Recap We briefly highlighted 4 considerations related to Industrial networks: (1) Safety, (2) Availability, (3) Realism, & depending on our strategic goals, (4) Secrecy that we should be mindful throughout the planning & execution. Part 1 introduced 3 Phases of Cyber Deception Campaign. We need to consider Safety aspects related to Industrial networks carefully at of (below) & Availability of feedback channels is a critical aspect of the entire campaign. Step 6 Figure 1 This part two deals with to achieve for the types of Threat Actors we wish to engage. But first thing first... Figure 1 - Step 2 & 3 Realism How to Plan & Measure Success? Benjamin Franklin said: . Even with planning, things may not go well, **we need to establish ways to quantify success.**From , we see it ultimately leads to indications of Threat Actors in a state of (1) , (2) & (3) , of which we can gather & count to measure success or failure. “If you fail to plan, you are planning to fail!” Figure 1 Believed Suspected Unbelieved To lure ( ), it is appropriate to measure the occurrences of attackers showing indications of . Let's say we expect the attacker to read a fake network diagram ( ) within a file & to use the information to proceed to the next target ( ). Figure 1 > Step 1 - strategic goal Believed Step 2 - should react step 2 - desirable reaction , of which we could have forgotten to consider during planning. It is better then to improve quickly, e.g. embed tracing methods within the file & turn that type of event into a desirable reaction! Instead, attackers uploaded the file & stopped advancing, which could be a sign of Suspected For early deterrence or diversions, it makes more sense to state soonest, or they hit the "right" target (diversion), clean-up & exit network. make attackers back off by creating Unbelieved believed Regardless of your strategic goals, at some juncture attackers may reach either or state within their offensive . Suspected Unbelieved OODA loop A complete success is when attackers follow through the entire story thinking that they have achieved their objectives. Achieving success requires a convincing story together with a well-designed maze that exploits attackers’ mental bias. So what makes a “convincing” story? And “convincing” for who? It leads us to the next point, how well do you know your adversaries? Estimation of Threat-Actors Instead of boring you with various academic taxonomies related to motivations & other marketable personifications. Let me suggest an estimation in terms of their ability to adhere to or OPSEC in short. This can be inferred through monitoring the feedback channels since we don’t have Neuralink plugged into the adversaries' heads. Offensive Op erations Sec urity OPSEC from a defensive standpoint refers to a term derived from the US Military. It is a process used to deny a potential adversary or a threat, any sort of critical intelligence that could jeopardize the confidentiality and/or the operational security of a mission. Threat Actors also observe OPSEC in their campaigns to ensure mission success by working under the radars. The more advanced the actors are, the more skilled to test if they are in a maze. A table for comparison: Threat Actor “Types” Estimation of OPSEC Level Cognitive Level & Bias Novice Easily observable & “noisy” Low. Tend to believe systems responses & feedbacks. Intermediate . Able to recon without being observed easily. Still observable if the networks are well-defended with good detection engineering. Mid The in-betweens. Likely trained to assume they are being watched & have playbooks that observe OPSEC. Advanced . Very skilled & well resourced to be capable of disarming sensors. High Able to see through situational quickly. Very careful bunch. All these depends on “observability”, how much visibility do we have on the endpoints & networks, & how the signals are sent back to us. Poorly designed feedback channels that novice & intermediate actors can tamper, disable & evade means poor estimations will follow. We need to consider the actors’ profile, to design a story, plant information &/or system responses to FEED their Confirmation-Bias. Earlier on, I shared an example of attackers uploading file & not advancing. They could very careful or just cybercriminals making a quick buck by selling info. If they come back again, it means they believed the fake network diagram. Using a quote from Bruce Schneider (a famous security cryptographer): Only amateurs attack machines; professionals target people Which will lead us to the next question: How do they get in?
