Reverse Deception: Organized Cyber Threat Counter-Exploitation (23 page)

Even more recently, Major General Wang Pufeng, a former Director of the Strategy Department, Academy of Military Science, Beijing, wrote (in “The Challenge of Information Warfare,”
China Military Science
), “Counter reconnaissance [is necessary] to prevent the opponent from obtaining information about the true situation. For example, secret falsification can be used to plant false intelligence and false targets in the place of true intelligence and true targets to confuse the real and the false and muddle the opponent’s perceptions and inspire false assessments. When conditions exist, active methods may be used to engage in interference to blind or even destroy the opponent’s reconnaissance instruments.”

His message here is clear: every path to every goal along the journey will have numerous paths of deceit embedded within. Truth will be protected by lies and lies by truth. The web must be tight, complete, and totally controlled.

A second level of complexities emerges here where this deception operates and exists in solitude, but woven by the master weaver who sits at a loom to create a blanket. Each deception is so simple it could stand on its own, but like a flower on the side of a mountain, it would be out of place if not for the vibrant community of flowers that cover the face of the mountain. So it is with the historical populace of the Chinese deception strategy within their Information Operations doctrine.

It is discouraging how many people are shocked by honesty and how few by deceit
.

—Noel Coward

Even more recently, there were reports of the People’s Liberation Army (PLA) advancing their cyber-deception capabilities through a coordinated computer network attack and electronic warfare integrated exercise. The Chinese strategy is to conduct an active offense to achieve electromagnetic dominance. In light of their ongoing research and development efforts, it is extremely likely that the Chinese will continue to bolster their Information Operations posture.

Just within the past few years, it has been noted that the PLA has organized and staffed cyber-attack units with civilian computer and IT experts, as well as militia and active military forces. Although there is debate as to the staffing level and resources dedicated to their efforts, there is no doubt as to the dedication and intentions outlined in the Chinese doctrine (as noted by LTC Timothy L. Thomas, in “China’s Electronic Strategy,”
Military Review
, May–June 2001).

Now we know why the Chinese have successfully used deception for more than 2,000 years and continue to use it today. Over the centuries, numerous countries have employed military deception in some form in order to achieve specific goals. You’ll notice that the Chinese are heavily referenced here, due to their extreme confidence and success in executing deception in both war and their society through the years.

One of the most important things to think about is why we continue to use deception. What is the benefit, if any? Deception is not the end-all solution to executing the perfect plan, but it may help you defend against an active persistent threat within your enterprise. Any edge in an engagement during combat operations could prove immeasurably valuable and ultimately swing a battle one way or another. Deception, although sometimes very complicated, can be employed for relatively little cost; it’s basically an economic decision.

In the following sections, we’ll take a look at how the use of deception has provided benefits in several situations.

The First US Army Group Deception

During World War II, both the Axis and Allies used deception extensively. Neither re-created deception doctrine; both drew on historical lessons from Sun Tzu and his polar opposite, Carl von Clausewitz, as well as other existing doctrine to achieve their goals. Sun Tzu believed deliberate deception planning led to a commander’s success. Clausewitz believed the mere activities of battle led to sufficient confusion, thereby allowing for success. In that, Sun Tzu believed that information superiority was the key to success, Clausewitz took a dialectical approach to military analysis such that he would explore numerous options before drawing a conclusion, which has led to many misinterpretations of Clausewitz’s magnum opus,
On War
. Clausewitz believed that in the “fog of war,” information (be it accurate, incomplete, or even dubious) was subject to the human factors of disillusionment, confusion, doubt, and even uncertainty; the essential unpredictability of war was preeminent. With either Sun Tzu’s or Clausewitz’s philosophy, there were numerous opportunities for the belligerents to inject strong and compelling deceptive stories.

A myriad of techniques and tactics were employed at different times in the war. Inflatable vessels and vehicles were some of the props that were used by the First US Army Group (FUSAG), a fictitious group that was activated in London in 1943. Although the inflatable were of little value, due to the limited ability of the Nazis to reconnoiter (observe and assess a specific area prior to military encampment) the staging area, the other aspects of the FUSAG deception played a big role in selling the activity to Erwin Rommel and Adolf Hitler.

Truth is often the favorite tool of those who deceive
.

—Bryant H. McGill

FUSAG was an Allies invention designed to deceive Hitler about the details of the invasion of France. FUSAG was activated to participate in Operation Quicksilver, which was the deception plan attached to the D-Day invasion. The Allies needed to convince Hitler that the actual assault to establish the Western Front would be at the Pas-de-Calais, approximately 300 kilometers away. The Allies knew that if the plan was to be successful, the German decision makers must be deceived to act in a way that would be favorable to the Allies.

The need was so compelling that the deception planners petitioned for the placement of George S. Patton in command to display to the Germans that the highest level of interest was in the success of this unit. General Dwight Eisenhower agreed with the planners and assigned General Patton as the commander (much to Patton’s dismay, since he believed he should be leading the assault and not playing along as the commander of a notional unit). The size of FUSAG, both in manning and equipment, was at a deficit, which mandated creativity.

Hitler and Rommel both believed that the invasion of France was coming at the Pas-de-Calais, so they refrained from dedicating the reserve of Panzers to Normandy. This was critical in allowing the Allies to establish an initial
beachhead
(reach the beach and begin to defend that ground to advance from that initial landing point), and proceed with follow-on operations.

Applying to Cyber

You need to consider that portions of your network are currently compromised and being held by an external hostile entity. Whether the attack is targeted or opportunistic, establishing a safe portion of your network to serve as your beachhead can allow you to begin to engage your threat without your threat being able to reconnoiter that initial staging area of defense.

So, from a military standpoint, we see how deception can enable operations, but what about in other areas? Almost every human at some point has been involved in some level of deception. This natural ability can be applied to the cyber world as well.

Do you think you are an honest person? Do you play fair? You drive the speed limit, always tell the truth, and obey all stop signs. And if you’re caught stealing a base, you escort yourself off the field in the event of a close call. You are a good, fair person, but has anyone ever said that you have a “poker face”? You just engaged in a form of deception. Now is that fair? Is that nice? No one at the card table knows if you are telling the truth or lying. Lying can help you win. If the ends justify the means, you might be able to explain that this is the right thing to do. The bottom line is that you do not want anyone else at the poker table to know what you have because secrecy and deception give you the tactical advantage you need to win. Of course, everyone else at the table is doing it, too, because they want to win. You will need to figure out who is bluffing and who is not bluffing if you are going to be successful.

The systems within your enterprise are similar conceptually, as each has its own form of a poker face when infected by an active threat. You won’t know which was infected until it shows its hand by signaling or transmitting outside the enterprise. Keep in mind that deception is an important tool that is used by both sides: the attacker and the defender.

Russian Maskirovka

The use of deception is not independent from other governmental and cultural norms. A government’s use of deception in operations reflects not just the climate of that government, but also goes much deeper and embodies its culture. Political philosophy and practice can also influence whether a nation employs deception.

We have taken a brief look at the Chinese use of deception, but countries all over the world employ some level of deception. Consider how the Russians use deception to achieve their goals. Historically, we know that every subject taught in Soviet schools was infused with the communist ideology of Lenin, Marx, and Engels. Since the fall of the Soviet Union in 1991, there are some indicators that things have changed with the new Russian Federation. However, it was the corruption that ensued from the failed (or incomplete) communist dictatorship state that gave birth to a military marshal law state, which always has elements of control, deception, and corruption.

Maskirovka
is the Russian word for a collective of techniques regarding deception. Historically, it is translated to mean concealment or camouflage. The interesting point here is that in a battlefield scenario, concealment protects only from observation. It does nothing to protect against actual gunshots, tanks, mortar rounds, or rockets. If the camouflage does not work, the consequences could be quite disastrous. The same is true for nonkinetic activities, such as the war of words when countries or organizations knowingly deny involvement in a specific act or series of events. For example, consider Iran’s defense of its nuclear energy efforts, only to have a government site write about a soon-to-come nuclear bomb. There are examples of countries all over the world participating in cyber espionage and not acknowledging the acts in and of themselves. The words that come from the leaders are one form of deception, which can be easily identified as such when the cyber espionage is detected and attributed to the origin or source (the country who swore it had no part in cyber espionage).

I have discovered the art of deceiving diplomats. I tell them the truth and they never believe me
.

—Camillo di Cavour

Deception Maxims

Contrary to popular theory, deception maxims are not derived by the military intelligence community, but are a joint development effort from the operational elements and intelligence organizations from both military and nonmilitary organizations. Maxims are conceived from psychology, game theory, social science, historical evidence, and decision analysis theory. There are ten deception maxims that are used by the military.

In the DoD context, it must be assumed that any enemy is well versed in DoD doctrine. This means that anything too far from normal operations will be suspected of being a deception even if it is not. This points to the need to vary normal operations, keep deceptions within the bounds of normal operations, and exploit enemy misconceptions about doctrine. Successful deceptions are planned from the perspective of the targets
.

—
Field Manual 90-02: Battlefield Deception, 1998

Understanding that the adversary is expecting deception and knows the doctrine of how it is employed is of paramount importance in developing and executing a successful deception campaign. All deception planning must be developed with these parameters in mind so that the executions are not something that will be obviously out of place and a dead giveaway.

The following sections discuss the ten military maxims, as presented in
Joint Publication 3-13.4, Military Description
, Appendix A.

“Magruder’s Principle”—Exploitation of a COG’s Perception or Bias

People believe what they believe. During Operation Desert Storm, Sadam Hussein believed that there would be an amphibious landing to start the invasion of Iraq. He believed the attempt to run cross country in the
blitzkrieg
style was suicide because his defenses were well supplied and staggered throughout the desert, making for a solid wall of resistance. General Norman Schwarzkopf used his personal experience and knowledge of tactics to deceive his adversary, who had oriented his forces to defend against the amphibious invasion that never came. Basically, it is easier to persuade COGs to maintain their preexisting belief than to deceive them by changing their belief.