Deception emerges as game-changing tactic in cyber offense, defense
When an attack occurs, consider whether it might be a diversionary move
By Chris Pierson, Special to ThirdCertainty
Misdirection has always been a facet of both offensive and active defense cybersecurity operations, and both interest in it and use of it are increasing these days.
Using decoy controls and tactics to actively defend a company is part of a well-coordinated cyber strategy and holistic cybersecurity program. On the other side of the coin, deception in an offensive mode can also be part of the tradecraft of nation-states and cyber criminals.
Why discuss these aspects now? With the world’s cybersecurity professionals focused on responding to ransomware attacks, chasing the next worm, patching servers, or running after users clicking on phishing emails that change their Google Drive settings, one must ask the question: Are at least some of these attacks cover or distraction for more nefarious cyber attacks?
If the NotPetya outbreak was truly meant to derive profit from ransomware payments, then it is unlikely to achieve its full objective.
Was misdirection the goal?
If, however, the NotPetya outbreak was meant to further probe companies that have not patched the SMB vulnerability and/or exploit these systems with a targeted zero-day attack and slide in under the radar, then the art of misdirection may have been achieved.
Much like past data breaches that have used a DDoS attack to overwhelm and distract the company’s resources, getting teams of cybersecurity professionals to run around in response to the nightly news is one potential strategy that might work.
It is not only attackers that use these techniques, though. Militaries around the world have used deception and misdirection on the battlefield to influence, confuse, lie to, or cause specific reactions from their adversary.
Electronic warfare commands have waged misdirection campaigns for many decades, including in cyber space. Whether it is blinding an enemy’s radar and overwhelming the radar technician with too many targets or sending up false sorties that look like they are going to attack via a different route, these campaigns deceive the enemy and occupy its time.
Similarly, deception techniques in cyber space have continued to grow and become more prevalent, driven by recent advances in the scale of the cloud, automation, behavioral analytics, and the ability to operationalize such programs through external vendors and tools.
Use becoming widespread
Much has changed from the days of the simple honeypot to the sophistication of entire false environments designed to serve as a trap or decoy for an adversary to latch onto. Much of the tradecraft used in intelligence and military doctrine is becoming available for companies to deploy to watch their networks in an active defense mode.
As we watch events unfold, we must be vigilant in asking the additional question: Can this be an attack that is meant to deceive or misdirect attention from normal operational awareness? If so, we might want to ensure we are maintaining vigilance in all areas.