Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online
Authors: Sean Bodmer
Another drawback in operating unfettered on your own network or on your company network is management. In many ways, an organization’s real problem is understanding the situation. Most people think that the problem is the problem; however, many managers, lacking the technical or leadership skills, cannot even define the problem. This leads to a schism between the frontline workers and the management addressing the problem. Once we understand what the real problem is, we must then understand and accept that management is ill-equipped to design a functional solution to it.
Much may be said and done, even before the first solution is out of the gate. This may work well in some environments; however, with deception, there is an inherent danger in portraying the wrong information. Facts are facts, and they do not change. If a deception story is played out, it may be received by the COG (target of the deception) in one way or another. How the COG receives the message, how it is interpreted, and how it is perceived play a huge role in what the next step will be. Perception may change what a piece of information means to the deception target, but it will not change the information itself.
Deception is about psychology, not technology. Of course, technology is an enabling capability, as are numerous other vehicles, but the real answer comes from the deception theme: the message you want brought forward and the actions you want the adversary to take. No special technology is needed to influence a person’s decision-making process. Deception is also cultural, as are all types of information operations. This is a concept that Deborah Plunkett (Director of the IAD at the National Security Agency), the private sector, and governments around the world are not grasping. Hacker groups can be great at technical exploits, and many are. They also are very good at the psychological aspect: the rich Nigerian banker who needs help in cashing in a fortune, a dying child suffering from a rare case of cancer, and countless others that have made their rounds in inboxes around the world. These appeal to the human side and entrap the recipient with a strong urge to know what it is all about.
Additionally, private industry is great at getting people to pay for things they can get for free. Many people are overwhelmed, intimidated, lack the technical skills, or are just too lazy to research possible solutions on their own. They are more than happy to rely on a third party to tell them what they need or don’t need to solve the problems they may or may not have. In these cases, different companies will happily collect as much of your capital as you will part with to do something most people could do on their own. Few are good at operational deception because it goes beyond our everyday little white lies and self-preservation comments of half-truths, incomplete truths, and facts of omission.
The computer security industry is in dire need of a true leader—not a CEO or federal figurehead, but someone who can stand up and knock the ball out of the park. Operational deception is an art, and as such, must weather the scientific storm of analysis, scrutiny, and exposure to achieve its goal.
Simple is best. There is no need to create an elaborate story when a simple one will do. You do not want a very complicated story that the target and everyone who has his ear (conduits) can misunderstand, and then perhaps act in a way detrimental to your situation. Besides, when people are faced with a complicated situation or problem, they simplify it in order to understand it. If you create a complex deception message, it will just get translated into a simplified version and reassembled later on.
Here’s a game you might remember. As children, we played a game where a message initiated from a note was to be verbally passed on from person to person. We had roughly ten children, so the story was told and retold time and time again. When everyone told the story, we all turned to the last person to receive the message. This unlucky child had to recite the message in front of everyone. Unfortunately for him, the message did not resemble the initial message in any way, shape, or form. How did that happen? How bad would it be if your deception message needed to go through five or six people to get to the COG? How much worse if you had developed a complex story! Your intentions may not be realized by the deception target because the target may never hear what you are really saying.
Tall Tale 1
Bob liked Alice. Alice knew it, but no one else at Network Unconventional Threat, Inc. (NUTS, Inc.) knew about the office romance. They had worked for several months on closing a deal that had the potential of landing them big promotions and a life on easy street. The Security of Utopian Practitioners (SOUP) Corporation from Nagasaki, Japan, a partner of NUTS, Inc., was very impressed with their effort and extended them a warm welcome when they arrived at SOUP Corporation headquarters to finalize the proposal. The two companies had worked on a proprietary project on improved widget technology and its effect on clean coal. They took every security precaution possible, including working on the proposal on a closed network with two-person authentication for login. The two companies in cooperation created an active OPSEC program, and used their corporate security offices to help with countersurveillance and other threats to the program.
Very few people knew of the program details, let alone its existence. Key components to the technology were protected even further. The very formulas that calculated widget thermodynamics were considered critical to the success of the program. Although NUTS executives were comfortable with their colleagues from Japan, they did not want to lose their intellectual property; to do so could cause financial ruin.
Bob and Alice’s contact at SOUP Corp was an up-and-coming junior executive named Adolf Hirohito. Adolf was a bright man with a very promising future at SOUP Corp. His keen wit and sharp mind made him the most dreaded man in the corporation, because if there were a shortfall in your program, he would find it.
Adolf, Bob, and Alice had spent many hours together over the course of the past six months. They had worked long hours on many late nights. As the minutes ticked away, they worked harder and harder to complete the requirements of a very complex proposal. With the time difference between Nagasaki and Atlanta, the three engaged in many late night and early morning teleconferences. Even then, they took every precaution and ensured their video teleconferences were point-to-point and encrypted. They took no chances in an environment where other corporations would jump at the opportunity to scoop up any misplaced or unsecured information and turn it into their own success.
Bob and Alice spent the entire 15-hour trip from Atlanta to Nagasaki together with their laptop, which contained their precious information. They felt sluggish but overall pretty good when they arrived and were greeted by their friend, Adolf. Back in Atlanta, the project had been a success, and NUTS executives were very excited about the proposal. Tomorrow was the big day for Adolf and his executive board at SOUP. As the three finished a late afternoon rehearsal, they all eventually agreed that they would meet for an early dinner because they were first up in the morning. None of them wanted anything to go wrong at the meeting. Dinner was great. They all shared a common favorite of Lebanese cuisine and had a couple of drinks. Then Bob and Alice went back to their hotel, and Adolf went home for the night.
It seemed like the sun rose too early the next morning for Bob and Alice. They scurried to get dressed and quickly moved downstairs for breakfast. Today was going to be a great day, Bob could tell. As he and Alice sat to start their breakfast, Bob was alarmed when he noticed that neither he nor Alice had brought down their laptop. In the early morning shuffle, they had simply forgotten to grab it. He told Alice, and the two headed back up to retrieve their computer with their golden nuggets of information. When they arrived, they both sat down and immediately checked for tampering. Noticing none, they opened the case and turned on the computer. Needing two-person authentication was not a problem since they both had access. As they brought up the screen, they noticed nothing out of the ordinary, and they quickly shut it down after they agreed no one had accessed the information it contained.
This time, with their computer in hand, they went back downstairs and finished eating their breakfast. A bit unnerved that their laptop had been left in the room for ten minutes without them, they pressed on and finished. They packed the rest of their belongings, and headed off to SOUP to meet Adolf and get set up for the presentation.
As they arrived at SOUP, they were met at the gate by a guard. Showing their ID and giving the name of their point of contact, Adolf Hirohito, had always ensured speedy processing through the normally wearisome process of gaining facility access. This time, however, they were met with a refusal. The guard could not find them on the access list that day. Frantically, they tried to call Adolf, but to no avail. He was unreachable. They dialed until the batteries on their phones nearly died, and they were left with no recourse but to return to Atlanta. Their flight, only a couple of hours away now, and an unhappy phone call were the only things between them and almost certain dismissal from the firm.
The flight seemed twice as long as the 15-hour flight from Atlanta and much less jovial. Bob and Alice lamented the events of the day and were very confused about what had actually happened. NUTS would need to rectify the situation or pull out of the proposal with SOUP. Concurrently, inside the SOUP executive boardroom, corporate leadership was getting treated to the latest market innovation in widget technology. The team prepared the rest of their proposal. Without NUTS, the team would be able to complete the proposal alone and keep 100 percent of the profits. The team members were fixated on how completely they had acquired key information from the NUTS representatives. Having Alice on their side was truly the key, and they were prepared to reward her well.
When they arrived back in Atlanta at NUTS headquarters, Bob and Alice were whisked away to the CEO’s office to explain what happened in Japan. As they entered, all in the room were witness to a news release from the president of SOUP stating that his company was preparing a unilateral proposal because of conflict or some other problem with NUTS. Bob didn’t listen.
Thankfully, the NUTS CEO decided that all was not lost, but swift action was needed. After a stern session with Bob and Alice, the CEO called in the Director of Security for a chat. It seemed that the information security posture of the company was such that the CEO and CIO authorized a deception program to bolster the overall protection of NUTS information. The company did this through a simple technology. The CEO called for Bob and Alice again to give statements to the Director of Security, but Alice was gone. She was nowhere to be found. CCTV revealed that she left right after the meeting with the CEO. Bob was dumbfounded.
As the interview went on, the security team found out that, although Bob and Alice had different passwords for their two-person authentication, Alice had socially engineered Bob’s out of him by establishing a close relationship with him. Once she was close, he let down his guard. He would look away when she entered her password, but when he entered his, she did not. All it took was for Bob to walk away to the bathroom for a minute, and she could get all the data she wanted from the laptop. One thumb drive was all she needed to copy the files with the critical formulas—the priceless nuggets of information that were her objective. The critical technology that was key to the success of the proposal now resided with the SOUP Corporation.
The SOUP Corporation operated on a closed network, as did NUTS. There was no way to get the technology back. The NUTS CEO did not want it back; he wanted a coup de grace. And within the next day, he got it. He had developed a good OPSEC plan, but an even better deception plan. Alice did not steal the files with the critical information; it just appeared that way to her. The security settings of the computer would not allow downloads of any kind, and any attempt to download files would have grave consequences for the user.
Back in SOUP’s corporate headquarters, the CEO and his executives were preparing for their final rehearsal before they submitted their proposal for improved widget technology. They thanked Alice again for her fine work and began to extol her. It was a strange scene in the boardroom when, as Alice was receiving such a grand reception, the screen with all the information from NUTS went blank. The computer crashed, and then the other computers on the network started malfunctioning in the same manner. Finally, the SOUP server farm with the company’s most critical information crashed, leaving SOUP executives questioning why they had not gotten the offsite backups as they had discussed the previous week. Alice wondered what was to become of her, deceived by the unwitting Bob who was planted with the story a long time ago. Not only was the file not the real information containing the data she sought, it turned out that the “critical information” that NUTS executives talked about was not so critical after all.