CYBER
D&D
Shut Up Carl!
DENIAL
Prevent the adversary from gaining useful information
DECEPTION
Influence another to behave in a way that gives the deceiver an advantage, creating a causal relationship between psychological state and physical behaviour
Denial: prevents the target from gaining information & stimuli
Deception: provides misleading information & stimuli
2D
framework
1st dimension
Relates to information
(fact or fiction)
2nd dimension
Relates to actions
or behaviours
(revealing or concealing)
D&D Techniques
TABLE 1. D&D methods matrix.
(rows: deception objects, Facts and Fiction; columns: Deception, Mislead (M)-type methods, i.e. revealing; Denial, Ambiguity (A)-type methods, i.e. concealing)

Facts, Revealing: Reveal facts: nonessential elements of friendly information
• Reveal true information to the target
• Reveal true physical entities, events, or processes to the target

Facts, Concealing: Conceal facts (dissimulation): essential elements of friendly information
• Conceal true information from the target
• Conceal true physical entities, events, or processes from the target

Fiction, Revealing: Reveal fiction (simulation): essential elements of deception information
• Reveal false information to the target
• Reveal false physical entities, events, or processes to the target

Fiction, Concealing: Conceal fiction: nondisclosable deception information
• Conceal false information from the target
• Conceal false physical entities, events, or processes from the target
Denial
• Prevent detection of the essential elements of friendly information (EEFI) -> hiding what’s real
• Hide the false information, i.e. the nondisclosable deception information (NDDI) -> protect the D&D plan
Deception
Appearances can be deceiving
Deception
• Induce misperception using the essential elements of deception information (EEDI) -> show what’s false
• Show the real information, i.e. the nonessential elements of friendly information (NEFI) -> enhance the D&D cover story
Better you don’t think about it right now ;)
Deception chain
• Analogous to Lockheed Martin’s “cyber kill chain” model.
• Deception chain adapted from Barton Whaley’s 10-step process for
• Planning
• Preparation
• Executing deception operations
• Facilitates integration of 3 systems:
• Cyber D&D
• Cyber intelligence
• Security operations
PHASES OF
DECEPTION CHAIN
Purpose
Helps enterprise managers define the strategic, operational, or tactical goal, i.e., the purpose of the deception and the criteria that would indicate the deception’s success
Collect Intelligence
WHAT will the adversary observe?
HOW might the adversary interpret it?
HOW might the adversary react to it?
HOW to monitor the adversary’s behavior?
Collect Intelligence
Source of Intelligence: Intrusion Campaign Analysis
A framework that combines all the related information about a particular intrusion into a set of activities.
Collect Intelligence
Source of Intelligence: Threat-Sharing Partnerships
Might involve government, private industry, or non-profit organizations.
Design Cover Story
Cover Story is what the defender wants
the adversary to perceive and believe.
Design Cover Story
The D&D planner
• identifies the critical components of the operation
• assesses the adversary’s observation and analysis capabilities
• develops a convincing story that “explains” the operation’s components observable to the adversary
Design Cover Story
The story “explains” what the adversary can observe, BUT MISLEADS THE ADVERSARY
Design Cover Story
The D&D planners decide
• What information must be hidden
• What information must be revealed
Planning
Plans to use Denial
tactics and Deception
tactics
Planning
WHY DENIAL TACTICS?
D&D planners analyse the characteristics of the real events & activities that must be hidden to support the deception cover story, identify the corresponding signatures the adversary would observe, and plan to use denial tactics to hide those signatures from the adversary.
Planning
Denial tactics:
MASKING
REPACKAGING
DAZZLING
RED FLAGGING
Planning
WHY DECEPTION TACTICS?
D&D planners analyse characteristics of notional events
& activities that must be portrayed and observed to
support cover story, identify corresponding signatures
the adversary would observe, and plan to use deception
tactics to mislead the adversary.
Planning
Deception tactics:
MIMIC
INVENT
DECOY
DOUBLE PLAY
Planning
D&D planners turn the matrix cell
information into operational
activities that reveal or conceal the
key information conveying the
cover story.
Preparation
D&D planners design the desired effect of the deception operation and explore the available means and resources to create that effect on the adversary.
They then coordinate with security operations on the timing for developing the notional and real equipment, staffing, training, and other preparations that support the deception cover story.
Execute
Once the deception and real operational preparations can be synchronized and supported, D&D planners and security operations must coordinate and control all relevant preparations to execute the deception cover story.
Monitor
Monitors
• Both friendly & adversary operational preparations
• The observation channels and sources selected to convey the deception to the adversary, carefully watched
• The adversary’s reaction to the “performance,” i.e., the cover story execution.
Reinforce
At times, the D&D planners may need to reinforce the cover story through additional deceptions, or to convey the deception operation to the adversary through other channels or sources.
The planners may have to revisit the first phase of the deception chain, execute a backup deception, or plan another operation.
MALICIOUS ACTORS FOLLOW A COMMON MODEL OF BEHAVIOR TO
COMPROMISE VALUABLE INFORMATION IN A TARGET NETWORK.
CYBER KILL CHAIN
Attackers generally employ a
cyber attack strategy, divided into
the six phases described below,
called the cyber kill chain or kill
chain.
CYBER KILL CHAIN
Recon
Weaponize
Exploit
Control
Execute
Maintain
CYBER KILL CHAIN &
DECEPTION CHAIN
• Unlike cyber kill chain, deception chain is not
always linear
• Progression through the phases can be
recursive or disjoint
• The deception chain is also applicable at each
phase of the cyber kill chain
CYBER D&D MATURITY MODEL
Provides a blueprint that organizations
can use to assess, measure, and increase
maturity of their current cyber D&D
operations and develop specific cyber
D&D innovations
CYBER D&D MATURITY MODEL
• Must function in concert with the organization’s overall defensive operations and must support cyber defense
• Represents the overall approach to managing cyber D&D capabilities and operations from the perspectives of capability, operations, and services
Spiral D&D Life-Cycle Management Process (diagram)
Increasing maturity of cyber D&D people, processes, and techniques across successive iterations (Prototype 1, Prototype 2, Prototype 3).
Plan
• Establish D&D goals
• Training curricula
• Cyber D&D TTTPs
• Best practices and standards
• Cyber D&D metrics
Implement
• Tools
• Threat data
• Shared repositories
• Metrics databases
Deploy and execute
• Fine-tune deployments
• Monitor observables
• Collect field reports
• Collect metrics
Post-deployment analysis
• Outcome analysis
• D&D improvements
• Feedback to planning
Revise plan for next iteration
Spiral D&D Life-Cycle Management Process
Helps an organization
assess risks &
effectiveness with each
iteration of the spiral
while promoting agile
and rapid prototyping
as well as tuning of
D&D techniques and
services based on
observed outcomes
Spiral D&D Life-Cycle Management Process
To incorporate cyber D&D into active cyber defense, the organization starts by establishing clear and achievable program goals.
• The planning phase should include
• establishing D&D program goals
• developing
• training curricula
• cyber D&D TTTPs
• cyber D&D best practices and standards
• cyber D&D metrics
Spiral D&D Life-Cycle Management Process
• In the implementation phase, the organization will start to plan based on the goals and actions from the previous phase. The plan must address both the “what” and the “how.”
• The organization must deploy and execute cyber D&D TTTPs, services, and supporting processes in a target environment such as a honeynetwork or a honeypot, the real cyber infrastructure, or some combination
• At each iteration, the organization must evaluate the risks and effectiveness of the current prototype
Spiral D&D Life-Cycle Management Process
• Post-deployment analysis, the last phase in the spiral, has 3 essential elements:
• Outcome analysis
• Process improvements
• Feedback.
• Outcome analysis centers on the overall outcome of the current spiral, addressing questions such as:
› How effective were the cyber D&D techniques developed and operationally deployed?
› What were the successes and failures?
› How well did the organization manage the total life-cycle costs within the spiral?
To answer these questions…
• The organization must analyse metrics data and field reports, using the results to formulate specific D&D improvements in processes, services, and technologies.
• This requires careful attention to managing change for all of the D&D elements.
Finishing Touches…
Research & Technology Challenges
Purpose & Collect Intelligence Stages
• Models for strategic D&D objectives can be built
from both offensive and defensive perspectives
• Game-theory models could help analyse moves and
countermoves to produce promising TTTPs for cyber
D&D.
Research & Technology Challenges
Cover Story Stage
• It is important to create believable deception material to attract the adversary’s interest
• Network and host-based deception material such as honeypots, crafted documents, and email are referred to as honeytokens
Research & Technology Challenges
Plan Stage
• What moves has the adversary made?
• To what extent do these moves signal the adversary’s
intentions?
• Which baits have worked well, or not?
• What is the adversary’s sphere of interest?
Research & Technology Challenges
Preparing & Executing Stage
• Preparation and execution can be made more scalable and efficient by leveraging existing tools and training materials.
• A standalone “honeypot in a box” product might be developed to adapt to an organization’s network structure with a truncated setup time.
• Novel ways of training personnel in cyber D&D technology are also important, such as simulated intrusions and response.
Research & Technology Challenges
Monitoring Stage
• Tracking honeytoken files is helpful in the monitoring
stage, and can involve watermarking to alert defenders
to an intruder
Research & Technology Challenges
Reinforce Stage
• Technical and operational metrics are needed to continuously
improve cyber D&D operations
• These measure the precision and believability of honeytokens in
that they attract the intended target and are readily mistaken as
real.
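The two slides above (tracking watermarked honeytoken files in the Monitoring stage, and measuring the precision and believability of honeytokens in the Reinforce stage) can be shown end to end in a small defender-side script. The following is an added example, not code from the deck or from the MITRE authors. It assumes a file-based honeytoken scheme: each decoy document carries a per-copy watermark derived with HMAC-SHA256 from a secret key and the document's deployment path, so a copy that later surfaces in logs or leaked text identifies where it was taken from; each decoy also names a decoy service account, so a later login attempt with that account is evidence the adversary believed the document. The key, hosts, users, paths and log lines are all constructed for the example.

```python
"""Honeytoken registry, monitoring, and outcome metrics (added example)."""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed placeholder key; a real deployment keeps this in a secret store.
SECRET_KEY = b"example-honeytoken-key"

# Constructed sample logs: a file-server access log and a VPN auth log.
ACCESS_LOG = """\
2024-06-03T10:15:02Z host=fs01 user=svc-backup action=read path=/share/finance/passwords.xlsx
2024-06-03T11:02:41Z host=fs01 user=jdoe action=read path=/share/finance/q3-report.docx
2024-06-03T23:47:10Z host=fs01 user=jdoe action=read path=/share/finance/passwords.xlsx
2024-06-04T00:03:55Z host=fs01 user=jdoe action=copy path=/share/it/vpn-config.txt
"""
AUTH_LOG = """\
2024-06-04T00:12:30Z host=vpn01 result=fail user=fin-admin-svc src=10.8.3.21
2024-06-04T09:00:00Z host=vpn01 result=ok user=jdoe src=10.8.3.21
"""
ACCESS_RE = re.compile(r"^(?P<ts>\S+) host=\S+ user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) host=\S+ result=\S+ user=(?P<user>\S+) src=(?P<src>\S+)$")

# Accounts allowed to touch decoys without raising an alert (e.g. backup jobs).
EXPECTED_USERS = {"svc-backup"}


@dataclass
class Honeytoken:
    name: str
    path: str
    decoy_account: str
    watermark: str
    touches: list = field(default_factory=list)         # (ts, user, action)
    follow_through: list = field(default_factory=list)  # (ts, src) decoy-credential use


class HoneytokenRegistry:
    def __init__(self, key: bytes):
        self._key = key
        self._by_path, self._by_mark, self._by_account = {}, {}, {}

    def register(self, name: str, path: str, decoy_account: str) -> Honeytoken:
        # Per-copy watermark: HMAC over name and deployment path, truncated to 16 hex chars.
        mark = hmac.new(self._key, f"{name}|{path}".encode(), hashlib.sha256).hexdigest()[:16]
        tok = Honeytoken(name, path, decoy_account, mark)
        self._by_path[path], self._by_mark[mark], self._by_account[decoy_account] = tok, tok, tok
        return tok

    def find(self, name: str) -> Honeytoken:
        return next(t for t in self._by_path.values() if t.name == name)

    def render_document(self, tok: Honeytoken) -> str:
        # Decoy body; the watermark is disguised as an ordinary document reference.
        return (f"CONFIDENTIAL\nDocument-Ref: HT-{tok.watermark}\n"
                f"service account: {tok.decoy_account}\npassword: (decoy)\n")

    def scan_text(self, text: str) -> list:
        """Find watermarks in observed text (a paste, an outbound message) and map them back."""
        return [self._by_mark[m] for m in re.findall(r"HT-([0-9a-f]{16})", text) if m in self._by_mark]

    def ingest_access_log(self, text: str) -> None:
        for line in text.splitlines():
            m = ACCESS_RE.match(line)
            if m and (tok := self._by_path.get(m["path"])):
                tok.touches.append((m["ts"], m["user"], m["action"]))

    def ingest_auth_log(self, text: str) -> None:
        for line in text.splitlines():
            m = AUTH_RE.match(line)
            if m and (tok := self._by_account.get(m["user"])):
                tok.follow_through.append((m["ts"], m["src"]))

    def alerts(self, expected_users: set) -> list:
        """Every touch by someone outside the expected set is an alert for the monitoring stage."""
        return [(t.name, ts, user, action) for t in self._by_path.values()
                for ts, user, action in t.touches if user not in expected_users]

    def metrics(self, expected_users: set) -> dict:
        """Reinforce-stage metrics: precision (alerting touches / all touches) and
        believability (alerting touches followed by use of the decoy credential)."""
        out = {}
        for t in self._by_path.values():
            touches = len(t.touches)
            alerts = sum(1 for _, u, _a in t.touches if u not in expected_users)
            ft = len(t.follow_through)
            out[t.name] = {"touches": touches, "alerts": alerts,
                           "precision": alerts / touches if touches else 0.0,
                           "follow_through": ft,
                           "believability": min(ft, alerts) / alerts if alerts else 0.0}
        return out


def build_registry() -> HoneytokenRegistry:
    reg = HoneytokenRegistry(SECRET_KEY)
    reg.register("finance-passwords", "/share/finance/passwords.xlsx", "fin-admin-svc")
    reg.register("vpn-config", "/share/it/vpn-config.txt", "vpn-maint")
    reg.ingest_access_log(ACCESS_LOG)
    reg.ingest_auth_log(AUTH_LOG)
    return reg


if __name__ == "__main__":
    reg = build_registry()
    for alert in reg.alerts(EXPECTED_USERS):
        print("ALERT", alert)
    for name, m in reg.metrics(EXPECTED_USERS).items():
        print(name, m)
```

With the constructed logs, the backup account's read of the finance decoy is filtered out as expected noise, the two reads by the interactive user raise alerts, and the failed VPN login with the decoy account gives the finance decoy a believability of 1.0 while the VPN decoy, touched but never acted on, scores 0.0; that difference is exactly the outcome-analysis input the Reinforce stage uses to decide which honeytokens to keep, retune or replace.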
Conclusion
Cyber D&D should be part of the national cyber
strategy…
The national center of gravity program must
facilitate a strategic “working group” to begin
developing national cyber D&D plans, formulate US
government policies, create programs, and establish
goals and objectives within the strategy.
Session 1 - Intro to Robotic Process Automation.pdf
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 

Cyber D&D

  • 12. Deception chain
    • Analogous to Lockheed Martin’s “cyber kill chain” model.
    • Deception chain adapted from Barton Whaley’s 10-step process for planning, preparation, and executing deception operations.
    • Facilitates integration of 3 systems: cyber D&D, cyber intelligence, and security operations.
  • 15. Purpose. Helps enterprise managers define the strategic, operational, or tactical goal, i.e., the purpose of the deception and the criteria that would indicate the deception’s success.
  • 16. Collect Intelligence. WHAT will the adversary observe?
  • 17. Collect Intelligence. HOW might the adversary interpret it? HOW might the adversary react to it? HOW to monitor the adversary’s behavior?
  • 18. Collect Intelligence. Source of intelligence: Intrusion Campaign Analysis, a framework that combines all the related information about a particular intrusion into a set of activities.
  • 19. Collect Intelligence. Source of intelligence: Threat-Sharing Partnerships, which might involve government, private industry, or non-profit organizations.
  • 20. Design Cover Story. The cover story is what the defender wants the adversary to perceive and believe.
  • 21. Design Cover Story. The D&D planner:
    • considers the critical components of the operation
    • assesses the adversary’s observation and analysis capabilities
    • develops a convincing story that “explains” the operation’s components observable to the adversary
  • 23. Design Cover Story. The D&D planners decide:
    • what information must be hidden
    • what information must be revealed
  • 24. Planning. Plans to use denial tactics and deception tactics.
  • 25. Planning. WHY DENIAL TACTICS? D&D planners analyse the characteristics of the real events and activities that must be hidden to support the deception cover story, identify the corresponding signatures that the adversary would observe, and plan to use denial tactics to hide those signatures from the adversary.
  • 28. Planning. WHY DECEPTION TACTICS? D&D planners analyse the characteristics of the notional events and activities that must be portrayed and observed to support the cover story, identify the corresponding signatures the adversary would observe, and plan to use deception tactics to mislead the adversary.
  • 30. Planning. D&D planners turn the matrix cell information into operational activities that reveal or conceal the key information conveying the cover story.
  • 31. Preparation. D&D planners design the desired effect of the deception operation and explore the available means and resources to create that effect on the adversary. They therefore coordinate with security operations on the timing for developing the notional and real equipment, staffing, training, and other preparations that support the deception cover story.
  • 32. Execute. If the deception and real operational preparations can be synchronized and supported, then D&D planners and security operations must coordinate and control all relevant preparations to execute the deception cover story.
  • 33. Monitor. Monitors:
    • both friendly and adversary operational preparations
    • the observation channels and sources selected to convey the deception to the adversary, watched carefully
    • the adversary’s reaction to the “performance,” i.e., the cover story execution
  • 34. Reinforce. At times, the D&D planners may need to reinforce the cover story through additional deceptions, or to convey the deception operation to the adversary through other channels or sources. The planners may have to revisit the first phase of the deception chain, execute a backup deception, or plan another operation.
  • 35. MALICIOUS ACTORS FOLLOW A COMMON MODEL OF BEHAVIOR TO COMPROMISE VALUABLE INFORMATION IN A TARGET NETWORK.
  • 36. CYBER KILL CHAIN. Attackers generally employ a cyber attack strategy, divided into the six phases described below, called the cyber kill chain or kill chain.
  • 38. CYBER KILL CHAIN & DECEPTION CHAIN
    • Unlike the cyber kill chain, the deception chain is not always linear
    • Progression through the phases can be recursive or disjoint
    • The deception chain is also applicable at each phase of the cyber kill chain
  • 39. CYBER D&D MATURITY MODEL. Provides a blueprint that organizations can use to assess, measure, and increase the maturity of their current cyber D&D operations and develop specific cyber D&D innovations.
  • 40. CYBER D&D MATURITY MODEL
    • Must function in concert with the organization’s overall defensive operations and must support cyber defense
    • Represents the overall approach to managing cyber D&D capabilities and operations from the perspectives of capability and operations and services
  • 41. Spiral D&D Life-Cycle Management Process (diagram: increasing maturity of cyber D&D people, processes, and techniques across Prototype 1, Prototype 2, Prototype 3)
    • Plan: establish D&D goals; training curricula; cyber D&D TTTPs; best practices and standards; cyber D&D metrics
    • Implement: tools; threat data; shared repositories; metrics databases
    • Deploy and execute: fine-tune deployments; monitor observables; collect field reports; collect metrics
    • Post-deployment analysis: outcome analysis; D&D improvements; feedback to planning
    • Revise plan for next iteration
  • 42. Spiral D&D Life-Cycle Management Process. Helps an organization assess risks and effectiveness with each iteration of the spiral, while promoting agile and rapid prototyping as well as tuning of D&D techniques and services based on observed outcomes.
  • 43. Spiral D&D Life-Cycle Management Process. Incorporate cyber D&D into active cyber defense by establishing clear and achievable program goals. The planning phase should include:
    • establishing D&D program goals
    • developing training curricula, cyber D&D TTTPs, cyber D&D best practices and standards, and cyber D&D metrics
  • 44. Spiral D&D Life-Cycle Management Process
    • In the implementation phase, the organization starts to plan based on the goals and actions from the previous phase. The plan must address both the “what” and the “how.”
    • The organization must deploy and execute cyber D&D TTTPs, services, and supporting processes in a target environment such as a honeynetwork or a honeypot, the real cyber infrastructure, or some combination.
    • At each iteration, the organization must evaluate the risks and effectiveness of the current prototype.
  • 45. Spiral D&D Life-Cycle Management Process
    • Post-deployment analysis, the last phase in the spiral, has 3 essential elements: outcome analysis, process improvements, and feedback.
    • Outcome analysis centers on the overall outcome of the current spiral, addressing questions such as:
      › How effective were the cyber D&D techniques developed and operationally deployed?
      › What were the successes and failures?
      › How well did the organization manage the total life-cycle costs within the spiral?
  • 46. To answer these questions…
    • The organization must analyse metrics data and field reports, using the results to formulate specific D&D improvements in processes, services, and technologies.
    • This requires careful attention to managing change for all of the D&D elements.
  • 48. Research & Technology Challenges: Purpose & Collect Intelligence Stages
    • Models for strategic D&D objectives can be built from both offensive and defensive perspectives
    • Game-theory models could help analyse moves and countermoves to produce promising TTTPs for cyber D&D
  • 49. Research & Technology Challenges: Cover Story Stage
    • It is important to create believable deception material to attract the adversary’s interest
    • Network and host-based deception material such as honeypots, crafted documents, and email are referred to as honeytokens
  • 50. Research & Technology Challenges: Plan Stage
    • What moves has the adversary made?
    • To what extent do these moves signal the adversary’s intentions?
    • Which baits have worked well, or not?
    • What is the adversary’s sphere of interest?
  • 51. Research & Technology Challenges: Preparing & Executing Stage
    • Can be made more scalable and efficient by leveraging existing tools and training materials
    • A standalone “honeypot in a box” product might be developed to adapt to an organization’s network structure with a truncated setup time
    • Novel ways of training personnel in cyber D&D technology are also important, such as simulated intrusions and response
  • 52. Research & Technology Challenges: Monitoring Stage
    • Tracking honeytoken files is helpful in the monitoring stage, and can involve watermarking to alert defenders to an intruder
  • 53. Research & Technology Challenges: Reinforce Stage
    • Technical and operational metrics are needed to continuously improve cyber D&D operations
    • These measure the precision and believability of honeytokens, in that they attract the intended target and are readily mistaken as real
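As an added example (not from the slides or the MITRE framework), a small Python honeytoken monitor for the monitoring and reinforce stages (slides 52 and 53): it derives a unique watermark per decoy placement, matches constructed audit-log lines against a registry of issued tokens, suppresses actors expected to touch decoys, and counts hits per channel as a simple operational metric. The decoy names, the log format, the actor names and the key are assumptions.

```python
import hashlib
import hmac
import re
from collections import Counter

WATERMARK_KEY = b"example-key-not-for-production"  # constructed; keep a real key in a secrets store

def make_watermark(decoy_name, channel):
    """Unguessable watermark per (decoy, channel) placement, so a later hit
    tells the defender which observation channel the intruder came through."""
    msg = f"{decoy_name}|{channel}".encode()
    return "wm-" + hmac.new(WATERMARK_KEY, msg, hashlib.sha256).hexdigest()[:16]

def build_registry(placements):
    """Map watermark -> (decoy_name, channel) for every seeded decoy."""
    return {make_watermark(n, c): (n, c) for n, c in placements}

WM_RE = re.compile(r"\bwm-[0-9a-f]{16}\b")
ACTOR_RE = re.compile(r"\bactor=(\S+)")

def detect_hits(log_lines, registry, allowed_actors=frozenset()):
    """Alert on registered-watermark accesses by actors not expected to touch decoys."""
    alerts = []
    for line in log_lines:
        wm = WM_RE.search(line)
        if not wm or wm.group() not in registry:
            continue  # no watermark, or a token we never issued
        actor_m = ACTOR_RE.search(line)
        actor = actor_m.group(1) if actor_m else "unknown"
        if actor in allowed_actors:
            continue  # backup job or the seeding tool: expected, not an intrusion
        decoy, channel = registry[wm.group()]
        alerts.append({"actor": actor, "decoy": decoy, "channel": channel})
    return alerts

def hits_per_channel(alerts):
    """Operational metric: which channels actually attracted the adversary."""
    return Counter(a["channel"] for a in alerts)

# Seeded decoys (assumed names): (decoy file, channel it was placed in).
PLACEMENTS = [("q3_forecast.docx", "finance-share"),
              ("vpn_credentials.txt", "it-wiki"),
              ("board_minutes.pdf", "exec-mailbox")]
REGISTRY = build_registry(PLACEMENTS)
ALLOWED_ACTORS = frozenset({"svc_backup", "svc_seeder"})

# Constructed audit lines; the token reaches the log because each decoy's tracked filename or beacon URL embeds it.
SAMPLE_LOG = [
    f"t=1 actor=svc_backup action=read token={make_watermark('q3_forecast.docx', 'finance-share')}",
    f"t=2 actor=jdoe action=read token={make_watermark('vpn_credentials.txt', 'it-wiki')}",
    "t=3 actor=jdoe action=read token=wm-" + "0" * 16,  # never issued: ignored
    f"t=4 actor=jdoe action=open token={make_watermark('board_minutes.pdf', 'exec-mailbox')}",
    f"t=5 actor=svc_seeder action=write token={make_watermark('board_minutes.pdf', 'exec-mailbox')}",
]
```

Running `detect_hits(SAMPLE_LOG, REGISTRY, ALLOWED_ACTORS)` yields two alerts, both for `jdoe`, and `hits_per_channel` shows one hit each on the it-wiki and exec-mailbox channels.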
  • 54. Conclusion. Cyber D&D should be part of the national cyber strategy… The national center of gravity program must facilitate a strategic “working group” to begin developing national cyber D&D plans, formulate US government policies, create programs, and establish goals and objectives within the strategy.