The Air Force recently awarded the first phase of a contract for an eventual solution to provide cyber deception for network defense, according to a July 18 notice on the FedBizOpps contracting website. The contract was listed under the Small Business Innovation Research program, which aims for small businesses to engage in Federal Research/Research and Development (R/R&D) that have the potential for commercialization.
Details for the original contract, which were provided to C4ISRNET, indicate it was issued in August of 2015 and closed in October. The objective of the contract was for research and development of technology to provide a cyber deception capability that could be employed by commanders to provide a raft of capabilities such as false information to confuse, delay and impede cyber attackers.
The notice calls for examining the steps adversaries take in an attack: reconnaissance efforts — described as target research and identification — scanning to collect information to craft an attack, network access or intrusion, and the adversary's maintenance of network access once inside. The hope is that examining these tactics, techniques and procedures will help identify deception technologies that can be used to thwart attacks.
The Air Force indicated that similar solutions have already been used. They referenced "honey pots," which are designed to attract attackers into a closed network to either observe their behavior to inform future intelligence or merely thwart intrusions.
Similarly, DoD’s cyber forces are beginning to take a different approach in thwarting adversarial intrusion attempts in order to gain better intelligence on attackers’ tactics, techniques and procedures. In the past, where we might just block access into the network, [we want operators to] "think more deliberately as far as maybe we want to learn more about that malware," Maj. Gen. Paul Nakasone, U.S. Cyber Command's Cyber National Mission Force commander, said in a briefing for reporters following the annual Cyber Flag exercise. "Let’s be able to cordon off an element of the network to see the malware develop. What’s the malware actually like … We learn based upon being able to replicate the threat and then be able to maneuver our forces to see what type of effect we can achieve."
The broader point, he continued, is that instead of just blocking attacks, it's important to understand what the adversary is trying to do — what are they looking for? How do they operate?
The Air Force noted that military deception includes actions "executed to deliberately mislead adversary decision makers as to friendly military capabilities, intentions and operations, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly mission." The military has used deception as a tool for thousands of years, the Air Force said, in one way or another. These tactics have included camouflage, feints, chaff, jammers, fake equipment, and false messages or traffic. As officials have worked to apply doctrine to the cyber domain, many have described how age-old truisms from the physical world are also relevant in the digital one.
"It is believed that deception techniques, working in conjunction with normal cyber defense methods, can alter the underlying attack process, making it more difficult, time consuming and cost prohibitive," the notice said. "Modern day military planners need a capability that goes beyond the current state-of-the-art in cyber deception to provide a system or systems that can be employed by a commander when needed to enable additional deception to be inserted into cyber operations."
Washington state-based Veramine, established within the last year, was awarded $149,979 to perform work under the first of three phases of the contract. Phase I entails designing and developing technologies to be employed in a representative scenario based on the criticality of the cyber situation, as well as comparative analysis with a proof-of-feasibility demonstration of enabling concepts. Veramine CEO Jonathan Ness told C4ISRNET that it's likely a few other companies were awarded contracts under this notice and that the Air Force will down-select Phase I awardees for Phase II, which involves a prototype. Ness said Phase I is mostly research based, as the government is not looking for a final product just yet.
As a small startup looking to break through, Ness said he would be very disappointed if Veramine was not selected to participate in Phase II, which he said will likely be for two years and worth $2 million. He added he is hoping to leverage existing investments to help the Air Force in this space. The Air Force's notice said Phase III involves a cyber deception capability in military or commercial networks.
In the commercial sector, these types of technologies and techniques have been used for quite some time, Andrew Morris, a threat researcher at Endgame, told C4ISRNET. While he declined to comment on government use, Morris said honey pot technology and other deceptive technologies have been around for a while. It’s not uncommon, he said, for companies to set up fake services and servers that have no business value, so that any activity traversing them can inherently be classified as malicious. Morris noted that he does not view these techniques as a best practice and that they are really only employed by the most mature companies, such as those in the financial sector, colloquially considered one of the most advanced sectors in terms of cybersecurity.
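Morris's point that traffic to a decoy with no business value is inherently suspicious can be turned into triage logic directly. The following is an added example, not code from Endgame, Veramine or the Air Force program; it assumes a simple firewall log format, a constructed decoy inventory and a scan threshold, and it goes one step beyond the article by labelling sources that touch several decoy ports as scanning, the reconnaissance step the notice describes.

```python
from collections import defaultdict

# Assumed inventory of decoy hosts (constructed values); nothing legitimate
# should ever talk to these, so traffic to them needs no further context.
DECOY_HOSTS = {"10.0.5.20", "10.0.5.21"}

# Constructed sample of firewall-style log lines: "<ts> <src> -> <dst>:<port> <action>"
SAMPLE_LOG = """\
2016-07-18T10:00:01 10.0.1.15 -> 10.0.2.8:443 ALLOW
2016-07-18T10:00:03 198.51.100.7 -> 10.0.5.20:22 ALLOW
2016-07-18T10:00:04 198.51.100.7 -> 10.0.5.20:80 ALLOW
2016-07-18T10:00:04 198.51.100.7 -> 10.0.5.20:445 ALLOW
2016-07-18T10:00:05 198.51.100.7 -> 10.0.5.21:22 ALLOW
2016-07-18T10:00:09 10.0.1.40 -> 10.0.5.21:3389 ALLOW
2016-07-18T10:00:12 10.0.1.15 -> 10.0.2.9:80 ALLOW
"""

def parse_line(line):
    """Return (src, dst, port) for one log line, or None if it does not parse."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->" or ":" not in parts[3]:
        return None
    dst, port = parts[3].rsplit(":", 1)
    return parts[1], dst, int(port)

def triage_decoy_traffic(log_text, decoys=DECOY_HOSTS, scan_threshold=3):
    """Group decoy contacts by source and label each source 'scan' or 'probe'.

    'scan' : >= scan_threshold distinct (host, port) decoy contacts, or more than
             one decoy host touched, matching the scanning step in the notice.
    'probe': a single decoy contact; still suspicious, lower confidence of a scan.
    """
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] not in decoys:
            continue  # non-decoy traffic is not judged here at all
        src, dst, port = rec
        hosts[src].add(dst)
        ports[src].add((dst, port))
    verdicts = {}
    for src in hosts:
        scan = len(ports[src]) >= scan_threshold or len(hosts[src]) > 1
        verdicts[src] = {"decoy_hosts": sorted(hosts[src]),
                         "contacts": len(ports[src]),
                         "label": "scan" if scan else "probe"}
    return verdicts
```

Traffic between production hosts never reaches the verdict table, which is the whole appeal of the approach: the decoy removes the need to decide whether a given connection had a business reason.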
The reason an organization or the government might be interested in these types of deceptive technologies for defense is to raise the cost on the adversary, Monzy Merza, Chief Security Evangelist at Splunk, told C4ISRNET. Both adversaries and defenders are resource bound, and a deceptive system, once live, doesn't need to be maintained as operational systems do. Adversaries, in turn, end up wasting their time and resources to attack a network that might not be real.
However, Merza cautioned against these solutions being a panacea for network defense. He pointed out that there is a body of literature that has found honey pots and deceptive systems have been largely unsuccessful at deterring or thwarting attacks. One reason for this is that attacks are not arbitrary probing but rather, attackers look for human interaction — phishing emails, social engineering, etc. It's tough to mimic human behavior with deceptive technology. Certain specialized systems such as industrial control systems could be easier to establish deceptive tools for.
The best adversary intelligence, Merza added, hasn’t come from honey pots, but from traditional malware or threat analysis with agents and sensors deployed on operational networks to observe behavior. Doing deceptive defense well requires a lot of resources to set up a fake network, which, Merza says, calls into question the entire reason for employing the systems in the first place: cost imposition on adversaries.
Other government agencies have pursued this line of effort. The Intelligence Advanced Research Projects Activity put out a request for information in June for solutions to "identify existing capabilities and emerging methods" for protecting data and systems by confusing and otherwise deceiving the adversary prior to and during a cyberattack.
IARPA's notice mirrored Morris's words concluding that this concept, while gaining traction in the private sector, has not fully matured. "Many techniques lack rigorous experimental measures of effectiveness; information is insufficient to determine how defensive deception changes attacker behavior or how deception increases the likeliness of early detection of a cyberattack," its notice said.
Furthermore, IARPA wants feedback on current deception methods and emerging techniques.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.