Cyber Deception — The Art of Camouflage, Stealth and Misdirection
Dave McMahon · Clairvoyance Cyber Corp. · Posted: June 29, 2021
Cyber deception has been practiced for decades and electronic deception for a century. While, deception has been central to warfare for millennia. Cyber deception is established as best practice to the extent that it is mandated in policy and standards is supported in domestic and international law. Furthermore, cyber deception is critical to intelligence collection, adversarial management to actively defend, disrupt deter and deter, or creating effects on one’s opponent. A military can employ deception in a decisive engagement then disappear, re-spawn and maneuver within the domain. It is a principal concept of warfare. Any enterprise that has not fully operationalized cyber deception is strategically disadvantaged against pacing threats and foes.
Pacing threats. The asymmetric nature of cyber technology, places sophisticated offensive cyber capabilities in the hands of most nations and non-state actors. Industrial capability is becoming weaponized. Russia and China are competing aggressively against Canada in the cyber and cognitive domains. Foreign militaries have overrun networks of importance to Canada, purposefully interfered critical infrastructure, attempted to influence and subverted the democratic process. Canada’s adversaries are well practiced in mis-direction and deception in the domain. Western doctrine best follow suit.
Resilience is important but has focused on hardened static defences. Sometimes it is best not to be in the line-of-fire even if you think you are bulletproof.
There is a huge benefit to the use of deception in the defence of our digital battle space. Cyber deception in defence is likely to lead to the most interesting development of cyber combat effort and activity.
Deception has been central calculus of warfare, diplomacy, business and sport since beginning of recorded history. Electronic deception was used to great effect since WW1 and cyber deception for the past 40 years. The cyber deception technology market is currently estimated to grow to $12 Billion by 2022. Global cyber threat intelligence services use deception infrastructures to: collect malware and fingerprint the Tactics, Techniques and Procedures (TTP) of Advanced Persistent Threats (APT). Deception technology has also proven the most effective means of detecting zero-day exploits. Thus, cyber deception has been established as best practice for cyber security for quite some time.
“All warfare is based on deception. There is no place where espionage is not used. Offer the enemy bait to lure him.” ― Sun tzu, The Art of War
Joint Doctrine for Military Deception says that “military deception is applicable at each level-of-war and across the range of military operations including cyber. It is defined as being those actions executed to deliberately mislead adversary military decision makers as to friendly military capabilities, intentions and operations, thereby causing the adversary to take specific actions that will contribute to the accomplishment of the friendly mission.”
The Canadian Forces Information Warfare Conceptual Framework developed by LCdr Robert Garigue, Ph.D., in 1994, as deputy commander of the Canadian Forces Information Operations Group (CFIOG), prophesised of semantic warfare and cyber deception in-depth.
The Interdepartmental Committee on Information Warfare was established in 1994. Here, operational concepts and national policy for Canada was drafted for proactive defence, cyber psychological operations and deception. The Treasury Board Secretariat built upon these concepts in the 2009 Canadian Proactive Cyber Security Strategy.
The United Kingdom established its first research unit focused solely on cyber deception in November 2019, reflecting growing awareness of the importance of deception in this domain. The National Cyber Deception Laboratory (NCDL) is administered by Cranfield University on behalf of the UK MoD and is based at the Ministry of Defence’s Cyber School, at the UK Defence Academy.
Deception is a hallmark of military and intelligence operations. - UK Cyber deception lab
NATO Best Practices in Computer Network Defence, published in 2014, re-enforced the need for cyber deception, forward-deployed intelligence collection and active defence. The Tallinn Manual International Law Cyber Warfare (Rule 61 – Ruses) permits cyber deception operations during both war and peace as an effective means of defence.
Russian military doctrine Maskirovka (disguise) covers a broad range of measures for military deception, from camouflage, concealment, imitation, manipulation, decoys, disinformation across all domains, and particularly cyber were Maskirovka is most effective. A goal of military deception is surprise (vnezapnost) so the two are naturally practiced together. Russia has a history of operating with a more complete (hybrid) inclusion of elements of military power and influence than countries like Canada. [Cyber deception] enables Russia’s First Offset against the West that gives Russia new leverage on the battlefield.
One would naturally expect the army, navy and air force camouflage platforms from detection across the electromagnetic (EM) spectrum - from visible light, to radio waves.  We don't paint army vehicles bright orange. So why do some paint vital cyber infrastructures so obviously? So, why is there reluctance, in some quarters, to use deception as a defensive strategy?
All military campaigns require stealth and deception. Cyber is no difference.
The cost of a deception capability is substantively lower than the price imposed upon the adversary or the impact of a breach on one’s own systems, without the early detection afforded by deception technology. This is particularly true for unstable attack surface and sophisticated attacker – where security management is most challenging. Moreover, deception activities often result in the exposure of the adversary’s most-sensitive tradecraft and tools.
CONCEALMENT AND MISDIRECTION
The Communication Security Establishment (CSE) has provided explicit cyber security guidance to departments on the matter of cyber deception, concealment and misdirection.
Similarly the UK National Cyber Deception Lab advises “Network defenders should take a proactive approach by using military deception tradecraft to effectively defend against and manipulate the activities of attackers operating within their networks. Cyber deception offered a significant asymmetric advantage to the network defender, because they own the terrain and adversaries lack the defenders’ situational awareness.”
CYBER DECEPTION TECHNOLOGY
The efficacy of deception for defence in the cyber domain is well-established, with modern commercial services focused on detecting adversaries and collecting intelligence on their activities. Cyber deception for cyber security in three verticals: for detecting adversaries, eliciting intelligence and for adversary management.
Deception technology is an established category of cyber security and defence. These systems can detect, analyze, and defend against zero-day and advanced attacks, often in real time. They are automated, highly accurate, and provide unique insight into malicious activity of sophisticated actors, where conventional defence systems fail. Deception technology enables a more proactive security posture by seeking to deceive, detect and defeat threat actors before they can attack.
Cyber deception is industry standard.
CYBER DECEPTION SOLUTIONS
The following are examples of successful cyber deception solutions in wide use and acceptance:
- Content Delivery Networks (CDN)
- Virtualization and Cloud
- Organizational cloaking
- Moving Target Defence (MTD)
- Dark Space
- Tar pits
- Change processing / Storage
- Misleading Information
- Feed material
- False flagging
- Concealment of system components
- Black Holing
- Sink holing
- Conflict networks
- Circumvention Network
- Counter Censorship
- Packer staining
- Recursive DNS Protection
- Flowspec BGP
- Triggered content
- Beaconing detection
- Cyber threat intelligence
- Deception technology when integrated with threat hunting, memory and malware analysis
OFFENSIVE CYBER DECEPTION
Deceive, Detect, Disrupt and Deter
Canada’s adversaries are adept at offensive cyber deception. We see daily evidence of cyber psychological operations, misinformation, influence and social engineering campaigns against Canadian’s and institutions by foreign intelligence services and militaries. Principally amongst these tactics is social engineering.
Social engineering uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. Deception relies heavily on the six principles of influence: reciprocity, commitment and consistency, social proof, authority, liking, scarcity.
All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases, These biases, sometimes called "bugs in the human wetware,” are exploited in various combinations. Phishing tactic has proven to be most effective. Other means of deception can take the form of:
- Trojan horse
- Man in the Middle Attacks
- Poisoning of domain name servers
- false flag.
- Impersonation and fraud
- Meaconing navigational signals
- Deliberate disruption, interference or jamming
LAW, ETHICS AND RISK
The following are principal observations and findings with respect to legal use of active cyber deception in the Canadian context:
- Cyber Deception Technologies have been operating for half-a-century without court challenges.
- There is no express prohibition for cyber deception, domestically or internationally. Neither is there exclusivity to any parties or agencies.
- An organization not only has the authority to conduct cyber deception, threat hunting, attribution, forensics and active cyber defence to protect their networks and assure the mission, they are explicit obligated to do so in official security guidance, standards or regulations
The common straw-man argument against deception technologies is to raise the remote possibility that a deception technology (like a honeypot) could be compromised and be used as a launching platform to attack third parties.
Firstly, the argument is not unique to a deception network. The 3rd party liability argument applies to all networks, computers or mobile devices. The difference is that deception networks are much more carefully monitored and controlled than your average network. For example, many deception nets are engineered to throttle outbound traffic and prevent attacks. Secondly, they are designed to catch threat activity early, and hence are far more vigilant and secure than a conventional network. Thirdly, there are no established trust relationships or shared credentials between a deception net and regular users, thus preventing an attacker from moving laterally. Fourthly, deception systems do not necessarily handle Sensitive information, Personal Identifiable Information (PII) or Private Communications and have low false positive rate (demonstrating that only threat actors attempt to communicate with the system) hence that are no security or privacy concerns. Finally, cyber deception also does not constitute fraud or entrapment under any legal interpretation. Research has not found case law or civil liability involving cyber deception.
There is negligible legal risk associated with the use of deception technologies, but there is liability to public and private organizations not actively defending their networks. An organization is highly-exposed to both compromise and liability should they not comply with best practices or standards, which shall include cyber deception.
Re-shaping people’s risk perception is important, so that they are willing to explore the art-of-the-possible with cyber deception solutions.
We have established that there is no prohibition on the use of cyber deception activities. To the contrary, it can be successful argued that cyber deception controls are mandatory given that they are well established as best practices and explicitly written into standards. They also make good business sense because cyber deception lowers threat risk and liability, while offering the best Return-on-Investment (ROI) for cyber defence. Moreover, cyber deception and intelligence are found to be very closely coupled.
For full discussion paper visit: http://linkedin.com/in/cyberspacestrategist
EXAMPLES OF SUCCESSFUL CYBER DECEPTION OPERATIONS
- Analysis of Dark Space for Predictive Indicators of Cyber Threat Activity
- Combating Robot Networks and their
- Shadows in the Cloud
- APT1 Exposing One of China’s Cyber Espionage Units
- Operation Aurora
- Cyber State of Readiness in Canada’s Critical Infrastructures Attribution
- Fingerprinting of Advanced Persistent Threats
- McAfee, Night Dragon investigation
Disclaimer: The views and opinions expressed in this blog post are those of the authors and do not necessarily reflect the official position of the Professional Development Institute of the University of Ottawa.
Dave McMahon has an honours degree in computer engineering from the Royal Military College of Canada and 35 years experience in defence, security and intelligence. Dave was a CSO, COO to defence, telecommunications and intelligence organizations, co-chair or the Interdepartmental Committee on Information Warfare, expert witness to the Senate and special advisor to the Privacy Commissioner of Canada, and intelligence oversight and review. Dave is currently the Chair of the CADSI cyber council, and the CEO of Clairvoyance Cyber Corp.
 LCDR Garigue was the military representative and Co-Chair. Other members included CSE, CSIS, PCO, DFAIT, RCMP, DOJ
 A number of Canadian representatives co-authored the book
 Maskirovka: From Russia, With Deception by By COL JB Vowell Brookings Institution.