Deception Lessons for Information Security from World War II

I've been thinking about the role that deception can play in information security. Honeypots present an example of how data defenders can mislead or slow down attackers. Similarly, attackers can deceive defenders. For example, Nmap can spoof source IP addresses of network-scanning packets, so defenders have a hard time determining the true origin of the probes.

I stumbled upon a fascinating paper by Donald J. Bacon titled Second World War Deception: Lessons Learned for Today’s Joint Planner (PDF). Among its many examples, the paper mentions two types of deception operations employed by Allied Forces to confuse and misdirect the German military during World War II:

  • Ambiguity-type deception operations "created uncertainty and inhibited accurate intelligence assessments, resulting in a German misallocation of forces."
  • Misleading-type deception operations aimed at reducing ambiguity by "building up the attractiveness of one wrong alternative."

The Allies were able to use deception to gain "surprise for offensive operations and to provide increased security for forces by masking military objectives, planning, preparations, and operations."

The paper also mentions that the Soviet military's deception efforts during World War II were used primarily to "conceal large troop movements and concentrations to attain surprise for offenses." The Soviets' greatest victories in the war can be traced to their success at fully integrating deception "into their operational planning and execution. The result was the Germans often knew only the frontline Soviet troop dispositions—everything behind the front line was a 'blur.'"

The paper quotes historian Charles Cruickshank, highlighting a critical aspect of successful deception:

"The perfect deception plan is like a jigsaw puzzle. Pieces of the information are allowed to reach the enemy in such a way as to convince him that he has discovered them by accident."

One of my takeaways from this paper is that deception efforts cannot be one-off projects. To be successful, they have to be centrally managed and integrated into the fabric of operations. This is why the use of deception might only be practical for mature and well-funded parties.

To what extent can deception be used as part of offensive and defensive information security operations? The efforts by the Honeynet Project have been instrumental in helping the infosec industry figure this out in a research setting. In recent years, we have seen many start-ups enter the industry with approaches that employ deception-based techniques in a commercial setting.


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise allow me to create practical solutions that drive business growth.
