Abstract
In this chapter we explore cyber-counterdeception (cyber-CD), what it is, how it works, and how to incorporate it into cyber defenses. We review existing theories and techniques of counterdeception and adapt them for usage by cyber defenders in conjunction with their deception chains and deception campaigns. In so doing we present a cyber-CD process model, then apply it to the Mandiant APT1 case. Our goal is to suggest how cyber defenders can use cyber-CD, in conjunction with defensive cyber-D&D campaigns, to detect and counter cyber attackers.
Notes
1. Whaley (2006) further wrote: “Counterdeception is … now standard jargon among specialists in military deception. This useful term was coined in 1968 by Dr. William R. Harris during a brainstorming session with me in Cambridge, Massachusetts.” Harris’s papers, while widely influencing other scholars of deception and counterdeception, are hard to come by. Epstein (1991) cites William R. Harris (1968) “Intelligence and National Security: A Bibliography with Selected Annotations.” Cambridge MA: Center for International Affairs, Harvard University. Other relevant Harris counterdeception papers Epstein cited include “Counter-deception Planning,” Cambridge MA: Harvard University, 1972; and “Soviet Maskirovka and Arms Control Verification,” mimeo, Monterey CA: U.S. Navy Postgraduate School, September 1985.
2. McNair, Philip A. (1991) Counterdeception and the Operational Commander. Newport RI: Naval War College.
3. Bodmer et al. (2012) noted Chinese cyber deception in cyber wargaming (p. 82): “reports of the People’s Liberation Army (PLA) advancing their cyber-deception capabilities through a coordinated computer network attack and electronic warfare integrated exercise.” We found no references explicitly to cyber exercises of cyber-counterdeception.
4. Rowe used the term counterdeception; we believe he meant what we term here counter-deception. Rowe, N. C. (2004) “A model of deception during cyber-attacks on information systems,” 2004 IEEE First Symposium on Multi-Agent Security and Survivability, 30–31 Aug. 2004, pp. 21–30. Rowe (2003) proposed a counterplanning approach to planning and managing what we term counter-deception operations; Rowe, N. C. (2003) “Counterplanning Deceptions To Foil Cyber-Attack Plans,” Proceedings of the 2003 IEEE Workshop on Information Assurance, West Point NY: United States Military Academy, June 2003. A recent description of counter-deception, “a multi-layer deception system that provides an in depth defense against … sophisticated targeted attacks,” is Wang, Wei, Jeffrey Bickford, Ilona Murynets, Ramesh Subbaraman, Andrea G. Forte and Gokul Singaraju (2013) “Detecting Targeted Attacks by Multilayer Deception,” Journal of Cyber Security and Mobility, v. 2, pp. 175–199. http://riverpublishers.com/journal/journal_articles/RP_Journal_2245-1439_224.pdf
5. Rowe, N. C. (2006) “A taxonomy of deception in cyberspace,” International Conference on Information Warfare and Security, Princess Anne, MD.
6. For a general analysis of denial techniques in cyber-counter-deception (cyber-C-D), see Yuill, Jim, Dorothy Denning, & Fred Feer (2006) “Using Deception to Hide Things from Hackers: Processes, Principles, and Techniques,” Journal of Information Warfare, v. 5, n. 3, pp. 26–40.
7. The Economist (2014) “Banks and fraud: Hacking back--Bankers go undercover to catch bad guys,” The Economist, April 5th 2014. http://www.economist.com/news/finance-and-economics/21600148-bankers-go-undercover-catch-bad-guys-hacking-back
8. Mandiant (2013) APT1: Exposing One of China’s Cyber Espionage Units. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf and Appendices.
9. STIX and the STIX logo are trademarks of The MITRE Corporation. The STIX license states: The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use Structured Threat Information Expression (STIX™) for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided you reproduce MITRE’s copyright designation and this license in any such copy (see http://stix.mitre.org/).
10. TAXII and the TAXII logo are trademarks of The MITRE Corporation. The TAXII license states: The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use Trusted Automated Exchange Indicator Information (TAXII™) for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided you reproduce MITRE’s copyright designation and this license in any such copy (see http://taxii.mitre.org/).
11. Other than a few references to detecting deception in social engineering situations, we found no research on cyber-counterdeception, per se, in general searching of the scholarly literature.
12. Some (e.g., Bennett and Waltz 2007) would credit “incongruity analysis” to R. V. Jones, and his theory of spoofing and counter-spoofing. See Jones, R. V. (2009) Most Secret War. London: Penguin, pp. 285–291: “the perception of incongruity—which my ponderings have led me to believe is the basic requirement for a sense of humour—[concluding]… the object of a practical joke [is] the creation of an incongruity.”
13. McPherson, Denver E. (2010) Deception Recognition: Rethinking the Operational Commander’s Approach. Newport RI: Joint Military Operations Department, Naval War College.
14. For example, Heuer, Jr., Richards J. (1981) “Strategic Deception and Counterdeception: A Cognitive Process Approach,” International Studies Quarterly, v. 25, n. 2, June 1981, pp. 294–327. Whether or not deception is detected, assessing hypotheses regarding the adversary’s possible courses of action against the evidence provides useful insights into adversary intentions: “The [counterdeception] cell would be tasked to … [look] at the data from the enemy’s point of view. They would need to place themselves in the mind of the enemy, determine how they would develop a deception plan and see if evidence supports it. … The enemy may not be employing a deception plan, but the process will aid in exploring different enemy courses of action that may have been overlooked.” Heuser, Stephen J. (1996) Operational Deception and Counter Deception. Newport RI: Naval War College, 14 June 1996. Bruce and Bennett (2008) wrote: “the failure to generate hypotheses increases vulnerability to deception…One key to Why Bad Things Happen to Good Analysts has been conflicting organizational signals regarding promotion of overconfidence (“making the call”) versus promotion of more rigorous consideration of alternative hypotheses and the quality of information;” Bruce, James B. & Michael Bennett (2008) “Foreign Denial and Deception: Analytical Imperatives,” in George, Roger Z. & James B. Bruce (2008) Analyzing intelligence: origins, obstacles, and innovations. Washington DC: Georgetown University Press.
15.
16. Heuer, Jr., R. J. (1981) “Strategic Deception and Counterdeception: A Cognitive Process Approach,” International Studies Quarterly, v. 25, n. 2, June 1981, pp. 294–327; Elsäesser, C. & F. J. Stech (2007) “Detecting Deception,” in Kott, A. & W. M. McEneaney eds (2007) Adversarial reasoning: computational approaches to reading the opponent’s mind. Boca Raton FL: Taylor & Francis Group.
17. See Fischhoff, B., (1982) “Debiasing,” in Kahneman, D., P. Slovic, & A. Tversky, eds. (1982) Judgment under Uncertainty: Heuristics and Biases. Cambridge UK: Cambridge University Press, pp. 422–444.
18. For a review of the various counterdeception theories, see Stech, F., and C. Elsäesser (2007) “Midway Revisited: Detecting Deception by Analysis of Competing Hypothesis,” Military Operations Research, 11/2007; v. 12, n. 1, pp. 35–55.
19. Heuer, Jr., Richards J. (1999) “Chapter 8, Analysis of Competing Hypotheses,” Psychology of Intelligence Analysis, Washington DC: Central Intelligence Agency. https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/psychology-of-intelligence-analysis/
20. “2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.” Unit 61398 functions as “the Third Department’s premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence,” Stokes, M.A., J. Lin, and L.C.R. Hsiao (2011) “The Chinese People’s Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure,” Project 2049 Institute, 2011: 8, http://project2049.net/documents/pla_third_department_sigint_cyber_stokes_lin_hsiao.pdf
References
Bennett, M., & Waltz, E. (2007). Counterdeception principles and applications for national security. Norwood, MA: Artech House.
Bodmer, S., M. Kilger, G. Carpenter, and J. Jones (2012) Reverse Deception: Organized Cyber Threat Counter-Exploitation. McGraw-Hill: New York.
Bruce, J. B. & M. Bennett (2008) “Foreign Denial and Deception: Analytical Imperatives”, in George, R. Z. & J. B. Bruce (2008) Analyzing intelligence: origins, obstacles, and innovations. Washington DC: Georgetown University Press.
Dawes, R.M. (2001) Everyday Irrationality: How Pseudo Scientists, Lunatics, and the Rest of Us Systematically Fail to Think Rationally. Boulder CO: Westview Press.
Economist (2014) “Banks and fraud: Hacking back--Bankers go undercover to catch bad guys”, The Economist, April 5th 2014. http://www.economist.com/news/finance-and-economics/21600148-bankers-go-undercover-catch-bad-guys-hacking-back.
Elsäesser, C. & F. J. Stech (2007) “Detecting Deception”, in Kott, A. & W. M. McEneaney eds (2007) Adversarial reasoning: computational approaches to reading the opponent’s mind. Boca Raton FL: Taylor & Francis Group.
Epstein, E. J. (1991) Deception: The Invisible War between the KGB and the CIA. New York: Random House.
Fischhoff, B. (1982) “Debiasing”, in Kahneman, D., P. Slovic, & A. Tversky, eds. (1982) Judgment under Uncertainty: Heuristics and Biases. Cambridge UK: Cambridge University Press, pp. 422–444.
Gerwehr, Scott, & Russell W. Glenn (2002). Unweaving the Web: Deception and Adaptation in Future Urban Operations. Santa Monica: RAND.
Gilovich, T., D. Griffin, & D. Kahneman (2002) Heuristics and Biases. Cambridge UK: Cambridge University Press.
Harris, W. R. (1968) “Intelligence and National Security: A Bibliography with Selected Annotations”. Cambridge MA: Center for International Affairs, Harvard University. Cited by Epstein (1991).
Harris, W. R. (1972) “Counter-deception Planning”, Cambridge MA: Harvard University, 1972. Cited by Epstein (1991).
Harris, W. R. (1985) “Soviet Maskirovka and Arms Control Verification”, mimeo, Monterey CA: U.S. Navy Postgraduate School, September 1985. Cited by Epstein (1991).
Heuer, Jr., R. J. (1981) “Strategic Deception and Counterdeception: A Cognitive Process Approach”, International Studies Quarterly, v. 25, n. 2, June 1981, pp. 294–327.
Heuer, Jr., R. J. (1999) Psychology of Intelligence Analysis, Washington DC: Central Intelligence Agency. https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/psychology-of-intelligence-analysis/.
Heuser, Stephen J. (1996) Operational Deception and Counter Deception. Newport RI: Naval War College, 14 June 1996. www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA307594.
Hobbs, C. L. (2010) Methods for improving IAEA information analysis by reducing cognitive biases. IAEA Paper Number: IAEA-CN-184/276. http://www.iaea.org/safeguards/Symposium/2010/Documents/PapersRepository/276.pdf
Jones, R. V. (2009) Most Secret War. London: Penguin.
Mandiant (2013) APT1: Exposing One of China’s Cyber Espionage Units. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
McNair, Philip A. (1991) Counterdeception and the Operational Commander. Newport, RI: Naval War College.
McPherson, Denver E. (2010) Deception Recognition: Rethinking the Operational Commander’s Approach. Newport RI: Joint Military Operations Department, Naval War College.
Rowe, N. C. (2003) “Counterplanning Deceptions to Foil Cyber-Attack Plans”, Proceedings of the 2003 IEEE Workshop on Information Assurance, West Point NY: United States Military Academy, June 2003.
Rowe, N. C. (2004) “A model of deception during cyber-attacks on information systems,” 2004 IEEE First Symposium on Multi-Agent Security and Survivability, 30–31 Aug. 2004, pp. 21–30.
Rowe, N. C. (2006) “A taxonomy of deception in cyberspace,” International Conference on Information Warfare and Security, Princess Anne, MD.
Stech, F., and C. Elsäesser (2007) “Midway Revisited: Detecting Deception by Analysis of Competing Hypothesis,” Military Operations Research, 11/2007; v. 12, n. 1, pp. 35–55.
Stokes, M. A., J. Lin, and L. C. R. Hsiao (2011) “The Chinese People’s Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure,” Project 2049 Institute. http://project2049.net/documents/pla_third_department_sigint_cyber_stokes_lin_hsiao.pdf.
Wang, W., J. Bickford, I. Murynets, R. Subbaraman, A. G. Forte and G. Singaraju (2013) “Detecting Targeted Attacks by Multilayer Deception,” Journal of Cyber Security and Mobility, v. 2, pp. 175–199. http://riverpublishers.com/journal/journal_articles/RP_Journal_2245-1439_224.pdf.
Whaley, B. (2006). Detecting Deception: A Bibliography of Counterdeception Across Cultures and Disciplines (2nd edition). Washington, DC: Office of the Director of National Intelligence, National Intelligence Council, Foreign Denial and Deception Committee.
Whaley, B. (2007a). Stratagem: Deception and Surprise in War. Artech House: Norwood, MA.
Whaley, B. (2007b). The One Percent Solution: Costs and Benefits of Military Deception. In J. Arquilla & D. A. Borer (Eds.), Information Strategy and Warfare: A Guide to Theory and Practice. New York: Routledge.
Whaley, B. (2007d). Textbook of Political-Military Counterdeception: Basic Principles & Methods. Washington, DC: Foreign Denial & Deception Committee, August 2007.
Whaley, B. (2012). The Beginner’s Guide to Detecting Deception: Essay Series #1. Foreign Denial & Deception Committee, Office of the Director of National Intelligence, Washington, DC. Unpublished manuscript.
Wick, Adam (2012) “Deceiving the Deceivers: Active Counterdeception for Software Protection,” DOD SBIR Award O113-IA2-1059, Contract: FA8650-12-M-1396. http://www.sbir.gov/sbirsearch/detail/393779
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this chapter
Heckman, K.E., Stech, F.J., Thomas, R.K., Schmoker, B., Tsow, A.W. (2015). Countering Denial and Deception. In: Cyber Denial, Deception and Counter Deception. Advances in Information Security. Springer, Cham. https://doi.org/10.1007/978-3-319-25133-2_7
DOI: https://doi.org/10.1007/978-3-319-25133-2_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25131-8
Online ISBN: 978-3-319-25133-2