Reverse Deception: Organized Cyber Threat Counter-Exploitation
by S. Bodmer, M. Kilger, G. Carpenter and J. Jones
amazon.com USD 26.40
Reviewed by Richard Austin 3/14/2013
Though deception in various forms (spoofing a network address, posing as a trusted colleague, malware masquerading as a vendor security update) plays a significant part in many successful intrusions, security professionals have likely never considered how deception could become a tool for defending their own networks and assets.
Deceptions, whether conducted by an adversary or defender, are complex tasks that rely on a good understanding of goals and tactics. This understanding begins with knowledge of the adversary (capabilities, motivations, and tactics). The authors introduce some useful terminology in the introduction (and develop it fully in later chapters) by distinguishing between advanced persistent threats, persistent threats and opportunistic threats.
Most of us are familiar with "opportunistic threats" (also called "commodity threats"), such as common varieties of malware that target any vulnerable host they happen to encounter. Persistent threats are targeted at specific types of information and include the capability (persistence) to remain active for an extended period. The dreaded "advanced persistent threat" is a qualitative enhancement of the persistent threat and implies a better-funded, technically capable adversary willing to take multiple steps to achieve its objective (for example, compromising the vendor of a common security product used by the target organization in order to gain illicit access to the target's sensitive intellectual property). The authors introduce nine dimensions (e.g., objectives, resources, adversary risk tolerance) for classifying a threat on the opportunistic-to-APT continuum.
The deception process, as the authors are careful to note, is a two-way street: both sides of the interaction may be actively attempting to deceive the other at various times during the engagement. This maddening situation is aptly called the "hall of mirrors". To deceive an adversary successfully, the deception must be carefully planned and supported; for example, a honeynet with a trove of fascinating documents will quickly lose its attraction unless the documents have appropriate creation dates and can be seen to change and be updated over time. Readers are frequently reminded that deception always has a purpose (guiding the adversary into some preferred action or inaction that leads to a desired outcome), and that purpose must be clearly identified before the deception is undertaken.
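The "documents with believable dates that keep changing" point above is easy to state and easy to get wrong in practice. The script below is an added example written for this review, not code from the book or its authors. It assumes (my assumptions, not the authors') that decoys are ordinary files under one directory, that a believable history means modification times spread over months on weekdays inside working hours, that the set is refreshed by actually editing a few files so the newest timestamp never goes stale, and it audits a directory for the three tells an intruder would notice: every file stamped in the same minute, edits at off-hours, or a set nobody has touched in weeks. Names, bait text and the working-hours window are constructed for the example.

```python
"""Staging honeynet decoy documents with a believable edit history.

Added example, not code from the book or its authors. Assumptions (mine):
decoys are ordinary files under one directory; "believable" means
modification times spread over months, on weekdays and inside working
hours; and the set is "refreshed" by editing a few files so that the newest
timestamp never goes stale.
"""
import os
import random
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

WORK_START, WORK_END = 8, 18      # local hours in which the fictional staff edit files
STALE_AFTER_DAYS = 14             # a set untouched this long looks abandoned


def plausible_mtime(rng, now, max_age_days):
    """A timestamp on a weekday, inside working hours, up to max_age_days ago."""
    day = now - timedelta(days=rng.randrange(1, max_age_days + 1))
    while day.weekday() >= 5:     # slide Saturday/Sunday back to Friday
        day -= timedelta(days=1)
    return day.replace(hour=rng.randrange(WORK_START, WORK_END),
                       minute=rng.randrange(60), second=rng.randrange(60),
                       microsecond=0)


def _set_mtime(path, when):
    stamp = when.timestamp()
    os.utime(path, (stamp, stamp))  # sets atime/mtime only; birth time is a separate field


def stage_decoys(directory, names, seed=0, now=None, max_age_days=180):
    """Create the decoy files and give each its own plausible mtime.
    Returns {name: mtime} so the planting can be recorded for later alerting."""
    rng, now = random.Random(seed), now or datetime.now()
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    planted = {}
    for name in names:
        path = directory / name
        path.write_text(f"{name}\nDRAFT - internal use only\n")  # constructed bait text
        planted[name] = plausible_mtime(rng, now, max_age_days)
        _set_mtime(path, planted[name])
    return planted


def refresh_decoys(directory, fraction=0.2, seed=0, now=None):
    """Edit a random subset so the set keeps changing, as real documents do.
    The content changes too, so a hash-based comparison also sees a new version."""
    rng, now = random.Random(seed), now or datetime.now()
    files = sorted(p for p in Path(directory).iterdir() if p.is_file())
    chosen = rng.sample(files, max(1, int(len(files) * fraction)))
    for path in chosen:
        with path.open("a") as fh:
            fh.write(f"revised {now:%Y-%m-%d}\n")
        _set_mtime(path, plausible_mtime(rng, now, 3))   # within the last few workdays
    return [p.name for p in chosen]


def audit_decoys(directory, now=None):
    """List the tells an intruder would notice; an empty list means the set passes."""
    now = now or datetime.now()
    mtimes = [datetime.fromtimestamp(p.stat().st_mtime)
              for p in Path(directory).iterdir() if p.is_file()]
    findings = []
    if len(mtimes) > 1 and len({m.replace(second=0, microsecond=0) for m in mtimes}) == 1:
        findings.append("all files modified in the same minute")
    if any(m.weekday() >= 5 or not WORK_START <= m.hour < WORK_END for m in mtimes):
        findings.append("edits outside working hours")
    if max(mtimes) < now - timedelta(days=STALE_AFTER_DAYS):
        findings.append(f"no edits in the last {STALE_AFTER_DAYS} days")
    return findings


def demo():
    """Stage, refresh and audit a decoy set in a scratch directory, then audit a
    naively planted set (every file stamped with one off-hours time) for contrast."""
    names = ["q3_forecast.xlsx", "merger_notes.docx", "vpn_access.txt",
             "board_deck.pptx", "product_roadmap.pdf"]        # constructed names
    good = tempfile.mkdtemp(prefix="decoys-")
    planted = stage_decoys(good, names, seed=7)
    touched = refresh_decoys(good, fraction=0.4, seed=7)
    naive = tempfile.mkdtemp(prefix="naive-")
    for name in names:
        path = Path(naive) / name
        path.write_text("placeholder\n")
        _set_mtime(path, datetime(2012, 1, 7, 3, 0))          # a Saturday at 03:00
    return {"planted": planted, "touched": touched,
            "good_findings": audit_decoys(good), "naive_findings": audit_decoys(naive)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two caveats a practitioner would add. `os.utime` only rewrites access and modification times; the creation (birth) timestamp the review mentions is a separate field that NTFS exposes and an attacker can read with `dir /T:C`, so on Windows it has to be set separately (for instance by assigning `CreationTime` on the object returned by PowerShell's `Get-Item`), and on ext4 it is not settable through normal APIs at all. Second, run `audit_decoys` on a schedule rather than once: the "stale" finding is the one that creeps in after the bait has been forgotten.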
When one uses a phrase like "engage an adversary", visions of lawsuits spring to mind. That vision can become reality if one does not prepare appropriately before taking action, even within the confines of one's own perimeter. As the authors note, the key is to work with competent legal counsel to ensure that the contemplated course of action is legally permissible. This "Duh!" advice is followed by a solid discussion of how to actually talk to an attorney so that he understands what you are proposing to do and why it makes sense; only then can he advise you appropriately. This attitude of actively partnering with legal advisors would go a long way toward ending the entrenched perception that one "shouldn't bother asking legal because they will just say NO!".
Historical examples, relevant (and thoroughly sanitized) case studies and good illustrations show the concepts in operation. Copious references are provided so readers can dig deeper into topics of interest.
As with any book by multiple authors, there is some unevenness of presentation that should have been addressed in the final editing process. There are also some mystifying statements, such as "When it comes to cyber espionage, if your adversary can dive into all your secrets without performing any type of kinetic warfare" (p. 148). Since espionage is not generally considered an act of war, I suspect the author was making the point that cyber espionage does not necessarily require risky real-world actions such as recruiting and operating agents, gaining physical access to an adversary's bases, etc. Acronyms abound, so readers are well advised to maintain a list in order to avoid flipping back and forth to decode "SSCT" or "TTP".
This book is a masterful presentation of deception, how it works, how to understand it and how it may be used as another tool in defending your organization's assets. Given our constantly evolving threat environment, contributions to increasing our understanding and enhancing our defensive arsenal are sorely needed. Definitely a recommended read.
It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin (http://cse.spsu.edu/raustin2) fearlessly samples the wares of the publishing houses and opines on which might profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org