The Art of Cyber War and Cyber Battle: Deception Operations
Updated: Dec 29, 2019
Deception is a key part of both physical and cyber battle strategies
"A Military operation involves deception. Even though you are competent, appear to be incompetent. Though effective, appear to be ineffective."
- Sun Tzu from The Art of War
The Art of Cyber War and Cyber Battle is a blog series where I look at physical and cyber battle spaces in order to compare and discuss differences, similarities, strategies and other related topics. We will look at historical examples from physical warfare and use them to look at the cyber domain, comparing or reviewing certain strategies and tactics to look at things from a different perspective. If you haven't read it, here is the series introduction.
In the last installment we looked at the philosophy of formations. In this detailed post we will take a look at deception operations.
Deception is mentioned numerous times in the book The Art of War by Sun Tzu. The book is over a couple thousand years old, which illustrates how the concept transcends time. Most notably, it was heavily used at the strategic level during World War 2 in the 1940s, so I'd like to talk about some historical examples from that time frame.
A lot of the deception concepts apply to the attack side of things, but I'll also try to look at the blue side, including some technical mitigation methods. The concepts apply to both crime and conflict, but I generally will not be distinguishing between the two.
The Fog sets in
The most commonly known aspect of deception concerns information and intelligence. The 'Fog of War' is the name for information that is unknown to the commander, ranging from basic situational awareness to detailed information about the enemy's composition. Intelligence is a key aspect of winning the battle, and it's important to lift the fog of war by static or dynamic means in order to gather the situational data needed to make informed decisions.
One of the distinct comparisons between the two domains is identifying friend or foe, and being able to attribute who is responsible. Typically if you see a military vehicle or uniform you'd be able to identify whether it was friend or foe, its country of origin, and things like that. Likewise, in the law enforcement or investigative world, if someone sees a crime being committed they'd likely be able to identify the perpetrator from a lineup or be a witness to the crime in court.
Things are much harder in cyberspace, though. Attempting to correlate and identify the who and what can be difficult and sometimes takes years of in-depth research and forensics. Two of the main reasons for this are the ability to hide one's identity online using various techniques, and the use of compromised computers: an attacker can have other devices perform the dirty work to avoid being attributed with the malicious interaction.
When looking historically at crime there is always an ongoing theme of trying to get away with it, i.e. perpetrating the crime without being caught. For instance, in my opinion crimes like identity and financial theft have increased since the conception of digital data. This could be because of the connected availability of networks, but also because it is easier to remain anonymous and hide your identity online.
In the physical domain someone can grab and stop you, which itself has a psychological effect; however, with computers you can be behind a proxy server or a VPN purchased with a fake identity while spoofing your IP address, and likely no one will ever catch you.
It's like when prank phone calls were all the rage: people were not face to face, so it was easy to just call someone and make a joke or talk smack. Then when caller ID arrived some of the anonymity disappeared and people would try to block their numbers, but eventually the fad died off, maybe due to the accuracy of caller ID or perhaps because it was easier to remain anonymous on this new thing called the internet.
Continuing, I'm sure you've recently heard about Distributed Denial of Service (DDoS) attacks being carried out against companies or infrastructure services. I feel these are a very real threat to the internet and organizations alike. Some methods of executing DDoS attacks involve deception: sending certain types of protocol packets to a server with the source IP faked to appear as if they were sent from the target.
The target device becomes overwhelmed by receiving a ton of traffic from the intermediary device, which thinks the traffic is actually coming from the target. There would probably be thousands of compromised PCs (a botnet) sending the crafted packets, and the controller of the botnet could be attempting to disguise their location when sending commands.
Consequently, it becomes difficult for the victim to locate the origin of the crafted packets without adequate intelligence (or even outside help). This is just one of the many examples of the fog of war on the internet.
What is your objective?
In war the commander would ideally want to deceive his opponent by, for example, concealing his forces' movements or intentions. By hiding their intentions an attacker could strike where the defender is not adequately deployed. Conversely, the defender could make it appear as though they are weak at a certain location to entice the enemy to attack there, when the defender is actually very strong there and able to wear down the offense and then counter-attack.
Whether in a tactical (small, close-in) or strategic (wider scope, high level) scenario, deception can be used to achieve similar objectives using different means. A tactical example of concealment in the physical spectrum is vehicles laying down large smoke screens with special ammunition in an area, so that vehicles or troops could advance or withdraw without the enemy seeing them and consequently being unable to engage accurately.
In the fifth domain attackers could generate large amounts of attack (or similar) traffic to fill up the logs of the defender (or a device's hardware buffers) in order to attempt to cover the one surgical intrusion executed towards an application server. The objectives remain the same in either of these dynamic situations in that you want to confuse your opponent and attempt to obscure your movements and intentions.
Maybe your objective is disinformation. In certain scenarios you may want to influence the opposition to take certain actions that would be advantageous to you. This could be things like having them log into a certain page ("your password has been compromised, please reset it by typing in your old password") or having them plug in an infected USB stick.
Alternatively, instead of keeping things hidden, there are times when you want something not to be hidden in order to convince your target of something specific. For instance, if you have set up a honeypot in the DMZ that has some sort of login page, you'd want the intruder to see the login so they might attempt a specific attack like a SQL injection. Likely only a human would execute a SQL injection, not a bot, as it takes some logic. Whether it's a person or a bot that has navigated to the edge of your network and stumbled onto the special page would be a good thing to know.
By having them interact with something you've revealed, you could collect more detailed information to help with attribution/fingerprinting, which is a key objective in gathering threat intelligence and evaporating the fog of war.
Below we can see some objectives between both domains.
Deception Objective Examples:
Do not allow the attacker to gain understanding of your network or network defense
Do not allow anyone to discover your presence or geographic location
Discover the actual attacker without their knowledge (e.g. true location or IP)
Gain access while hiding your existence whenever possible
Exfiltrate data using covert channels when possible
Associate and attribute the action to the true attacker
Trick your target into giving up key information such as incident response techniques or account credentials
If possible execute your attack without directly engaging your target
Trick your opponent into thinking your intention is something else
Keep friendly forces movements hidden from the enemy
Do not allow your main point of attack to be known
Do not allow the deployment of your defensive forces to be recognized
Entice the enemy to attack or move their units to a certain location
Deny opposition's eyes and ears wherever possible (both electronic and actual)
Lure your competitor to focus their defense on a different location than which you intend to strike
Hide forward and rearward logistical supply lines (in conjunction with obj. 1)
In either situation, maintaining general operational security (who, what, when, where) is always key when you are attempting to disguise something especially when looking at strategy. The use of visual, audible, physical, and planted information should be considered when planning for these operations.
For intelligence and visibility, the goal is always to have the most accurate information possible in addition to having more information than that of your foe. Lastly, do not allow the adversary to discover your deception operation. Otherwise they might create a counter-deception to trick you!
The Feint can be used in both offensive and defensive situations. The idea is to commit a portion of your forces in a certain area to entice the adversary to move themselves to an area that would allow you to have a more advantageous attack vector.
Offensive feints are when you attack an area with only a small number of units but attempt to make it seem like you are fully committed to that area; however, you are actually planning to fully commit to attacking another place where the enemy is now weak because you have drawn them out with your feint.
Defensive feints are when you fake a retreat or stage a partial withdrawal to invite the enemy forces forward into a certain zone in order to surprise them; or, like in the offensive scenario, entice them to reposition in order to mount an effective counter-attack.
An example of a large strategic feint which combined different components was the 1940 World War 2 campaign of the invasion of France. The Axis force, consisting mainly of Germans, planned to invade Western Europe, thereby facing the Allies composed of United Kingdom and French forces. Both sides anticipated the invasion would come eventually due to the recent aggression in the theater. However, what the Allies thought the Germans would do and what they were actually planning to do were drastically different.
For the most part the southern half of the French border was composed of the Defensive line known as the Maginot Line which deterred anyone from thinking of invading in the sector. The terrain to the north in Belgium and the Netherlands was very flat and open which was ideal for fast moving assault units. Between both of these areas was the thick Ardennes forest which was largely seen as impassable for a large mechanized army.
The Allies assumed the fully committed attack would come North in the lowlands just like in World War 1 roughly 25 years earlier. So they positioned the bulk of their forces there ready to move into Belgium and Holland to intercept the Germans when they crossed the border - thinking they were relatively safe to the south with the Ardennes and Maginot line.
The Axis commanders assumed this is what the Allies were thinking, as the traditional doctrine of the time was still linear in nature. Thus what they did was position some of their units to the North but then secretly locate the majority of their armored units in the Ardennes, where the Allies least expected it. When the attack finally came, first in Belgium, the Axis began capturing bridges and moving some of their armor forward to make it seem like that was where they intended to move the majority of their forces.
Then as the Axis commanders anticipated, the UK and French troops moved into Belgium which meant that when the heavy tanks broke through the Ardennes to the South and swung North, almost the entirety of the Allied army was surrounded. Eventually the two attacks converged at Dunkirk which drove the Allies out of France.
There were two principles of deception used here, in my opinion: one was to reinforce what the competitor was already thinking, and the other was to maintain secrecy in order to attack where it was least expected.
To me, from a Blue team perspective, you generally assume it's safe on the edge of your network with a firewall, so you likely focus on something else, but that doesn't mean you can lose sight of those edge areas. Just because you think you will be attacked on your public-facing web servers doesn't mean the opposing forces won't try to run some script that exploits the newest CVE you haven't heard of for your remote access appliance or firewall (looking at you, ASA).
The red team will always be probing to find weaknesses, but don't think that once they find one they will immediately exploit it (maybe it's a white hat who will disclose it?). What I would think is that they would either wait in hiding, not making you aware they knew about it, or perhaps utilize feint-like tactics to divert your attention there instead. Remember that the adversary likely knows how you will react to the situation, because they might try to coerce you into a certain mentality, so always pause for a moment to parse through the intelligence you have and determine the best course of action.
Although in the digital realm almost everything is under an onslaught and exploited once found to be vulnerable, there are likely certain things that the attacker wants, although it is difficult to know what, as most organizations have many different types of valuable data spread over many servers and networks.
Hence an example of a digital feint could be to attack xyz organization's website for years while appearing to be a sort of political hacktivist group trying to hijack it. The goal would be to draw the defender there, thinking that is the actual priority persistent threat, and have them spend countless hours and revenue remediating it. However, it would merely be a diversionary tactic while you are really maneuvering to compromise a VIP to pivot and steal intellectual property. This could be in real time simultaneously, or over time in a drawn-out campaign.
Another case might be during the exploitation phase, where you could pentest an internal server to set off alarms as a diversion and then execute a breach on your actual target data.
Strategic Deception continued
In 1944 the Allies of the western nations were preparing to invade Axis-occupied France from the United Kingdom across the English Channel (widely known as D-Day). Everyone at the time knew there would be an attack in one of two possible places: the Normandy beaches or the port of Calais. In preparation for the attack, the Allies performed one of the biggest deception operations in history, code named 'Operation Fortitude'.
One of the things the Allies anticipated was that the Germans expected the invasion at Calais, partly because it was the shortest distance across the English Channel. The Allies' evaluation was that the common German attack doctrine of the time dictated aggressive speed and short distances to achieve surprise and superiority, just like in 1940. Therefore the Allies created a fake army group to make it appear that there was a lot of activity in England near the area opposite Calais, in order to reinforce what the Axis were already thinking. However, the Allies actually intended to invade at the Normandy beaches.
The Allies created bogus radio communications, which the Axis forces intercepted, in addition to false reports sent by double agents. Large inflatable tanks, boats, and planes were deployed widely to deceive enemy aerial photography as well. Furthermore, the Americans assigned the famous General George Patton to command the fictitious army group. As the Axis took in all the false intelligence being fed to them, the Allies were accomplishing their disinformation plan.
Strategically the overall objective of the Allied command was to keep the German high command convinced the attack would not be to the south at Normandy so they would keep their elite armored units geographically located North near Calais. Then when the invasion did come, it would take a longer amount of time for the Axis to move those units to counter-attack thereby providing a higher probability the D-Day operation would succeed.
The deception even continued during and after the invasion, with dummy parachutes and metal strips called chaff dropped from the air to confuse the Germans and draw them to different locales, all while the real airborne paratroopers landed behind the beaches. The deception was so good that even a few days after the assault began the Axis commanders thought Normandy was the actual deception and Calais was still the primary point of attack.
Operation Fortitude ended up being a success as we all know. The invasion was successful and ended up bringing about the end of the conflict in Europe in 1945.
Now I don't think we have seen something at the scale of Op. Fortitude in the last 20 years since the rise of the digital age, although some might argue that statement with the recent election information operations, but we can leave that for another discussion. Nevertheless, for the commanders in World War 2 there was a sense of urgency with regard to the amount of preparation time. In contrast, in the cyber domain Advanced Persistent Threats (APT) enjoy the luxury of taking their time, sometimes developing strategies and exploiting their target over years.
We know that commonly used evasion techniques like masquerading as an internal trusted host work because of the long length of time malicious entities spend within target networks before detection. A user's credentials could be compromised so the login appears valid, or perhaps the hacker is fragmenting or crafting packets to better disguise the traffic from an IPS.
Strategically from the security side you want to ensure you are aware of the highest threats that will be targeting your organization, how they can (or already are) attacking you, and what will be the best approaches to detect their presence and eventually respond to such threat actors. Also knowing what your most valuable assets are that need to be defended is important from a high level context.
Think about developing threat response plans and practicing them to handle different scenarios that could arise in the future: what will identify the malicious user (or how will you)? What steps and actions will be taken, and by whom? Where are your main information sources? How easily can that data be manipulated or denied to you?
As far as visibility goes, the opposing force will always attempt to hide themselves from exposure and subvert your situational awareness. This can be done with covert protocol channels to mask the data being sent outbound, or by taking core devices offline to put your operations team into firefighting mode. Try to avoid tunnel vision in the latter situation.
Some questions to ask would be: does your firewall perform application inspection for UDP traffic? Is your IDS capable of detecting attacks hidden with fragmentation? These are two common ways an attacker remains undetected inside the network. Application inspection is valuable when data is being exfiltrated over something like DNS or other covert protocol channels: the firewall will block the traffic, knowing it is not a normal DNS request. However, this will generally not work for encrypted traffic.
Therefore the more information you can absorb, like IDS logs, 3rd party threat intel sources, internal behavioral analysis tools, net flow, and wireless stats, the better. Also consider your team's ability to decipher the information for detection and response; consider ingestion tools like Splunk.
From an investment perspective, the creation of proprietary tools or the harnessing of 3rd party services is generally a good thing to review for this space. It's important to ensure leadership is aligned with the financial and strategic requirements necessary to gather intelligence to make informed decisions. For when a breach or incident happens, knowing that deception exists and will be used against you is an important .
Strategically on the attack side, when building a botnet, there are a number of services out there that have monitoring devices placed all over the internet in order to collect data on things such as command and control activity, new malware, new exploits, devices participating in botnets, and what types of devices the automation tools are looking to compromise (e.g. IoT, SOHO routers, databases).
These services can be a good thing to subscribe to if you are a defender, but also consider them in your deception plan when in the build up phase. One of the main deception objectives is to avoid detection, so consider the importance of which methodology you will be using to build your forces in order to avoid detection by some of these services.
IP Spoofing and Countermeasures
For global strategy I think there needs to be a comprehensive defense initiative to deploy mechanisms to better mitigate the prevalence of cyber identity spoofing. I know many will say "but there are VPNs and such", but that doesn't mean the basic safeguards shouldn't be in place at enterprises and providers alike.
If you think about a zombie receiving orders to attack a target using spoofed source addresses: if the majority of service and hosting providers had anti-spoofing countermeasures in place, a number of the DDoS attacks seen would not be as powerful. Although, to their credit, ISPs have gotten better about notifying users of compromised devices participating in malicious activity so they can be remediated.
Unicast Reverse Path Forwarding (uRPF) is an easy piece of configuration that can be implemented on the inside of the network to prevent packets with source addresses that do not exist within the network from leaving. There are a few different ways to do it, but essentially when a packet arrives on an interface with uRPF 'strict mode' enabled, the router performs a lookup and ensures the source IP exists in the routing table and that the receiving interface is the preferred path back to it; if it is not, the traffic will be dropped.
There is also a method to deploy uRPF in multi-homed environments called 'loose mode', which is a bit more flexible. Loose mode just performs a basic FIB lookup, so it will probably allow even spoofed source IPs because the subnets probably exist in the routing table (think of a full-table edge router). But there is a design that utilizes uRPF loose mode in combination with BGP-triggered updates to defend against DDoS attempts. This is called remote BGP-triggered black holing and is fairly scalable and easy to configure since it utilizes BGP route propagation. I will include a link in the conclusion that covers this.
Some guides suggest placing uRPF close to the inside edge, but in my opinion it largely depends on your network topology. I think for provider networks it could likely be placed close to the access layer on the first layer 3 gateway, since this is typically single-homed or uses a port-channel. Another option is to have an access control list (ACL) on your inside (egress) interfaces permitting a number of your own or customer-assigned IP prefixes, like /16s, to loosely filter outbound traffic by source. This would mean that if a spoofed IP was leaving your network and the IP didn't exist inside your domain, it would be dropped. I have read there could be issues with mobile IP when implementing these schemes in service providers, but likely it can be overcome.
Obviously, in networks where the customer picks their own IP addressing, or in large spine-leaf clouds, this can be a challenge. But if the majority of compromised devices participating in DDoS sieges and cyber crimes are IoT or consumer related, then this technique, when utilized by a significant number of providers, could reduce the problem.
For enterprises to support this initiative, they could utilize their firewalls for malicious IP filtering. Newer next-generation firewalls generally have the capability to obtain malicious IP lists automatically from the vendor. It would be good to block these, as some of that traffic is likely related to command and control, which helps prevent compromised PCs on your trusted and guest networks from participating in botnets (and from being compromised in the first place). Some legacy firewalls do not have this capability, though, so it would be a manual process drawing from mailing lists and such.
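To make the strict mode, loose mode and egress ACL checks concrete, here is an added example (my own code, not from the post or any router vendor) that models a longest-prefix FIB lookup and runs constructed packets through the three checks. The router FIB, interface names and customer prefixes are assumptions; the handling of the default route (ignored unless explicitly allowed) mirrors the usual vendor behaviour.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One FIB entry: a prefix and the interface the router would use to reach it."""
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed FIB for a hypothetical provider gateway (sample data, not a real router).
# Gi0/0 faces the upstream; Gi0/1..Gi0/3 face customers.
FIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "Gi0/0"),         # default route toward upstream
    Route(ipaddress.ip_network("203.0.113.0/24"), "Gi0/1"),    # customer A
    Route(ipaddress.ip_network("198.51.100.0/24"), "Gi0/2"),   # customer B, main site
    Route(ipaddress.ip_network("198.51.100.64/26"), "Gi0/3"),  # customer B, second site (more specific)
]

# Prefixes assigned to this provider's customers; used by the egress ACL variant.
ASSIGNED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def lookup(fib, addr, allow_default=False):
    """Longest-prefix match for addr. The default route is ignored unless allow_default
    is set, so that 0.0.0.0/0 does not count as a 'real' reverse path."""
    best = None
    for route in fib:
        if route.prefix.prefixlen == 0 and not allow_default:
            continue
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_strict(fib, src, ingress):
    """Strict mode: source must be routable AND the best path back to it must be the ingress interface."""
    route = lookup(fib, ipaddress.ip_address(src))
    return route is not None and route.interface == ingress


def urpf_loose(fib, src, allow_default=False):
    """Loose mode: the source only has to exist in the FIB, via any interface."""
    return lookup(fib, ipaddress.ip_address(src), allow_default) is not None


def egress_acl_permits(prefixes, src):
    """The ACL alternative: permit only sources inside the prefixes we (or our customers) own."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in prefixes)


def evaluate(packets, fib=FIB, prefixes=ASSIGNED_PREFIXES):
    """Return {(src, ingress): {'strict': bool, 'loose': bool, 'acl': bool}} for each packet."""
    return {
        (src, ingress): {
            "strict": urpf_strict(fib, src, ingress),
            "loose": urpf_loose(fib, src),
            "acl": egress_acl_permits(prefixes, src),
        }
        for src, ingress in packets
    }


# Constructed sample packets: (source IP, interface the packet arrived on).
SAMPLE_PACKETS = [
    ("203.0.113.10", "Gi0/1"),   # legitimate customer A traffic
    ("192.0.2.7", "Gi0/1"),      # spoofed: no route to 192.0.2.0/24 except the default
    ("198.51.100.70", "Gi0/2"),  # customer B address arriving on the other site's interface
    ("203.0.113.10", "Gi0/2"),   # customer A address arriving from customer B's port
]

if __name__ == "__main__":
    for (src, ingress), verdict in evaluate(SAMPLE_PACKETS).items():
        print(f"{src:>15} on {ingress}: strict={verdict['strict']} "
              f"loose={verdict['loose']} acl={verdict['acl']}")
```

Note how the last two packets pass the coarse egress ACL and loose mode but fail strict mode, which is why strict mode belongs on single-homed access interfaces and the looser checks on multi-homed edges.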
Tactical Deception - Ambushes and Honey Pots
Earlier I mentioned a lot about hiding your location and movements. An ambush is a basic method of tactical deception that involves exactly this. It usually involves small numbers of units employing cover and concealment in order to attack their opponent with surprise.
The ambushing troops will use the terrain like the reverse slope of a hill, forests, bushes and river beds to remain undetected until the target comes into the ambush zone to be attacked.
When talking about maneuvering an army you will sometimes hear about an area being "ideal for ambush and thus should be avoided". This leads me to refer back to one of the key objectives: sometimes it's necessary to take steps to draw the opposition into the zone that is most opportune for you.
As a blue team guardian you can utilize honeypots, servers running special software to fake out a person or bot in order to gather intelligence. A honeypot will usually have some services enabled so it appears inviting to the would-be intruder. The goal of the honeypot is to gather and report information, like what type of attack is being executed against it and who is performing it, beyond what a traditional device would give you. From there you can pursue follow-up actions like prosecution.
A low-interaction honeypot might just have a service like SSH running to entice a connection. A high-interaction pot could appear to be a full-on WordPress website or a MongoDB database to encourage further in-depth communication. More data can be obtained from higher-interaction deployments, but they are harder to set up.
One reason you'd want an internally placed honeypot is to try to detect pen testing on the internal network, which could indicate an unauthorized infiltrator. A key aspect of reconnaissance is scanning, either by protocol service ports or by ICMP ping etc., to find a victim device. Therefore, honeypots can be utilized to assist with internal network visibility. Take a case where you only scan at 6:00am on Tuesday and you detect multiple attempts on the fake IIS or HTTP service at 9:00am on Wednesday.
The problem with honeypots is that often the red team can see that something isn't right, like the service not behaving normally, or "why would every service be open on this device?" This is an important factor when planning your deployment and choosing software.
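To show the internal honeypot case above in working form, here is an added example (my own code, not from the post or any honeypot product) that reviews constructed honeypot connection records and flags every touch outside an assumed authorized scan window; since nothing legitimate should ever talk to the fake services, anything other than the scheduled scan is a finding. The scanner address 10.0.0.5, the Tuesday 06:00 window and the log line format are assumptions.

```python
import re
from datetime import datetime, time

# Constructed honeypot connection records (sample data, not real): one line per TCP
# connection attempt to the fake services.  Format: <ISO-8601 UTC timestamp> src=<ip> dport=<port>
HONEYPOT_LOG = """\
2019-12-24T06:00:12Z src=10.0.0.5 dport=80
2019-12-24T06:00:13Z src=10.0.0.5 dport=443
2019-12-24T06:00:14Z src=10.0.0.5 dport=22
2019-12-25T09:02:41Z src=10.0.7.41 dport=80
2019-12-25T09:02:42Z src=10.0.7.41 dport=443
2019-12-25T09:02:45Z src=10.0.7.41 dport=8080
2019-12-25T09:03:10Z src=10.0.7.41 dport=22
2019-12-26T02:15:00Z src=10.0.0.5 dport=80
"""

# Assumed authorized vulnerability-scan windows: {scanner IP: [(weekday, start, end)]}.
# Python weekday() numbers Monday as 0, so 1 is Tuesday (2019-12-24 above is a Tuesday).
SCAN_WINDOWS = {"10.0.0.5": [(1, time(6, 0), time(7, 0))]}

LINE_RE = re.compile(r"^(\S+) src=(\S+) dport=(\d+)$")


def parse_line(line):
    """Parse one record into (timestamp, source IP, destination port); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), int(m.group(3))


def is_authorized(ts, src):
    """True only when the source is a known scanner touching the pot inside its scheduled window."""
    for weekday, start, end in SCAN_WINDOWS.get(src, []):
        if ts.weekday() == weekday and start <= ts.time() < end:
            return True
    return False


def unauthorized_recon(log_text):
    """Group every unexpected honeypot touch by source IP.

    Returns {src: {"ports": [...], "first": iso timestamp, "count": n, "assessment": str}}.
    Several distinct ports from one source in the findings is the signature of a port sweep."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, port = rec
        if is_authorized(ts, src):
            continue
        f = findings.setdefault(src, {"ports": set(), "first": ts, "count": 0})
        f["ports"].add(port)
        f["count"] += 1
        f["first"] = min(f["first"], ts)
    return {
        src: {
            "ports": sorted(f["ports"]),
            "first": f["first"].isoformat(),
            "count": f["count"],
            "assessment": "multi-port probe (likely scan)" if len(f["ports"]) >= 3 else "single-port touch",
        }
        for src, f in findings.items()
    }


if __name__ == "__main__":
    for src, finding in unauthorized_recon(HONEYPOT_LOG).items():
        print(f"{src}: first seen {finding['first']}, {finding['count']} attempts on ports "
              f"{finding['ports']} -> {finding['assessment']}")
```

The Thursday 02:15 touch from the scanner address is reported as well: an authorized host acting outside its window is exactly the "disguise foe as friend" case, so the window, not just the address, decides.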
A classical well-known ambush was the victory of Hannibal over the Romans at Lake Trasimene. At the time the Carthaginians were being pursued by the Romans all over the place until they arrived near Lake Trasimene. Hannibal assessed the topography and found it suitable for an ambush.
From the context of traveling down the road, near the lake there were embankments on either side, with a thick forest to the left and the lake to the right. During the night, as the Carthaginians moved through the pass, they silently hid a large number of troops in the forest. Then, also at night, they lit a large number of camp fires and set up shelters to make it seem like the entirety of the army was there.
In the morning the Romans were lured in using the previous night's activities to give them a false sense of security. There was a low fog along the road which helped with concealment of the ambushing troops. As the entire Roman force entered the ambush zone Hannibal sprung his trap from the rear, front, and side while the Romans were still marching. This battle ended with a major victory for the Carthaginians.
What I like about this story is the use of the camp fires to entice the Romans to move down the road thinking the entire enemy army was farther ahead than it really was. Honey pots were the first thing that came to my mind. As I read the story I was reminded of the fog of war by the actual fog during the morning of the battle.
"In order to catch a big fish, you have to let the fish taste your bait."
-General Peng Dehuai (Korean War)
From my research I did learn of offensive uses for honeypots too. Because using only the source IP address for attribution is not the best solution, as it is likely spoofed, gathering more information is difficult. One tactic that was used was to have a malicious file on the honeypot for the attacker to download; another was having triggered scripts on a web page if they attempt to exploit or interact with it.
Once the attacker cracks into the honeypot you want them to believe they are actually accessing something of value, so they download the loaded file. What one researcher did was have trace routes and other activities execute on the hacker's computer to send out the data secretly. By doing this he was able to ascertain the actual IP address, username, OS version and other things. Using that info combined with a little recon, in some cases he was able to get real attribution of who had accessed the honeypot and from what true geographical location.
Certainly this would probably be unlawful for most organizations to perform, but for those in the business of conducting cyber battle this would be a valid ambush method, in my opinion. (Disclaimer: this is not an encouragement to use this tactic.)
You can see why research and development in this area is important because this is a valuable tool in the defender's arsenal. Honey pots assist with detecting the attacker without their knowledge which was one of the objectives listed for the cyber domain.
Finally there are a number of 3rd parties who have a large number of honey pots on the internet in order to gather threat intelligence which would be a good data point to ingest.
Think about it a bit
Moving on, trust is a very important concept in society, and this is no different in the digital world. When we receive an e-mail or go to a website, we trust that it is the entity we think it is, so we click this link, download that file, log in with our credentials, and all is well. Nevertheless, people are curious creatures and we always find some excuse to send the prince of Nigeria $200 in gift cards. This is why identity spoofing is a key approach used to gain the advantage.
The attacker has many tools at their disposal, from general IP address spoofing to a variety of Man-in-the-Middle (MITM) techniques like ARP poisoning, fabricated websites, and wireless SSID impersonation. For instance, BlackArch is a pen testing Linux distro with a variety of spoofing tools. Although some take well-developed skills, there are some that can be executed on most LANs fairly easily without the knowledge of the victim.
The defender has developed a variety of tools and an entire system to combat false identification called PKI, or Public Key Infrastructure, which is used all over the internet (beyond the scope of this post).
As an IT professional, implementing best practices is recommended to help reduce the effectiveness of deceptive tactics used by the opposition. Secure protocols typically have a form of proof of identity, so always use some form of authentication or validation to try to mitigate deceit.
Common best practices:
Use HTTPS everywhere with TLS 1.2 and disable legacy SSL. Support and prefer secure cipher suites, disable HTTPS compression, use strong encryption when signing, etc.
Use Secure DNS or DNSSEC to ensure domain name lookups are secure.
Implement Sender Policy Framework (SPF) and DKIM, and why not DMARC after that, to help prevent e-mail spoofing.
Additionally: two-factor authentication, posture assessments, and trusted platform modules are good things to think about. Any form of hardening your devices is also good, as the offense will attempt to hijack them and use them to disguise foe as friend.
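To show how the SPF and DMARC items above play out on the receiving mail server, here is an added example (not the author's code) that evaluates a connecting IP against an SPF record and reads the DMARC policy. The example.com records and addresses are constructed, and DNS-dependent mechanisms (include:, a, mx) are deliberately not resolved, so it runs offline.

```python
"""Offline SPF/DMARC evaluation over constructed records; no DNS lookups are made,
so mechanisms that need DNS (include:, a, mx, exists:) are treated as non-matching."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records for a hypothetical example.com zone
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ip6:2001:db8::/32 -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

def spf_check(record: str, sender_ip: str) -> str:
    """Evaluate an spf1 record against the connecting IP; returns the SPF result name."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                          # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                        # a bare mechanism means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]       # catch-all ends evaluation
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"             # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                           # nothing matched and no 'all'

def dmarc_policy(record: str) -> dict:
    """Parse a DMARC record into its tag=value pairs; {} if it is not DMARC1."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}

def dmarc_disposition(spf_record: str, dmarc_record: str, sender_ip: str) -> str:
    """Simplified receiver decision: an SPF pass satisfies DMARC here (DKIM and
    identifier alignment are assumed checked elsewhere); otherwise p= decides."""
    if spf_check(spf_record, sender_ip) == "pass":
        return "accept"
    policy = dmarc_policy(dmarc_record).get("p", "none")
    return policy if policy in ("reject", "quarantine") else "accept"
```

A spoofed message from 198.51.100.8 fails SPF and, because the domain publishes p=reject, is rejected outright; with p=none it would be accepted and only reported.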
Operation Mincemeat, aka "The Man Who Never Was", was an operation in World War 2 executed by the British against the Axis powers. They created a fictitious identity for a deceased John Doe, making him appear to be an Army Captain while planting fake information on him. They even went so far as to include personal effects like pictures and movie tickets, things any normal person would have.
The main piece of intel was a letter between two generals, written to make it appear that the Allies would invade Greece and not Sicily (Sicily was the assumed attack location). The Allies dropped the body off the coast of Spain, assuming the Spanish government would share the information with the Axis. Once the Captain's belongings were returned, the British knew the information had been tampered with.
This made me think about something like intentionally putting some information on a USB disk, or intentionally leaking fake credentials in a phishing e-mail targeted at your division. Then have the information lead to a honey pot, or have the fake credential account only have access to certain areas of the network seeded with honey pots. I think this would be a good information gathering operation and possibly an exercise in counter-deception.
In law enforcement the concept of a sting operation is a common deception, where an officer poses undercover in order to trick the target into committing a crime. Suddenly, like an ambush, the officers emerge and arrest the subject.
The story of the Trojan Horse is one of deception as well. This is where the Greeks tactically outplayed the Trojans by performing a fake withdrawal while leaving a large wooden horse with troops inside it in front of the city walls. The Trojans brought the fabricated gift inside, but after nightfall the Greek troops emerged from the horse inside the city and opened the gates for the army, which had by then returned.
In this post we discussed a few different types of deception operations and their historical counterparts, from larger strategic examples to intimate tactical scenarios. One of the main objectives was concealing intentions and movements. A common theme was the attacker trying to remain undetected while the defense attempts to detect them. Visibility is important for the defender and you need to be sure your strategy includes some investment in it - because if not, the Fog of War will envelop your awareness.
We looked at feints and ambushes and how the attacker and defender can use them in either tactical or strategic scenarios to achieve victory. Although there are differences between the physical and cyber domains, we can see the philosophy does cross over, with different methods used for similar objectives.
Be careful in carrying out a deception because if it is detected the opposition will likely change their plans or develop a counter-strategy themselves. They could be influencing you to believe they are falling for your plan when in reality they are becoming the hunter. Recognize the allocation of your resources and understand this could be a trick that is attempting to move your focus elsewhere.
Also consider the thought process of the opposing force: what do you think they will do? What does the competitor think you will do? That should help you in deciding what information you want them to see. People are inherently predisposed to certain patterns of thinking. For instance, the offense typically wants to travel by the easiest means; they want maximum exploitation with minimal effort. The defense, on the other hand, wants to protect everything and anticipate what the attacker will do. Although most of the time each of them is reacting to everything that is happening in front of them - this is where the Fog of War can be deceiving.
I briefly mentioned some best practices for source identity validation, protection from evasion techniques, and the need for anti-spoofing mechanisms like unicast reverse path forwarding (uRPF) to prevent certain types of indirect attack.
Finally, there are many more aspects to this form of operations than what I mentioned here, but I hope this helped get the creative juices flowing as always.
I'd like to leave a quick quote of my own for the closing statement -
Deceive the opponent in your capabilities to discourage them from attacking. Deceive the defender in order to stretch their resources, never revealing your true target, then you can attack where you choose.
MANRS is an organization that is attempting to lead the way in protecting the internet by implementing anti-spoofing, filtering, and route validation, among other items. Here is a link to some useful information: https://www.manrs.org/isps/guide/antispoofing/
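The unicast reverse path forwarding check mentioned above (and the BGP-triggered black holing in the further reading) boils down to a lookup on the source address, so here is an added example, not from the post or MANRS, that applies strict and loose uRPF over a constructed forwarding table with invented prefixes and interface names.

```python
"""Strict and loose unicast RPF (uRPF) over a small constructed FIB.
Constructed illustration; the table and interface names are invented."""
import ipaddress

# Constructed forwarding table: (prefix, next-hop interface). "null0" is a
# discard route, e.g. one injected by a BGP-triggered black hole.
FIB = [
    ("192.0.2.0/24", "eth0"),       # customer LAN behind eth0
    ("198.51.100.0/24", "eth1"),    # peer behind eth1
    ("10.0.0.0/8", "null0"),        # bogon space black-holed
    ("0.0.0.0/0", "eth2"),          # default route towards upstream
]

def lookup(src_ip: str, fib=FIB):
    """Longest-prefix match: the interface the router would use to reach src_ip."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_allows(src_ip: str, ingress: str, mode: str = "strict", fib=FIB) -> bool:
    """True if a packet with source src_ip arriving on ingress passes uRPF.
    strict: the return path to src_ip must leave via the same interface.
    loose: any non-discard route to src_ip is enough (drops bogons and
    black-holed sources, but not a spoofed address that is still routable)."""
    iface = lookup(src_ip, fib)
    if iface is None or iface == "null0":
        return False                      # unroutable or black-holed source
    if mode == "loose":
        return True
    return iface == ingress

def filter_packets(packets, mode: str = "strict", fib=FIB):
    """Apply uRPF to (src_ip, ingress) pairs; return the pairs that are dropped."""
    return [p for p in packets if not urpf_allows(p[0], p[1], mode, fib)]
```

A packet claiming the customer's 192.0.2.10 but arriving from the peer on eth1 is dropped under strict mode yet allowed under loose mode, which is exactly the trade-off between the two modes.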
Would you like to know more?
Honey pot lecture Black Hat 2015
Bad Packets (one of the honey pot services I talked about)
Further reading on uRPF (this shows the BGP triggered black holing with uRPF)
Do you prefer the long format I used here, or a shorter format with content spread out? Leave a comment or send me a message and let me know.
#cybersecurity #defense #dataconservation #history #cyberwarfare