Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online
Authors: Sean Bodmer
Tags: #General, #security, #Computers
Deception is about manipulating the behavior of another to the benefit of oneself without the permission of the other. We undertake to do it on the assumption that the other—who we call the adversary—would not cooperate if he knew what we intended and the consequences. One does not deceive out of idle curiosity, because deception always has consequences. (It’s the consequences, after all, that the deception exists to bring about.) By definition, the consequences of deception are intended to injure the adversary.
Of course, self-deception is a different thing altogether, and is a subject for psychologists, although an approach to a deception might be to encourage an adversary’s self-deception. How easily we slip into the hall of mirrors. Let that be the first caution to would-be deceivers.
There are a seemingly infinite number of ways that one human has been able to manipulate another’s behavior.
The Real Purpose of Deception
What deception is and what its purpose is are separate questions, just as intelligence is not simply information—it is gathered, processed, and distributed for a purpose. Deception is about manipulating behavior of an adversary
for a reason—
that is, to advance some defined end.
Barring accident or a deliberate violation of rules, one can gain unauthorized access to protected information only by appearing to be an authorized recipient—to deceive. Deception is the unauthorized agent’s method of access.
4
Deception is fundamental to hacking. But what was the purpose of the deception? “To get access to the network,” you say. Yes, but there is a deeper, preexisting, and subsequent purpose, such as to increase order and predictability in competitive situations but to the benefit of only one side—the deceiver’s side. Implied is the deceiver’s intent and ability to exploit this relationship. What point is there to manipulating a competitor if there is no intent or ability to benefit by doing so?
Some discussions of deception deal with the adversary’s beliefs. They assert that the objective of deception is to make the adversary certain of his understanding of a situation, but wrong. We would argue that the adversary’s belief is nearly irrelevant. What matters is that he does what the deceiver desires him to do. It is then merely a question of whether the deceiver has been competent enough to ensure his ability to take advantage of the situation he has brought about.
Why not simply take what one wanted—steal it, seize it, or grab it? In the military context, why not conquer, occupy, or destroy? Why bother going to the trouble of dreaming up schemes that may fail or be subverted?
There are many reasons. Here are a few:
It is not always possible to obtain information by directly asking for it without compromising the intent behind the request.
One may not know how to get at what one wants.
One may not be strong or smart enough.
One may be deterred by political, legal, ethical, or social considerations.
The object of deception is to control, to the deceiver’s advantage, the behavior of an adversary.
The threat of deception adds an element of deterrence to other defenses.
Deception may facilitate intelligence gathering, which may then be used to improve defenses and as input to future deception plans.
Deflecting an adversary causes him to spend his time and resources harmlessly.
But, if the matter is sufficiently important and the goal is sufficiently desirable, an attacker may choose to be undeterred. What then? This is not the place to discuss tactics. Yet, as the manipulation of others’ behavior is the core of this book, we will make a suggestion: Go to an Internet search engine and search for “reflexive control.” You will find much to think about, especially in a report by Vladimir and Victorina Lefebvre, titled “Reflexive Control: The Soviet Concept of Influencing an Adversary’s Decision Making Process” (SAI-84-024-FSRC-E, Science Applications, Inc., Englewood, CO, 1984). You could also do an Internet search for “Vladimir Lefebvre.” Following the links is an interesting and educational journey.
Reflexive control is a concept under which one controls events by sequencing one’s own behavior to induce responses and to create incentives for the adversary to behave as one wishes. This indirect approach proceeds from that one thing over which the deceiver has sure control: his own behavior.