UPDATE 2017-01-23: [U.S.] Air Force pursues advanced “deceptive” cybersecurity tactics (Defense Systems)
UPDATE 2014-08-15: updated Related-section and added citations from Deception for Defense of Information Systems: Analogies from Conventional Warfare (Neil C. Rowe and Hy S. Rothstein).
Cryptome links (.pdf) to a copy of a presolicitation (original source) by the US Air Force for “capabilities for cyber resiliency” (BAA-RIK-14-07, dated August 1st 2014). That presolicitation mentions “cyber deception” (MILDEC) as a specific focus area for FY15-FY16:
FY15 – FY16 SPECIFIC FOCUS AREA: CYBER DECEPTION
Background: Deception is a deliberate act to conceal activity on our networks, create uncertainty and confusion against the adversary’s efforts to establish situational awareness and to influence and misdirect adversary perceptions and decision processes. Military deception is defined as “those actions executed to deliberately mislead adversary decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly mission.” Military forces have historically used techniques such as camouflage, feints, chaff, jammers, fake equipment, false messages or traffic to alter an enemy’s perception of reality. Modern day military planners need a capability that goes beyond the current state-of-the-art in cyber deception to provide a system or systems that can be employed by a commander when needed to enable deception to be inserted into defensive cyber operations.
Relevance and realism are the grand technical challenges to cyber deception. The application of the proposed technology must be relevant to operational and support systems within the DoD. The DoD operates within a highly standardized environment. Any technology that significantly disrupts or increases the cost to the standard of practice will not be adopted. If the technology is adopted, the defense system must appear legitimate to the adversary trying to exploit it.
Objective: To provide cyber-deception capabilities that could be employed by commanders to provide false information, confuse, delay, or otherwise impede cyber attackers to the benefit of friendly forces. Deception mechanisms must be incorporated in such a way that they are transparent to authorized users, and must introduce minimal functional and performance impacts, in order to disrupt our adversaries and not ourselves. As such, proposed techniques must consider how challenges relating to transparency and impact will be addressed. The security of such mechanisms is also paramount, so that their power is not co-opted by attackers against us for their own purposes. These techniques are intended to be employed for defensive purposes only on networks and systems controlled by the DoD.
Advanced techniques are needed with a focus on introducing varying deception dynamics in network protocols and services which can severely impede, confound, and degrade an attacker’s methods of exploitation and attack, thereby increasing the costs and limiting the benefits gained from the attack. The emphasis is on techniques that delay the attacker in the reconnaissance through weaponization stages of an attack and also aid defenses by forcing an attacker to move and act in a more observable manner. Techniques across the host and network layers or a hybrid thereof are of interest in order to provide AF cyber operations with effective, flexible, and rapid deployment options.
This focus area is currently envisioned to consist of two phases running approximately 12 months each. The first phase (Concept Development) will consist of one to three study efforts that will examine potential deception technologies that could be developed. This will focus on the description, design and development of techniques and technologies that could be employed in an Air Force network. These efforts will be brought to a proof-of-concept level, and the implementations will be evaluated at the end of this phase. In the second phase (Prototyping), also lasting approximately 12 months, one or more of the concepts that show promise will be further developed to produce a prototype system capable of demonstration in a relevant environment. The system(s) developed by the end of this phase will be evaluated. At the end of this second phase, a “go/no-go” decision will be made to determine if the prototype(s) will undergo further refinement, evaluation, and potential integration with an eye toward transition.
Questions regarding this focus area can be directed to:
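The focus-area text above asks for deception that stays transparent to authorized users, looks legitimate to the adversary, varies its dynamics so scans do not line up, cannot be co-opted by the attacker, and forces the attacker to act in a more observable way. As an added illustration (my own example, not code from the BAA or from any of the papers listed below), here is a small Python model of a host-level deception layer that answers connection attempts. Real hosts answer truthfully to everyone, authorized clients see unused addresses as empty, and any unknown source that touches an unused address is recorded as a high-fidelity alert and answered with a phantom host whose layout is derived from a secret key. The subnet, host inventory, authorized-client list, banners and alert format are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed inventory for the example: only these two hosts really exist.
REAL_HOSTS = {
    "10.1.0.10": {22: "SSH-2.0-OpenSSH_8.9p1", 443: "Server: nginx/1.24.0"},
    "10.1.0.11": {22: "SSH-2.0-OpenSSH_8.9p1", 5432: "PostgreSQL 15.4"},
}
SUBNET = ipaddress.ip_network("10.1.0.0/28")
# Assumed to come from an identity/NAC system in a real deployment.
AUTHORIZED = {"10.1.1.50", "10.1.1.51"}
# Phantom profiles reuse the software the real fleet runs, so a phantom
# reinforces what the scanner already expects instead of standing out.
DECOY_CATALOG = [
    {22: "SSH-2.0-OpenSSH_8.9p1"},
    {22: "SSH-2.0-OpenSSH_8.9p1", 443: "Server: nginx/1.24.0"},
    {22: "SSH-2.0-OpenSSH_8.9p1", 5432: "PostgreSQL 15.4"},
    {445: "SMB 3.1.1"},
]
CLOSED = None


@dataclass
class DeceptionLayer:
    key: bytes                          # secret: the phantom layout must not be predictable
    alerts: list = field(default_factory=list)

    def _prf(self, *parts: str) -> int:
        """Keyed PRF (HMAC-SHA256) so the layout is stable per scanner but
        cannot be reproduced by anyone who lacks the key."""
        mac = hmac.new(self.key, "|".join(parts).encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def probe(self, src: str, dst: str, port: int) -> Optional[str]:
        """Answer a connection attempt from src to dst:port with a banner or CLOSED."""
        if dst in REAL_HOSTS:
            # Real hosts are never lied about: that would break operations
            # for our own users and raise the cost to the standard of practice.
            return REAL_HOSTS[dst].get(port, CLOSED)
        if ipaddress.ip_address(dst) not in SUBNET:
            return CLOSED
        if src in AUTHORIZED:
            # Transparent to authorized users: unused addresses stay empty.
            return CLOSED
        # Only a scanner touches unused addresses, so every touch is an alert.
        self.alerts.append({"kind": "decoy_touch", "src": src, "dst": dst, "port": port})
        # Liveness is keyed by (src, dst): consistent for one scanner across
        # repeated probes, different between scanners. Roughly 1 in 4 unused
        # addresses appears alive to a given scanner.
        if self._prf(src, dst) % 4 != 0:
            return CLOSED
        profile = DECOY_CATALOG[self._prf(src, dst, "profile") % len(DECOY_CATALOG)]
        return profile.get(port, CLOSED)

    def scan(self, src: str, ports) -> dict:
        """Simulate a sweep of the subnet from src; returns {dst: {port: banner}}."""
        found: dict = {}
        for host in SUBNET.hosts():
            for port in ports:
                banner = self.probe(src, str(host), port)
                if banner is not CLOSED:
                    found.setdefault(str(host), {})[port] = banner
        return found


if __name__ == "__main__":
    layer = DeceptionLayer(key=b"example-secret")
    print("authorized view:", layer.scan("10.1.1.50", [22, 443, 5432, 445]))
    print("scanner view:", layer.scan("198.51.100.7", [22, 443, 5432, 445]))
    print("alerts raised:", len(layer.alerts))
```

Two practitioner caveats follow from the BAA's own requirements. The key is what keeps the mechanism from being co-opted: an attacker who can predict which addresses are phantoms can filter them out, or steer defenders toward them, so it needs the same handling as any other credential. The decoy catalog must also be kept in step with the real fleet, because a phantom running software nobody else runs is the first thing an experienced operator notices.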
As an indication of what deception is about, I cite the following from Deception for Defense of Information Systems: Analogies from Conventional Warfare (Neil C. Rowe and Hy S. Rothstein):
- Six general principles for effective tactical deception (Fowler and Nesbitt, 1995):
  - Deception should reinforce enemy expectations
  - Deception should have realistic timing and duration
  - Deception should be integrated with operations
  - Deception should be coordinated with concealment of true intentions
  - Deception realism should be tailored to needs of the setting
  - Deception should be imaginative and creative
- Taxonomy of kinds of deception (Dunnigan and Nofi, 2001):
  - Concealment (“hiding your forces from the enemy”)
  - Camouflage (“hiding your troops and movements from the enemy by artificial means”)
  - False and planted information (disinformation, “letting the enemy get his hands on information that will hurt him and help you”)
  - Lies (“when communicating with the enemy”)
  - Displays (“techniques to make the enemy see what isn’t there”)
  - Ruses (“tricks, such as displays that use enemy equipment and procedures”)
  - Demonstrations (“making a move with your forces that implies imminent action, but is not followed through”)
  - Feints (“like a demonstration, but you actually make an attack”)
  - Insight (“deceive the opponent by outthinking him”)
Related reading (partially thanks to Jim Henderson / Raytheon):
- 2015-03-17: International Conference on Deceptive Behavior (announcement; the conference will be held 24-26 August 2015 at the University of Cambridge, UK)
- 2014-07-28: First Global Deception Conference (write-up by Sophie Van Der Zee / Cambridge University)
- 2013: A Technique for Presenting a Deceptive Dynamic Network Topology (.pdf, MSc-thesis by Samuel T. Trassare)
- 2012: US Military Influence Operations (Cryptome)
- 2012: Performance Analysis of Cyber Deception Using Probabilistic Models (MSc-thesis by Michael B. Crouse)
- 2012: Reading Notes: “Reverse Deception: Organized Cyber Threat Counter-Exploitation” (Bodmer, Kilger, Carpenter and Jones, 2012)
- 2010: An exploration of defensive deception in industrial communication networks (.pdf, Julian L. Rrushi)
- 2010: Cyber Disrupt and Deny (Cyber D&D) (.pdf, Dennis J. Riechman)
- 2005: Computer Deception – Back to Basics (.pdf, MSc-thesis by Aasmund Thuv)
- 2004: Designing Good Deceptions in Defense of Information Systems (.pdf, Neil C. Rowe)
- 2004: The Ethics of Deception in Cyberspace (Neil C. Rowe)
- 2003: Counterplanning deceptions to foil cyber-attack plans (Neil C. Rowe)
- 2003: Confronting Cyberterrorism with Cyber Deception (.pdf, MSc-thesis by Kheng Lee Gregory Tan)
- [date unknown]: Deception in Cyber-Attacks (Neil C. Rowe and E. John Custy)
- [date unknown]: Two Taxonomies of Deception for Attacks on Information Systems (Neil C. Rowe and Hy S. Rothstein)
- [date unknown]: Deception for Defense of Information Systems: Analogies from Conventional Warfare (Neil C. Rowe and Hy S. Rothstein)