2 Capability Requirements
2.1 General Considerations
2.2 Command and Control (C2)
Deception Tradeoff Analysis is a persistent C2 task that spans the mission planning stages through mission conclusion/termination. In the context of a deception, the tradeoff analysis involves identifying the effect that the currently used deception methods have on the attacker, versus the impact that the applied deception solution has on normal mission operations. This analysis may also include a cost component: the amount of human and technical resources required for deception deployment and maintenance.
The first part of the tradeoff analysis, assessing the effect on an attacker, should start at the deception planning and design stages with a clear definition of deception goals and objectives. In the cyber context, the goals and expectations can be expressed through a description of the projected attacker’s follow-up actions that can be detected/tracked by the available monitoring sensors. Each event may be assigned a numerical importance factor. Matching these formally expressed expectations against the actually observed events should yield a solid, quantified measurement of the effect.
The complementary approach we suggest is based on the OODA loop (Observe, Orient, Decide, and Act) concept. OODA is a cyclic process model, proposed by Boyd [13], by which an entity reacts to an event. The purpose of deception, in the context of having an effect on the attackers, is to slow down the “observe” and “orient” stages of the attacker’s OODA loop. Observed changes in attack patterns can be interpreted as the start/end points of the attacker’s current OODA loop. By measuring the time length of each loop, we may be able to infer the degree of effect that the applied deception methods have on the attacker.
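The two effect measures described above, expected follow-up events weighted by an importance factor and OODA loop length inferred from changes in the observed attack pattern, worked through on sensor data. This is an added example and not code from the chapter or from the authors' AFRL work; the event kinds, importance factors (including the use of a negative factor for an action the deception is meant to prevent), timestamps and addresses are constructed sample values, and reading a change in event kind as a loop boundary is this example's own assumption.

```python
"""Quantifying a deception's effect on an attacker from monitoring-sensor events.

Two measures: (1) a weighted match of expected attacker follow-up events, each
carrying an importance factor, against the events the sensors actually reported;
(2) the length of the attacker's OODA loops, where a change in the observed attack
pattern is taken as the boundary between two loops. All event kinds, factors,
timestamps and addresses below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SensorEvent:
    t: float       # seconds since the deception was deployed
    kind: str      # event type as reported by a monitoring sensor
    target: str    # asset the activity was directed at


# Deception goals stated as expected follow-up actions with importance factors.
# A negative factor marks an action the deception is meant to prevent (assumption).
EXPECTED: Dict[str, float] = {
    "scan_decoy_subnet": 1.0,
    "connect_decoy_ssh": 3.0,
    "download_decoy_document": 5.0,
    "probe_real_db": -4.0,
}

# Constructed traces: one without deception, one with the deception in place.
BASELINE: List[SensorEvent] = [
    SensorEvent(0, "port_scan", "10.0.0.5"),
    SensorEvent(5, "port_scan", "10.0.0.6"),
    SensorEvent(20, "exploit_attempt", "10.0.0.5"),
    SensorEvent(40, "lateral_movement", "10.0.0.6"),
    SensorEvent(55, "exfiltration", "10.0.0.6"),
]
UNDER_DECEPTION: List[SensorEvent] = [
    SensorEvent(0, "scan_decoy_subnet", "10.0.9.0/24"),
    SensorEvent(10, "scan_decoy_subnet", "10.0.9.0/24"),
    SensorEvent(60, "connect_decoy_ssh", "10.0.9.7"),
    SensorEvent(150, "download_decoy_document", "10.0.9.7"),
    SensorEvent(200, "connect_decoy_ssh", "10.0.9.8"),
    SensorEvent(220, "probe_real_db", "10.0.0.6"),
]


def effect_score(expected: Dict[str, float], observed: List[SensorEvent]) -> Tuple[float, float]:
    """Return (achieved, maximum). Each expected kind contributes its factor once if any
    observed event has that kind; the maximum counts only the desired (positive) factors."""
    seen = {e.kind for e in observed}
    achieved = sum(w for kind, w in expected.items() if kind in seen)
    maximum = sum(w for w in expected.values() if w > 0)
    return float(achieved), float(maximum)


def ooda_loop_durations(events: List[SensorEvent]) -> List[float]:
    """Lengths of the completed OODA loops in a trace. A change in event kind relative to
    the previous event is read as the attacker having re-observed, re-oriented and decided
    on a new action, i.e. as the start of a new loop."""
    ordered = sorted(events, key=lambda e: e.t)
    if not ordered:
        return []
    boundaries = [ordered[0].t] + [
        cur.t for prev, cur in zip(ordered, ordered[1:]) if cur.kind != prev.kind
    ]
    return [b - a for a, b in zip(boundaries, boundaries[1:])]


def loop_slowdown(baseline: List[SensorEvent], under_deception: List[SensorEvent]) -> float:
    """Mean loop length under deception divided by the mean loop length without it;
    a value above 1.0 indicates the deception slowed the attacker's cycle."""
    base, dec = ooda_loop_durations(baseline), ooda_loop_durations(under_deception)
    if not base or not dec:
        raise ValueError("need at least one completed loop in each trace")
    return (sum(dec) / len(dec)) / (sum(base) / len(base))


if __name__ == "__main__":
    print("effect score (achieved, max):", effect_score(EXPECTED, UNDER_DECEPTION))
    print("loop durations, baseline:", ooda_loop_durations(BASELINE))
    print("loop durations, deception:", ooda_loop_durations(UNDER_DECEPTION))
    print("OODA slowdown factor:", round(loop_slowdown(BASELINE, UNDER_DECEPTION), 2))
```

The two numbers are meant to be read together: the score says which of the planned follow-up actions the attacker actually took (and whether an undesired one slipped through, as the `probe_real_db` event does here), while the slowdown factor says how much longer each decision cycle took once the decoys were in place. Both depend on the expectations having been written down at design time, before the first sensor event arrives.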
A projected effect on the attacker can also be measured through deception testing and attack simulation. For example, in our recent deception R&D efforts sponsored by the Air Force Research Laboratories (AFRL), we use nmap penetration testing tools to project the effect of our anti-reconnaissance techniques on external network topology discovery. We devised an effect quantification formula that factors in the following:
• Complexity of a real network topology: a set of observable network elements and corresponding network parameters,
• Complexity of the configured deception topology schema: i.e., the topology that we present to an attacker,
• The difference between the real and the falsified topology: we define it as the distance of the deception maneuver, and
• Resulting deviations: the difference between the network reconnaissance tools’ output and the configured deception schema.
We then assess deception effectiveness by calculating the ratio between the distance of the deception maneuver and the resulting deviation.
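The four factors above carried through on a small topology, as an added example that is not the chapter's or the authors' own formula. A topology is modelled as a set of observable (host, parameter, value) elements, so its complexity is the set's size; measuring both the maneuver distance and the deviation as symmetric differences, reporting an infinite ratio when reconnaissance reproduces the deception schema exactly, and the addresses and parameters themselves are all this example's assumptions.

```python
"""Quantifying the effect of a deception on network topology discovery.

Topologies are sets of observable elements (host, parameter, value). The chapter
names the four factors but not the exact formula; the set-based measures here and
the treatment of a zero deviation are assumptions, and every address and
parameter below is a constructed sample value.
"""
import math
from typing import FrozenSet, Tuple

Element = Tuple[str, str, str]   # (host, parameter, value)
Topology = FrozenSet[Element]


def topology(*elements: Element) -> Topology:
    return frozenset(elements)


def complexity(t: Topology) -> int:
    """Number of observable network elements and parameters."""
    return len(t)


def maneuver_distance(real: Topology, deception: Topology) -> int:
    """Distance of the deception maneuver: elements on which the real topology and the
    schema presented to the attacker differ (assumed: size of the symmetric difference)."""
    return len(real ^ deception)


def resulting_deviation(recon_output: Topology, deception: Topology) -> int:
    """Resulting deviation: elements on which the reconnaissance tools' output differs
    from the configured deception schema."""
    return len(recon_output ^ deception)


def leaked_truth(real: Topology, deception: Topology, recon_output: Topology) -> Topology:
    """Real elements the schema was meant to hide that reconnaissance nevertheless reported;
    the diagnostic a defender wants when the deviation is not zero."""
    return (real - deception) & recon_output


def effectiveness(real: Topology, deception: Topology, recon_output: Topology) -> float:
    """Ratio of maneuver distance to resulting deviation. No maneuver gives 0.0; a zero
    deviation (the tools reproduced the schema exactly) is reported as +inf."""
    dist = maneuver_distance(real, deception)
    if dist == 0:
        return 0.0
    dev = resulting_deviation(recon_output, deception)
    return math.inf if dev == 0 else dist / dev


# Constructed sample: two real hosts, one of them re-skinned and a decoy host added.
REAL = topology(
    ("10.0.0.5", "os", "linux"),
    ("10.0.0.5", "port/22", "open"),
    ("10.0.0.5", "port/443", "open"),
    ("10.0.0.6", "os", "windows"),
    ("10.0.0.6", "port/445", "open"),
)
DECEPTION = topology(
    ("10.0.0.5", "os", "windows"),
    ("10.0.0.5", "port/3389", "open"),
    ("10.0.0.5", "port/443", "open"),
    ("10.0.0.6", "os", "windows"),
    ("10.0.0.6", "port/445", "open"),
    ("10.0.0.7", "os", "linux"),
    ("10.0.0.7", "port/22", "open"),
)
# What the reconnaissance tools reported: the schema, plus one real element that leaked.
RECON = DECEPTION | frozenset({("10.0.0.5", "port/22", "open")})


if __name__ == "__main__":
    print("complexity real/deception:", complexity(REAL), complexity(DECEPTION))
    print("maneuver distance:", maneuver_distance(REAL, DECEPTION))
    print("resulting deviation:", resulting_deviation(RECON, DECEPTION))
    print("leaked truth:", sorted(leaked_truth(REAL, DECEPTION, RECON)))
    print("effectiveness:", effectiveness(REAL, DECEPTION, RECON))
```

Feeding the function a parsed scan result rather than the hand-built `RECON` set is the only change needed to use it in a test campaign; the useful comparison is then the ratio before and after each change to the schema, since a larger maneuver that produces the same deviation means more of the falsified picture survived reconnaissance.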
The second part of the tradeoff analysis, the impact on user operations, can be measured (where applicable) by assessing the loss of productivity of the mission personnel, network performance degradation, service interruptions, etc.
Again, it is important to set clear metrics and tolerable mission thresholds for impact measurement during the deception planning and design stage.
2.2.1 Deception Design and Planning
Joint Publication 1–13.4 [4] defines deception planning as “an iterative process that requires continual reexamination of its objectives, target, stories, and means throughout the planning and execution phases ... The MILDEC planning process consists of six steps: deception mission analysis; deception planning guidance; staff deception estimate; commander’s deception estimate; Chairman of the Joint Chiefs of Staff estimate review; deception plan development; and deception plan review and approval.”
This chapter focuses on deception design. The workflow of the deception design process is described in Sect. 2.3. This section outlines the expectations and requirements for deception planning and design. One of the most important inputs to the deception design is the mission context, which is a result of the mission analysis performed as a part of deception planning. Joint Publication 3-12(R) [9] defines a mission context as a combination of “current and predictive knowledge of cyberspace and the Operation Environment (OE) upon which Cyber Operations (CO) depend, including all factors affecting friendly and adversary cyberspace forces.” Important elements of the mission context are the mission’s cyber assets, network assets for defense and recovery, communication channels, data feeds, user interfaces, mission capabilities (e.g., critical systems, alternative paths, backups, etc.), constraints, and the boundaries and limitations that affect the potential range of deception, stemming from the need to keep mission operations transparent.
In our deception design paradigm, we also consider factors that include:
• a specific mission network and application context,
• enterprise network setup (scale, device types, topology, typical configurations),
• dependencies and operations use cases (command and control context, mission task list),
• computing environment (operating systems, anticipated services, public and private cloud, etc.),
• cyber asset and importance factors,
• installed security modalities (firewalls and their configurations, intrusion detection, etc.),
• metrics (security metrics for analysis and test and evaluation, performance metrics, etc.), and
• workflow (where deceptions reside in the Air Task Order (ATO) production, for example).
2.2.2 Situation Awareness and Run-Time Centralized Configuration Control
Once the planning and design process is complete, the Deception Plot is developed and deployed, defining where and when the deception execution cycle must take place. The execution process involves two basic functions: assessing and control.
“Assessing involves the receipt and processing of information concerning the MILDEC operation, and control entails making iterative decisions and issuing instructions until termination. The deception plan is the basis for execution, but execution may take place in conditions that are more dynamic than the plan anticipated” [4]. One of the key requirements of situational awareness is a clear understanding of the existing Operational Environment during mission operations.
Joint Publication 3-12(R) [9] defines the Operational Environment (OE) as a “composite of the conditions, circumstances, and influences that affect the employment of capabilities and bear on the decisions of the commander”. Some of the cyber OE elements include but are not limited to: network outages or degradation, detected intrusions/attacks/indicators of compromise (IoCs), unauthorized activity, alerts/threat information, current network traffic analysis, etc.
Joint Publication 1–13.4 [4] defines the six principles of MILDEC that provide guidance for planning and executing MILDEC operations. These six principles are:
• Focus: The deception must target the adversary decision maker capable of causing the desired action(s) or inaction(s).
• Objective: Cause an adversary to take (or not to take) specific actions, not just to believe certain things.
• Centralized Planning and Control: MILDEC operations should be centrally planned and directed.
• Security: Deny knowledge of a force’s intent to deceive and the execution of that intent to adversaries.
• Timeliness: A deception operation requires careful timing.
• Integration: Fully integrate each MILDEC with the operation that it is supporting.
Mission commanders continuously monitor changes in the OE and make adjustments. Hence, the deception design should provide the capabilities to make dynamic changes to the deception story according to changing conditions. Such capabilities can only be efficiently provided through a centralized deception command and control infrastructure that enables:
• Deployment and dynamic configurations for deception scenarios, and
• Dissemination, synchronization and coordination of network deception events and attack responses across the whole mission environment.
Joint Publication 3-12(R) [9] states that the “C2 of ... defense cyber operations (DCO) may require pre-determined and preauthorized actions based on meeting particular conditions and triggers, executed either manually or automatically if the nature of the threat requires instantaneous response.” The design of an effective cyber deception system should include capabilities to perform all three types of C2 operations:
• Man-in-the-loop—allowing a manual run-time deception scenario update.
• Autonomous mode—using a pre-configured rule-based deception policy for triggering deception responses.
• Man-on-the-loop—supporting context-aware capabilities whereby different rules might be applied to the same input/stimuli depending on the current operational context and situational awareness considerations. Man-on-the-loop allows for run-time context rule updates.
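The three C2 modes above as a small policy engine: the same stimulus produces different responses depending on the active operational context, the context rules can be changed while the deception is running, rules can be pre-empted or unanswered stimuli escalated to an operator, and every decision is recorded for the assessing function. This is an added example and not code from the chapter or from the authors' system; the context names, rule sets, stimulus kinds and responses are constructed, and the fallback from a context lacking a rule to the nominal context's rule is an assumption.

```python
"""Three C2 modes for a cyber deception controller, as a policy engine.

  man-in-the-loop : an operator injects a run-time instruction for a stimulus kind,
                    and stimuli no rule covers are escalated to the operator
  autonomous      : pre-configured rules map a stimulus kind to a deception response
  man-on-the-loop : the rule applied to the same stimulus depends on the current
                    operational context, and context rules can be updated at run time
All contexts, rules, stimulus kinds and responses are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List

Ruleset = Dict[str, Dict[str, str]]   # context -> stimulus kind -> deception response


@dataclass(frozen=True)
class Stimulus:
    kind: str      # sensor alert or event type
    source: str    # observed origin of the activity


@dataclass(frozen=True)
class Decision:
    response: str  # deception action to execute, or "escalate_to_operator"
    mode: str      # which C2 mode produced the decision
    context: str   # operational context in force at decision time


class DeceptionC2:
    DEFAULT_CONTEXT = "nominal"

    def __init__(self, rules: Ruleset):
        if self.DEFAULT_CONTEXT not in rules:
            raise ValueError("rule set must define the nominal context")
        self.rules: Ruleset = {ctx: dict(r) for ctx, r in rules.items()}
        self.context = self.DEFAULT_CONTEXT
        self.pending: Dict[str, str] = {}   # one-shot operator instructions by stimulus kind
        self.audit: List[Decision] = []     # record for the assessing function

    # man-on-the-loop: situational awareness selects the active context ...
    def set_context(self, context: str) -> None:
        if context not in self.rules:
            raise KeyError(f"no rule set for context {context!r}")
        self.context = context

    # ... and context rules may be changed while the deception is running.
    def update_rule(self, context: str, kind: str, response: str) -> None:
        self.rules.setdefault(context, {})[kind] = response

    # man-in-the-loop: the operator answers an escalation or pre-empts a rule once.
    def operator_instruction(self, kind: str, response: str) -> None:
        self.pending[kind] = response

    def decide(self, stim: Stimulus) -> Decision:
        ctx_rules = self.rules[self.context]
        if stim.kind in self.pending:
            d = Decision(self.pending.pop(stim.kind), "man-in-the-loop", self.context)
        elif stim.kind in ctx_rules:
            mode = "autonomous" if self.context == self.DEFAULT_CONTEXT else "man-on-the-loop"
            d = Decision(ctx_rules[stim.kind], mode, self.context)
        elif stim.kind in self.rules[self.DEFAULT_CONTEXT]:
            # assumed fallback: a context without its own rule uses the nominal rule
            d = Decision(self.rules[self.DEFAULT_CONTEXT][stim.kind], "autonomous", self.context)
        else:
            d = Decision("escalate_to_operator", "man-in-the-loop", self.context)
        self.audit.append(d)
        return d


# Constructed rule sets. The mission-critical window deliberately limits the
# deception's impact on operations, the other side of the tradeoff analysis.
RULES: Ruleset = {
    "nominal": {"port_scan": "redirect_to_decoy_subnet", "ssh_bruteforce": "present_decoy_ssh"},
    "active_incident": {"port_scan": "rotate_decoy_topology", "ssh_bruteforce": "tarpit_and_alert"},
    "mission_critical_window": {"port_scan": "passive_monitor_only"},
}


if __name__ == "__main__":
    c2 = DeceptionC2(RULES)
    scan = Stimulus("port_scan", "198.51.100.7")
    for ctx in ("nominal", "active_incident", "mission_critical_window"):
        c2.set_context(ctx)
        print(ctx, "->", c2.decide(scan))
    print(c2.decide(Stimulus("dns_tunnel", "198.51.100.7")))      # escalated
    c2.operator_instruction("dns_tunnel", "sinkhole_to_decoy_resolver")
    print(c2.decide(Stimulus("dns_tunnel", "198.51.100.7")))      # operator's answer
    c2.update_rule("nominal", "dns_tunnel", "sinkhole_to_decoy_resolver")
    print(c2.decide(Stimulus("dns_tunnel", "198.51.100.7")))      # now autonomous
```

Keeping the context switch and the rule update as separate operations matters: the first is the routine situational-awareness adjustment a commander makes many times during an operation, the second changes the deception policy itself and is what the centralized planning and control principle says should stay under central authority.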
Fig. 1 Deception design work flow loop