 and #2
1. Inducing the target-action
2. Making the story believable:– persuade the target to believe something he expects– show things that are normally concealed
![Page 38: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/38.jpg)
38
3. Preventing the target from uncovering deception
• Minimize falsehood– make the story simple– weave the story into the truth (powerful verification)– show things that are normally concealed
• by displaying expected indicators
• Minimize the target’s scrutiny of deceptions
![Page 39: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/39.jpg)
39
Design Principles #4 and #5
4.Ensure the target receives the story– use the target’s intelligence sources to communicate
the deception story to him
5.Revealing the story:– let the target piece the story together by inference
![Page 40: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/40.jpg)
40
6. Implementing the deception story
• Parts of the story to be implemented, based on:– how the target receives the deception story– what the target expects to see
• Some parts don’t have to be implemented:– parts of the story are tied to the truth– parts of the story can be notional
![Page 41: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/41.jpg)
41
7. Realism in the deception story
• The degree of realism needed is a function of:– the target’s intelligence capabilities, and– the target’s time available
• Design the story so needed realism is minimized
![Page 42: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/42.jpg)
42
Outline
I. IntroductionII. Current deception technologyIII. An overview of deception operations IV. Deception planningV. Developing the deception storyVI. Conclusion
![Page 43: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/43.jpg)
43
VII. ConclusionDeception-Operation Development
PlanningBuild the Deception
Prepare to Engage the Target
ContinuationDecisionmodify deception operation continue deception-operation
as is
Termination
Target Engaged
Target Deceived Exploit Target's Response
Feedback
Deploy Deception-Story
![Page 44: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/44.jpg)
44
Deception: Ends vs. Means• Computer-security deception:
– actions taken to deliberately mislead hackers and to thereby cause them to take (or not take) specific actions that aid computer security
• The deception objective is the desired result of the deception operation:– the intended target action, and the deception exploit
• The deception story: creates desired perception
• Communicate deception-story via target’s intelligence process
![Page 45: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/45.jpg)
45
Current and Future Research
• Completed– How deceptive hiding works (for CND, also OP-SEC)– Psychological vulnerabilities to deception– Deception bibliography for computer security
• Jim Yuill– Battlefield intel process (IPB) applied to network security– R&D to extend honeyd deception– Managing data collected during investigation: intel, computer
security, etc.– Problems in academic computer-science research methods
![Page 46: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/46.jpg)
46
Authors
• Jim Yuill is a senior PhD student in the Computer Science Department at North Carolina State University. This paper is part of his dissertation. Jim previously worked at IBM in operating systems development. jimyuill-at-pobox.com
• Fred Feer is retired from a career with the U.S. Army counterintelligence,CIA, RAND and independent consulting. Deception has been an interest and area of professional specialization for over 40 years. ffeer-at-comcast.net
• Dr. Dorothy Denning is a Professor in the Department of Defense Analysis at the Naval Postgraduate School. She is an ACM Fellow, and the recipient of several awards, including the National Computer Systems Security Award. dedennin-at-nps.edu
![Page 47: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/47.jpg)
SPRI 47
Survival in a Sea of Deception
![Page 48: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/48.jpg)
48
Part One
Deception: Why
![Page 49: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/49.jpg)
SPRI 49
Darwinian Deception
!As a species, our ability to adapt to changes in the environment, avoid threats and outwit competition has been the key to our survival and dominance.
!The realities of the universe we inhabit insure that witting adaptability remains at the heart of survival.
!Who deceives may not always win but the chances are better and the losses will be lower.
![Page 50: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/50.jpg)
SPRI 50
Uncertainty Prevails
! Time! Randomness! Parallelism! Interactivity! Uncertainty ! Necessity of Action
![Page 51: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/51.jpg)
SPRI 51
Example #2
![Page 52: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/52.jpg)
SPRI 52
Ancient Wisdom
!It is well to hurt the enemy by deceit, by raids or by hunger and never be enticed into a pitched battle, which is a demonstration more of luck than of bravery. Maurice, The Strategikon, 6th century
!Battle should only be offered if there is no other turn of fortuine to hope for, as from its nature the fate of battle is always dubious. Napoleon Bonaparte, 1809
![Page 53: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/53.jpg)
SPRI 53
Current Wisdom
! “…the empirical fact of nonlinear dynamics, when coupled with the unavoidable mismatches between reality and our representations of it, reveal fundamental limits to prediction, no matter how much information and processing power technological advances may one day place in human hands.”
Barry D. Watts. Clauswitzian Friction and Future War. Washington DC: McNair Paper 52,
National Defense University, Oct 1996, p 126.
![Page 54: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/54.jpg)
SPRI 54
Why Do Deception?
!Good: to survive
!Better: to control/reduce uncertainty
!Best: to seize and exploit an advantage
![Page 55: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/55.jpg)
SPRI 55
So, Why Isn’t Everyone Doing it?
! First, everyone who can does !To do it poorly may be worse than not
trying at all.! It requires competence at all levels! It means acceptance of risk and
responsibility
![Page 56: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/56.jpg)
SPRI 56
The wages of Deception
![Page 57: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/57.jpg)
SPRI 57
The Three Kinds of Knowledge
!Type I: Facts--things known!Type II: Unknown facts--things not known,
but knowable, I.e., somebody knows!Type III: Facts Unknowable--because no
one does or can know them because they don’t exist or are contingent.
![Page 58: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/58.jpg)
SPRI 58
Examples & Lessons
!D-Day!Ticket Sales!The Left Hook/Hail Mary!The Bottom Line
![Page 59: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/59.jpg)
59
Part Two
Deception: what to think about
![Page 60: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/60.jpg)
SPRI 60
![Page 61: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/61.jpg)
SPRI 61
Contemporary Military View
" The profundity and exactness of the commander’s foresight in a battle directly
depends on a degree of creativity demonstrated by the sides and their use
of stratagems, camouflage and disinformation.
MGEN I. Vorobyov. Tactics as the Art of Command and Control in Military Thought, v
12 n 1, 2003, p 58. (English edition published by East View Publications, Minneapolis MN)
![Page 62: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/62.jpg)
SPRI 62
WW II Deciever’s View
"Provided the enemy has an efficient intelligence service, provided he is capable of reacting to what he sees, or thinks he sees, he can apparently be taken in again and again. Geoffrey Barkas. The Camouflage Story. London: Cassell and Company Ltd,1952, p 163.
![Page 63: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/63.jpg)
SPRI 63
Sherman on His March"“I must have alternates, else, being confined to one route, the enemy might so oppose that delay and want would trouble me, but, having alternates, I can take so eccentric a course that no general can guess at my objective. Therefore, when you hear I am off have lookouts at Morris Island, S.C., Ossabaw Sound, Ga., Pensacola and Mobile Bays. I will turn up somewhere.”
Maj Gen W.T. Sherman, 19 Oct 1864 letter to Maj Gen G.W. Halleck in Simpson & Berlin, Sherman’s Civil War: Selected Correspondence. London & Chapel Hill; U of North Carolina Press, 1999, p 736.
![Page 64: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/64.jpg)
SPRI 64
Sherman’s Alternates
![Page 65: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/65.jpg)
SPRI 65
What Do You Need to Know!Who is the target!What do you know and not know about him
Is he alert for deceptionHas he practiced deception
!What has his record beenre: deception--use, resultsre: successof his enterprise
!What do you need to know to present a credible story! If we go ahead on what path does that put us?
![Page 66: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/66.jpg)
SPRI 66
Hackers, Attackers, Intruders, Crooks, Thieves and Terrorists
!What do we know about them?!Some intruders are more threatening than
others. Can we sort them out?!Defense should be proportional to the threat.!Until we know enough to sort them along a
spectrum, we’re throwing mud at a wall.
![Page 67: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/67.jpg)
SPRI 67
Ethics
!Clean house first--major security problem is internal personnel, training and admin
!Is it OK to lie to liars?
!Responsibility
![Page 68: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/68.jpg)
SPRI 68
Lying
!Deception necessarily involves manipulation of the Truth
!Is that always lying?
!What justifies lying to the public?
![Page 69: Designing Deception Operations for Computer Network Defense · Deception: Ends vs. Means • Computer-security deception: – actions taken to deliberately mislead hackers and to](https://reader034.fdocuments.us/reader034/viewer/2022050100/5f3f96ded524b81d794eacfc/html5/thumbnails/69.jpg)
SPRI 69
Wanted: Real Damsel