Inside a NATO AWACS plane during a patrol over Romania and Poland in 2014.

Inside a NATO AWACS plane during a patrol over Romania and Poland in 2014. AP Photo/Frank Augstein

Science & Tech

NATO Experiments With Deceptive Tactics to Lure Russian Hackers

Latest cyber wargame shows new uses for honeypots, which have worked against the Russians in the past.

Patrick Tucker

|
Patrick Tucker
By Patrick Tucker
Science & Technology Editor, Defense One

Imagine you’re a young cyber officer in the Russian military looking to break into the defended network of a NATO government. You identify a target, a person whose credentials you could steal to gain access to the network and then perhaps move from node to node, looking for sensitive information to exfiltrate. You send your target a phishing email. The target clicks the link. You’re in! But later on, you learn that the information you stole was meaningless and you may have exposed your own techniques or tools. Your adversary wanted you to succeed in the hack — to get information on you

This is the value of honeypots, a deceptive cybersecurity practice that NATO used as part of its most recent exercise, NATO Cyber Coalition, which took place in Estonia and other locations from Nov. 16 to 20.

The exercise, coordinated through Estonia’s Cyber Security Training Centre, brought in more than 1,000 participants. Previous exercises have strived to mimic real-world challenges, such as Russian hybrid warfare techniques. 

This year, “We put [out] machines that are sacrificial, that are what we call honeypots or honeynets,” said Alberto Domingo, a technical director for Cyberspace at the  NATO Supreme Allied Transform Command on a call with reporters and other observers on Friday. “The idea is that the adversary will find it easier to attack these machines without knowing and they will do that and we will be preserving the information for NATO and interacting with this adversary.”

This experiment took the concept a further than standard use of deception techniques, he said by “working with the adversary without his knowing...in order to derive: ‘what is their behavior?’”

The objective is to collect intelligence on the adversary without their being aware of it. “It’s answering the questions of who is the adversary? What type of adversary are we talking about? What do they want and what are they going to do next?” said Domingo. 

The use of honeypots by governments is a relatively recent phenomenon.

In April 2017 Deborah Frincke, then NSA’s director of research, discussed how her agency had also begun to experiment with deceptive tactics as a means of gathering intelligence on adversaries. 

During a breakfast put together by the National Defense Industry Association, Frincke said that a lot of commercially available cybersecurity software gave adversaries too much room to explore its vulnerabilities. It was too easy, she said, just to buy a copy of the software and hunt for an attack that didn’t set off obvious alarms. 

“There are ways we can get defenses right and ways we can get defenses wrong. So if you always put out a system that always tells an adversary always when they’ve beaten it, that’s probably not the most productive way to proceed. If they sometimes will get feedback that’s incorrect, deceptive, that might be a better thing,” said Frincke. She said the NSA was looking at “Where might we go in terms of understanding defenses. We might think about defensive deception, for instance.” 

Frinke said honeypots can give you a window into the adversary’s mindset. They can help answer such questions as “what will the adversary tend to do? How long will they keep at a task before they move? Can we use that to determine between a [human] adversary and an automated system?…Can we make them go away, worn out, or become indecisive? That’s getting at what is the cognitive load of the system we’re throwing at them. Can we give them a little more information that might actually be counterproductive to them, especially if it’s sometimes wrong? So you can start playing those games of what the adversary is actually doing…and think about it from a psychosocial standpoint, how much does that buy you?” 

Just a month after Frincke gave that talk, Russian GRU actors attempted to breach the presidential campaign of French politician Emmanuel Macron. But unlike the DNC in 2016, the French had advance warning that they were targets. Macron’s team set up their own honeypot defense. 

“We created false accounts, with false content, as traps. We did this massively, to create the obligation for them to verify, to determine whether it was a real account,” the campaign’s digital director Mounir Mahjoubi told the New York Times.  “I don’t think we prevented them. We just slowed them down,” Mahjoubi said. “Even if it made them lose one minute, we’re happy,”

Ian West, the chief of NATO’s Cybersecurity Centre, wouldn't say whether NATO currently employs honeypots in real-world settings. “We can’t go into what we do or don’t do in terms of our tactics,” West said. “We use every defensive means that’s available to us in order to defend our networks.”

But according to Frincke, the NSA conducted a series of internal exercises, which led to some surprising findings. “Does attacker awareness of defensive deception change its effectiveness? By and large,” she said, “it doesn’t.”

Don't miss:

NEXT STORY: US Army Wants Data Analytics to Spot ‘Emerging Tech Leaders’

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.