Air Force pursues advanced 'deceptive' cybersecurity tactics

The Air Force is working with industry to develop cybersecurity techniques that deceive and track attackers and intruders with techniques designed to confuse and gather information about the malicious actors.

The service has begun a two-year public-private agreement with Galois, a private firm specializing in cybersecurity and IT dynamics.

The partnership is employing a number of next-generation practices such as the use of deceptive techniques designed to lure and track cyber-attackers.

Senior Air Force cybersecurity experts often emphasize that advanced techniques are increasingly in demand as adversaries become more sophisticated with their attacks.

“We have to be aware that there are dangers out there. The adversary is constantly evolving, changing and trying to get into our systems and exfiltrate information,” said Peter Kim, Air Force Chief Information Security Officer.

Galois executives talk about it as a broadened or more sophisticated version of a “honey pot” tactic which seeks to create an attractive location for attackers – only to glean information about them.

“Honey pots are an early version of cyber deception. We are expanding on that concept and broadening it greatly,” Adam Wick, research lead at Galois told Defense Systems in an interview.  

A key element of these techniques uses computer automation to replicate human behavior in order to confuse a malicious actor hoping to monitor or gather information from traffic going across a network.

“Its goal is to generate traffic that misleads the attacker, so that the attacker cannot figure out what is real and what is not real,” he added.

The method generates very “human” looking web sessions, Wick explained. An element of this strategy is to generate automated or “fake” traffic to mask web searches and servers so that attackers do not know what is real.

“Fake computers look astonishingly real,” he said. “We have not to date been successful in always keeping people off of our computers. How can we make the attacker’s job harder once they get to the site, so they are not able to distinguish useful data from junk.”

Using watermarks to identify cyber behavior of malicious actors is another aspect of this more offensive strategy to identify and thwart intruders.

“If we see data with these watermarks, we know someone was sniffing on those networks. We can generate documents with known signatures to help discover advanced persistent threats,” Wick explained.