Authors of New Cyber Denial & Deception Book Tell All! Or Do They?

April 2016
Topics: Cybersecurity, Computer Security, Information Systems, Information Security Operations
Is honesty the best policy? Not always. With cybersecurity, sometimes it's better to conceal fictions, reveal fictions, reveal facts, and conceal facts. A new book by MITRE cyber experts outlines how to use deception to deny hackers the access they seek.

In keeping with MITRE's knowledge-sharing mission as the operator of federally funded research and development centers (including the National Cybersecurity FFRDC), a group of our cyber experts has written Cyber Denial, Deception, and Counter Deception: A Framework for Supporting Active Cyber Defense. The book's goal: help organizations think seriously about using deception as a strategic approach. We sat down with some of the authors—Kristin Heckman, Frank Stech, and Ben Schmoker—to discuss the book. (And in keeping with the spirit of the book, we're not identifying which author gave which comment.)

MITRE: What's Cyber Denial, Deception, and Counter Deception about? Why did you write it?

Authors: Denial and deception, or "D&D," is a classic element of tradecraft from the world of intelligence. D&D go together—you keep your enemies from finding what they're looking for, often through misdirection or by providing intentionally false information. This book explains what we call the "Cyber-Deception Chain," which is a flexible planning and execution framework for creating tactical, operational, or strategic deceptions in the cyber—as opposed to the physical—world.

We detail concepts for cyber-D&D planning operations and management within the larger organizational, business, and cyber-defense context. The book examines why it's necessary to have a comprehensive, active cyber-denial scheme, instead of a patchwork approach.

In our MITRE work, we couldn't find any existing cyber-denial and deception courseware or textbooks. We wanted to create foundational material for advanced students and professionals. We wanted to start the dialogue in this area. As it gets going, we want to broaden and deepen it.

MITRE: How did the book come about and who should read it?

A: The book resulted from years of research. Our team wanted to explore the art of the possible—to bridge the knowledge gap between cybersecurity and classical denial and deception theory. We began by noting good deception tradecraft in the open literature and looked at how we could apply it to the field of cybersecurity.

We could have stuck strictly to this course, but we felt the need to take what we knew from a variety of domains, carefully adapt it to this new virtual world, and do some deep systems engineering thinking about how all the pieces fit together. Along the way, we developed practical advice from our novel research and from other work at MITRE, academia, and private industry.

It’s a reference for cyber professionals, researchers, government employees, and advanced-level computer science students. It's not just for people working in cybersecurity operations centers—it's wider than that.

MITRE: What is the current landscape of cyber-D&D? Who should be using cyber-D&D?

A: There is a lot of cyber research, some of it related to D&D, that is not yet integrated into active cyber defense programs.

We wanted to develop an interdisciplinary framework that built on the open literature in cybersecurity, classical D&D theory, psychology, decision theory, and systems engineering. Deception is common on the technical side of computer security—for example, creating a "honeypot," which is a system that lures in and catches would-be hackers. But it’s not commonly used at an operational or strategic level, such as creating a fake program to achieve a specific deception goal.

We also saw a need for executive-level understanding of deception, so that executives can see how cyber-D&D can help enterprises facing persistent economic espionage and e-crime.

MITRE: The book includes detailed case studies. Are these real-world case studies or were they conducted within MITRE?

A: One of the case studies is notional, but the STUXNET case study is real. As researchers, we used the open literature for our analysis of the worm and related methods. STUXNET clearly used D&D, and we pointed out the details we noted from the open literature.

There is a need for additional research, and our hope is that others in the research community will apply the D&D framework to new case studies.

MITRE: What benefits and pitfalls should organizations and companies consider before employing cyber D&D?

A: As we describe in Chapter 6 of our book, an organization should be aware of the risks in employing defensive cyber-D&D. There are unintended effects and consequences, the potential for operational failure, and the possibility of compromise—exposure of your tactics or feedback channels.

We also outline a number of benefits, such as delaying an adversary’s operation, increasing their costs by potentially forcing investment in new tools, and increasing defender cyber intelligence. We also discuss the benefits of standardization and sharing cyber-threat intelligence and information within trusted organizations. Standardizing data increases their usability across the widest possible community of partners. Trusted sharing can result in “herd immunity”: enabling all partners to have a more complete and accurate situation awareness of the threat landscape. Just as trusted partners share cyber-threat intelligence, they can share cyber-D&D operational details.

MITRE: How has MITRE contributed to the fight against cyber threats?

A: There are too many things to list! For example, MITRE has been involved for decades in developing both IT and cyber standards and information-sharing platforms. One of our most successful initiatives is the combination of Structured Threat Information eXpression, or STIX™ for short, and Trusted Automated eXchange of Indicator Information, also called TAXII™. Together, they allow organizations to share cyber threat information in a secure and automated manner. STIX and TAXII have been so well received that they are now available to the wider cyber community through an open standards organization.

Recently, MITRE published the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Matrix, listing post-exploit attacker techniques and the indicators defenders can use to detect them. We are adding cyber-D&D tactics and techniques to this matrix to prompt defenders to consider using deception against specific attacker methods.

MITRE: Can you describe any recent events where cyber-D&D and counter deception might have thwarted malicious activities?

A: Deception has been used to successfully fight e-crime for over a decade by numerous organizations, particularly in Europe. But that’s a difficult question to answer given that successful and unsuccessful D&D techniques should be kept private—to avoid revealing the actual tradecraft and methods to possible adversaries. Sharing tradecraft among trusted partners, of course, is another matter.

As successful intruders add D&D to their arsenal, the cyber defense community can counter by sifting for operational mistakes that point to the intruder’s true intent.

Our hope is that by analyzing the deceptive techniques of real intrusion groups, we can help inform future intrusion responses. We have just begun the conversation.

The 251-page book was written by Kristin F. Heckman, Frank J. Stech, Roshan K. Thomas, Ben Schmoker, and Alexander W. Tsow and published by Springer International Publishing. It's available for purchase through Amazon, Barnes & Noble, and other booksellers in both print and electronic formats.
