The Fidelis Threat Research team is comprised of expert security researchers whose sole focus is generating accurate and actionable intelligence to better secure customers. Together, they represent over... Read More
October 25, 2016
The Anatomy of Good Deception
Deception and crime go hand in hand. But knowing when you’re being deceived means you need to think like the bad guys and know what to look for.
There are three elements of deception. To see these elements in action, we need look no further than a few notable cases — including the alleged Russian state actors behind the DNC and DCCC breaches as they continue to dump documents intended to influence the upcoming U.S. election.
Let’s take a look at the three elements of effective deception.
1. Plan and Prepare
The key is to create a storyline that’s mostly true – and that requires research. Research makes it possible to understand both the target of the deception and its target audience. Before fabricating communication between two parties (perhaps with the intent to leak information), your research must indicate they are likely in contact in the first place. All of the other elements of style must match too, or the deception will be revealed.
As an example, I use Domain Generation Algorithm-based malware to track command-and control-servers. Attackers know this kind of surveillance is done, so some of them try to camouflage their C2s to look like sinkholes and security researchers. They research what headers or fingerprints are used, what malware families they are interested in, and other data so they can craft an operational plan to make their C2 look like a security researcher.
2. Craft a Narrative That Is Credible — but False
You need a carefully crafted narrative that’s believable. A plausible narrative will play into the biases of your target audience. It also involves finding an environment where deception can thrive. For example, rumors about politicians are so effective because people are already predisposed to think poorly of politicians.
Most deception can be detected easily when there is readily available information to verify its authenticity. For example, the Syrian Electronic Army once hacked the Associated Press Twitter account and planted a false story about an explosion at the White House. Hilarity did not ensue. This graph of the Dow Jones index (from The Washington Post) shows the immediate impact of this one tweet.
The markets saw a precipitous drop for 5-10 minutes. Trading returned to normal almost immediately once the hoax quickly came to light. After all, the “explosion” could immediately and easily be deemed a hoax with no lasting impact.
3. Deceive in Moderation
Use deception only when it counts. Dump lots of false narratives and the source will eventually (and quickly) lose credibility. Once we spot a pathological liar, we never trust anything from them again – even when it’s true. For example, if the Podesta emails that mention extraterrestrial intelligence were obviously false, the entire document dump would be discarded.
These three elements can be helpful in figuring out what will happen in the wake of the alleged state-sponsored document dumps. Assuming the leaks are from Russians and this is, in fact, a propaganda operation, the adversary knows how to deceive and does it well. They’ve done the research, they’ll choose a narrative that is mostly true and hard to disprove. Then, they’ll lie only when it really counts and the deception will be contained in a dump of mostly real information.
So what would the ramifications be? Time will tell, but if the actors are potentially trying to affect the outcome of the election, they’ll know the retaliation for the attack could be severe if the target, Secretary Clinton, becomes president.
-John Bambenek, Manager, Threat Systems
See Fidelis platforms in action. Learn how our fast, scalable Fidelis Elevate and Fidelis CloudPassage Halo platforms provide deep insights into the SOC to help security teams worldwide protect, detect, respond, and neutralize even the most advanced cyber adversaries.