Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Saturday, April 06, 2013

A Different Approach To Foiling Hackers? Let Them In, Then Lie To Them.

Last month Heckman, a researcher for the non-profit IT research corporation MITRE, gave a talk with fellow MITRE researcher Frank Stech at Purdue’s Center for Education and Research in Information Assurance and Security (CERIAS) and described a cyber war game scenario MITRE played out internally in which she and Stech tried an unorthodox defensive strategy: instead of trying to purge a Red Team of hackers from the Blue Team network they were defending, Heckman and Stech let the attackers linger inside, watched them, and fed them confusing misinformation. Although both Heckman and Stech declined to talk to me about their lecture, the presentation (available on video) suggests an alternative approach to what the cybersecurity industry calls “advanced persistent threat” (APT) hackers: state-sponsored, sophisticated intruders who have penetrated hundreds of corporations and government agencies in recent years and siphoned off vast amounts of information.


In MITRE’s five-day virtual war game, which the group played out in late January of 2012, the Blue Team was given a mission titled Operation Beggar’s Banquet: killing a fictional terrorist leader named Richard Hakluyt. The scenario dictated that Hakluyt had holed up in a compound in the fictional People’s Republic of Virginia (represented by the Red Team), which was in a state of cold war with the equally fictional Republic of New England, represented by Blue. Blue’s secret mission was to parachute a special operations group in next to Hakluyt’s compound, which would use a laser designator to help a gunship target and destroy the compound, and then to send in an aircraft fitted with the Fulton surface-to-air recovery system to retrieve the special ops team.

While the game was still in its first day of pre-action planning, Red’s hackers breached Blue’s network and gained access to all of its mission plans, which had been stored on an internal wiki.

Stech and Heckman had worked on a so-called “denial and deception” system they called BlackJack, which they planned to use to create a parallel version of Blue’s network in real time, so that Red’s hackers could be misdirected with false information while Blue’s real planning continued elsewhere.

According to Heckman and Stech, Blue used the accounts Red had compromised to feed Red a story about a member of Blue’s team who had foolishly planned to kill Hakluyt, when in fact a killing would be too politically incendiary to risk. Blue went on to create an alternate story: that it planned instead to track and then kidnap Hakluyt using information provided by a double agent within Red’s team, whom Blue called “Cotton Dollar.” Blue then used the same compromised accounts to feed Red details of when it planned to act on Cotton Dollar’s information and send a special forces team to kidnap Hakluyt during a trip outside the compound.
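The pattern described above (let the intruder keep the access they already have, watch what they read, and serve a parallel, false version of the content to the accounts you know are compromised) can be illustrated with a small deception layer in front of a wiki. This is an added example written for this page; it is not MITRE’s BlackJack code and makes no claim about how BlackJack works. The page names, account names, wiki text and the HMAC-based “canary” marker are all assumptions constructed for the demonstration.

```python
"""
Minimal denial-and-deception front end for an internal wiki (illustrative, not BlackJack).

Three ideas from the exercise in one place:
  * every page view is logged, so the defender can watch who reads what;
  * each copy served carries a per-account canary (HMAC over account + page), so a
    document that later turns up in the attacker's hands can be attributed to the
    account that fetched it;
  * once an account is flagged as compromised it is silently routed to a parallel
    decoy tree instead of being locked out, so the intruder keeps reading
    misinformation the defender controls.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample content for the demo (not from MITRE's exercise).
REAL_WIKI = {
    "ops/beggars-banquet": (
        "Plan: special ops team parachutes next to compound, laser-designates it "
        "for gunship strike, Fulton STAR extraction."
    ),
}
DECOY_WIKI = {
    "ops/beggars-banquet": (
        "Plan: strike option rejected as too incendiary. Track target using source "
        "COTTON DOLLAR and capture during next trip outside the compound."
    ),
}


@dataclass
class DeceptionWiki:
    key: bytes                                   # server-side secret for canaries
    compromised: set = field(default_factory=set)
    audit: list = field(default_factory=list)    # one entry per page view

    def canary(self, account: str, page: str) -> str:
        """Deterministic per-(account, page) marker embedded in every served copy."""
        msg = f"{account}:{page}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def flag_compromised(self, account: str) -> None:
        """Keep the account alive but switch it to the decoy tree from now on."""
        self.compromised.add(account)

    def view(self, account: str, page: str) -> str:
        """Serve real or decoy content depending on the account's status, and log it."""
        is_decoy = account in self.compromised
        tree = DECOY_WIKI if is_decoy else REAL_WIKI
        mark = self.canary(account, page)
        self.audit.append(
            {"account": account, "page": page, "decoy": is_decoy, "canary": mark}
        )
        # The canary rides along as an innocuous-looking revision comment.
        return f"{tree[page]}\n<!-- rev:{mark} -->"

    def attribute_leak(self, leaked_text: str):
        """Return the account whose served copy matches a leaked document, or None."""
        for entry in self.audit:
            if entry["canary"] in leaked_text:
                return entry["account"]
        return None


def demo() -> dict:
    """Walk through detect -> attribute -> flag -> deceive on constructed input."""
    wiki = DeceptionWiki(key=b"demo-only-secret-key")  # assumption: fixed key for the demo

    # A legitimate planner and an attacker using a stolen account both read the plan.
    wiki.view("planner", "ops/beggars-banquet")
    stolen_copy = wiki.view("jdoe", "ops/beggars-banquet")   # attacker holds jdoe's creds

    # The stolen copy is later seen leaving the network; trace it to the account.
    leaker = wiki.attribute_leak(stolen_copy)                 # -> "jdoe"
    wiki.flag_compromised(leaker)

    # The attacker keeps using jdoe and now receives the decoy plan; the planner does not.
    attacker_sees = wiki.view("jdoe", "ops/beggars-banquet")
    planner_sees = wiki.view("planner", "ops/beggars-banquet")

    return {
        "leaker": leaker,
        "attacker_gets_decoy": "COTTON DOLLAR" in attacker_sees,
        "planner_gets_real": "Fulton STAR" in planner_sees,
        "views_logged": len(wiki.audit),
        "decoy_views": sum(1 for e in wiki.audit if e["decoy"]),
    }


if __name__ == "__main__":
    print(demo())
```

The canary is keyed with HMAC rather than a plain hash so an intruder who reads the code cannot forge a marker for another account; and the decoy is served from a separate tree rather than by editing the real page, which is the “parallel version of the network” idea in miniature. What the example does not solve is the problem Bejtlich raises later on this page: keeping a decoy tree plausible and consistent over days of attacker activity is far more work than serving one page.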

Richard Bejtlich, chief security officer with the breach response firm Mandiant, whose recent report detailed hundreds of breaches by a prolific team of sophisticated Chinese government hackers, says that creating a fake playground for observing and misinforming intruders can be a costly and dangerous game. “Or you have to do so much work setting up a juicy fake network that I pretty much guarantee it takes more time to set up than it takes the intruder to figure out that it’s fake.”


Posted on 04/06