A Systematic Approach to Cyber Deception (Part 1 of 4)
Author: Jym Cheong, Deputy Director Cyber Resilience Systems, ST Electronics (Info-Security) Pte Ltd
“Know the enemy, know yourself; your victory will never be endangered. Know the ground, know the weather; your victory will then be total” - Sun Tzu
Introduction
A Systematic Approach to Cyber Deception - This series is about knowing ourselves, knowing our enemy, and planning in a way that conjures the “ground” and “weather” to our advantage.
This approach is adapted from a joint-paper by Mohammed H. Almeshekah and Eugene H. Spafford, published by Springer International Publishing Switzerland 2016.
I will share practical pointers through a series of questions, in the context of Industrial Internet-of-Things (IIoT) & Operational Technology (OT) networks.
What is Cyber Deception?
Cyber here refers to the Cyber-Physical Systems found in industrial networks, where an impact may have Safety & Availability consequences. Deception means presenting something false in order to deter attackers early and gain early warning, and to divert the undeterred away from real assets. But how is it achieved?
It always involves two basic steps: hiding the real (dissimulation) and showing the false (simulation).
Considerations Specific to Industrial Networks
- Safety Risks
- Availability Risks
- Realism to attackers
- Secrecy
The first 3 Primary Considerations (or PCs for short) are self-explanatory. The 4th depends on the overall objective. For a HoneyNet meant to lure attackers & collect intelligence, a lack of secrecy could ruin the entire effort. For deterrence, secrecy may not be a PC, since attackers who know a trap exists may back off.
Phases of Cyber Deception Campaign
A campaign is divided into 3 phases: Planning > Implementation & Integration > Monitoring & Evaluating. We need to be mindful of the earlier considerations (Safety, Availability, Realism and, depending on the strategic goal(s), Secrecy) throughout all phases. A further break-down of the 3 Phases is shown in Figure 1:
The first two considerations, Safety & Availability, relate to step 6, identifying risks & countermeasures. I will explain the remaining steps along the way. An astute reader may ask: why bother with all this when there are Deception 2.0 Commercial-Off-The-Shelf (COTS) solutions? I will explain how combining COTS with custom deception can deal with Advanced Threat Actors by exploiting the mental biases they may hold.
Why combine them? We must assume Advanced Threat Actors have the resources to figure out COTS deception solutions, and that they are getting into our networks through routes we least expect.
In the next part of this series, I will cover “How to plan & measure success”.