
Publication


Featured research published by Ben Schmoker.


IEEE Computer | 2015

Denial and Deception in Cyber Defense

Kristin E. Heckman; Frank J. Stech; Ben Schmoker; Roshan K. Thomas

As attack techniques evolve, cybersystems must also evolve to provide the best continuous defense. Leveraging classical denial and deception techniques to understand the specifics of adversary attacks enables an organization to build an active, threat-based cyber defense. The Web extra at https://youtu.be/9g_HLNXiLto is a video that describes how in January 2012, MITRE performed a real-time, red team/blue team cyber-wargame experiment that presented the opportunity to blend cyber-warfare with traditional mission planning and execution, including denial and deception tradecraft.


Archive | 2015

Cyber-D&D Lifecycle Management

Kristin E. Heckman; Frank J. Stech; Roshan K. Thomas; Ben Schmoker; Alexander W. Tsow

Like any other capability to be introduced into an organization, cyber-D&D must be carefully coordinated and managed to achieve the desired results. Figure 9.1 shows the most significant facets of lifecycle management.


Archive | 2015

Intrusions, Deception, and Campaigns

Kristin E. Heckman; Frank J. Stech; Roshan K. Thomas; Ben Schmoker; Alexander W. Tsow

Cyber intrusions consist of cyber attack campaigns, composed of cyber kill chains, which include various cyber attacks, composed of multiple attack steps. The defender aiming to defeat such cyber intrusions, or reduce their impacts, can use cyber D&D against the attacker. Our analysis reveals opportunities for cyber-D&D at each phase of this cyber intrusion model. In this chapter we examine cyber-D&D options for the various phases of the cyber kill chain, and propose a model for planning, preparing, and executing active defense cyber-D&D operations. The chapter concludes with an examination of how to advance mission goals across intrusion campaigns by developing deception campaigns.

Cyber intrusion tactics and strategies have advanced considerably over the last two decades. Analysts have drawn on empirical observations to formulate high-level models of cyber intrusions. The four-tiered pyramidal model of intrusions in Fig. 3.1 depicts various granularities of abstractions in such models.


Archive | 2015

Cyber-D&D Case Studies

Kristin E. Heckman; Frank J. Stech; Roshan K. Thomas; Ben Schmoker; Alexander W. Tsow

To highlight the benefits and challenges associated with cyber-D&D and explore aspects of operational implementation, we present two case studies: one based on accounts of the Stuxnet intrusion that damaged Iran’s uranium enrichment facilities and the other a notional depiction of an espionage-motivated intrusion. The Stuxnet cyber-sabotage case showcases extensive use of offensive cyber-D&D at the technique, tactical, operational, and strategic levels. The fictional case study illustrates how elements of cyber-D&D can be used defensively against APT attempts at cyber espionage.


Archive | 2015

Bridging the Classical D&D and Cyber Security Domains

Kristin E. Heckman; Frank J. Stech; Roshan K. Thomas; Ben Schmoker; Alexander W. Tsow

This chapter uses a traditional framework called the D&D methods matrix as a foundation for describing the basics of D&D in the physical world, extends the D&D matrix to cyber security, and then outlines a set of techniques for applying D&D in the cyber security context. These descriptions can be combined with the cyber-D&D TTP taxonomy in Appendix A to guide understanding of how D&D is used in the cyber domain. We examine the organizational requirements for planning and executing successful defensive cyber-D&D operations, introducing both physical and virtual D&D tactics relevant to each quadrant of the D&D methods matrix.


Archive | 2015

Exercising Cyber-D&D

Kristin E. Heckman; Frank J. Stech; Roshan K. Thomas; Ben Schmoker; Alexander W. Tsow

This chapter examines the components necessary to conduct operational Red/Blue team exercises that incorporate cyber-D&D. As an example, we describe a research experiment referred to as SLX II in which Blue network defense personnel used cyber-D&D against a Red threat actor. This experiment demonstrated the value of adding D&D TTPs to traditional CND and the importance of cyber intelligence. The inclusion of D&D TTPs led to the successful neutralization of the attacker’s compromise of the defender’s operational planning communications.


Archive | 2015

Countering Denial and Deception

Kristin E. Heckman; Frank J. Stech; Roshan K. Thomas; Ben Schmoker; Alexander W. Tsow

In this chapter we explore cyber-counterdeception (cyber-CD), what it is, how it works, and how to incorporate it into cyber defenses. We review existing theories and techniques of counterdeception and adapt them for usage by cyber defenders in conjunction with their deception chains and deception campaigns. In so doing we present a cyber-CD process model, then apply it to the Mandiant APT1 case. Our goal is to suggest how cyber defenders can use cyber-CD, in conjunction with defensive cyber-D&D campaigns, to detect and counter cyber attackers.


Archive | 2015

Capability Maturity Model

Kristin E. Heckman; Frank J. Stech; Roshan K. Thomas; Ben Schmoker; Alexander W. Tsow

As cyber-D&D becomes a well-recognized, mainstream technique in cyber defense operations, a capability maturity model (CMM) can enable organizations to assess their readiness to conduct cyber-D&D operations. The systematic framework provided by a CMM enables organizations to implement a strategic cyber-D&D capability, assess the maturity of that capability over time, and estimate the capabilities of cyber adversaries.


Archive | 2015

Considerations, Adaptation, and Sharing

Kristin E. Heckman; Frank J. Stech; Roshan K. Thomas; Ben Schmoker; Alexander W. Tsow

Adaptability and agility are essential in planning, preparing, and executing deception operations. Deception planners must be prepared to respond so that they can still achieve their goals even when it seems that everything is going wrong. This chapter brings together considerations for the cyber-D&D planner, covering the realities of utilizing cyber-D&D. Applying cyber-D&D poses risk and has the potential for unintended consequences. Cyber-D&D operations can be compromised, and even the best-laid plans can fail. Although the defender can gain advantages by using D&D in each phase of the kill chain, utilizing cyber-D&D TTPs always involves challenges and potential drawbacks. We review some of these to inform and encourage cyber-D&D cadres to explore these considerations early in the planning phases of cyber-D&D operations.


Archive | 2015

Cyber Denial, Deception and Counter Deception: A Framework for Supporting Active Cyber Defense

Kristin E. Heckman; Frank J. Stech; Roshan K. Thomas; Ben Schmoker; Alexander W. Tsow
