All warfare is based on deception.

Whenever I describe ‘The Art of Cyber’ project to people they instantly jump to this pithy line from the Art of War.

So I thought I’d address it straight up as my first post so people would stop referencing it.

First let’s define deception. Deception is a process where you lay plans to convince an adversary (or civilian) of something. The denial of information is not deception. A smoke screen, or a high wall is not deception. The adversary cannot see through it, but it does not convince them of anything. Deception must have a specific target, a theme, an effect produced by the deception, a method to achieve the deception, and a measurement of success. If the deception does not have these elements then it is not deception.

The concept of cyber deception has been trotted out to me often, and very recently. The companies that peddle defensive cyber deception are capitalising on the ‘mysterious’ and ‘invisible’ perceptions of cyber operations, both defensive and offensive. Technical deception is a concept that borrows from the more specialist field of signals intelligence. Signals intelligence is often conflated with cyber operations. This in itself is a deception.

In my opinion: Modern defensive cyber deception is not worth it. It is a total red herring.

That might seem a tad inflammatory and I’m sure to get hacked by the deception technology peddlers imminently. I’ll explain myself and hope that my carefully considered and not at all rambling blog post will show them the error of their ways. Honestly, deception does have its place; it’s just very far down the list of controls businesses should be implementing. The current marketing output and buzzword zeitgeist do not reflect how mature an organisation needs to be to even think about employing deception.

My argument comes down to the functions of cyber security controls. To assist me I have the US National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). The NIST CSF contains five functions which I will one day make into a children’s cartoon jingle:

Identify, ♪ Protect, ♬ Detect, ♩ Respond, aaaaaand ø Recover!

Each of these functions has a purpose, outcomes, and associated controls. Do any of them contain deception? Let’s find out.

Identify

Identify has a lot of underlying governance and risk management stuff going on in it. While I would love to tell you that governance and risk management is all just deception by incompetent middle management…

it isn’t. Or it isn’t supposed to be, let’s go with that.

The actual blurb for identify reads:

“The Identify Function assists in developing an organizational understanding to managing cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.”

The takeaway here (for this blog post) is that deception is not involved anywhere in identify. Moving on.

Protect

Now we’re into the realness. Protect gives us some technical controls and targets. Protect is summarised as:

“The Protect Function outlines appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.”

Here’s the thing about protecting critical business systems: it has to be ongoing. It is very rare to find a system owner, risk owner, or business owner who does not need their critical systems to work all the time. I have never encountered any business who has asked for their protective security controls to only work between the hours of 8am and 5pm. A cyber deception plan may draw an adversary away, thus protecting the critical systems for a time; however, the deception will eventually be uncovered and the adversary will return. Deception weakens the longer it is observed. No cyber deception could ever be considered protective because it does not last long enough.

Detect

“The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events.”

Here is where deception could have a useful effect for a defender, but how useful, relative to the cost of implementation?

With the exception of the noble honeypot, systems that effectively deceive attackers are few and far between. These systems (including the honeypot) are detection mechanisms themselves. So they are deceptions whose purpose is to uncover deceptions. If that is their only purpose then there are far better detection mechanisms available to a defender. The process of setting realistic deception in cyberspace is complicated and convoluted. Like any commander of an army on a battlefield, a cyberspace defender possesses an upper limit of resources to allocate to the fight. In manoeuvre warfare there is a concept called ‘economy of effort’. That concept applies equally to cyberspace operations. The defender who can achieve the same outcomes using fewer resources is optimising and therefore capable of consistently deepening their defensive position. For the effort it would take to make a persistent and effective cyber deception plan, a defender can implement a swathe of cheaper and well-documented logging and detection controls.

Respond

“The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.”

Deception could assist with response, particularly if the response is automated and the organisation has a taste for a really edgy intelligence gain/loss threshold. However, like the purple mohawks of their emo teenage years, executives and business owners often think better of their taste for delivering active cyber intelligence. Especially when their systems are in the firing line. Once again, setting up an automated web of controls to track and contain an adversary that triggered detection by following a deception plan is the last and highest level of controls an organisation should be implementing. To achieve this the organisation must be so mature that it is optimising and improving to the cutting edge of cyber resilience.

Recover

If someone can tell me how a deception plan will aid in a recovery after a cyber incident I am all ears. For completeness the description for recover is:

“The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident.”

Parting words on deception

Look. If you want, pay a SaaS provider for a magic box of deception tools. But before you do that you need the monitoring tools in place, the SIEM, the people to watch the SIEM, your detection needs to be optimised, and you need to have all of the NIST CSF and its underlying controls implemented. Otherwise you’re wasting that money and effort. Cyber deception should be the last thing on your mind, noble defender.

Well what about Offensive Cyber?

I hear you say.

Yes. Offensive operations are all about deception. It is the absolute damn ninja master of a l33t hacker that can install a remote access tool using process injection and keep the injected process running and doing what it is supposed to. I once saw lsass.exe get real mashed by Cobalt Strike. They got the RAT installed alright, but it brought down a DC, a file server, and a database. That was noticed real quick. So yeah, all offensive cyber is based on deception. But this isn’t a blog about offensive cyber so jog on.
