Your Enterprise as Truth and Fiction

January 23, 2017
Deception might be a primary trick of cyber adversaries—to deceive users into clicking, to appear as a legitimate web site, and to masquerade as a known entity to elicit a response—but as cyber defenders, we can turn deception into an advantage. By deceiving an adversary and observing their actions we have the potential to uncover new tactics and true intentions, which in turn can better inform our own defenses. We could also plant misleading or false situations about the enterprise and its information to confuse and misdirect an adversary about the business mission. Using cyber denial and deception (D&D) as a strategy could advance an enterprise’s own cyber defense playbook.
Denial and deception have long been used in intelligence and military operations—think World War II’s Operation Fortitude to mislead the enemy about the Allies’ intent to land at Normandy—but its application to defensive cyber operations is finally going mainstream. By intentionally letting adversaries into a system or network while keeping their actions under intense scrutiny and control, defenders can get attackers to unknowingly reveal useful intelligence.
Cyber D&D is based on classical denial and deception theory, psychology, decision theory, and systems engineering. Although there are no integrated solutions available yet, the concepts can be easily understood and applied. A good starting point in creating a comprehensive plan is the Cyber-Deception Chain, developed and validated by MITRE. This framework helps create a deception operations strategy specific to the enterprise and its adversaries. By equipping cyber defenders to successfully use D&D against cyber adversaries, an organization can advance its knowledge of the attackers to thwart ongoing attacks and be better prepared for the next attack.
We should note that planning cyber D&D is not an isolated activity by the cyber defense team. Rather, it must cut across the various business units to encompass an organization’s mission and business objectives, not just those of cyber defense. A seamless operation can produce viable results for defense but also for the business. Appointing a cyber D&D planner is key to realizing a comprehensive “story” for any operation. Consider these elements that are used to create the illusion of your enterprise and business:
Another aspect that goes into creating an illusionary enterprise is applying what intelligence you have about your cyber adversaries so that they are not prematurely tipped off. This is where your cyber threat intelligence and SOC teams are essential in the deception planning cycle. These partners are also essential in the execution of any cyber D&D operation to help monitor and adjust the deception based on an adversary’s behavior.
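The "let them in, watch what they touch, adjust the story" loop described above and in the earlier paragraph on controlled access is easiest to see in a concrete monitoring step. The following is an added illustration, not MITRE's code and not the Cyber-Deception Chain itself. It assumes the D&D planner has planted a few decoy assets that no legitimate user or process ever needs (a fictional finance document, a fake privileged account, a planted credential file) and that audit events arrive as simple `key=value` lines; every decoy name and log line below is constructed for the example.

```python
"""Decoy-access monitor for a cyber D&D operation (added example).

Assumes: decoy assets planted by the D&D planner (constructed names below)
and host/network audit events delivered as 'key=value' log lines.
"""
from typing import Dict, List

# Decoy assets with the "story" element each supports. Constructed values:
# nothing here may collide with a real production asset.
DECOYS = {
    "\\\\fs01\\finance\\merger_plan_2017.xlsx": "fictional acquisition story",
    "svc_backup_admin": "fake privileged service account",
    "C:\\Users\\jdoe\\Desktop\\passwords.txt": "planted credential file",
}

# Constructed audit lines: one source browses normally, then trips decoys.
LOG_LINES = [
    'ts=2017-01-20T09:01:00Z src=10.0.4.17 user=jdoe action=file_read path=\\\\fs01\\hr\\handbook.pdf',
    'ts=2017-01-20T09:02:10Z src=10.0.4.17 user=jdoe action=file_read path=C:\\Users\\jdoe\\Desktop\\passwords.txt',
    'ts=2017-01-20T09:02:45Z src=10.0.4.17 user=svc_backup_admin action=logon_attempt host=dc01 result=failure',
    'ts=2017-01-20T09:03:30Z src=10.0.4.17 user=jdoe action=file_read path=\\\\fs01\\finance\\merger_plan_2017.xlsx',
    'ts=2017-01-20T09:05:00Z src=10.0.7.3 user=asmith action=file_read path=\\\\fs01\\hr\\handbook.pdf',
]


def parse_line(line: str) -> Dict[str, str]:
    """Parse a 'key=value key=value' audit line into a dict (values have no spaces)."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def decoy_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per event that touches a planted decoy.

    A decoy has no legitimate use, so any access to it is high-fidelity
    evidence of an intruder (or a badly configured tool), not noise to triage.
    """
    alerts: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_line(line)
        touched = None
        # A decoy can be tripped by reading its path or by using its account name.
        for candidate in (ev.get("path"), ev.get("user")):
            if candidate in DECOYS:
                touched = candidate
                break
        if touched is None:
            continue
        alerts.append({
            "ts": ev["ts"], "src": ev["src"], "action": ev["action"],
            "decoy": touched, "story": DECOYS[touched],
        })
    return alerts


def adversary_timeline(lines: List[str]) -> Dict[str, List[str]]:
    """For each source that tripped a decoy, return its full ordered action list.

    This is the "observe their actions" half of D&D: once a source is known to
    be hostile, every event from it (decoy or not) becomes intelligence about
    tactics, and the planner can adjust the story in response.
    """
    hostile = {a["src"] for a in decoy_hits(lines)}
    timeline: Dict[str, List[str]] = {src: [] for src in hostile}
    for line in lines:
        ev = parse_line(line)
        if ev["src"] in hostile:
            target = ev.get("path") or ev.get("host", "")
            timeline[ev["src"]].append(f'{ev["ts"]} {ev["action"]} {target}')
    return timeline


if __name__ == "__main__":
    for alert in decoy_hits(LOG_LINES):
        print("DECOY HIT", alert)
    for src, events in adversary_timeline(LOG_LINES).items():
        print(f"timeline for {src}:")
        for event in events:
            print("  ", event)
```

Two design points matter for an operation like the one the article describes. First, the alert carries the story element the decoy supports, so the SOC and the D&D planner immediately know which part of the fiction the adversary has bought into and can decide whether to reinforce it or retire it. Second, the timeline deliberately includes the non-decoy events from a hostile source, because the earlier "normal" browsing is often the clearest record of how the intruder moves and what they were looking for.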
Using cyber D&D is meant to affect an adversary’s situational awareness of the enterprise and the execution of their attack. The observations they use to make decisions and act against an organization might be deceiving, thus buying defenders more than time—defenders might gain an advantage over the adversaries that they didn’t see coming.