The Role of Deception in CND & IO
Dr. Stilianos Vidalis, Information Security Research Group
J133 – School of Computing, University of Glamorgan
0044 (0)1443 [email protected]
Pro-logos
At the beginning there was light… …then the cosmos… …then all the species… …and finally there was WAR!!!
Threat Assessment
A threat assessment is a statement of threats that are related to vulnerabilities, an organisation’s assets, and threat agents, and also a statement of the believed capabilities that those threat agents possess.
Threat = f (Motivation, Capability, Opportunity, Impact)
Motivation
Motivation is the degree to which a threat agent is prepared to implement a threat. The motivational factors are the elements that drive a threat agent to consider attacking a computer system: political, secular, personal gain, religious, revenge, power, terrorism, and curiosity.
Q: Can we deceive them into believing that they do not want to target us?
Capability
Capability is the degree to which a threat agent is able to implement a threat:
- The availability of a number of tools and techniques to implement an attack, and the ability to use the tools and techniques correctly.
- The availability of education and training to support the correct use of various tools and techniques.
- The level of resource that a threat agent has, or can acquire over a certain time.
Q: Can we deceive them into believing that they are not able to target us?
Opportunity
The easiest of the 3 to manage? Opportunity can be defined as a favourable occasion for action.
Past: make sure that threat agents are in no position to create or exploit opportunities.
Present: Risk is not managed by us but by the threat agents, so concentrate on Motivation.
Threat Agents?
The term threat agent is used to denote an individual or group that can manifest a threat.
Hackers are good people!!! . . . .
Threat Agent Categories
Categories: Non-Target Specific, Natural Disasters, ESA, Terrorists, Organized Crime, Corporation, Nation States, Employees.
Non-Target Specific: Worms, Bacteria, Viruses, Trojans, Logic Bombs, Trapdoors.
Natural Disasters: Fire, Flood, Lightning, Vermin, Wind, Sand, Frost, Earthquake.
Agents in the remaining categories (as listed on the slide): Contractors, Staff, Maintenance Staff, Cleaners, Operations Staff, Guards, Fatria (national), Fatria (international), Gangs (city), Gangs (blocks), Competitors, Partners, Anarchists, Religious, Political, Governments, Religious Followers, Extremists, General Public, Vandals, Activists, Enthusiasts, Media, Political parties.
Why do we analyse Them?
It is a game; the aim: achieve information superiority.
- We need to understand what motivates them
- We need to know of their technical and educational capability
- We need to know how they think
Security has to be proactive and not reactive
How do we analyse Them?
We start by identifying them:
- Threat agent catalogue
- Historical threat agent data
- Environmental reports
- Knowledge of personnel
- Stakeholder list
How do we analyse Them?
Vulnerabilities
Threat Agents
Motivation
Opportunity
Capability
How do we analyse Them?
Capability: capability metrics available on request
Opportunity: Access to Information, Changing Technologies, Target Vulnerability, Target Profile, Public Perception
Motivation
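An added worked example (not from the slides) that puts Threat = f(Motivation, Capability, Opportunity, Impact) into a small scoring model over the capability and opportunity sub-factors listed above, and shows how a simulating or dissimulating deception aimed at one agent changes where it ranks. The 0..1 scales, the multiplicative combination, the way deception is mapped onto the factors and the catalogue values are all assumptions, not the authors' metrics.

```python
from dataclasses import dataclass, replace
from statistics import mean

@dataclass(frozen=True)
class ThreatAgent:
    name: str
    motivation: float     # 0..1: how prepared the agent is to act
    # capability sub-metrics named on the slides (0..1 each)
    tools: float          # availability of tools and techniques
    skill: float          # ability to use them correctly
    training: float       # education/training available to the agent
    resources: float      # resources held or acquirable over time
    # opportunity sub-metrics named on the slides (0..1 each)
    info_access: float    # access to information about the target
    target_vuln: float    # target vulnerability as the agent perceives it
    target_profile: float # how visible/attractive the target profile is
    impact: float         # 0..1: damage if the threat is realised

def capability(a: ThreatAgent) -> float:
    return mean([a.tools, a.skill, a.training, a.resources])

def opportunity(a: ThreatAgent) -> float:
    return mean([a.info_access, a.target_vuln, a.target_profile])

def threat_score(a: ThreatAgent) -> float:
    # Multiplicative combination (assumption): one factor near zero suppresses the threat
    return a.motivation * capability(a) * opportunity(a) * a.impact

def rank(agents):
    return [a.name for a in sorted(agents, key=threat_score, reverse=True)]

def apply_deception(a: ThreatAgent, simulate=0.0, dissimulate=0.0) -> ThreatAgent:
    # Simulating (showing a false, hardened target) lowers perceived target_vuln;
    # dissimulating (hiding the real) lowers info_access and with it motivation.
    return replace(a,
                   target_vuln=max(0.0, a.target_vuln - simulate),
                   info_access=max(0.0, a.info_access - dissimulate),
                   motivation=max(0.0, a.motivation - dissimulate / 2))

# Constructed catalogue entries; the numbers are illustrative, not measured.
CATALOGUE = [
    ThreatAgent("organised crime", 0.8, 0.9, 0.8, 0.7, 0.8, 0.7, 0.6, 0.8, 0.9),
    ThreatAgent("disgruntled employee", 0.7, 0.5, 0.6, 0.5, 0.4, 0.9, 0.7, 0.5, 0.8),
    ThreatAgent("vandal", 0.6, 0.6, 0.4, 0.3, 0.2, 0.5, 0.6, 0.7, 0.4),
]

def rank_after_deception(agents, target_name, simulate, dissimulate):
    # Re-rank the catalogue after running a deception against one named agent
    deceived = [apply_deception(a, simulate, dissimulate) if a.name == target_name else a
                for a in agents]
    return rank(deceived)
```

Running `rank(CATALOGUE)` and `rank_after_deception(CATALOGUE, "organised crime", 0.5, 0.4)` shows the deceived agent dropping below the insider, which is the "re-examine his plan of action" outcome the later slides describe.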
InfoSec Requirements
“…the activities to protect hardware, software and intangible information at the hardware and software levels” (E. Waltz)
Information has three abstractions: data, information & knowledge
When threat agents acquire knowledge then they are able to launch active attacks with high probability of success.
Q: How do we ensure information superiority?
IO Taxonomy
IO Layer     | Function                                           | NETWAR
Offence
Perceptual   | Manage perception, disrupt decision processes      | PSYOPS, Deception
Information  | Dominate information infrastructure                | NETOPS
Physical     | Break things…, incapacitate/kill people             | Physical destruction
Defence
Perceptual   | Protect perceptions and decision-making processes  | Intelligence, Counterintelligence
Information  | Protect information infrastructure                 | INFOSEC
Physical     | Protect operations, protect people                 | OPSEC
What do we do!!!
Could we possibly deceive threat agents? Through deception we can manage our adversary’s perception and disrupt his decision-making processes.
The outcome can be twofold: either the defenders have time to react and deploy the necessary countermeasures (or finely tune the existing ones), or the threat agent will call off the attack and return to the information gathering process in order to re-examine his plan of action.
Is there a limit? Facts:
- Infrastructures follow a certain logic which allows threat agents to easily enumerate them
- Administrators introduce vulnerabilities to their system in order to make their lives easier
- The users of a system are its biggest vulnerability
Argument: Can we use deception techniques on our own users?
Security through Deception
“Actions executed to deliberately mislead adversary military decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions that will contribute to the accomplishment of the friendly mission”
Deception can be used in two ways for ensuring security:
- Simulating – showing the false, drawing attention away from the real
- Dissimulating – hiding the real, producing confusion about what is real
Technical Solution
G4DS – system that brings enterprises together in virtual communities in order to identify and monitor threat agents
Virtual Honeypots – system that takes input from G4DS in order to perform near real-time threat agent deception
Deception Methodology
- Everything should be dedicated to the execution of the deception
- Intelligence must be brought fully into the picture
- Intelligence must be assessed
- Secrecy must be enforced
- The deception plan must be designed at the top levels
- Full implementation & consistency of all elements of deception
- Deception must be continuous
Epi-logos
- Need to move the reference point from risk assessment to threat assessment
- Need to be able to identify and monitor threat agents
- Hackers are good people!!!
G4DS – system that brings enterprises together in virtual communities in order to identify and monitor threat agents
Virtual Honeypots – system that takes input from G4DS in order to perform near real-time threat agent deception
Questions?