Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online
Authors: Sean Bodmer
Tags: #General, #security, #Computers
Germans saw Hitler as an Aryan leader, not as an Austrian, in the same way that many in Iran see Mahmoud Ahmadinejad as a Muslim leader and not, as he was recently revealed to be, of Jewish heritage (per an article in the UK
Telegraph
by Damien McElroy and Ahmad Vahdat, published in 2009).
“Limitations to Human Information Processing”
Cognitive psychology is the study of internal mental processes, and is a key factor in understanding and explaining the two limitations to human information processing that are exploitable by deceptive techniques. Many in the deception business refer to these techniques as
conditioning
of the COG.
The “law of small numbers” is rather self-explanatory. It is very effective and very simple. The premise is that when one is presented with a small set of data, conclusions should be reserved. A single incident or two is no basis for building conclusions, and a decision should be delayed if at all possible. Additionally, a statistically significant data set requires a larger sample.
The second limitation of human information processing is fixed on the susceptibility to conditioning (the cumulative effect of incremental small changes). Small changes over time are less noticeable than an immediate, large-scale change. A man who lives on the side of a hill doesn’t notice how his land erodes from wash-off year to year, but take a snapshot and look at it at 25-year intervals, and he will notice something amazing: the land has receded, and many cubic yards have been removed from his yard!
We all know the story of the boy who cried wolf. In short, he called out false alarms to the village people so many times that they turned a deaf ear to him. The one time he really needed some backup, they ignored him because he had abused their trust so many times, and let’s just say things did not work out so well for the boy. His constant beckoning (stimuli) with no threat changed the status quo and adjusted the baseline of the data the villagers received. He created a whole new paradigm because his cries were perceived to be innocuous, and the alarm of “wolf!” was invalidated. What would he yell if he had encountered an actual wolf? How would they know? They did not much think that out, but they knew that when this boy cried “wolf,” it was no cause for alarm. The wolf then used this opportunity to attack because “wolf!” was invalidated.
“Multiple Forms of Surprise”
The US Army has an acronym for everything. One that is used for reconnaissance reporting is very effective in conveying the “Multiple Forms of Surprise” maxim: SALUTE. These letters stand for the following elements:
S
ize How many people?
A
ctivity What are they doing? How are they doing it?
L
ocation Where are they?
U
nit/Uniform What are the markings and distinctive unit insignia? What are they wearing?
T
ime When did you observe and for how long?
E
quipment What do they have: rifles, tanks, construction equipment…?
By remembering this acronym, a complete picture of the unit can be formed. What if the adversaries saw a different presentation from the same unit every time their scouts reported the activity? Would they be able to picture the true composition and intent of the unit? The more variance in these items, the better the chance of achieving a comprehensive deception.
“Jones’ Dilemma”
Deception is more difficult when uncontrolled information avenues and sources are available to the adversary’s COG, because it allows the adversary to access factual information and get a picture of the actual situation. When you control these avenues, you can also control the content, amount, and frequency of that data as needed, and the picture of the situation that you paint will become your adversary’s picture as well.
“Choice of Types of Deception“
Ambiguity-decreasing deceptions against adversaries are employed to reinforce the story and make the adversaries very certain, doubtless, and absolutely wrong in their conclusions. Ambiguity-increasing deceptions accomplish the opposite, making adversaries increasingly more doubtful and confused or uncertain by clouding their situational awareness.
“Husbanding of Deception Assets”
First appearance deceives many
.
—Ovid
Sometimes it is necessary to withhold the use of deception. There are situations where the delayed employment would have a greater effect and a broader range of success. An example in a cyber situation is where there has been scanning of systems (adversarial surveillance and reconnaissance), but no deception was employed. Now the adversary has a picture of what he is looking for and will return to exploit his success. This time, however, a deception technique is employed, and the adversary is caught off guard and loses the initiative. The defenders have withheld the deception to a greater advantage because they have fought at the time and place of their choosing.
“Sequencing Rule”
Deception activities should be put in a logical sequence and played out over a long period of time to maximize their effects and protect the true mission for as long as possible. A successful strategy will employ less risky elements of the deception early in the sequence, while holding and executing the more volatile ones later. As more risky elements are executed through displays, feints, and other methods, the deception planner will assess if the deception has been discovered, and in that case, it can be terminated. This leads to the next and all-important maxim.
“Importance of Feedback”
An Intelligence, Surveillance, and Reconnaissance (ISR) plan must be developed to obtain feedback. This is of the utmost importance and cannot be minimized under any circumstances. The chance of success of a deception is directly dependent on accurate and timely feedback to determine whether the deception is effective, and if countermeasures have been employed by the adversary to include the employment of counterdeception. Feedback allows for the freedom of movement to outmaneuver adversaries by staying one step ahead because you will be aware of their movements and intentions well in advance of any actual activities.
“Beware of Possible Unwanted Reactions”
Sometimes, a deception operation may spur an undesirable action from the COG, which could lead to undesirable actions by friendly forces. At times, all synchronized parts of a deception are played out in a perfect manner. However, the adversary may see the deception story and take actions that were not expected, catching friendly forces off guard, since the average soldier or leader on the ground had no idea there was ever a deception operation. The sensitivity of deceptions is such that they are highly compartmented, and access to them is guarded by strict “need-to-know” limits.
A second, and underanalyzed, troubling situation occurs when the planner assesses the consequences of success. These unwanted reactions are the result of a deception that causes the COG to take the actions we expect. The problem is that the actions we desire do not yield the results for which we initially assessed and planned. This could be a strategic and colossal blunder that actually inhibits the operation and has a negative impact on mission success. There is no recovery from this type of result, because the deception is already played out, and nothing remains to save the deception mission.
Careful planning and prudent analysis are paramount during the Course of Action development and war gaming to vet each possible response to the deception operation in order to minimize the consequences of success.
“Care in the Design of Planned Placement of Deceptive Material”
Folks, let’s not make it too obvious that we are conducting a deception operation. When there is a windfall of information, there is intense scrutiny of its validity. Security violations happen in some of the most unlikely environments, including those with ongoing and active security countermeasures.