Title: Dr. Stilianos Vidalis
1. The Role of Deception in CND IO
- Dr. Stilianos Vidalis
- Information Security Research Group
- J133 School of Computing
- University of Glamorgan
- 0044 (0)1443 482731
- svidalis_at_glam.ac.uk
2. Pro-logos
- At the beginning there was light
- then the cosmos
- then all the species
- and finally there was WAR!!!
3. Threat Assessment
- A threat assessment is a statement of threats that are related to vulnerabilities, an organisation's assets, and threat agents, and also a statement of the believed capabilities that those threat agents possess.
- Threat = f(Motivation, Capability, Opportunity, Impact)
4. Motivation
- Motivation is the degree to which a threat agent is prepared to implement a threat.
- The motivational factors are the elements that drive a threat agent to consider attacking a computer system:
  - political, secular,
  - personal gain,
  - religious, revenge,
  - power, terrorism,
  - and curiosity
- Q: Can we deceive Them into believing that they do not want to target us?
5. Capability
- Capability is the degree to which a threat agent is able to implement a threat:
  - The availability of a number of tools and techniques to implement an attack, and the ability to use the tools and techniques correctly.
  - The availability of education and training to support the correct use of various tools and techniques.
  - The level of resource that a threat agent has, or can acquire over a certain time.
- Q: Can we deceive Them into believing that they are not able to target us?
6. Opportunity
- The easiest of the 3 to manage?
- Opportunity can be defined as a favourable occasion for action.
- Past:
  - make sure that threat agents will be in no position of creating or exploiting opportunities.
- Present:
  - Risk is not managed by us but by the threat agents, so concentrate on Motivation
7. Threat Agents?
- The term threat agent is used to denote an individual or group that can manifest a threat.
- Hackers are good people!!!
8. Threat Agent Categories
[Diagram: tree of threat agent categories rooted at "Threat Agents"; the branch structure did not survive extraction. Nodes shown, in extraction order:]
Corporation, Nation States, Partners, Competitors, Non-Target Specific, Natural Disasters, ESA, Terrorists, Organized Crime, Employees, Gangs (blocks), Political parties, Staff, Bacteria, Political, Fire, Flood, Gangs (city), Media, Lightning, Religious, Contractors, Worms, Vermin, Fatria (national), Enthusiasts, Wind, Cleaners, Anarchists, Trojans, Sand, Guards, Fatria (international), Activists, Frost, Logic Bombs, Earthquake, Trapdoors, Operations Staff, Vandals, General Public, Viruses, Maintenance Staff, Extremists, Religious Followers, Governments
9. Why do we analyse Them?
- It is a game; the aim is to achieve information superiority
- We need to understand what motivates them
- We need to know of their technical and educational capability
- We need to know how they think
- Security has to be proactive and not reactive
10. How do we analyse Them?
- We start by identifying them:
  - Threat agent catalogue
  - Historical threat agent data
  - Environmental reports
  - Knowledge of personnel
  - Stakeholder List
11. How do we analyse Them?
12. How do we analyse Them?
- Capability (capability metrics available on request)
- Opportunity:
  - Access to Information
  - Changing Technologies
  - Target Vulnerability
  - Target profile
  - Public Perception
- Motivation
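Slides 3 to 6 and 12 define the threat model without working it through: Threat = f(Motivation, Capability, Opportunity, Impact), with Capability built from tools, training and resources (slide 5) and Opportunity from the five factors listed on slide 12. The following is an added worked example, not code from the slides or from the Glamorgan research group: it scores a few constructed threat agents on those factors and ranks them. The 0-to-1 scales, the equal weighting inside Capability and Opportunity, and the choice of a product for f are all assumptions made here; the product is chosen because it reproduces the slide-6 point that an unmotivated agent is not a threat however capable it is.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Opportunity factors as listed on slide 12; each scored 0.0 (absent) to 1.0 (fully present).
OPPORTUNITY_FACTORS = (
    "access_to_information",
    "changing_technologies",
    "target_vulnerability",
    "target_profile",
    "public_perception",
)


@dataclass
class ThreatAgent:
    """One threat agent with every factor on a 0.0-1.0 scale (the scale is an assumption)."""
    name: str
    motivation: float                 # degree to which the agent is prepared to implement a threat
    tools: float                      # availability of tools/techniques and ability to use them
    training: float                   # education and training to use them correctly
    resources: float                  # resources held, or acquirable over the assessment period
    opportunity: Dict[str, float] = field(default_factory=dict)  # slide-12 factor -> score
    impact: float = 0.0               # impact on the organisation if the threat is realised


def _clamp(x: float) -> float:
    """Keep a score inside [0, 1] so a typo on an assessment sheet cannot distort the ranking."""
    return max(0.0, min(1.0, x))


def capability(agent: ThreatAgent) -> float:
    """Capability = mean of the three slide-5 components (equal weighting is an assumption)."""
    return _clamp((agent.tools + agent.training + agent.resources) / 3.0)


def opportunity(agent: ThreatAgent) -> float:
    """Opportunity = mean over the five slide-12 factors; an unscored factor counts as absent."""
    total = sum(_clamp(agent.opportunity.get(f, 0.0)) for f in OPPORTUNITY_FACTORS)
    return total / len(OPPORTUNITY_FACTORS)


def threat_score(agent: ThreatAgent) -> float:
    """Threat = f(Motivation, Capability, Opportunity, Impact), taken here as the product.

    The product is an assumption: any factor at zero makes the whole score zero, which is
    the slide-6 argument for concentrating on Motivation.
    """
    return _clamp(agent.motivation) * capability(agent) * opportunity(agent) * _clamp(agent.impact)


def factor_breakdown(agent: ThreatAgent) -> Dict[str, float]:
    """The four factors side by side, so an analyst can see which one drives the score."""
    return {
        "motivation": _clamp(agent.motivation),
        "capability": capability(agent),
        "opportunity": opportunity(agent),
        "impact": _clamp(agent.impact),
    }


def rank_agents(agents: List[ThreatAgent]) -> List[Tuple[str, float]]:
    """Return (name, score) pairs, highest threat first, rounded for reporting."""
    scored = [(a.name, round(threat_score(a), 4)) for a in agents]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample assessments; the values are illustrative, not taken from the slides.
SAMPLE_AGENTS = [
    ThreatAgent("competitor", motivation=1.0, tools=0.9, training=0.6, resources=0.6,
                opportunity={f: 0.5 for f in OPPORTUNITY_FACTORS}, impact=0.8),
    ThreatAgent("curious enthusiast", motivation=0.5, tools=0.3, training=0.3, resources=0.3,
                opportunity={f: 1.0 for f in OPPORTUNITY_FACTORS}, impact=1.0),
    # Highly capable, with every opportunity, but no motivation: scores zero under the product.
    ThreatAgent("indifferent contractor", motivation=0.0, tools=1.0, training=1.0, resources=1.0,
                opportunity={f: 1.0 for f in OPPORTUNITY_FACTORS}, impact=1.0),
]

if __name__ == "__main__":
    for name, score in rank_agents(SAMPLE_AGENTS):
        print(f"{name:24s} {score:.4f}")
```

With the constructed values the competitor scores 0.28, the enthusiast 0.15 and the contractor 0.0; the breakdown shows that the enthusiast has every opportunity and would become the top threat if its motivation or capability were to rise, which is the kind of shift the slide-10 monitoring sources are meant to catch.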
13. InfoSec Requirements
- "the activities to protect hardware, software and intangible information at the hardware and software levels" (E. Waltz)
- Information has three abstractions: data, information, knowledge
- When threat agents acquire knowledge then they are able to launch active attacks with high probability of success.
- Q: How do we ensure information superiority?
14. IO Taxonomy
Mode     IO Layer     IO Layer Function                                  NETWAR
Offence  Perceptual   Manage perception, disrupt decision processes      PSYOPS, Deception
Offence  Information  Dominate information infrastructure                NETOPS
Offence  Physical     Break things, incapacitate/kill people             Physical destruction
Defence  Perceptual   Protect perceptions and decision-making processes  Intelligence, Counterintelligence
Defence  Information  Protect information infrastructure                 INFOSEC
Defence  Physical     Protect operations, protect people                 OPSEC
15. What do we do!!!
- Could we possibly deceive threat agents?
- Through deception we can manage our adversary's perception and disrupt his decision-making processes.
- The outcome can be twofold:
  - either the defenders have time to react and deploy the necessary countermeasures (or finely tune the existing ones),
  - or the threat agent will call off the attack and return to the information gathering process in order to re-examine his plan of action.
16. Is there a limit?
- Facts:
  - Infrastructures follow a certain logic which allows threat agents to easily enumerate them
  - Administrators introduce vulnerabilities to their system in order to make their lives easier
  - The users of a system are its biggest vulnerability
- Argument:
  - Can we use deception techniques on our own users?
17. Security through Deception
- Actions executed to deliberately mislead adversary military decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions that will contribute to the accomplishment of the friendly mission
- Deception can be used in two ways for ensuring security:
  - Simulating: showing the false, drawing attention away from the real
  - Dissimulating: hiding the real, producing confusion about what is real
18. Technical Solution
- G4DS: system that brings enterprises together in virtual communities in order to identify and monitor threat agents
- Virtual Honeypots: system that takes input from G4DS in order to perform near real-time threat agent deception
19. Deception Methodology
- Everything should be dedicated to the execution of the deception
- Intelligence must be brought fully into the picture
- Intelligence must be assessed
- Secrecy must be enforced
- The deception plan must be designed at the top levels
- Full implementation consistency of all elements of deception
- Deception must be continuous
20. Epi-logos
- Need to move reference point from risk assessment to threat assessment
- Need to be able to identify and monitor threat agents
- Hackers are good people!!!
- G4DS: system that brings enterprises together in virtual communities in order to identify and monitor threat agents
- Virtual Honeypots: system that takes input from G4DS in order to perform near real-time threat agent deception
21. Questions?