Live in a world where you make the rules

It's time the bad guys see things your way!


Deception isn't some radical new approach to engage in warfare. In fact, it's been a tactic used for thousands of years and the threat landscape you're battling on is built upon it.


Make no mistake, there is a war under way to keep personal and corporate assets safe, and sadly it will never end. There is a continuous need to improve security postures, driven by the persistence of human nature's ugliest traits.



In keeping with the wartime theme, consider military strategist and United States Air Force Colonel John Boyd, the OODA loop (observe, orient, decide, act) he developed, and how enterprises are traditionally operated and defended.

We've done it to ourselves


If you’re like most, your initial conclusion about leveraging the OODA strategy is that if you complete the loop before an adversary, you will win. This is a perfect example of the point we want to illustrate.


We have been trained to see the four words and arrows in the cycle and then draw a conclusion. Like most, your interpretation would be based on surface-level information, and you would not recognize two critical considerations (or opportunities) in executing the strategy: "perspective" and "creativity", critical to the "Observe" and "Orient" phases respectively.


Unfortunately, defensive strategies and controls have become predictable, providing cyber criminals with a significant advantage. It can be argued that before an attacker engages an environment, they have a deeper low-level understanding of it than those who own it. Frankly, this isn't a shocker.


Acknowledging flaws


The common flaw in human thinking that Boyd looked to overcome with his strategy is that people see what they want, what ought to be according to a norm, only then to make predictable decisions that present vulnerabilities to be exploited.


The above graphic illustrates Boyd's thinking.


Boyd's OODA strategy requires much more thoughtfulness to be effective. It directs an individual or group to identify and use an unexpected position of observation, one an adversary did not anticipate, and to base decision making on that vantage point. Of course, taking corrective action (Act) is required, but traditionally that hasn't been the problem in defending an environment.


Time to break with tradition


Traditionally, defenders have been trained to identify valuable IT/OT assets and processes and then build defenses around them in accordance with risk tolerances, frameworks, standards, and a myriad of other factors. Out with the old, in with the new, everything is patched, keep up with the threat landscape, blah, blah, blah. Take a step back and admire all your hard work, which has resulted in a target-rich environment! Pick your vertical, organization size, geographic location, colors in a logo, etc.; on a daily basis we have a plethora of incidents to read about in environments where traditional defensive measures were adhered to. The bottom line: what has become tradition is in fact a failure to prevent compromise.


Admit you don't know what you don't know


Consider how a malware developer or attacker thinks about and sees your environment. Think about the knowledge required to create those tools and use them successfully against a well-guarded defense-in-depth environment. It quickly becomes an overwhelming exercise, and the mind races to dark places looking for answers.


In reality, can you, or those you count on to defend your environment, provide a detailed explanation of the design of computer cache or how it is used by your favorite operating system or application? What about the protocols running across your environment? Can you or they explain the protocol standard specification of just one of those protocols versus how it has been implemented by your chosen network device manufacturer or firewall provider?


The fact of the matter is it's not practical, nor is it necessary, to employ this low-level knowledge. Even if you were in the know, what change could you actually impose on the technology your adversaries consider as targets? Are you going to have operating systems and applications recompiled? Are you prepared and capable of going even lower to the chip-level next? Where does it stop?


Stop being predictable


Just face it: your adversaries know you've deployed unadulterated information, operational, and defensive technologies that follow low-level rules in order to work together, and they know where the vulnerabilities are and how to exploit them.


It's your environment, and nothing says you can't be creative and, dare I say it, deceitful in how your environment is presented. Think about what an adversary's "Observe" experience is like when they engage your environment.


To illustrate this concept consider the game of chess. Traditionally, both players can see one another’s game pieces and their respective positions upon which movement decisions are made. Skilled players will anticipate several series of movements to gain the upper hand and will sacrifice pieces in movements to entrap their opponent.


In our “game” as “defenders”, our opponents can see our pieces, their respective capabilities, and potential value. Often, we cannot see our adversaries until it is too late.


Change the rules and don't tell anyone

When it comes to defending your organization, you have the power to make the rules and feel free to change them at any point as many times as you like.

Now imagine having the power to add game pieces to your arsenal at any point. You can put those pieces into play whenever you desire, and you change your perspective to that of your adversary to paint a different picture for them to observe, one they expect to see. Even if we still cannot see their playing pieces or read their minds, we have significantly changed the game to our benefit.


When you apply cyber deception to an enterprise, you're playing by your new rules. You're manipulating what is presented to adversaries and can direct their behavior. When an adversary makes a move on one of your "deceptions", you're immediately notified and back in control with actionable information, pre-empting the point in the kill chain where your adversaries expect you to engage them.
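To make the "immediately notified" part concrete, here is an added example (not code from the original post or from any deception product) of the simplest kind of planted game piece: decoy accounts that no legitimate user ever touches, watched over authentication log lines. The decoy account names, the sshd-style log format and the sample lines are all constructed for the example.

```python
"""Decoy-account detection over authentication log lines.

Added example, not from the original post. Decoy account names and the
log format are assumptions; the log lines below are constructed.
"""
import re
from dataclasses import dataclass

# Decoy "game pieces": accounts that exist only to be touched by an intruder.
# Any use of these names is, by construction, a signal (assumed names).
DECOY_ACCOUNTS = {"svc_backup_legacy", "finance_admin2"}

# Constructed sshd-style line format; an assumption for this example.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port (?P<port>\d+)"
)

@dataclass(frozen=True)
class DecoyAlert:
    timestamp: str
    user: str
    source_ip: str   # the actionable piece: where the move came from
    result: str      # "Accepted" or "Failed"

def detect_decoy_use(lines):
    """Return one DecoyAlert per log line that touches a decoy account.

    Failed attempts count too: the decoy's value is that *any* interaction
    with it is a signal, so we do not wait for a successful login.
    """
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m.group("user") in DECOY_ACCOUNTS:
            alerts.append(DecoyAlert(m.group("ts"), m.group("user"),
                                     m.group("src"), m.group("result")))
    return alerts

# Constructed sample: a normal login, two moves on decoys, one unrelated line.
SAMPLE_LOG = [
    "2024-01-05T09:12:01Z sshd[4120]: Accepted publickey for alice from 10.0.0.7 port 51234",
    "2024-01-05T09:13:44Z sshd[4131]: Failed password for invalid user finance_admin2 from 10.0.0.77 port 40211",
    "2024-01-05T09:14:02Z sshd[4132]: Accepted password for svc_backup_legacy from 10.0.0.77 port 40212",
    "2024-01-05T09:15:00Z cron[4200]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for a in detect_decoy_use(SAMPLE_LOG):
        print(f"DECOY TOUCHED {a.timestamp} user={a.user} src={a.source_ip} ({a.result})")
```

Because the decoy names carry no legitimate traffic, the alert needs no baseline or tuning: the source address alone is the actionable information the paragraph refers to.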


Applying these concepts and methodology is fundamental to effective cyber deception programs. We’re simply using different tactics than what the masses (good and bad) have become accustomed to and therefore we become unpredictable to our adversaries.


