Capture the flag exercises show how quickly attackers can learn a new network environment to reduce their noise levels and evade detection. This puts pressure on detection defenses in the first few hours or days, when attackers are likely to be noisier. This concept is known as the ‘knowledge gap’ and is often a key element in war games and cyber exercises. As an attacker or adversary learns more about your environment, they reduce their knowledge gap and become more effective and evasive. The knowledge gap concept has also been applied to the shortage of cyber security talent and open positions, and to boardrooms that lack an understanding of cyber security and risk.
The knowledge gap hypothesis was originally proposed by three University of Minnesota researchers in 1970 to explain that knowledge, like other forms of wealth, is often differentially distributed throughout a social system. Their research reviewed the impact of mass media and how groups of differing socioeconomic status tend to acquire information at different rates, creating a knowledge gap. In traditional or cyber warfare, reconnaissance is an important skill: knowing about a desired target before and during an attack reduces the attacker’s knowledge gap and helps them execute the attack effectively.
So how can we increase the knowledge gap against attackers?
Knowing what attackers desire provides the opportunity for an active defense to lure, detect, and defend. Deception defenses provide lures or breadcrumbs of desired information to attract attackers to decoys with highly interactive services designed to engage them. To be effective, deception defenses need to be as realistic as possible so that they consume the attacker’s time, and dynamic in nature so that they expand the knowledge gap against attackers. The more attackers engage with and learn about a deception layer, the less they know about real assets, resources, and your data.
As noted in the beginning, capture the flag exercises show how quickly attackers can learn a network environment to reduce noise levels and evade detection. Fidelis Cybersecurity recently completed a capture the flag exercise in which over 50 white-hat hackers were challenged to find five pieces of information to solve the challenge. The exercise included a deception layer with a variety of breadcrumbs and decoys. Below is a chart showing the five phases of the exercise and how the number of commands fell even as the challenges became increasingly technical.
The chart shows that the first challenge averaged 600 commands to find a piece of information on an infected system, which was provided to challengers as their point of entry for the exercise. Over the course of the five phases, as the knowledge gap decreased, white-hat hackers reduced their effort to just 14 commands on average for the fifth and most challenging piece of information.
Interestingly, a mission brief was provided to participants before the challenge began, with key information on how to obtain the first piece of information. Those who read the brief clearly showed that their research paid off, averaging fewer than 100 commands to obtain the first piece of information. However, even those who ignored the mission brief had significantly reduced their noise level and visibility by the fifth challenge.
What we learn from the exercise and the knowledge gap concept is that attackers become quieter and harder to detect over time. Therefore, early detection is critical, when attackers are the most exposed and still learning a new network environment. We can extend the knowledge gap against attackers with dynamic and intelligent deception defenses that engage attackers to divert and slow down their attacks, buying defenders critical time.
In the next blog in this series we will address popular deception decoys and breadcrumbs from the capture the flag exercise.