Reverse Deception: Organized Cyber Threat Counter-Exploitation (July 2012) was written by Sean Bodmer (@spydurw3b), Max Kilger (@digitalprofiler), Gregory Carpenter and Jade Jones. All authors either are or have been associated with the U.S. DoD and have knowledge & experience from (varying) military contexts. Below are the notes I took while reading this book. Unless mentioned otherwise, hyperlinks are mine.
I was happy to see that the authors start off by referencing Joint Publication 3-13.4 Military Deception (.pdf, 2006) and Fundamental Elements of the Counterintelligence Discipline (.pdf, 2006), the latter being a study by (or on behalf of) the U.S. Office of the National Counterintelligence Executive (NCIX). The book at times follows a structure in the form of: “cite from military/CI literature, then explain how it applies to the cyber realm”. Although not every item from non-cyber literature can be mapped to cyber in an obvious way, this text structure inspires readers to dream up possible mappings themselves. The authors reference a lot of stuff from military context that I was previously unaware of, such as the Soviet concept of Reflexive Control (.pdf, 6MB) by Vladimir and Victorina Lefebvre.
Deception is explained by and large in terms of manipulating the behavior of another to the benefit of oneself without the permission of the other. It is stated that the intent of deception is “to get the adversary to act confidently and predictably”.
Below are my notes for each chapter.
CHAPTER 1: STATE OF THE ADVANCED CYBER THREAT
On p.4, a list of criteria is provided that “should be identified as quickly as possible in order to discern between a Persistent Threat and an Advanced Persistent Threat” (these criteria are referenced throughout the book):
- Risk tolerance (by the adversary)
- Skills and methods
- Attack origination points
- Numbers involved in the attack
- Knowledge source
Next, the authors map these criteria onto Moonlight Maze, Stakkato, Titan Rain, Stormworm, GhostNet, Byzantine Hades aka Foothold aka Candor aka Raptor, Operation Aurora, Stuxnet, RBN, “next generation of botnets and operators” (weird item in this list) and Operation Payback.
CHAPTER 2: WHAT IS DECEPTION
On p.25, the six principles of (military) deception are cited from JP 3-13.4:
- Focus: The deception must target the adversary decision maker capable of taking the desired action(s);
- Objective: The deception must cause an adversary to take (or not to take) specific actions, not just believe certain things;
- Centralized planning: MILDEC operations should be centrally planned and directed in order to achieve unity of effort;
- Security: Friendly forces must deny knowledge of a force’s intent to deceive and the execution of that intent to adversaries;
- Timeliness: A deception operation requires careful timing and action;
- Integration: Fully integrate each military deception with the operation that it is supporting.
These principles are then explained in detail.
From p.40, the authors list and explain ten deception maxims that are used by the military:
- Magruder’s Principle (exploitation of adversary’s perception or bias)
- Limitations to Human Information Processing
- Multiple Forms of Surprise; following the SALUTE maxim from reconnaissance reporting:
- Jones’ Dilemma (i.e.: deception becomes more difficult as the number of channels of information available to the target increases. However, within limits, the greater the number of controlled channels the greater the likelihood the deception will be believed)
- Choice of Types of Deception
- Husbanding of Deception Assets
- Sequencing Rule (i.e., deception activities should be sequenced so as to maximize the portrayal of the deception story for as long as possible)
- Importance of Feedback
- Beware of Possible Unwanted Reactions
- Care in the Design of Planned Placement of Deceptive Material
CHAPTER 3: CYBER COUNTERINTELLIGENCE
This chapter begins by explaining the 19 items that aforementioned study by NCIX on counterintelligence (CI) identified as skills every CI-professional should have:
- Knowledge of National CI Structure and Agency Missions
- Knowledge of Interagency Memoranda of Understanding and Procedure
- Knowledge of Foreign Intelligence Service or Terrorist Group Culture and Tradecraft (which the authors chose to explain by merely including the know-your-enemy quote from Sun Tzu)
- Basic Investigative and Operational Techniques and Tools (authors reference the US-DoJ report Investigative Uses of Technology: Devices, Tools, and Techniques (.pdf, Oct 2007)
- Asset Development and Handling (Including Difference Between Liaison and Clandestine Sources)
- Asset Validation
- Interviewing and Debriefing Techniques
- Surveillance and Countersurveillance
- Principles of Collection and Analysis
- Research and Technology Protection
- Operational Cycle for Double Agent Operations (who, what, when, where, why, how)
- Identification of critical information
- Analysis of threats (Insider threats, Extremists, Foreign Intelligence Services, Terrorist groups foreign/domestic, Hackers/crackers, Organized crime groups, Criminals)
- Analysis of Vulnerabilities
- Assessment of Risk
- Application of OPSEC measures
- Legal Aspects of Investigations, Including Executive Order 12333, the Attorney General Guidelines, and the Foreign Intelligence Surveillance Act
- Joint and Interagency Operations
- Listening, Communication, and Writing Skills
- Knowledge of CI Terminology
- Reporting Procedures and Methods
- Classification and Dissemination Rules
The authors proceed by elaborating on the nine criteria for distinguishing between PT and APT. For every criterion except “Resources” and “Knowledge source”, the authors propose that it can be assigned an escalating threat level between 1 and 10. Examples are provided of how/what event to map to which threat level. I’m not confident that such mappings will work in practice, and the provided mappings are not very convincing — but I’m willing to try. Imperfect (and probably rather subjective) quantification may help “sizing up” a threat. For the “Resources” and “Knowledge source” criteria, the authors suggest qualitative explanations.
Interesting reference in the conclusion: http://www.cyberlawclinic.org/casestudy.asp
CHAPTER 4: PROFILING FUNDAMENTALS
This chapter refers to research done on the profiling of cyber adversaries, notably:
- Kilger, Stutzman and Arkin, (2004) “Profiling.” In The Honeynet Project Know Your Enemy. Addison Wesley Professional (pp. 505-556)
- Holt and Kilger (2008), “Techcrafters and Makecrafters: A Comparison of Two Populations of Hackers” ($), 2008 WOMBAT Workshop On Information Security Threats Data Collection and Sharing (pp.67-78). Amsterdam
- Chiesa and Ducci (2009), “Profiling Hackers: The Science of Criminal Profiling Applied to the World of Hacking” (Amazon). Boca Raton: Auerbach Publishing.
- Parker, Shaw, Stroz, Devost and Sachs (2004), “Cyber Adversary Characterization: Auditing the Hacker Mind” (.pdf). Rockland, MA: Syngress.
- Bongardt (2010), “An introduction to the behavioral profiling of computer network intrusions” (.html), Forensic Examiner.
Profiling is then dissected into Retrospective vs Prospective Profiling, and Inductive vs Deductive profiling.
The following Information Vectors are discussed: time, geolocation, skill, motivation, weapons and tactics, and finally socially meaningful communications and connections. The latter is illustrated w/a social network plot of Russian hacking gangs.
The chapter contains an excellent list of references at the end.
CHAPTER 5: ACTIONABLE LEGAL KNOWLEDGE FOR THE SECURITY PROFESSIONAL
Short (15 page) chapter that references various online sources for court cases (Fastcase.com, FindLaw.com, Justia.com, Google Scholar, Nolo.com), explains a few legal concepts (Annotated codes, Bill, Bill number, Chapter, Chaptered, Citation, Code, Engrossed, Enrolled, Legislative history, Session Laws, Statutory scheme, and Title) and provides concise information on how to interprete a statute (law) and how to communicate w/lawyers.
CHAPTER 6: THREAT (ATTACKER) TRADECRAFT
Interesting collection of very recent (May 2012) information pertaining to cybercrime, including screenshots taken from underground fora and exploit kit control panels, list of recent exploit kits. list of vulnerabilities observed in recent exploit kits. Also contains a proper level of detail on the underground economy (leasing/subleasing models for pwned access, prices, etc).
CHAPTER 7: OPERATIONAL DECEPTION
Four detective-style “tall tales” about operational deception that the authors state to have taken from real life (pseudonomized), each compelling (to me anyway) and containing a proper level of detail (also but not primarily technical).
CHAPTER 8: TOOLS AND TACTICS
Good discussions on honeypots/nets/walls, including sme (101–level) honeynet architecture (centralized, distributed, federated, confederated). Also contains concise overview of tools such as Metasploit, IDA Pro, Encase, THC Hydra, FOCA and Backtrack. (Obviously, if you are seeking to learn how to -use- these tools, you want to RTFM. This book has a different focus.)
CHAPTER 9: ATTACK CHARACTERIZATION TECHNIQUES
Comprehensive analysis of (only) SpyEye (Zeus-like) trojan w/many screenshots, statistics and graphs (SpyEye by country, # of SpyEye hosts by ASN. List of ASN names + country codes of ASNs highest in use by botnet operators.
CHAPTER 10: ATTACK ATTRIBUTION
Excellent chapter on profiling. Mentions research on “sentiment-identification engines” (e.g. Saplo Sentiment Analysis, Alchemy Sentiment Analysis) and “WarmTouch” (anyone know a URL for that?) to assess the level of threat posed by a specific insider (Shaw and Stroz,2004), and that “the automation of the analysis of socially meaningful objects is still in its very early stages”.
The subchapter “Profiling Vectors” elaborates upon the vectors discussed earlier in chapter 4. It slightly overlaps / repeats statements from chapter 4 and uses slightly different words to refer to the same concepts:
- Chapter 4: time, geolocation, skill, motivation, weapons and tactics, and finally socially meaningful communications and connections
- Chapter 10: time, motivations (MEECES: Money, Ego, Entrance to Social Group, Cause, Entertainment, Status), Social Networks, Skill Level
Next, strategic applications of profiling are discussed.
The final part of the chapter focuses on “the civilian cyber warrior”, “an emerging archetype that appears to have the potential to become a very serious threat withn the cyber threat matrix”. The authors state that the power relation between the nation-state and the individual is changing to the benefit of the latter; it is pointed out that this might also hold for Chinese criminal hacking gangs vs the Chinese govt. (Be reminded that not every Chinese hacker is in cahoots w/the Chinese govt.)
This chapter has another good list of references at the end.
CHAPTER 11: THE VALUE OF APTS
This chapter discusses the economic value of APTs. It refers to Value Network Analysis (VNA). Such analysis is then (informally) applied to the RSA hack of 2011 and to Operation Aurora. For the latter, it is suggested that from the perspective of the adversary, “it’s as if they were following a typical business plan”:
- Step 1: Obtain a Financial Stream (Victim: Morgen Stanley)
- Step 2: Customer Lock-in for Recurring Revenue (Victim: Symantec)
- Step 3: Expand into New Markets (Victim: Juniper Networks)
- Step 4: Diversify Commercial Offerings (Victim: Canadian Dow Chemical)
- Step 5: Reduce Infrastructure Costs (Victim: Rackspace)
- Step 6: Repeat Steps 3-5 (Victims: Adobe and Northrop Grumman)
The final part of the chapter discusses the topic of stealing Bitcoins, using a fictional scenario of an application used by migrant workers to “easily send money to their family or anyone else in their social network”.
CHAPTER 12: WHEN AND WHEN NOT TO ACT
Common sense suggestions for deciding whether, once a threat has been identified, to block or to monitor it, and how to communicate within your organization and w/law enforcement.
CHAPTER 13: IMPLEMENTATION AND VALIDATION
Deming-style management cycle explained: Observe-Orient-Decide-Act. Discusses how to ‘vet’ deceptions, perceptual consistency and engagements.
SpyEye trojan is extensively revisited w/many additional screenshots and explanations of features.
At the end it is mentioned that “[t]o date, honeypots have been widely distributed only by a handful of private organizations and vendors. There are small groups within international governments, like the United States, United Kingdom,China, and the United Arab Emirates, who have a national-level based honeygrid (…).”
If you want to learn / be inspired to think about deception/MILDEC as means of counterintelligence (CI) in cyberspace, I recommend this book. If you already work in CI, you may find it useful to evaluate your existing beliefs. The book will not provide a ready-to-implement deception strategy, but does provide plenty (and good) information and references that will get you started. As always, RTFM; in this case the Joint Publications and referenced research.
Minor editorial comments: the pie chart on p.5 needs better explanation (what am I looking at?). On p.11 it is stated: “The method is in use today, and has been defined as phishing, spear phishing, and whaling”; the “NOTE”-box on that page then only defines “spear phishing” and leaves out “whaling”, while the latter is a far less well-known term. The book contains overly repetitive quotes (Sun Tzu ad nauseam) and, as if the authors ran out of serious sources for quotes, a quote from Men in Black and a quote from Ghostbusters. On p.64, a little bit of text was written from the “I”-perspective, but it is not clear which of the four authors wrote that text and hence unclear who “I” refers to. These are, however, nitty gritty unimportant details that are -completely- trumped by book’s overall merits.
- 2014-xx-xx: “The Devil Does Not Exist: The Role of Deception in Cyber” – video of Black Hat 2014 USA talk by red teaming expert Mark Mateski (Twitter: @redteamjournal)
- 2002-xx-xx: The Moral Limits of Military Deception ($, academic paper, John Mark Mattox)