Deception emerges as game-changing tactic in cyber offense, defense

When an attack occurs, consider whether it might be a diversionary move

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Mis­di­rec­tion has always been a facet of both offen­sive and active defense cyber­se­cu­ri­ty oper­a­tions, but one that is increas­ing in inter­est and use these days.

Using decoy con­trols and tac­tics in active­ly defend­ing a com­pa­ny is part of a well-coor­di­nat­ed cyber strat­e­gy and holis­tic cyber­se­cu­ri­ty pro­gram. On the oth­er side of the coin, decep­tion in an offen­sive mode also can be part of the trade­craft of nation-states and cyber crim­i­nals, too.

Why dis­cuss these aspects now? With the world’s cyber­se­cu­ri­ty pro­fes­sion­als focused on respond­ing to ran­somware attacks, chas­ing the next worm, patch­ing servers, or run­ning after users click­ing on phish­ing emails that change their Google Dri­ve set­tings, one must ask the ques­tion: Are at least some of these attacks cov­er for or dis­trac­tions for more nefar­i­ous cyber attacks?

Relat­ed arti­cle: Petya sig­ni­fies arrival of more sophis­ti­cat­ed malware

If the Not­Petya out­break was tru­ly meant to derive prof­it from ran­somware pay­ments, then it is unlike­ly to achieve its full objective.

Was mis­di­rec­tion the goal?

If, how­ev­er, the Not­Petya out­break was meant to fur­ther probe com­pa­nies that have not patched the SMB vul­ner­a­bil­i­ty and/or exploit these sys­tems with a tar­get­ed zero-day attack and slide in under the radar, then the art of mis­di­rec­tion may have been achieved.

Much like past data breach­es that have used a DDoS attack to over­whelm and dis­tract the company’s resources, get­ting teams of cyber­se­cu­ri­ty pro­fes­sion­als to run around in response to the night­ly news is one poten­tial strat­e­gy that might work.

Mil­i­tary model

It is not only attack­ers that use these tech­niques though. Mil­i­taries around the world have used decep­tion and mis­di­rec­tion on the bat­tle­field to influ­ence, con­fuse, lie to, or cause spe­cif­ic reac­tions from their adversary.

Elec­tron­ic war­fare com­mands have fought mis­di­rec­tion cam­paigns for many decades and in cyber space as well. Whether it is blind­ing an enemy’s radar and over­whelm­ing the radar tech­ni­cian with too many tar­gets or send­ing up false sor­ties that look like they are going to attack via a dif­fer­ent route, these cam­paigns deceive the ene­my and pre­oc­cu­py their time.

Sim­i­lar­ly, decep­tion tech­niques in cyber space have con­tin­ued to grow and become more preva­lent today based on recent advances in the scale of the cloud, automa­tion, behav­ioral ana­lyt­ics, and the abil­i­ty to oper­a­tional­ize such pro­grams through exter­nal ven­dors and tools.

Use becom­ing widespread

Much has changed from the days of the sim­ple hon­ey­pot to the sophis­ti­ca­tion of entire false envi­ron­ments designed to serve as a trap or decoy for an adver­sary to latch onto. Much of the trade­craft that was used in the intel­li­gence and mil­i­tary doc­trine is becom­ing avail­able for com­pa­nies to deploy to watch their net­works from an active defense mode.

As we watch events unfold, we must be vig­i­lant in ask­ing the addi­tion­al ques­tion: Can this be an attack that is meant to deceive or mis­di­rect atten­tion from nor­mal oper­a­tional aware­ness? If so, we might want to ensure we are main­tain­ing vig­i­lance in all areas.

More sto­ries about new attack tactics:
Ran­somware attacks are a fact of life, so real-time detec­tion, response is critical
With cyber threats the new nor­mal, orga­ni­za­tions must put NIST best prac­tices into play
Ran­somware ram­page takes aim at busi­ness targets