A Systematic Approach to Cyber Deception (Part 1 of 4)


This series is about

Knowing ourselves, knowing our enemy, and planning in a way that conjures "grounds" and "weather" to our advantage.

This approach is adapted from the paper by Mohammed H. Almeshekah and Eugene H. Spafford, published by Springer International Publishing Switzerland in 2016. I will share practical pointers through a series of questions in the context of Industrial Internet-of-Things (IIoT) and Operational Technology (OT) networks.

What is Cyber Deception?

Cyber here refers to the Cyber-Physical Systems found in industrial networks, where an impact can have Safety and Availability consequences. Deception is about showing the attacker something false in order to gain early warning and deterrence, and, for attackers who are not deterred, to divert them away from real assets. But how is that achieved?

It always involves two basic steps: hiding the real (dissimulation) and showing the false (simulation).

Considerations Specific to Industrial Networks

  1. Safety Risks
  2. Availability Risks
  3. Realism to attackers
  4. Secrecy

The first three Primary Considerations (PCs for short) are self-explanatory. The fourth depends on the overall objective. For a honeynet whose purpose is to lure attackers and collect intelligence, a lack of secrecy could ruin the entire effort. For the purpose of deterrence, secrecy may not be a PC at all, since attackers may back off precisely because they know it is a trap.
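To make the two basic steps and the four considerations concrete, here is an added example of a decoy PLC. It is my own illustration, not code from the Almeshekah and Spafford paper or from this article. The choice of Modbus/TCP, the register map, the process values, port 5020 and the alert format are all assumptions made for the illustration. The decoy shows the false (a plausible register table that answers reads and writes the way a real device would, including the standard exception codes an attacker's scanner expects), hides the real (writes only touch the decoy's own copy of the table, so there is no Safety or Availability path to production equipment), and turns every request into an early-warning record, since no legitimate client has a reason to talk to a decoy.

```python
import json
import socket
import struct
import time

# Constructed register map for a hypothetical two-pump water skid.  A real
# decoy would copy the register layout of the PLC model it pretends to be,
# so that an attacker's scan or HMI project file lines up with what it sees.
DEFAULT_REGISTERS = {
    0: 1,      # pump 1 run status (1 = running)
    1: 0,      # pump 2 run status
    2: 1450,   # pump 1 speed, rpm
    3: 0,      # pump 2 speed, rpm
    4: 372,    # discharge pressure, kPa
    5: 215,    # tank level, cm
}

# Modbus exception codes from the Modbus application protocol specification.
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02
EXC_ILLEGAL_DATA_VALUE = 0x03


def _frame(tid, unit, pdu):
    """Prepend the MBAP header: transaction id, protocol id 0, length, unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def build_fc3_request(tid, unit, addr, qty):
    """Read Holding Registers request, as a scanner or HMI would send it."""
    return _frame(tid, unit, struct.pack(">BHH", 3, addr, qty))


def build_fc6_request(tid, unit, addr, value):
    """Write Single Register request."""
    return _frame(tid, unit, struct.pack(">BHH", 6, addr, value))


class DecoyPLC:
    """Simulates a PLC's holding registers over Modbus/TCP.

    Dissimulation: the decoy is wired to nothing, so a 'successful' write only
    changes its own table.  Simulation: reads, writes and errors follow the
    Modbus spec, so probing tools see a real-looking device.  Early warning:
    every frame received becomes an alert record.
    """

    def __init__(self, registers=None):
        self.registers = dict(DEFAULT_REGISTERS if registers is None else registers)
        self.alerts = []

    def handle_request(self, frame, src):
        """Handle one Modbus/TCP frame; return the response bytes (or None)."""
        alert = {"ts": time.time(), "src": src, "raw": frame.hex()}
        self.alerts.append(alert)  # alert first: even garbage is worth knowing
        if len(frame) < 8:
            return None
        tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
        fc = frame[7]
        alert.update(unit=unit, fc=fc)
        if proto != 0 or length != len(frame) - 6:
            return None  # malformed MBAP header; real stacks drop these silently

        if fc == 3 and len(frame) == 12:              # Read Holding Registers
            addr, qty = struct.unpack(">HH", frame[8:12])
            if not 1 <= qty <= 125:
                return _frame(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_DATA_VALUE]))
            wanted = range(addr, addr + qty)
            if any(a not in self.registers for a in wanted):
                return _frame(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_DATA_ADDRESS]))
            values = [self.registers[a] for a in wanted]
            pdu = struct.pack(">BB", fc, 2 * qty) + struct.pack(">%dH" % qty, *values)
            return _frame(tid, unit, pdu)

        if fc == 6 and len(frame) == 12:              # Write Single Register
            addr, value = struct.unpack(">HH", frame[8:12])
            if addr not in self.registers:
                return _frame(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_DATA_ADDRESS]))
            self.registers[addr] = value               # only the decoy's copy changes
            return _frame(tid, unit, frame[7:12])      # spec: echo the request PDU

        # Anything else (coils, diagnostics, device identification, ...) gets
        # the same 'illegal function' reply a minimal real PLC would give.
        return _frame(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION]))


def serve(host="0.0.0.0", port=5020):
    """Serve clients and print one JSON alert per request (assumed port; 502
    needs root).  In practice the alerts would be shipped to the SIEM."""
    plc = DecoyPLC()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            with conn:
                while True:
                    frame = conn.recv(260)  # max Modbus/TCP ADU is 260 bytes
                    if not frame:
                        break
                    resp = plc.handle_request(frame, peer[0])
                    print(json.dumps(plc.alerts[-1]))
                    if resp:
                        conn.sendall(resp)


if __name__ == "__main__":
    serve()
```

Two design points matter for Realism and Secrecy. First, the decoy answers unsupported function codes with exception 0x01 rather than closing the connection, because a connection that drops on the first unusual request is itself a tell. Second, the alert is recorded before any validation, so a malformed probe, which is exactly what a fingerprinting tool sends, still raises the early warning.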

Phases of Cyber Deception Campaign

A campaign is divided into three phases: Planning > Implementation & Integration > Monitoring & Evaluating. Throughout all three we need to be mindful of the considerations above: Safety, Availability, Realism and, depending on the strategic goal(s), Secrecy.

A further break-down of the three phases is as follows:


Figure 1

The first two considerations, Safety and Availability, are addressed at step 6 of the figure, identifying risks and countermeasures. I will explain the remaining steps along the way. An astute reader may ask: why bother with all this, aren't there "Deception 2.0" Commercial-Off-The-Shelf (COTS) solutions?

I will go on to explain how COTS and custom deception can be combined to deal with Advanced Threat Actors by exploiting the inherent mental biases they may hold.

Why combine them? We must assume Advanced Threat Actors have the resources to fingerprint COTS deception solutions and to get into our networks through routes we least expect.

In the next part of this series, I will cover how to plan and measure success.

