George Finney, CSO for Southern Methodist University and the author of No More Magic Wands: Transformative Cybersecurity Change for Everyone.
The University of Michigan was in the midst of a blowout against Rutgers University during the 2015 football season. In the second quarter, Michigan was leading 35 to 13 and had just intercepted the ball and was beginning to march back downfield. It was second down with seven yards to go. The offense huddled to discuss the upcoming play, while several players left the field and a few new ones were swapped in to take their places. Tight end Jake Butt followed the players leaving the field, but stopped just short of the sidelines and lined up as a wide receiver. The play began and Butt was wide open, running for 56 yards before being stopped just short of a touchdown.
Michigan coach Jim Harbaugh was no stranger to trick plays. Prior to Michigan, Harbaugh was the coach of the San Francisco 49ers. In the final game of the 2011 season, the 49ers were down 10-3 on fourth down in the third quarter. Harbaugh called a timeout and began yelling at his offensive line. From the outside, it looked like he was preparing his players for an all-out run, putting it all on the line to stay in the game. It was just a show. Harbaugh called a play action pass, and the 49ers went on to win the game 19-17.
Deception is a natural part of sports. Players learn to juke, feint, bluff or run gambits, and playbooks are full of trick plays designed to outwit opponents. Deception is also a natural part of cybercrime. But just as cybercriminals have adopted deception as a technique against their victims, individuals, communities and corporations can follow suit, using deception to protect themselves against cybercriminals.
Deception is a valuable way of validating identity, of detecting unexpected activity and of preventing malicious activity before it succeeds. By its very nature, deception means that we must embrace unpredictability, and unpredictability, in turn, decreases the chances of becoming a victim of a cybercrime: an attacker who cannot tell what is real from what is a trap has to work harder and is more likely to give themselves away.
Unpredictability requires effort. In his book The 48 Laws of Power, Robert Greene writes that although humans, unlike animals, have the power to break out of routines, most prefer the comfort of repeating actions that require no effort. When we train people to answer password challenge questions, for example, we tell them to lie. If a challenge question asks what city you were born in or what your favorite restaurant is, you can make up something completely unrelated, like Snowy Porcupine, as your response; the true answers to such questions are often public or easy to research, which is exactly why the lie is stronger. Having a prepared answer for a challenge question requires preparation and planning. It requires a system for keeping track of your own deceptions, such as storing the fabricated answer next to the password for that account in a password manager rather than trying to remember it.
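One way to run such a system of deliberate lies, as an added example that is not from the original article: generate each challenge answer from a CSPRNG, measure how much guessing entropy it carries, and record it in a vault keyed by site and question, refusing to reuse an answer anywhere else. The word lists and vault contents here are constructed and deliberately tiny; a real deployment would draw from a large list such as the EFF diceware list and keep the record in a password manager.

```python
"""Fabricated challenge-question answers, tracked deliberately.

Added example, not code from the original article. Word lists and vault
entries are constructed for illustration; sizes are far too small for real
use and exist only to keep the example readable.
"""
import math
import secrets

# Constructed, deliberately small word lists; answer entropy scales with their size.
ADJECTIVES = ["snowy", "copper", "silent", "crooked", "velvet", "amber", "hollow", "brisk"]
NOUNS = ["porcupine", "lantern", "harbor", "kettle", "falcon", "meadow", "anvil", "compass"]


def make_answer(adjectives=ADJECTIVES, nouns=NOUNS):
    """Return a random 'Adjective Noun' answer drawn with a CSPRNG (never random.random)."""
    return f"{secrets.choice(adjectives).title()} {secrets.choice(nouns).title()}"


def answer_entropy_bits(adjectives=ADJECTIVES, nouns=NOUNS):
    """Guessing entropy of one answer drawn uniformly from these lists.

    With the 8x8 constructed lists this is only 6 bits; two words from a
    7776-word diceware list would give about 25.8 bits.
    """
    return math.log2(len(adjectives) * len(nouns))


def record_answer(vault, site, question, answer):
    """Store the lie next to the account it belongs to.

    Refuses to reuse an answer for any other (site, question): a reused fake
    answer is a shared secret that one breach exposes everywhere, the same
    failure mode as a reused password.
    """
    for other_site, entries in vault.items():
        for other_question, existing in entries.items():
            if existing == answer and (other_site, other_question) != (site, question):
                raise ValueError(f"answer already used for {other_site!r}; generate a new one")
    vault.setdefault(site, {})[question] = answer
    return vault


def enroll(vault, site, questions):
    """Generate and record a distinct fabricated answer for each question at a site."""
    for question in questions:
        while True:
            candidate = make_answer()
            try:
                record_answer(vault, site, question, candidate)
                break
            except ValueError:
                continue  # collision with an existing lie; draw again
    return vault[site]


if __name__ == "__main__":
    vault = {}
    print(enroll(vault, "bank.example", ["City of birth?", "Favorite restaurant?"]))
    print(f"{answer_entropy_bits():.1f} bits per answer with the toy lists")
```

The vault is an ordinary dict here so the logic is visible; the point is that the fabricated answers are written down somewhere encrypted and looked up when challenged, not memorized.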
Today, honeypot technologies allow companies to set up deception-based networks automatically, and they are no longer limited to creating virtual computers. They can create fake accounts that no one should ever log in to, fake tokens that no legitimate process should ever use, and virtual customer sessions that no one should be able to access. Many honeypot technologies are detective in nature: they act like a tripwire, and because a decoy has no legitimate use, any interaction with it is a high-fidelity signal that someone has gone where they shouldn't and should set off alarm bells. But they can be used for other reasons as well. TrapX Security is a great starting point.
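The tripwire logic behind decoy accounts and tokens, as an added example that is not the article's or any vendor's code: a scanner that reads newline-delimited JSON events and alerts on any contact with a decoy account, API key or file. The event schema, the decoy inventory and the log lines are all constructed for illustration; in practice the same check would sit on the identity provider's or SIEM's event stream.

```python
"""Honeytoken tripwire: alert on any use of decoy accounts, keys or files.

Added example, not code from the original article or from any deception
product. Event format, decoy names and log lines are constructed.
"""
import json
from dataclasses import dataclass

# Constructed inventory of decoys. None of these has a legitimate user, so
# there is no allowlist: every interaction is an alert.
CANARY_ACCOUNTS = {"svc-backup-legacy", "j.doe-admin"}
CANARY_API_KEYS = {"canary-key-7f3a91"}
CANARY_FILES = {"/shares/finance/payroll_2015.xlsx"}

# Constructed JSON log lines, one event per line, including one malformed line.
SAMPLE_LOG = """\
{"type": "auth", "user": "alice", "outcome": "success", "src": "10.0.4.12"}
{"type": "auth", "user": "svc-backup-legacy", "outcome": "failure", "src": "10.0.9.77"}
{"type": "auth", "user": "svc-backup-legacy", "outcome": "success", "src": "10.0.9.77"}
{"type": "api_call", "key_id": "prod-key-11c0", "action": "ListBuckets", "src": "10.0.4.12"}
{"type": "api_call", "key_id": "canary-key-7f3a91", "action": "ListBuckets", "src": "203.0.113.5"}
{"type": "file_access", "path": "/shares/finance/budget.xlsx", "user": "bob", "src": "10.0.4.30"}
{"type": "file_access", "path": "/shares/finance/payroll_2015.xlsx", "user": "bob", "src": "10.0.9.77"}
this line is not json
"""


@dataclass(frozen=True)
class Alert:
    decoy_type: str
    indicator: str
    src: str
    detail: str


def check_event(event):
    """Return an Alert if the event touches a decoy, else None.

    A failed login to a canary account still alerts: the decoy's value is
    that nobody legitimate would even try, so attempts reveal enumeration or
    password spraying before anything succeeds.
    """
    kind = event.get("type")
    src = event.get("src", "unknown")
    if kind == "auth" and event.get("user") in CANARY_ACCOUNTS:
        return Alert("account", event["user"], src, f"login {event.get('outcome')}")
    if kind == "api_call" and event.get("key_id") in CANARY_API_KEYS:
        return Alert("api_key", event["key_id"], src, event.get("action", ""))
    if kind == "file_access" and event.get("path") in CANARY_FILES:
        return Alert("file", event["path"], src, f"opened by {event.get('user')}")
    return None


def scan_log(text):
    """Parse newline-delimited JSON and collect alerts.

    Malformed lines are skipped so one bad record cannot disable the tripwire.
    """
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = check_event(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


def sources_touching_decoys(alerts):
    """Pivot alerts by source address: one host hitting several decoy types is
    a strong sign of lateral movement rather than a typo."""
    by_src = {}
    for alert in alerts:
        by_src.setdefault(alert.src, set()).add(alert.decoy_type)
    return by_src


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(f"ALERT [{alert.decoy_type}] {alert.indicator} from {alert.src}: {alert.detail}")
    print(sources_touching_decoys(found))
```

Note what is absent: there is no threshold, no baseline and no exception list. That is the whole appeal of decoys as a detection source, and it is also why the inventory itself must be protected and kept out of places (ticket systems, wikis, chat) where an attacker could read it and learn what to avoid.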
Modern deception technologies allow security teams to create and recreate whole deception networks in real time. They can extend into cloud environments, where security teams often lack visibility. They can be used to visualize an attacker's path into the network and provide greater insight into their capabilities or motives. And they can lure attackers away from where the important data really is. But they can also go too far, alienating the very users they are meant to protect.
Using deception in the office or in sports requires you to strike a careful balance. In the Michigan game, Butt was called for a 15-yard penalty and the 56-yard gain was walked all the way back. The penalty was called for a "substitution with the intent to deceive." The NFL rulebook contains a whole section called "unfair acts," and the trick play that Harbaugh designed was almost exactly as it is described in the unfair acts section. It turns out that, although most offensive plays are intended to deceive the defense, Harbaugh crossed that line. How do you know when you've crossed the line?
I’ve learned the hard way using simulated phishing campaigns on my campus. It’s easy to create a fake email that looks like a legitimate business email. While it’s true that hackers don’t have to follow rules, security teams need to ensure they don’t go too far when “tricking” their users. We always send an email a week or two in advance of a campaign to give people a heads-up. As security practitioners, we need our users to trust us. Ultimately, using deception should create more trust with the business, not less.