I’ve been thinking about the role that deception can play in information security. Honeypots present an example of how data defenders can mislead or slow down attackers. Similarly, attackers can deceive defenders. For example, Nmap can spoof source IP addresses of network-scanning packets, so defenders have a hard time determining the true origin of the probes.
I stumbled upon a fascinating paper by Donald J. Bacon titled Second World War Deception: Lessons Learned for Today’s Joint Planner (PDF). Among its many examples, the paper mentions two types of deception operations employed by Allied Forces to confuse and misdirect the German military during World War II:
- Ambiguity-type deception operations “created uncertainty and inhibited accurate intelligence assessments, resulting in a German misallocation of forces.”
- Misleading-type deception operations aimed at reducing ambiguity by “building up the attractiveness of one wrong alternative.”
The Allies were able to use deception to gain “surprise for offensive operations and to provide increased security for forces by masking military objectives, planning, preparations, and operations.”
The paper also mentions that the Soviet military’s deception efforts during World War II were used primarily to “conceal large troop movements and concentrations to attain surprise for offenses.” The Soviets’ greatest victories in the war can be traced to their success at fully integrating deception “into their operational planning and execution. The result was the Germans often knew only the frontline Soviet troop dispositions—everything behind the front line was a ‘blur.’”
The paper quotes historian Charles Cruickshank, highlighting a critical aspect of successful deception:
"The perfect deception plan is like a jigsaw puzzle. Pieces of the information are allowed to reach the enemy in such a way as to convince him that he has discovered them by accident."
One of my takeaways from this paper is that deception efforts cannot be one-off projects. To be successful, they have to be centrally managed and integrated into the fabric of operations. This is why the use of deception might only be practical for mature and well-funded parties.
To what extent can deception be used as part of offensive and defensive information security operations? The efforts of the Honeynet Project have been instrumental in helping the infosec industry figure this out. I suspect there’s much more for us to learn about using deception to detect and resist network-based attacks.