{"id":228,"date":"2013-04-06T00:00:00","date_gmt":"2013-04-06T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/04\/06\/a-different-approach-to-foiling-hackers-let-them-in-then-lie-to-them\/"},"modified":"2021-12-30T11:36:47","modified_gmt":"2021-12-30T11:36:47","slug":"a-different-approach-to-foiling-hackers-let-them-in-then-lie-to-them","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/04\/06\/a-different-approach-to-foiling-hackers-let-them-in-then-lie-to-them\/","title":{"rendered":"A Different Approach To Foiling Hackers? Let Them In, Then Lie To Them."},"content":{"rendered":"<p style=\"margin: 0px;\">Last month Heckman, a researcher for the non-profit IT research corporation MITRE, gave a talk with fellow MITRE researcher Frank Stech at Purdue\u2019s Center for Education and Research in Information Assurance and Security and described a cyber war game scenario MITRE played out internally in which she and Stech tried an unorthodox defensive strategy: Instead of trying to purge a Red Team of hackers from a Blue Team\u2019s network they were defending, Heckman and Stech let the attackers linger inside, watched them, and fed them confusing misinformation. Although both Heckman and Stech declined to talk to me about their lecture, the presentation (video here) suggests an alternative approach to what the cybersecurity industry calls \u201cadvanced persistent threat\u201d (APT) hackers\u2013state-sponsored, sophisticated intruders who have penetrated hundreds of corporations and government agencies in recent years and siphoned vast amounts of information.<\/p>\n","protected":false},"excerpt":{"rendered":"<p style=\"margin: 0px;\">In MITRE\u2019s five-day virtual war game, which the group played out in late January of 2012, the Blue Team was given a mission titled Operation Beggar\u2019s Banquet, of killing a fictional terrorist leader named Richard Hakluyt. 
The scenario dictated that Hakluyt had holed up in a compound in the fictional People\u2019s Republic of Virginia, (represented by the Red Team) which was in a state of cold war with the equally fictional Republic of New England, represented by Blue. Blue\u2019s secret mission was to parachute a special operations group next to Hakluyt\u2019s compound, which would use a laser designator system to help a gunship target the compound and blow it up, before deploying a Fulton Surface-To-Air-Recovery plane to retrieve the special ops team.<\/p>\n<p style=\"margin: 0px; min-height: 14px;\"><\/p>\n<p style=\"margin: 0px;\">While the game was still in its first day of pre-action planning, Red\u2019s hackers immediately breached Blue\u2019s network and gained access to all of its mission plans, which had been stored on an internal wiki.<\/p>\n<p style=\"margin: 0px; min-height: 14px;\"><\/p>\n<p style=\"margin: 0px;\">Stech and Heckman had worked on a so-called \u201cdenial and deception\u201d system they called BlackJack, which they planned to use to create a parallel version of Blue\u2019s network in real time to misdirect Red\u2019s hackers with false information.<\/p>\n<p style=\"margin: 0px; min-height: 14px;\"><\/p>\n<p style=\"margin: 0px;\">According to Heckman and Stech, Blue used those hacked accounts to feed Red a story about a member of Blue\u2019s team who had foolishly planned to kill Hakluyt when in fact, a murder would be too politically incendiary to risk. 
Blue went on to create an alternate story that it planned to instead track and then kidnap Hakluyt by using information provided by a double agent within Red\u2019s team that Blue called \u201cCotton Dollar.\u201d Blue used its compromised accounts to feed Red information about when it planned to use its informant Cotton Dollar\u2019s information to send a special forces team to kidnap Hakluyt during a trip outside the compound.<\/p>\n<p style=\"margin: 0px; min-height: 14px;\"><\/p>\n<p style=\"margin: 0px;\">Richard Bejtlich, chief security officer with the breach response firm Mandiant, which recently detailed in a report hundreds of breaches by a prolific team of sophisticated Chinese government hackers, says that creating a fake playground for observing and misinforming intruders can be a costly and dangerous game. Or you have to do so much work setting up a juicy fake network that I pretty much guarantee it takes more time to set up than it takes the intruder to figure out that it\u2019s fake.\u201d<\/p>\n<p>Link: <a 
href=\"http:\/\/www.forbes.com\/sites\/andygreenberg\/2013\/04\/05\/a-different-approach-to-foiling-hackers-let-them-in-then-lie-to-them\/\">http:\/\/www.forbes.com\/sites\/andygreenberg\/2013\/04\/05\/a-different-approach-to-foiling-hackers-let-them-in-then-lie-to-them\/<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-228","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/228","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=228"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/228\/revisions"}],"predecessor-version":[{"id":2715,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/228\/revisions\/2715"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=228"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=228"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=228"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated"
:true}]}}