Cyber Security: Using Cyber Deception to Fight Off Our Attackers — Who is Our End of Level Boss?

Rob Black
Mar 31, 2023

Guy bashing big screen tv with a chair

Too often cyber security takes a technology-centric view of threat actors and their techniques, but threat actors are humans too! They have to make decisions, feel things, get excited or irritated and deal with a range of different emotions when they are doing what they are doing. Do they get panicked or frightened? Do they get a rush of excitement when they gain access to a system or when a tool of theirs finds something interesting? Do they get the buzz of the chase? If you have answered yes to any of the above, then why do we never seem to consider the decisions and emotions of the cyber attacker and how we can use them to our advantage as defenders?

Forcing the attackers to ragequit

Kid Screaming with Rage at Computer

If we look across to the computer games industry, there are lessons we could learn and opportunities we could explore that may help us in our cyber defence fight. There has been a lot of discussion about the concept of “rage quitting”, and some game designers even take great pride in developing stages of games that are so frustratingly difficult, or almost impossible to win, that players quit the game when they are about to lose or feel they are going to lose.

Cartoon showing a player throwing his controller at the screen in rage

You can even watch videos on YouTube of people getting so frustrated that they damage their screens, keyboards, their properties or themselves as they ragequit (https://www.youtube.com/watch?v=1SdtvZ-Lrh0 — be warned, bad language and violence included!)

So could we not bring this thinking across into cyber security and get the attackers to ragequit? How can we design our cyber security defences and present a series of different stages to the attacker as they progress through our networks and systems, such that they get a sense that they are losing and want to throw their keyboard through the screen? We can bring in concepts of psychology and behavioural economics and integrate them into our technical fight, just as game designers bring them into computer game design. We can give the attackers the equivalent of in-game end of level bad guys and impossible challenges to face. We can design in challenges that get them frustrated and cause them to consider giving up, and get them to think that surely there are easier targets out there. We can get them to question how good their skills are, to doubt their own abilities, or to question the competencies or motivations of their team mates.

Who is Our End of Level Boss?

There is so much more we can do to explore this space and make our networks so much more frustrating for our attackers. Who do you want to be in this fight? Do you want to be the person who sweeps up the mess after the attackers burst through, or do you want to be an in-game end of level boss taking on the attackers and frustrating the hell out of them?

Mario facing a giant end of level boss

All of this can be enabled and achieved through the use of deception in cyber defence.

Early stages of thinking on designing defences for cyber deception that exploit the cognitive space can be seen at:

Ashenden, D. et al. (2021), Design Thinking for Cyber Deception, Proceedings of the 54th Hawaii International Conference on System Sciences. https://scholarspace.manoa.hawaii.edu/items/1a433b5b-6682-4faf-a3c8-808960ef575c

To discuss this further or explore what might be useful, feel free to get in touch!

Rob Black

UK Cyber 9/12 | Cyber Deception | Educator | Facilitator | Commentator