Managing Network Security

The Deception Defense

by Fred Cohen



Series Introduction

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


Recent Results

It has been some time since I got up on my soap box about the use of deception in defense of information systems, so I thought that this would be a good time to bring it back to the fore. It is particularly apropos because of the 'terrorism' war that has been declared and the extreme uses of deception in this effort by all sides. While I am typically one to roam from global politics to technical countermeasures and back all within a sentence, I promise that this time I will keep to the issues of deception in information technology... sort of.

It turns out that all of the results in deception to date have pointed to one inescapable conclusion. Deception works.

The reason it works is still under study, but there can be no doubt any more that it is highly effective as a defense. We are learning a lot about why it works, and the results to date bring us back to a fundamental principle of security that has spanned the ages. Information protection is, at its heart, a people problem.


How do you predispose?

The reason that deception works is primarily because of the presence of predispositions in humans and the technologies we create. Now I don't wish to leave the wrong impression. Our predispositions are the reason we are intelligent beings to the extent that we are so. Indeed, without predisposition we would not make the leaps from one thing to another that we are so good at doing. For example, our visual cortex develops mechanisms that are predisposed to believe that two sets of light flashes that are linear in shape and terminate in the same location relative to our visual field are in fact mechanical components that meet in three dimensional space. The reason this works so well is that, except in the rarest of circumstances, this effect is due to this cause.

The very predisposition that allows us to rapidly comprehend a scene can be used against us to cause us to misinterpret it. This is the very nature of human cognition, and of the computer cognition that humans induce, and it is the very basis of successful deception.

In the computer world, people have very specific predispositions. One very good example is that people tend to trust the results generated by their tools unless the results are very unusual. Since all information gleaned by people from information systems involves the use of tools, we are, in some sense, fooling the user by fooling the person who created their tools.


You can fool some of the people...

It is the nature of deception that it is imperfect, just as reality is imperfect. No matter how we try to model it, we will always get surprises at some level every now and then.

On the other hand, when we don't use deception, we are practically guaranteeing that we don't fool any of the people any of the time. The net effect is that intelligence efforts against our networks are simple, effective, rapid, low cost, and reliable.

While some people may not be fooled by simple deceptions, recent experiments have shown that you can indeed fool some pretty good attackers all of the time - at least for some period of time - using recently developed deception technologies.


It's All The Rage

It also seems that deception has recently become quite popular as a defense. After a few years of experience, we are seeing more and more companies in this market, even though many are not advancing the technology beyond what existed five years ago. New is not always what's needed for success, and deception has been effective for thousands of years in one form or another.

In the early years, the big problem when trying to sell deception as a defense to people was that it would accidentally fool the systems administrators and legitimate users and waste their time. In the era when we are increasingly looking for solutions that work against insiders - even systems administrators - it is strange indeed to hear of an effective defense being criticized because it is effective against the very people we need defenses against. But that's not the whole story.

Indeed - when systems administrators do the wrong things they get fooled, detected, and defeated by deceptions. That is a very good thing. In all of the cases of real-world deceptions, there are only a very few cases of deceptions fooling systems or network administrators who were doing legitimate work, and in those cases, the deception was rapidly detected by the defender and the cost was slight. But there are many more cases of deceptions successfully detecting, defeating, and delaying insiders attempting to defeat protections.


Emerging Technologies

While the historical deception efforts have been somewhat clunky, recent advances are soon going to lead to a whole new generation of easily managed and controlled, low-cost but highly effective deception technologies. Here are some examples of things on the horizon. Expect them to be available for purchase in a few months.

It seems clear from these descriptions that we are just about to see a tremendous increase in the viability of deceptions for many businesses to use in defense of their computer systems and networks.


Conclusions

This one is simpler than most to summarize...

For more information on deceptions and deception for information protection, go to the all.net web site and press on "Deception for Protection". An extensive collection of information is available there.

On a side note, I am sorry for my lack of humor this month. Things have been very busy, and the death of many co-workers and friends in the greater security community along with poisons sent through the mail and bombing of other nation-states doesn't make it any easier.


About The Author:

Fred Cohen is researching information protection as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates, and educating cyber defenders over-the-Internet as a practitioner in residence in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at all.net or visiting http://all.net/