Managing Network Security

The Unpredictability Defense

by Fred Cohen

Series Introduction

Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


I was talking with Donn Parker, one of the brilliant career information protection professionals of our age, and he brought up a very interesting subject. He said, and I hope I don't misquote him, that in interviewing hundreds of computer criminals who had been caught, a few things stood out in common. One was that they all act in hard-to-predict ways. Another was that they depend on predictability of defenses as a cornerstone of their attacks. Many of them stated that unless they were certain of how and when things would happen, they would not commit their crimes. Furthermore, the way many of them were detected and caught was by unanticipated changes in the way the defenses worked. If Donn is right, as he almost always is about such things, a cornerstone of protection management may be to keep changing the way you do defense.

The Irrational

Most successful technologists spend much of their time understanding the rational and predictable behavior of relatively simple systems (such as computers, phone systems, networks, and so forth). Most successful managers spend much of their time understanding the irrational and harder-to-predict behavior of people. It is this irrational (read unpredictable) behavior of people that makes technical defenses so difficult to perfect. Like the Turing machine's inability to reliably predict whether a program will halt, the technical defense's inability to anticipate all possibilities limits its ultimate success.

While the unpredictability of attackers makes defense far more difficult than it would otherwise be, unpredictability is a sword that cuts both ways. Most attackers depend on the predictability of the systems they attack for their success. For example, one of the reasons that "social engineering" (read lying to get what you want) works so well is that the responses of most honest people are predictable. If you present a situation where the wrong thing seems like the right thing, most people will do the wrong thing. Similarly, most confidence games depend on the predictability of the victim. The perfect mark is someone who wants to get rich and who will take risks to do so. Greedy people behave in similar ways, and that is how attackers take advantage of them.

In order to make unpredictability work for the defender, the defense has to be unpredictable enough to deter and detect attacks. For example, one of the most effective auditing techniques is the unannounced audit. Announced or periodic audits give the bad guys time to cook the books, remove their Trojan horses, erase their tracks from the audit trails, and so forth. This is particularly effective against the insider threat.

The same unpredictability principle can be used to make all sorts of attacks more difficult and more likely to be detected. While this technique has been applied in many areas, one area in which it has rarely been used is technical network protection.
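The unannounced audit above is a scheduling problem: the dates must be unpredictable to an insider, yet no stretch of time may go unaudited for too long, or the randomness itself creates a window the insider can wait out. The following is an added example, not code from the original article. The horizon and maximum-gap parameters, the use of a CSPRNG, and the function names are assumptions made for the illustration.

```python
import secrets
from typing import List, Optional


def periodic_schedule(horizon_days: int, period: int) -> List[int]:
    """The announced alternative: audit every `period` days.

    Anyone who knows the period knows exactly when to clean up beforehand,
    which is the weakness the article describes.
    """
    return list(range(period, horizon_days + 1, period))


def unannounced_schedule(horizon_days: int, max_gap: int,
                         rng: Optional[secrets.SystemRandom] = None) -> List[int]:
    """Audit days with gaps drawn from a CSPRNG, never more than `max_gap` apart.

    Randomness alone is not enough: a naive coin flip per day can leave a long
    stretch unaudited. Drawing each gap uniformly from 1..max_gap caps the
    longest window an insider could exploit while keeping the exact dates
    unpredictable. (Assumed parameters; not part of the original text.)
    """
    if max_gap < 1:
        raise ValueError("max_gap must be at least one day")
    rng = rng or secrets.SystemRandom()   # OS entropy, not a seedable PRNG
    days: List[int] = []
    day = 0
    while True:
        day += rng.randint(1, max_gap)
        if day > horizon_days:
            break
        days.append(day)
    return days


def longest_unaudited_stretch(schedule: List[int], horizon_days: int) -> int:
    """Longest run of days without an audit, from day 0 to the end of the horizon."""
    points = [0] + sorted(schedule) + [horizon_days]
    return max(b - a for a, b in zip(points, points[1:]))


if __name__ == "__main__":
    # Constructed one-year plan with at most two weeks between audits.
    plan = unannounced_schedule(365, 14)
    print("audit days:", plan)
    print("longest gap:", longest_unaudited_stretch(plan, 365))
```

Because every gap is bounded, the coverage guarantee holds for any draw, while the dates themselves cannot be derived from the previous schedule. The periodic function is kept only to make the contrast concrete: its output is identical every year.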

The History of Technical Network Security Deception

Deception has had a long and prestigious history in technical defenses of networks, but despite its great successes, it is not as widespread as other sorts of defenses.

Why Deception Defense Has Not Been Widely Used

Maybe the reason is that we have taught defenders to try to build perfect defenses, or perhaps it's because any hole is considered a major hole because it introduces the potential for such rapid and widespread expansion. But I think there are a few other reasons...

Before I address these particular concerns, I want to introduce you to the Deception ToolKit (DTK). DTK is a free toolkit for creating deceptive defenses against Internet-based attacks. It is available for free over the Internet (details follow), and I offer it up for your consideration.

The Deception ToolKit

The Deception ToolKit (DTK) is a toolkit designed to give defenders a couple of orders of magnitude advantage over attackers. It can be found at the / Web site where you can download the DTK Version 0.0 software for free.

The basic idea is not new. We use deception to counter attacks. In the case of DTK, the deception is intended to make it appear to attackers as if the system running DTK has a large number of widely known vulnerabilities. DTK's deception is programmable, but it is typically limited to producing output in response to attacker input in such a way as to simulate the behavior of a system which is vulnerable to the attacker's method. This has a few interesting side effects:
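To make the "programmable output in response to attacker input" idea concrete, here is an added example of a table-driven deception responder. It is not DTK's code and the response-table format, the fake FTP-style dialogue, the log layout and the alert rules are all constructed for this illustration. The point it demonstrates is the one the text makes: the service only has to look right from the outside, and because nothing legitimate ever connects to it, every recorded interaction is signal.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Transition:
    pattern: str      # regular expression tried against one line of client input
    next_state: str   # state the session moves to when the pattern matches
    response: str     # canned reply imitating what a real, vulnerable service would say


# Hypothetical response table for a fake FTP-like service (constructed for this
# example; not DTK's own format). Within a state the first matching transition
# wins, so the ".*" catch-all must come last.
FAKE_FTP = {
    "banner": "220 ftpd ready.",
    "states": {
        "start": [
            Transition(r"^USER\s+\S+$", "need_pass", "331 Password required."),
            Transition(r"^QUIT$", "closed", "221 Goodbye."),
            Transition(r".*", "start", "530 Please login with USER and PASS."),
        ],
        "need_pass": [
            # Every password is "accepted": the aim is to record the attempt and
            # keep the client talking, not to authenticate anyone.
            Transition(r"^PASS\s+.*$", "logged_in", "230 Login successful."),
            Transition(r".*", "need_pass", "331 Password required."),
        ],
        "logged_in": [
            Transition(r"^QUIT$", "closed", "221 Goodbye."),
            Transition(r".*", "logged_in", "500 Command not understood."),
        ],
    },
}


class DeceptionSession:
    """One client's conversation with the simulated service."""

    def __init__(self, table: dict, peer: str) -> None:
        self.table = table
        self.peer = peer                               # client address, for the audit record
        self.state = "start"
        self.log: List[Tuple[str, str, str]] = []      # (state before, input, state after)

    def banner(self) -> str:
        return self.table["banner"]

    def handle(self, line: str) -> Optional[str]:
        """Reply to one input line; None once the session has been closed."""
        if self.state == "closed":
            return None
        line = line.rstrip("\r\n")
        for t in self.table["states"][self.state]:
            if re.match(t.pattern, line):
                self.log.append((self.state, line, t.next_state))
                self.state = t.next_state
                return t.response
        # Only reached if a state lacks a catch-all: stay put and answer generically.
        self.log.append((self.state, line, self.state))
        return "500 Command not understood."


def alerts(session: DeceptionSession) -> List[str]:
    """Turn the session log into alert lines. No legitimate user has an account on
    a service that does not exist, so each login step is a high-confidence event."""
    out = []
    for before, line, after in session.log:
        if before == "start" and after == "need_pass":
            out.append(f"{session.peer}: login attempt as {line.split(None, 1)[1]}")
        elif before == "need_pass" and after == "logged_in":
            out.append(f"{session.peer}: password supplied to fake service")
    return out


def run_script(table: dict, peer: str, lines: List[str]) -> Tuple[List[str], DeceptionSession]:
    """Drive a session with a scripted client transcript; returns (replies, session)."""
    session = DeceptionSession(table, peer)
    replies = [session.banner()]
    for line in lines:
        reply = session.handle(line)
        if reply is None:
            break
        replies.append(reply)
    return replies, session


if __name__ == "__main__":
    # Constructed sample transcript from a client at a documentation-range address.
    replies, sess = run_script(FAKE_FTP, "192.0.2.10",
                               ["USER admin", "PASS hunter2", "SYST", "QUIT"])
    print("\n".join(replies))
    print("\n".join(alerts(sess)))
```

In a deployment the same state machine would sit behind a socket listener on the port of the service being imitated; the scripted driver here stands in for that so the logic runs offline. Adding a new fake service means writing another table, not more code, which is the sense in which such a defense is programmable.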

What The DTK Gets You

Remember the objections to deceptive defense? I thought it might be worth going over them again with some counterpoints.

Summary and Conclusions

DTK is only one example of a deceptive defense. There are many deception techniques in widespread use today, ranging from "sting" operations to fake cameras. They deter crime by making the criminal less certain, and they detect crimes and criminals before serious harm is done.

While deception is not the end-all of network protection, it appears that deception is a viable technique and one worth exploring. It can be simple, inexpensive, and effective, and it benefits the good guys while making it harder on the bad guys.

About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Managing Director of Fred Cohen and Associates in Livermore, California, an executive consulting and education group specializing in information protection. He can be reached by sending email to fred at or visiting /