Frank J. Stech
Mitre Corporation
Publication
Featured research published by Frank J. Stech.
IEEE Computer | 2015
Kristin E. Heckman; Frank J. Stech; Ben Schmoker; Roshan K. Thomas
As attack techniques evolve, cybersystems must also evolve to provide the best continuous defense. Leveraging classical denial and deception techniques to understand the specifics of adversary attacks enables an organization to build an active, threat-based cyber defense. The Web extra at https://youtu.be/9g_HLNXiLto is a video that describes how in January 2012, MITRE performed a real-time, red team/blue team cyber-wargame experiment that presented the opportunity to blend cyber-warfare with traditional mission planning and execution, including denial and deception tradecraft.
Cyber Deception | 2016
Frank J. Stech; Kristin E. Heckman; Blake E. Strom
This chapter outlines a concept for integrating cyber denial and deception (cyber-D&D) tools, tactics, techniques, and procedures (TTTPs) into an adversary modeling system to support active cyber defenses (ACD) for critical enterprise networks. We describe a vision for cyber-D&D and outline a general concept of operation for the use of D&D TTTPs in ACD. We define the key elements necessary for integrating cyber-D&D into an adversary modeling system. One such recently developed system, the Adversarial Tactics, Techniques and Common Knowledge (ATT&CK™) Adversary Model, is being enhanced by adding cyber-D&D TTTPs that defenders might use to detect and mitigate attacker tactics, techniques, and procedures (TTPs). We describe general D&D types and tactics, and relate these to a relatively new concept, the cyber-deception chain. We describe how defenders might build and tailor a cyber-deception chain to mitigate an attacker’s actions within the cyber attack lifecycle. While we stress that this chapter describes a concept and not an operational system, we are currently engineering components of this concept for ACD and enabling defenders to apply such a system.
Archive | 2015
Kristin E. Heckman; Frank J. Stech; Roshan K. Thomas; Ben Schmoker; Alexander W. Tsow
Like any other capability to be introduced into an organization, cyber-D&D must be carefully coordinated and managed to achieve the desired results. Figure 9.1 shows the most significant facets of lifecycle management.
Archive | 2015
Kristin E. Heckman; Frank J. Stech; Roshan K. Thomas; Ben Schmoker; Alexander W. Tsow
Cyber intrusions consist of cyber attack campaigns, composed of cyber kill chains, which include various cyber attacks, composed of multiple attack steps. The defender aiming to defeat such cyber intrusions, or reduce their impacts, can use cyber-D&D against the attacker. Our analysis reveals opportunities for cyber-D&D at each phase of this cyber intrusion model. In this chapter we examine cyber-D&D options for the various phases of the cyber kill chain, and propose a model for planning, preparing, and executing active defense cyber-D&D operations. The chapter concludes with an examination of how to advance mission goals across intrusion campaigns by developing deception campaigns.

Cyber intrusion tactics and strategies have advanced considerably over the last two decades. Analysts have drawn on empirical observations to formulate high-level models of cyber intrusions. The four-tiered pyramidal model of intrusions in Fig. 3.1 depicts various granularities of abstraction in such models.
Archive | 2018
Frank J. Stech; Kristin E. Heckman
With the increased use of cyber weapons for Internet-based cyber espionage, the need for cyber counterintelligence has become apparent, but counterintelligence remains more art than science because of its focus on tricking human nature—the way people think, feel, and behave. Nevertheless, counterintelligence theory and practice have been extended to domains such as industry and finance, and can be applied to cyber security and active cyber defense. Nonetheless, there are relatively few explicit counterintelligence applications to cyber security reported in the open literature. This chapter describes the mechanisms of cyber denial and deception operations, using a cyber deception methods matrix and a cyber deception chain to build a tailored active cyber defense system for cyber counterintelligence. Cyber counterintelligence with cyber deception can mitigate cyber spy actions within the cyber espionage “kill chain.” The chapter describes how defenders can apply cyber denial and deception in their cyber counterintelligence operations to mitigate a cyber espionage threat and thwart cyber spies. The chapter provides a hypothetical case, based on real cyber espionage operations by a state actor.
Archive | 2015
Kristin E. Heckman; Frank J. Stech; Roshan K. Thomas; Ben Schmoker; Alexander W. Tsow
To highlight the benefits and challenges associated with cyber-D&D and explore aspects of operational implementation, we present two case studies: one based on accounts of the Stuxnet intrusion that damaged Iran’s uranium enrichment facilities and the other a notional depiction of an espionage-motivated intrusion. The Stuxnet cyber-sabotage case showcases extensive use of offensive cyber-D&D at the technique, tactical, operational, and strategic levels. The fictional case study illustrates how elements of cyber-D&D can be used defensively against APT attempts at cyber espionage.
Archive | 2015
Kristin E. Heckman; Frank J. Stech; Roshan K. Thomas; Ben Schmoker; Alexander W. Tsow
This chapter uses a traditional framework called the D&D methods matrix as a foundation for describing the basics of D&D in the physical world, extends the D&D matrix to cyber security, and then outlines a set of techniques for applying D&D in the cyber security context. These descriptions can be combined with the cyber-D&D TTP taxonomy in Appendix A to guide understanding of how D&D is used in the cyber domain. We examine the organizational requirements for planning and executing successful defensive cyber-D&D operations, introducing both physical and virtual D&D tactics relevant to each quadrant of the D&D methods matrix.
Archive | 2015
Kristin E. Heckman; Frank J. Stech; Roshan K. Thomas; Ben Schmoker; Alexander W. Tsow
This chapter examines the components necessary to conduct operational Red/Blue team exercises that incorporate cyber-D&D. As an example, we describe a research experiment referred to as SLX II in which Blue network defense personnel used cyber-D&D against a Red threat actor. This experiment demonstrated the value of adding D&D TTPs to traditional CND and the importance of cyber intelligence. The inclusion of D&D TTPs led to the successful neutralization of the attacker’s compromise of the defender’s operational planning communications.
Archive | 2015
Kristin E. Heckman; Frank J. Stech; Roshan K. Thomas; Ben Schmoker; Alexander W. Tsow
In this chapter we explore cyber-counterdeception (cyber-CD): what it is, how it works, and how to incorporate it into cyber defenses. We review existing theories and techniques of counterdeception and adapt them for use by cyber defenders in conjunction with their deception chains and deception campaigns. In so doing we present a cyber-CD process model, then apply it to the Mandiant APT1 case. Our goal is to suggest how cyber defenders can use cyber-CD, in conjunction with defensive cyber-D&D campaigns, to detect and counter cyber attackers.
Archive | 2015
Kristin E. Heckman; Frank J. Stech; Roshan K. Thomas; Ben Schmoker; Alexander W. Tsow
As cyber-D&D becomes a well-recognized, mainstream technique in cyber defense operations, a capability maturity model (CMM) can enable organizations to assess their readiness to conduct cyber-D&D operations. The systematic framework provided by a CMM enables organizations to implement a strategic cyber-D&D capability, assess the maturity of that capability over time, and estimate the capabilities of cyber adversaries.