To Catch A Thief: The Art of Deception Technology

Growing up as a bookish squirt with an unhealthy fascination with the advertisements in the back of Boy’s Life, I kept a dream list of all the things I wanted to buy, like a “secret book safe” that “looks like an attractive book” but is really “a combination lock safe for valuables” or a joke camera whose real purpose is to squirt someone in the eye. I kept a tally of how much allowance I’d have to save to get each one. As someone small and largely not in control of my life, I was fascinated by the idea of deception: fooling someone into underestimating me, keeping something secret, or appearing to possess some ability I didn’t. No one had to tell me that deception was a powerful tool.

Of course something like deception appealed to me as a child. According to the Theory of Deception, the way it works is that the deceiver manipulates the environment of the victim to spur the victim to take a desired action, but one the victim would be unlikely to take without the manipulation. It doesn’t require you to be bigger or more powerful, only more creative. It’s the tool of the underdog.

Human beings have been engaging in deceit forever. From the invention of smoke screens during the Peloponnesian War to Sun Tzu rocking the ancient bestseller list, people have been perfecting the strategies of subterfuge. Even the natural world is full of these examples: the modest hoverfly keeps predators off its back by looking exactly like a wasp, and domestic cats learn to make their meows sound like a baby’s cries to manipulate humans into paying attention to them.

When people hear “deception” they tend to picture crooks and scammers, but in the world of cybersecurity using trickery and ruses to protect one’s data is the new hotness. It’s an age-old tactic, but in a world where breaches are blamed on lack of power and lack of imagination, using an it-takes-a-thief-to-catch-a-thief mindset has become increasingly popular. Even Gartner has given its stamp of approval by naming the field Deception Technology.

What is it about deception technology that has security pros excited? It’s because it uses an attacker’s worst impulses against him. Magician Dariel Fitzkee breaks down how this works, using magic as a metaphor:

The true skill of the magician is the skill he exhibits in influencing the spectator’s mind. This is not a thing of mechanics. It is not a thing of digital dexterity. It is entirely a thing of psychological attack. It is completely a thing of controlling the spectator’s thinking. Control of the perceptive faculties has nothing whatever to do with it. Convincingly interpreting, to the spectator, what the senses bring to him, in such a way that the magician’s objectives are accomplished, is the true skill of the skilled magician.

Deception is about understanding the way that someone else perceives the world and manipulating their perceptions, which means it’s all in the head. No matter the tools or the ruse, deception is ultimately a brain game. The attacker’s brain vs. the defender’s brain. Even our virtual world has been built by human minds. And although our firewalls and antivirus solutions are generations ahead of where they were a decade ago, any spear-phisher will tell you that the defenses of the human mind haven’t evolved much.

Researchers, history and security geeks have long known of deception’s value in security, but enterprises are now realizing that security has to evolve beyond building walls to keep people out. Security has to get more creative.

Thinking about the psychology of an attack - and human behavior - is one of the things that most excites us here at Allure, and we’ve been thinking about these sorts of creative solutions to the technical arms race of hacking for a long time, whether it’s learning how to bait attackers into taking worthless files instead of valuable ones, how to use disinformation offensively, uncovering insider attacks, or how deception can protect your mobile device. Our techniques have also been written about by industry analysts, who have a lot of interesting things to say about deception security.

Posted by Salvatore Stolfo on Apr 18, 2016 12:00:00 AM
Salvatore Stolfo

Salvatore Stolfo is a tenured Columbia University professor, teaching computer science since 1979. He is the co-founder and CTO of Allure Security. Dr. Stolfo has been granted over 47 patents and has published over 230 papers and books in the areas of parallel computing, AI knowledge-based systems, data mining, computer security and intrusion detection systems. His research has been supported by numerous government agencies, including DARPA, NSF, ONR, NSA, CIA, IARPA, AFOSR, ARO, NIST, and DHS.