SlideShare a Scribd company logo

Cyber D&D

Download as PPTX, PDF
S
Sachin Nandakumar

It is now widely recognized that traditional approaches to cyber defense have been inadequate. Boundary controllers and filters such as firewalls and guards, virus scanners, and intrusion detection and prevention technologies have all been deployed over the last decade. Based on the IEEE paper, Denial and Deception in Cyber Defense, it assumes that an adversary will breach border controls and establish footholds within the defender’s network. So we need to study and engage the adversary on the defender’s turf in order to influence any future moves. A key component in this new paradigm is cyber denial and deception (cyber D&D). The goal of D&D is to influence another to behave in a way that gives the deceiver an advantage, creating a causal relationship between psychological state and physical behaviour.

Technology
1 of 55
CYBER D&D
Shut Up Carl! DENIAL Prevent adversary from gaining useful information
Influence another to behave in a way that gives the deceiver an advantage, creating a causal relationship between psychological state and physical behaviour Denial: prevents target from gaining information & stimuli Deception: provides misleading information & stimuli
2D framework 1st dimension Relates to information (fact or fiction) 2nd dimension Relates to actions or behaviours (revealing or concealing) D&D Techniques
TABLE 1. D&D methods matrix. Deception objects Deception: Mislead (M)- type methods Revealing Denial: Ambiguity (A)- type methods Concealing Facts Reveal facts: Nonessential elements of friendly information • Reveal true information to the target • Reveal true physical entities, events, or processes to the target Conceal facts (dissimulation): Essential elements of friendly information • Conceal true information from the target • Conceal true physical entities, events, or processes from the target Fiction Reveal fiction (simulation): Essential elements of deception information • Reveal false information to the target • Reveal false physical entities, events, or processes to the target Conceal fiction: Nondisclosable deception information • Conceal false information from the target • Conceal false physical entities, events, or processes from the target
Denial prevent detection of essential elements of friendly information (EEFI) -> hiding what’s real hide the false information -> the nondisclosable deception information (NDDI) -> protect the D&D plan
Deception Appearances can be deceiving
Deception induce misperception -> using the essential elements of deception information (EEDI) -> show what’s false show the real information -> nonessential elements of friendly information (NEFI) -> enhance the D&D cover story
Better you don’t think about it right now ;)
Deception chain • Analogous to Lockheed Martin’s “cyber kill chain” model. • Deception chain adapted from Barton Whaley’s 10-step process for • Planning • Preparation • Executing deception operations • Facilitates integration of 3 systems: • Cyber D&D • Cyber intelligence • Security operations
PHASES OF DECEPTION CHAIN
Helps enterprise managers define strategic, operational, or tactical goal i.e., the purpose of the deception and the criteria that would indicate the deception’s success Purpose
C llect Intelligence WHAT the adversary will observe?
C llect Intelligence the adversary might interpret it? the adversary might react to it? to monitor adversary’s behavior? HOW
C llect Intelligence Source of Intelligence: framework that combines all the related information about a particular intrusion into a set of activities. Intrusion Campaign Analysis
C llect Intelligence Source of Intelligence: might involve government, private industry, or non-profit organizations. Threat-Sharing Partnerships
Design Cover Story Cover Story is what the defender wants the adversary to perceive and believe.
Design Cover Story The D&D planner considers • critical components of the operation • assess the adversary’s observation and analysis capabilities • develop a convincing story that “explains” the operation’s components observable to the adversary
Design Cover Story BUT MISLEADS THE ADVERSARY
Design Cover Story The D&D planners decide • What information must be hidden • What information must be revealed
Planning Plans to use Denial tactics and Deception tactics
Planning WHY DENIAL TACTICS? D&D planners analyse characteristics of real events & activities that must be hidden to support deception cover story, identify corresponding signatures that would be observed by adversary, and plan to use denial tactics to hide signatures from adversary.
Planning Denial tactics: MASKING REPACKAGING DAZZLING RED FLAGGING
Planning Denial tactics: MASKING REPACKAGING DAZZLING RED FLAGGING
Planning WHY DECEPTION TACTICS? D&D planners analyse characteristics of notional events & activities that must be portrayed and observed to support cover story, identify corresponding signatures the adversary would observe, and plan to use deception tactics to mislead the adversary.
Planning Deception tactics: MIMIC INVENT DECOY DOUBLE PLAY
Planning D&D planners turn the matrix cell information into operational activities that reveal or conceal the key information conveying the cover story.
Preparation D&D planners design the desired effect of the deception operation and explore the available means and resources to create the effect on the adversary. Thus coordinates with security operations on timing for developing the notional and real equipment, staffing, training, and other preparations to support the deception cover story
Execute If the deception and real operational preparations can be synchronized and supported -> then D&D planners and security operations must coordinate and control all relevant preparations to execute deception cover story
Monitor Monitors • Both friendly & adversary operational preparations • Carefully watching the observation channels and sources selected to convey the deception to the adversary • Adversary’s reaction to the performance,” i.e., the cover story execution.
Reinforce At times, the D&D planners may need to reinforce the cover story through additional deceptions, or to convey the deception operation to the adversary through other channels or sources. The planners may have to revisit the fist phase of the deception chain, execute a backup deception, or plan another operation
MALICIOUS ACTORS FOLLOW A COMMON MODEL OF BEHAVIOR TO COMPROMISE VALUABLE INFORMATION IN A TARGET NETWORK.
CYBER KILL CHAIN Attackers generally employ a cyber attack strategy, divided into the six phases described below, called the cyber kill chain or kill chain.
CYBER KILL CHAIN Recon Weaponize Exploit Control Execute Maintain
CYBER KILL CHAIN & DECEPTION CHAIN • Unlike cyber kill chain, deception chain is not always linear • Progression through the phases can be recursive or disjoint • The deception chain is also applicable at each phase of the cyber kill chain
CYBER D&D MATURITY MODEL Provides a blueprint that organizations can use to assess, measure, and increase maturity of their current cyber D&D operations and develop specific cyber D&D innovations
CYBER D&D MATURITY MODEL • Must function in concert with the organization’s overall defensive operations and must support cyber defense • Represents the overall approach to managing cyber D&D capabilities and operations from the perspectives of capability and operations and services
• Tools • Threat data • Shared repositories • Metrics databases • Fine-tune deployments • Monitor observables • Collect field reports • Collect metrics • Outcome analysis • D&D improvements • Feedback to planning Increasing maturity of cyber D&D people, processes, and techniques Plan Revise plan for next iteration Post- deployment analysis Deploy and execute Prototype 1 Prototype 2 Prototype 3 Implement • Establish D&D goals • Training curricula • Cyber D&D TTTPs • Best practices and standards • Cyber D&D metrics Spiral D&D Life-Cycle Management Process
Spiral D&D Life-Cycle Management Process Helps an organization assess risks & effectiveness with each iteration of the spiral while promoting agile and rapid prototyping as well as tuning of D&D techniques and services based on observed outcomes
Spiral D&D Life-Cycle Management Process incorporate cyber D&D into active cyber defense • establishing clear and achievable program goals • The planning phase should include • establishing D&D program goals • developing • training curricula • cyber D&D TTTPs • cyber D&D best practices and standards • cyber D&D metrics
Spiral D&D Life-Cycle Management Process • In the implementation phase, the organization will start to plan based on the goals and actions from the previous phase. The plan must address both the “what” and the “how.” • organization must deploy and execute cyber D&D TTTPs, services, and supporting processes in a target environment such as a honeynetwork or a honeypot, the real cyber infrastructure, or some combination • At each iteration, the organization must evaluate the risks and effectiveness of the current prototype
Spiral D&D Life-Cycle Management Process • Post-deployment analysis, the last phase in the spiral, has 3 essential elements: • Outcome analysis • Process improvements • Feedback. • Outcome analysis centers on the overall outcome of the current spiral, addressing questions such as: › How effective were the cyber D&D techniques developed and operationally deployed? › What were the successes and failures? › How well did the organization manage the total life-cycle costs within the spiral?
To answer these questions… • Organization must analyse metrics data and file reports, using the results to formulate specific D&D improvements in processes, services, and technologies. • Requires careful attention to managing change for all of the D&D elements.
Finishing Touches…
2D framework 1st dimension Relates to information (fact or fiction) 2nd dimension Relates to actions or behaviours (revealing or concealing) D&D TechniquesResearch & Technology Challenges Purpose & Collect Intelligence Stages • Models for strategic D&D objectives can be built from both offensive and defensive perspectives • Game-theory models could help analyse moves and countermoves to produce promising TTTPs for cyber D&D.
Research & Technology Challenges Cover Story Stage • it is important to create believable deception material to attract the adversary’s interest • Network and host-based deception material such as honeypots, crafted documents, and email are referred to as honeytokens
Research & Technology Challenges Plan Stage • What moves has the adversary made? • To what extent do these moves signal the adversary’s intentions? • Which baits have worked well, or not? • What is the adversary’s sphere of interest?
2D framework 1st dimension Relates to information (fact or fiction) 2nd dimension Relates to actions or behaviours (revealing or concealing) D&D TechniquesResearch & Technology Challenges Preparing & Executing Stage • can be made more scalable and efficient by leveraging existing tools and training materials. • A standalone “honeypot in a box” product might be developed to adapt to an organization’s network structure with a truncated setup time. • Novel ways of training personnel in cyber D&D technology are also important, such as simulated intrusions and response
Research & Technology Challenges Monitoring Stage • Tracking honeytoken files is helpful in the monitoring stage, and can involve watermarking to alert defenders to an intruder
Research & Technology Challenges Reinforce Stage • Technical and operational metrics are needed to continuously improve cyber D&D operations • These measure the precision and believability of honeytokens in that they attract the intended target and are readily mistaken as real.
Conclusion Cyber D&D should be part of the national cyber strategy… The national center of gravity program must facilitate a strategic “working group” to begin developing national cyber D&D plans, formulate US government policies, create programs, and establish goals and objectives within the strategy.
Cyber D&D

Recommended

Crash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative AnalysisCrash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative Analysis"Apolonio \"Apps\"" Garcia
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskSarah Clarke
 
Options based decisions processes
Options based decisions processesOptions based decisions processes
Options based decisions processesGlen Alleman
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpointrandalje86
 
Programmatic risk management workshop (handbook)
Programmatic risk management workshop (handbook)Programmatic risk management workshop (handbook)
Programmatic risk management workshop (handbook)Glen Alleman
 
Introduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information RiskIntroduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information RiskOsama Salah
 
Project risk analysis
Project risk analysisProject risk analysis
Project risk analysisNur E Alam Siddike
 
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskMeasuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskTony Martin-Vegue
 

Recommended

Crash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative AnalysisCrash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative Analysis"Apolonio \"Apps\"" Garcia
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskSarah Clarke
 
Options based decisions processes
Options based decisions processesOptions based decisions processes
Options based decisions processesGlen Alleman
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpointrandalje86
 
Programmatic risk management workshop (handbook)
Programmatic risk management workshop (handbook)Programmatic risk management workshop (handbook)
Programmatic risk management workshop (handbook)Glen Alleman
 
Introduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information RiskIntroduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information RiskOsama Salah
 
Project risk analysis
Project risk analysisProject risk analysis
Project risk analysisNur E Alam Siddike
 
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskMeasuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskTony Martin-Vegue
 
Agile project management and normative
Agile project management and normativeAgile project management and normative
Agile project management and normativeGlen Alleman
 
Introduction to Open FAIR
Introduction to Open FAIRIntroduction to Open FAIR
Introduction to Open FAIR"Apolonio \"Apps\"" Garcia
 
IT-Risk-Management Best Practice
IT-Risk-Management Best PracticeIT-Risk-Management Best Practice
IT-Risk-Management Best PracticeDigicomp Academy AG
 
Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesRoger Johnston
 
Risk analysis
Risk analysis Risk analysis
Risk analysis Samuel Gher
 
Notional cam interview questions (update)
Notional cam interview questions (update)Notional cam interview questions (update)
Notional cam interview questions (update)Glen Alleman
 
Risk Management and Remediation
Risk Management and RemediationRisk Management and Remediation
Risk Management and RemediationCarahsoft
 
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...Outpost24
 
Basic risk management presentation 17th june 2015
Basic risk management presentation 17th june 2015Basic risk management presentation 17th june 2015
Basic risk management presentation 17th june 2015Association for Project Management
 
Root causes
Root causesRoot causes
Root causesGlen Alleman
 
Risk Assessments
Risk AssessmentsRisk Assessments
Risk AssessmentsJoAnna Cheshire
 
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...Marcin Ludwiszewski
 
Adopting the Quadratic Mean Process to Quantify the Qualitative Risk Analysis
Adopting the Quadratic Mean Process to Quantify the Qualitative Risk AnalysisAdopting the Quadratic Mean Process to Quantify the Qualitative Risk Analysis
Adopting the Quadratic Mean Process to Quantify the Qualitative Risk AnalysisRicardo Viana Vargas
 
Workshop project risk management (29 june 2012)
Workshop project risk management (29 june 2012)Workshop project risk management (29 june 2012)
Workshop project risk management (29 june 2012)bfriday
 
Dit yvol4iss50
Dit yvol4iss50Dit yvol4iss50
Dit yvol4iss50Rick Lemieux
 
Social Enterprise Learning Toolkit (Risk Management Module)
Social Enterprise Learning Toolkit (Risk Management Module)Social Enterprise Learning Toolkit (Risk Management Module)
Social Enterprise Learning Toolkit (Risk Management Module)Enterprising Non-Profits
 
Tarzan & The Possession
Tarzan & The PossessionTarzan & The Possession
Tarzan & The Possessionbethantaylor99
 
The Big Benefits of Outsourcing Your Small Business
The Big Benefits of Outsourcing Your Small BusinessThe Big Benefits of Outsourcing Your Small Business
The Big Benefits of Outsourcing Your Small BusinessSophia Royle
 
LianFa Pipes & Valves
LianFa Pipes & ValvesLianFa Pipes & Valves
LianFa Pipes & ValvesPeter Wilson
 
How to Build a Dynamic Social Media Plan
How to Build a Dynamic Social Media PlanHow to Build a Dynamic Social Media Plan
How to Build a Dynamic Social Media PlanPost Planner
 
Learn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionLearn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionIn a Rocket
 
SEO: Getting Personal
SEO: Getting PersonalSEO: Getting Personal
SEO: Getting PersonalKirsty Hulse
 

More Related Content

What's hot

Agile project management and normative
Agile project management and normativeAgile project management and normative
Agile project management and normativeGlen Alleman
 
IT-Risk-Management Best Practice
IT-Risk-Management Best PracticeIT-Risk-Management Best Practice
IT-Risk-Management Best PracticeDigicomp Academy AG
 
Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesRoger Johnston
 
Notional cam interview questions (update)
Notional cam interview questions (update)Notional cam interview questions (update)
Notional cam interview questions (update)Glen Alleman
 
Risk Management and Remediation
Risk Management and RemediationRisk Management and Remediation
Risk Management and RemediationCarahsoft
 
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...Outpost24
 
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...Marcin Ludwiszewski
 
Adopting the Quadratic Mean Process to Quantify the Qualitative Risk Analysis
Adopting the Quadratic Mean Process to Quantify the Qualitative Risk AnalysisAdopting the Quadratic Mean Process to Quantify the Qualitative Risk Analysis
Adopting the Quadratic Mean Process to Quantify the Qualitative Risk AnalysisRicardo Viana Vargas
 
Workshop project risk management (29 june 2012)
Workshop project risk management (29 june 2012)Workshop project risk management (29 june 2012)
Workshop project risk management (29 june 2012)bfriday
 
Social Enterprise Learning Toolkit (Risk Management Module)
Social Enterprise Learning Toolkit (Risk Management Module)Social Enterprise Learning Toolkit (Risk Management Module)
Social Enterprise Learning Toolkit (Risk Management Module)Enterprising Non-Profits
 

What's hot (16)

Agile project management and normative
Agile project management and normativeAgile project management and normative
Agile project management and normative
 
Introduction to Open FAIR
Introduction to Open FAIRIntroduction to Open FAIR
Introduction to Open FAIR
 
IT-Risk-Management Best Practice
IT-Risk-Management Best PracticeIT-Risk-Management Best Practice
IT-Risk-Management Best Practice
 
Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the Vulnerabilities
 
Risk analysis
Risk analysis Risk analysis
Risk analysis
 
Notional cam interview questions (update)
Notional cam interview questions (update)Notional cam interview questions (update)
Notional cam interview questions (update)
 
Risk Management and Remediation
Risk Management and RemediationRisk Management and Remediation
Risk Management and Remediation
 
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
 
Basic risk management presentation 17th june 2015
Basic risk management presentation 17th june 2015Basic risk management presentation 17th june 2015
Basic risk management presentation 17th june 2015
 
Root causes
Root causesRoot causes
Root causes
 
Risk Assessments
Risk AssessmentsRisk Assessments
Risk Assessments
 
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
 
Adopting the Quadratic Mean Process to Quantify the Qualitative Risk Analysis
Adopting the Quadratic Mean Process to Quantify the Qualitative Risk AnalysisAdopting the Quadratic Mean Process to Quantify the Qualitative Risk Analysis
Adopting the Quadratic Mean Process to Quantify the Qualitative Risk Analysis
 
Workshop project risk management (29 june 2012)
Workshop project risk management (29 june 2012)Workshop project risk management (29 june 2012)
Workshop project risk management (29 june 2012)
 
Dit yvol4iss50
Dit yvol4iss50Dit yvol4iss50
Dit yvol4iss50
 
Social Enterprise Learning Toolkit (Risk Management Module)
Social Enterprise Learning Toolkit (Risk Management Module)Social Enterprise Learning Toolkit (Risk Management Module)
Social Enterprise Learning Toolkit (Risk Management Module)
 

Viewers also liked

Tarzan & The Possession
Tarzan & The PossessionTarzan & The Possession
Tarzan & The Possessionbethantaylor99
 
The Big Benefits of Outsourcing Your Small Business
The Big Benefits of Outsourcing Your Small BusinessThe Big Benefits of Outsourcing Your Small Business
The Big Benefits of Outsourcing Your Small BusinessSophia Royle
 
LianFa Pipes & Valves
LianFa Pipes & ValvesLianFa Pipes & Valves
LianFa Pipes & ValvesPeter Wilson
 
How to Build a Dynamic Social Media Plan
How to Build a Dynamic Social Media PlanHow to Build a Dynamic Social Media Plan
How to Build a Dynamic Social Media PlanPost Planner
 
Learn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionLearn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionIn a Rocket
 
SEO: Getting Personal
SEO: Getting PersonalSEO: Getting Personal
SEO: Getting PersonalKirsty Hulse
 

Viewers also liked (6)

Tarzan & The Possession
Tarzan & The PossessionTarzan & The Possession
Tarzan & The Possession
 
The Big Benefits of Outsourcing Your Small Business
The Big Benefits of Outsourcing Your Small BusinessThe Big Benefits of Outsourcing Your Small Business
The Big Benefits of Outsourcing Your Small Business
 
LianFa Pipes & Valves
LianFa Pipes & ValvesLianFa Pipes & Valves
LianFa Pipes & Valves
 
How to Build a Dynamic Social Media Plan
How to Build a Dynamic Social Media PlanHow to Build a Dynamic Social Media Plan
How to Build a Dynamic Social Media Plan
 
Learn BEM: CSS Naming Convention
Learn BEM: CSS Naming ConventionLearn BEM: CSS Naming Convention
Learn BEM: CSS Naming Convention
 
SEO: Getting Personal
SEO: Getting PersonalSEO: Getting Personal
SEO: Getting Personal
 

Similar to Cyber D&D

5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response PlanResilient Systems
 
Introduction to data science
Introduction to data scienceIntroduction to data science
Introduction to data scienceSpartan60
 
Assignment You will conduct a systems analysis project by .docx
Assignment You will conduct a systems analysis project by .docxAssignment You will conduct a systems analysis project by .docx
Assignment You will conduct a systems analysis project by .docxfestockton
 
How To Build An Incident Response Function
How To Build An Incident Response FunctionHow To Build An Incident Response Function
How To Build An Incident Response FunctionResilient Systems
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileVijayananda Mohire
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018Open Security Summit
 
PPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxPPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxRSAArcher
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial EmulationScott Sutherland
 
NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)April Mardock CISSP
 
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...CompTIA
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingSaqib Raza
 
SY0-701 Dumps | SY0-701 Preparation Kit
SY0-701 Dumps | SY0-701 Preparation KitSY0-701 Dumps | SY0-701 Preparation Kit
SY0-701 Dumps | SY0-701 Preparation Kitbronxfugly43
 
Threat intelligence life cycle steps by steps
Threat intelligence life cycle steps by stepsThreat intelligence life cycle steps by steps
Threat intelligence life cycle steps by stepsJayeshGadhave1
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniyaseraljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniYaser Alrefai
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...robbiesamuel
 
Practical Measures for Measuring Security
Practical Measures for Measuring SecurityPractical Measures for Measuring Security
Practical Measures for Measuring SecurityChris Mullins
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
7. using planning & decision aids
7. using planning & decision aids 7. using planning & decision aids
7. using planning & decision aids Sudhir Upadhyay
 

Similar to Cyber D&D (20)

5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan
 
Introduction to data science
Introduction to data scienceIntroduction to data science
Introduction to data science
 
Assignment You will conduct a systems analysis project by .docx
Assignment You will conduct a systems analysis project by .docxAssignment You will conduct a systems analysis project by .docx
Assignment You will conduct a systems analysis project by .docx
 
How To Build An Incident Response Function
How To Build An Incident Response FunctionHow To Build An Incident Response Function
How To Build An Incident Response Function
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobile
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018
 
PPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxPPT-Security-for-Management.pptx
PPT-Security-for-Management.pptx
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
 
NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)
 
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
SY0-701 Dumps | SY0-701 Preparation Kit
SY0-701 Dumps | SY0-701 Preparation KitSY0-701 Dumps | SY0-701 Preparation Kit
SY0-701 Dumps | SY0-701 Preparation Kit
 
Threat intelligence life cycle steps by steps
Threat intelligence life cycle steps by stepsThreat intelligence life cycle steps by steps
Threat intelligence life cycle steps by steps
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
 
Practical Measures for Measuring Security
Practical Measures for Measuring SecurityPractical Measures for Measuring Security
Practical Measures for Measuring Security
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
7. using planning & decision aids
7. using planning & decision aids 7. using planning & decision aids
7. using planning & decision aids
 

Recently uploaded

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 

Recently uploaded (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

Cyber D&D

  • 2. Shut Up Carl! DENIAL Prevent adversary from gaining useful information
  • 3.
  • 4. Influence another to behave in a way that gives the deceiver an advantage, creating a causal relationship between psychological state and physical behaviour Denial: prevents target from gaining information & stimuli Deception: provides misleading information & stimuli
  • 5. 2D framework 1st dimension Relates to information (fact or fiction) 2nd dimension Relates to actions or behaviours (revealing or concealing) D&D Techniques
  • 6. TABLE 1. D&D methods matrix. Deception objects Deception: Mislead (M)- type methods Revealing Denial: Ambiguity (A)- type methods Concealing Facts Reveal facts: Nonessential elements of friendly information • Reveal true information to the target • Reveal true physical entities, events, or processes to the target Conceal facts (dissimulation): Essential elements of friendly information • Conceal true information from the target • Conceal true physical entities, events, or processes from the target Fiction Reveal fiction (simulation): Essential elements of deception information • Reveal false information to the target • Reveal false physical entities, events, or processes to the target Conceal fiction: Nondisclosable deception information • Conceal false information from the target • Conceal false physical entities, events, or processes from the target
  • 7.
  • 8. Denial prevent detection of essential elements of friendly information (EEFI) -> hiding what’s real hide the false information -> the nondisclosable deception information (NDDI) -> protect the D&D plan
  • 10. Deception induce misperception -> using the essential elements of deception information (EEDI) -> show what’s false show the real information -> nonessential elements of friendly information (NEFI) -> enhance the D&D cover story
  • 11. Better you don’t think about it right now ;)
  • 12. Deception chain • Analogous to Lockheed Martin’s “cyber kill chain” model. • Deception chain adapted from Barton Whaley’s 10-step process for • Planning • Preparation • Executing deception operations • Facilitates integration of 3 systems: • Cyber D&D • Cyber intelligence • Security operations
  • 14.
  • 15. Helps enterprise managers define strategic, operational, or tactical goal i.e., the purpose of the deception and the criteria that would indicate the deception’s success Purpose
  • 16. C llect Intelligence WHAT the adversary will observe?
  • 17. C llect Intelligence the adversary might interpret it? the adversary might react to it? to monitor adversary’s behavior? HOW
  • 18. C llect Intelligence Source of Intelligence: framework that combines all the related information about a particular intrusion into a set of activities. Intrusion Campaign Analysis
  • 19. C llect Intelligence Source of Intelligence: might involve government, private industry, or non-profit organizations. Threat-Sharing Partnerships
  • 20. Design Cover Story Cover Story is what the defender wants the adversary to perceive and believe.
  • 21. Design Cover Story The D&D planner considers • critical components of the operation • assess the adversary’s observation and analysis capabilities • develop a convincing story that “explains” the operation’s components observable to the adversary
  • 23. Design Cover Story The D&D planners decide • What information must be hidden • What information must be revealed
  • 24. Planning Plans to use Denial tactics and Deception tactics
  • 25. Planning WHY DENIAL TACTICS? D&D planners analyse characteristics of real events & activities that must be hidden to support deception cover story, identify corresponding signatures that would be observed by adversary, and plan to use denial tactics to hide signatures from adversary.
  • 28. Planning WHY DECEPTION TACTICS? D&D planners analyse characteristics of notional events & activities that must be portrayed and observed to support cover story, identify corresponding signatures the adversary would observe, and plan to use deception tactics to mislead the adversary.
  • 30. Planning D&D planners turn the matrix cell information into operational activities that reveal or conceal the key information conveying the cover story.
  • 31. Preparation D&D planners design the desired effect of the deception operation and explore the available means and resources to create the effect on the adversary. Thus coordinates with security operations on timing for developing the notional and real equipment, staffing, training, and other preparations to support the deception cover story
  • 32. Execute If the deception and real operational preparations can be synchronized and supported -> then D&D planners and security operations must coordinate and control all relevant preparations to execute deception cover story
  • 33. Monitor Monitors • Both friendly & adversary operational preparations • Carefully watching the observation channels and sources selected to convey the deception to the adversary • Adversary’s reaction to the performance,” i.e., the cover story execution.
  • 34. Reinforce At times, the D&D planners may need to reinforce the cover story through additional deceptions, or to convey the deception operation to the adversary through other channels or sources. The planners may have to revisit the fist phase of the deception chain, execute a backup deception, or plan another operation
  • 35. MALICIOUS ACTORS FOLLOW A COMMON MODEL OF BEHAVIOR TO COMPROMISE VALUABLE INFORMATION IN A TARGET NETWORK.
  • 36. CYBER KILL CHAIN Attackers generally employ a cyber attack strategy, divided into the six phases described below, called the cyber kill chain or kill chain.
  • 38. CYBER KILL CHAIN & DECEPTION CHAIN • Unlike cyber kill chain, deception chain is not always linear • Progression through the phases can be recursive or disjoint • The deception chain is also applicable at each phase of the cyber kill chain
  • 39. CYBER D&D MATURITY MODEL Provides a blueprint that organizations can use to assess, measure, and increase maturity of their current cyber D&D operations and develop specific cyber D&D innovations
  • 40. CYBER D&D MATURITY MODEL • Must function in concert with the organization’s overall defensive operations and must support cyber defense • Represents the overall approach to managing cyber D&D capabilities and operations from the perspectives of capability and operations and services
  • 41. • Tools • Threat data • Shared repositories • Metrics databases • Fine-tune deployments • Monitor observables • Collect field reports • Collect metrics • Outcome analysis • D&D improvements • Feedback to planning Increasing maturity of cyber D&D people, processes, and techniques Plan Revise plan for next iteration Post- deployment analysis Deploy and execute Prototype 1 Prototype 2 Prototype 3 Implement • Establish D&D goals • Training curricula • Cyber D&D TTTPs • Best practices and standards • Cyber D&D metrics Spiral D&D Life-Cycle Management Process
  • 42. Spiral D&D Life-Cycle Management Process Helps an organization assess risks & effectiveness with each iteration of the spiral while promoting agile and rapid prototyping as well as tuning of D&D techniques and services based on observed outcomes
  • 43. Spiral D&D Life-Cycle Management Process incorporate cyber D&D into active cyber defense • establishing clear and achievable program goals • The planning phase should include • establishing D&D program goals • developing • training curricula • cyber D&D TTTPs • cyber D&D best practices and standards • cyber D&D metrics
  • 44. Spiral D&D Life-Cycle Management Process • In the implementation phase, the organization will start to plan based on the goals and actions from the previous phase. The plan must address both the “what” and the “how.” • organization must deploy and execute cyber D&D TTTPs, services, and supporting processes in a target environment such as a honeynetwork or a honeypot, the real cyber infrastructure, or some combination • At each iteration, the organization must evaluate the risks and effectiveness of the current prototype
  • 45. Spiral D&D Life-Cycle Management Process • Post-deployment analysis, the last phase in the spiral, has 3 essential elements: • Outcome analysis • Process improvements • Feedback. • Outcome analysis centers on the overall outcome of the current spiral, addressing questions such as: › How effective were the cyber D&D techniques developed and operationally deployed? › What were the successes and failures? › How well did the organization manage the total life-cycle costs within the spiral?
  • 46. To answer these questions… • Organization must analyse metrics data and file reports, using the results to formulate specific D&D improvements in processes, services, and technologies. • Requires careful attention to managing change for all of the D&D elements.
  • 48. 2D framework 1st dimension Relates to information (fact or fiction) 2nd dimension Relates to actions or behaviours (revealing or concealing) D&D TechniquesResearch & Technology Challenges Purpose & Collect Intelligence Stages • Models for strategic D&D objectives can be built from both offensive and defensive perspectives • Game-theory models could help analyse moves and countermoves to produce promising TTTPs for cyber D&D.
  • 49. Research & Technology Challenges Cover Story Stage • it is important to create believable deception material to attract the adversary’s interest • Network and host-based deception material such as honeypots, crafted documents, and email are referred to as honeytokens
  • 50. Research & Technology Challenges Plan Stage • What moves has the adversary made? • To what extent do these moves signal the adversary’s intentions? • Which baits have worked well, or not? • What is the adversary’s sphere of interest?
  • 51. 2D framework 1st dimension Relates to information (fact or fiction) 2nd dimension Relates to actions or behaviours (revealing or concealing) D&D TechniquesResearch & Technology Challenges Preparing & Executing Stage • can be made more scalable and efficient by leveraging existing tools and training materials. • A standalone “honeypot in a box” product might be developed to adapt to an organization’s network structure with a truncated setup time. • Novel ways of training personnel in cyber D&D technology are also important, such as simulated intrusions and response
  • 52. Research & Technology Challenges Monitoring Stage • Tracking honeytoken files is helpful in the monitoring stage, and can involve watermarking to alert defenders to an intruder
  • 53. Research & Technology Challenges Reinforce Stage • Technical and operational metrics are needed to continuously improve cyber D&D operations • These measure the precision and believability of honeytokens in that they attract the intended target and are readily mistaken as real.
  • 54. Conclusion Cyber D&D should be part of the national cyber strategy… The national center of gravity program must facilitate a strategic “working group” to begin developing national cyber D&D plans, formulate US government policies, create programs, and establish goals and objectives within the strategy.