Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
It has been some time since I got up on my soap box about the use of deception in defense of information systems, so I thought that this would be a good time to bring it back to the fore. It is particularly apropos because of the 'terrorism' war that has been declared and the extreme uses of deception in this effort by all sides. While I am typically one to roam from global politics to technical countermeasures and back all within a sentence, I promise that this time I will keep to the issues of deception in information technology... sort of.
It turns out that all of the results in deception to date have pointed to one inescapable conclusion. Deception works.
The reason it works is still under study, but there can be no doubt any more that it is highly effective as a defense. We are learning a lot about why it works, and the results to date bring us back to a fundamental principle of security that has spanned the ages. Information protection is, at its heart, a people problem.
The reason that deception works is primarily because of the presence of predispositions in humans and the technologies we create. Now I don't wish to leave the wrong impression. Our predispositions are the reason we are intelligent beings to the extent that we are so. Indeed, without predisposition we would not make the leaps from one thing to another that we are so good at doing. For example, our visual cortex develops mechanisms that are predisposed to believe that two sets of light flashes that are linear in shape and terminate in the same location relative to our visual field are in fact mechanical components that meet in three dimensional space. The reason this works so well is that, except in the rarest of circumstances, this effect is due to this cause.
The very predisposition that causes us to be able to rapidly comprehend a scene can be used against us to cause us to misinterpret it. This is the very nature of human - and human induced computer - cognition - and the very basis of successful deception.
In the computer world, people have very specific predispositions. One very good example is that people tend to trust the results generated by their tools unless the results are very unusual. Since all information gleaned by people from information systems involves the use of tools, we are, in some sense, fooling the user by fooling the person who created their tools.
It is the nature of deception that it is imperfect - just as realist is imperfect. No matter how we try to model it, we will always get surprises at some level every now and then.
On the other hand, when we don't use deception, we are practically guaranteeing that we don't fool any of the people any of the time. The net effect is that intelligence efforts against our networks are simple, effective, rapid, low cost. and reliable.
While some people may not be fooled by simple deceptions, recent experiments have shown that you can indeed fool some pretty good attackers all of the time - at least for some period of time - using recently developed deception technologies.
It also seems that deception has recently become quite popular as a defense. After a few years of experience, we are seeing more and more companies in this market, even though many are not advancing the technology beyond what existed five years ago. New is now always what's needed for success, and deception has been effective for thousands of years in one form or another.
In the early years, the big problem when trying to sell deception as a defense to people was that it would accidentally fool the systems administrators and legitimate users and waste their time. In the era when we are increasingly looking for solutions that work against insiders - even systems administrators - it is strange indeed to hear of an effective defense being criticized because it is effective against the very people we need defenses against. But that's not the whole story.
Indeed - when systems administrators do the wrong things they get fooled, detected, and defeated by deceptions. That is a very good thing. In all of the cases of real-world deceptions, there are only a very few cases of deceptions fooling systems or network administrators who were doing legitimate work, and in those cases, the deception was rapidly detected by the defender and the cost was slight. But there are many more cases of deceptions successfully detecting, defeating, and delaying insiders attempting to defeat protections.
While the historical deception efforts have been somewhat clunky, recent advances are soon going to lead to a whole new generation of easily managed and controlled, low-cost but highly effective deception technologies. Here are some examples of things on the horizon. Expect them to be available for purchase in a few months.
Pop-up deceptions: In this case you pop a CD into a computer and it instantly becomes a deception network. Recent experiments have demonstrated that such systems can be put in place in a matter of minutes and effectively defeat many automated attack programs, alert network administrators to attacker efforts, and be put up or taken down when and where needed to defeat an attacker in real-time. One of the most effective examples was a deception that tricked Code Red attack machines into crashing themselves. It was made functional on several networks in less than 5 minutes each using existing systems with a bootable CD for the deception.
Deception-based firewalls: Recent experiments have shown that deception-based firewalls were extremely effective against attackers of a wide range of skills. In some cases it cause attackers to move on to other systems, while in other cases, the defenses cause whole attack groups to become non-functional for periods of time. In even simple cases attackers who 'broke into' a deception system were convinced that they had defeated real systems to the point of 'declaring victory' and moving on to other networks.
Pocket-sized deceptions: We have one implementation of a deception that works on an IPAQ hand-held computer. You can literally turn your PDA into a deception system for a whole network in a matter of a minute or two, any if you have a radio LAN, you can create deceptions that roam from location to location picking up information on automated attack mechanisms as you go.
Deeply embedded deceptions: As we see more and more deception technology, more deeply embedded deceptions will lead to the ability for a single machine to create extremely rich and highly embedded deceptions. As a simple example, in one system we can emulate several other computers with different operating systems by using virtual machine technologies. Each machine can operate as a fully functional system of its sort and yet all of them are within a single physical computer and under the direct control of the deception control system.
Menu-based deception management: Menus have been implemented for select standard deceptions and as more and more situations are encountered requiring less and less sophisticated defenders, these menu-based interfaces will improve to the point of creating hundreds of different types of automatically configured, operated, and managed deception networks at the selection from a menu with the filling out of a simple form.
It seems clear from these descriptions that we are just about to see a tremendous increase in the viability of deceptions for many businesses to use in defense of their computer systems and networks.
This one is simpler than most to summarize...
It's cost effective as a defense.
It's operates as a very good intrusion detection system.
All of the claimed shortcoming never panned out.
More and more vendors offer it as a product or service
The cost is low and the effectiveness is high.
It provides a legal and ethical way to fight back against cyber attack.
For more information on deceptions and deception for information protection, go to the all.net web site and press on "Deception for Protection". An extensive collection of information is available there.
On a side note, I am sorry for my lack of humor this month. Things have been very busy, and the death of many co-workers and friends in the greater security community along with poisons sent through the mail and bombing of other nation-states doesn't make it any easier.
About The Author:
Fred Cohen is researching information protection as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates, and educating cyber defenders over-the-Internet as a practitioner in residence in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at all.net or visiting http://all.net/