National Cyber Deception Symposium 2019
The National Cyber Deception Symposium, hosted by the UK MoD’s Defence Academy and Defence Cyber School.
Cranfield Defence and Security, in association with the Defence Cyber School, is proud to facilitate the UK’s first National Cyber Deception Symposium. Cyber Deception exploits technical assets such as honeypots and honeytokens to observe and manipulate the activities of a network attacker. This inaugural event will look at Cyber Deception in a national defence context across the six layers of cyberspace, from the physical layer through to the persona and social layers.
The programme of speakers will explore current practice and expand the scope of this rapidly developing new area. We will provide a stage for Cyber Defenders to share their operational challenges; for researchers and commercial organisations to showcase their exciting new research interests; and for the wider community to explore the art of the possible for deception to form part of a successful Cyber Defence strategy.
Cyber Deception is tipped to be one of the biggest growing sectors of Cyber Defence and Security in the coming years. Join us to explore this fascinating and expanding field of professional practice.
Abstracts from Presentations
Attivo, Mark Howell and Nick Palmer
Cyber Deception in Commercial Practice: Lessons from 5 years of customer experiences – use cases, findings and deployment methodology.
In this presentation, Attivo will demonstrate an operating model for delivering advanced detection of cyber threats on networks using deception. The talk will centre on real-world use cases where users can deploy deception to catch advanced malware and human attackers more effectively and deliver high-quality telemetry about their methods, likely motives and affiliations. We will examine the challenges and solutions of using deception in a production network and discuss a number of actual examples where attackers were caught by deception when all other detection methods failed. The discussion will then turn to the methods available for deploying a deception solution onto the network quickly, and to how organisations can demonstrate that their investments in deception and the wider security ecosystem have been worthwhile. This will include sample reference architectures, data-driven approaches to deception, how to craft compelling deceptive environments, how to exempt legitimate sources from analysis, and what happens when you detect an attacker using deception.
FireEye - Proactive Cyber Defence
FireEye currently tracks 41 suspected nation-state Advanced Persistent Threat actor groups, as well as over 15,000 cyber criminal groups. The cyber threat landscape grows in complexity year on year, and attackers’ ability to innovate continues to outpace cyber defenders’ ability to respond. Globally, governments, law enforcement agencies and militaries are often poorly equipped to anticipate cyber intrusions and to deploy innovative countermeasures with speed and agility. FireEye’s Mandiant Consulting experts have developed a Proactive Cyber Investigation Model that can be employed to deceive, disrupt and deter adversaries in the cyber domain, as well as to provide insights that may assist ultimate attribution. The use of such tools under this model requires authorisation for deployment, based on the well-established principles of necessity and proportionality, by entities that have the authority to act. This presentation will outline FireEye’s latest thinking on measures that can be employed to equip cyber defenders with more advanced capabilities and allow them to keep pace with, and get ahead of, attackers.
Proactive Cyber Defence that Gets to the Heart of the Attacker - Pete Cooper, Atlantic Council
“The image of our cyber adversaries is often one that is hooded and crouched over a computer. Our defensive approach to our adversaries is to counter them, tech for tech, shot for shot – and we are losing. Continued, rolling overmatch means that we are losing to the extent that there are now calls for hack-back and expanding our technical war with our adversaries.
But how we view our cyber adversaries is holding us back in how we defend ourselves. They think nothing of attacking the human element of the defensive team; however hard we try, the human element continues to be a weak defensive link. But what if we took the same approach as our adversaries and stopped thinking of them as extensions of their computers, but as human beings with the same human errors, biases and weaknesses as ourselves? How can we layer in deception, subverting adversary decision making and transforming how we defend?
This presentation will take you on a journey about how to change your thinking about how to defend against our adversaries. Developed and refined over a number of years of defensive and offensive operations, this is a journey and approach that shifts the defensive team to a proactive footing that gets right to the heart of the human attacker.
How can the cybersecurity team work together with your board to change how your adversaries view and approach you as a target? How can you take that to the extent that you can minimize risk, learn what’s coming and be ready for it?
Once your adversaries are set on you as target, what can you do to distract, divert and minimize the risk that they will successfully find a way into your organization?
Once they successfully compromise your organization, how can you counter them not just at the technical level, but at the human level as well?
Using examples that bring this approach to life, the presentation will demonstrate that far from running out of ideas of how to counter our adversaries, we have a huge untapped capability that doesn’t require massive technical ability to roll out and isn’t expensive. It is an organizational mind-set, culture and use of deception that puts the defender back on the front foot. By the end of the presentation, the attendees will have enough knowledge to be able to develop the approach in their own organizations and quickly see results.”
Roke - Breaking the honeypot
Whilst honeypots come in many shapes and sizes, they tend to follow the rule that the more realistic they are, the longer it takes to design, craft, configure, tune and monitor them. Roke set out to break this convention by designing and building a honeypot that minimised the human craft time whilst still producing a ‘viably realistic’ Windows honeypot network. This presentation will take you through our thought process and touch on elements of our design including orchestration for monitoring, user emulation and… time travel…
Temmie Shade – NSA
Cyber Deception, an inherently interdisciplinary domain, exists at the intersection of computer science and the social sciences. Since human behavior is at the root of cyber offense and defense, understanding human behavior and leveraging this understanding for the defender’s advantage are the foundations of defensive cyber deception. Deception techniques affect the operator behind the keyboard who is attempting to complete a mission, and should have a stronger and longer-lasting impact than simply detecting or impeding attacker actions on the defended system. Defensive deception shows promise in rebalancing the asymmetry of cyber defense. Deception makes an attacker’s job harder because it does more than just block access; it impacts the decision making of attackers, causing them to waste both time and effort as well as to expose their presence in the secure network. Deception has the potential to be a game changer for cybersecurity.
I will present an overview and selected research results from our efforts in both understanding operators’ online behavior and the effects of deception for cybersecurity.
Thales - Mike Westmacott
This research exploits existing work on cyber security game theory and high-TRL (Technology Readiness Level) deception technology to develop an end-to-end methodology for predicting and disrupting cyber-attacks on military mission systems.
Cyber deception is the art of protecting systems from attack by deploying system elements that are deceitful, instrumented to provide high levels of monitoring, and designed to influence attacker behaviours. The presented methodology for designing, integrating and testing deception both predicts attacker behaviour and frustrates their activities.
The methodology and toolset described give an initial tactical and strategic toolkit for mission commanders that will enable them to utilise cyber deception in a wide variety of formats – campaigns, capabilities, deployed and operational configurations – covering both military operations and business functions. These outputs would develop and mature over time, both in terms of increasing their TRL and in terms of the range of capabilities they offer.
It will provide a strong predictive decision support capability, enabling the user to understand when and where to use deception and how to predict adversary plans, goals and likely actions. Deception may then be used to gain early warning of attacks, to observe an attacker and obtain TTPs and IOCs, and to plant deceptive military information and data.
The following are valid use cases for this methodology:
- Detect – Obtain early warning of external attacks
- Divert – Move attackers away from critical systems
- Deceive – Deliver false military data and information
The methodology and toolset that this research is developing would allow a mission commander to understand when and where to use predictive-orientated cyber deception –
- Static, permanent, deployment – for permanent infrastructure systems – detection and diversion may be most appropriate
- Deployed – for systems in the theatre – deception may be more appropriate for certain missions
The inclusion of CVI components means that the mission and attack modelling for a mission would already have been completed, leaving mission commanders in a position to select the best approach for their own goals and objectives, and to use a toolkit to add deceptive elements to their environment.
The presentation will introduce our methodology, how we propose it would be used to analyse missions and to construct deception campaigns that support mission requirements, and how to develop and integrate a deception system into a mission system.
Vertical Knowledge - Fox in the VK Sandbox
Highly networked business practices and information technology are providing opportunities for foreign intelligence and security services, trusted insiders, hackers, and others to target and collect sensitive national security and economic data. The ease with which adversaries are able to breach our cyber security defenses is significantly reducing the technological gap among our respective militaries and continues to erode a critical advantage in the international arena. As the attack surface continues to rapidly expand towards fully netted global connectivity, attackers consistently demonstrate an ability to attain the higher ground. Advanced Persistent Threat (APT) actors continue to shift from casting wide nets on intended targets towards hyper-focused attacks, aided by automated and artificial intelligence tools that enable access to specific targeted material. APT actors commonly engage in long-term campaigns to compromise target networks, seeking first to gain, then to maintain, a hidden presence. They live in the noise of networks and defeat reactive, rule-based cybersecurity defenses by constantly developing new malicious tactics, techniques, and procedures. They are able to gain access to sensitive data and compromise operations and critical infrastructure networks through advanced techniques such as polymorphic and obfuscated malware, dynamic infrastructure, file-less malware and hijacking of legitimate operating system functions, all of which evade traditional cybersecurity defenses. From a conventional warfare perspective, a passive, reactive approach to cybersecurity is strategically misguided.
Traditional approaches to cyber defense must evolve, and enterprises must go on the offensive through persistent engagement and adopt a ‘defend-forward’ cyber strategy. Proactive cyber defensive measures designed around the defend-forward paradigm can corrupt and steer adversaries’ decisions: (1) deflect them to false targets, (2) distort their perception of the environment, (3) deplete their resources, and (4) discover their motives, tactics, and techniques. Active cyber defense requires developing a defense system of an offensive nature, intended to confuse and deceive adversaries by leveraging uncertainty, reducing the knowledge ordinarily obtained on target systems, or inserting false information that causes a detectable reaction.
Defending forward requires appropriate Placement and Access within an adversary’s network for enhancing, amplifying, and inflicting technological or military surprise. Placement and Access provides the defender an ability to execute functions such as insertion of specially prepared data to impose a cost upon the attacker and illuminate their path of exfiltration. Placement and Access is the critical link necessary for developing debilitating countermeasures, a fundamental component of an active cyber defence strategy. Only through dynamic and adaptive deception strategies can you Sandbox the Fox – deflect, distort, deplete, discover and defend against advanced persistent threats.