Fraud and deceit – deception techniques used in nature are copied in cyberspace

Entrapment, fraud and deceit happen everywhere – plants and animals have the required abilities. Lying and deceit are everyday events and occur in an infinite number of forms. The techniques used by various species can be used to deceive attackers in cyberspace.

Defensive mimicry [Huheey] occurs among plants and insects in particular. A familiar example from the natural world is the hoverfly, whose colouring mimics that of bees, wasps or hornets. In the natural sciences, this is known as Batesian mimicry, which involves a mimic and a mimicry model. Through evolution, a harmless and defenceless species develops warning signals that resemble those of another species and are aimed at the enemies of both the mimic and the model. Alternatively, similarity can attract pollinators that normally pollinate other species with a certain appearance. In the case of Müllerian mimicry, dangerous species such as wasps and hornets appear to mimic each other. Other, similar examples can be found. Around 300 spider species have been identified around the world which, to predators, resemble bad-tasting ants found in the same environment. In addition, some cricket species, such as Macroxiphus, resemble ants.

Camouflaging is another form of deception found in nature. This involves a species evolving over time to resemble its normal environment, or evolution enabling a species to change its appearance to blend in with its surroundings. Good examples of the first group are the mossy leaf-tailed gecko (Uroplatus sikorae) which resembles a tree trunk and Ctenomorphodes chronus which looks like a eucalyptus twig. The chameleon is an example of the second group. Some species, such as the Burmeister’s leaf frog (Phyllomedusa burmeisteri), can play dead when threatened while others, like the viviparous lizard (Zootoca vivipara), can break off a piece of their tail.

Over millions of years, many organisms have evolved to mimic the appearance, sound, or other features of other species, or are able to fool predators in other ways, such as by playing dead. However, they do not practise deception voluntarily: their fraud and deception are the results of evolution. This is because looking, for example, more dangerous than they really are helped their ancestors to survive and therefore reproduce.

Some animals also deceive and mislead others voluntarily. Cats arch their backs to look bigger when they feel threatened, and fork-tailed drongos (Dicrurus adsimilis) can make a range of noises [Kettunen]. This species can mimic the warning sounds of over 45 other species in order to drive them away from their food, before taking the food themselves. Gorillas can use unfair tactics to fool others in children’s games. Tufted capuchins (Cebus apella) have a strict hierarchy, based on which those with the highest status eat first. These intelligent monkeys use calls to warn fellow tufted capuchins that danger is approaching.

Forms of deception are unlimited

How do these issues relate to computers and the digital world? In his dissertation, James Yuill [Yuill] has defined cyber deception as follows: planned actions taken to mislead attackers and to thereby cause them to take (or not take) specific actions that aid computer-security defences. You can hear and see more about these topics in our webinar (on VTT’s website) and in our following blog posts on the subject.

Lying and cheating are commonplace among people, and they take an unlimited number of forms. On first dates, people often try to create the best possible impression by omitting certain matters or telling small white lies. When travelling, we may use fake wallets in case of pickpockets [Väisänen]. Advertising and marketing are continuously used to deceive people. Think about how great products look on television, in magazines, or online. Your image of the product may change completely when you buy it and actually start using it. In practice, deception has always been a part of war, even if the forms it takes and the techniques used have changed somewhat over time. Everyone is sure to remember the Trojan horse, but what about the inflatable tanks the Ghost Army used to deceive the enemy during the Second World War [Suikkanen]? Armies continue to use inflatable vehicles for the same purpose.

In cyberspace, the same techniques from the animal world or other walks of life can be used to deceive opponents or, more accurately, attackers. We can manipulate the system we are defending to look other than it is, draw attackers into various traps, make our system appear vulnerable or broken, or even try to scare attackers off in various ways.

 

Teemu Väisänen

Research Scientist, Cyber Security VTT
teemu.vaisanen(a)vtt.fi
http://.vtt.fi/cybersecurity

 

[Huheey] James E. Huheey, “Studies in Warning Coloration and Mimicry. VII. Evolutionary Consequences of a Batesian-Müllerian Spectrum: A Model for Müllerian Mimicry”, Evolution, Vol. 30, No. 1 (Mar., 1976), pp. 86-93.
[Kettunen] Niko Kettunen, “Sieppodrongon kielitaito ei rajoitu pakkomangustiin”, HS Tiede, https://www.hs.fi/tiede/art-2000005010185.html
[Väisänen] Teemu Väisänen, “Kyberansojen ja -harhautuksien 101 (lyhyt versio)”, VTT blog, https://vttblog.com/2017/11/16/kyberansojen-ja-harhautuksien-101-lyhyt-versio/
[Suikkanen] Päivi Suikkanen, “Historia: Haamuarmeija”, 25.09.2014, https://yle.fi/aihe/artikkeli/2014/09/25/historia-haamuarmeija
[Yuill] James Joseph Yuill, “Defensive Computer-Security Deception Operations: Processes, Principles and Techniques”, PhD dissertation, North Carolina State University, https://repository.lib.ncsu.edu/bitstream/handle/1840.16/5648/etd.pdf

Fraud and deceit – the deception techniques used by animals recur in cyberspace

Entrapment, fraud and deceit happen everywhere – plants, animals and people alike know how to do it. Lying and deceit are everyday occurrences, and they take an unlimited number of forms. In cyberspace, too, techniques seen in the animal world can be applied to deceiving attackers.

We can modify our system to look like something else, make it look vulnerable, or lure attackers into traps with bait. Defensive mimicry [Huheey] occurs especially among plants and insects. From the animal world, hoverflies may come to mind, whose colouring resembles that of a wasp, bee or hornet. In the natural sciences, the terms used for this are Batesian mimicry, mimicry and the mimicry model. In it, a defenceless species has evolved so that its warning signals resemble those of another species, which are aimed at the enemies of both species. On the other hand, the resemblance can attract pollinators, for instance, that normally pollinate other species with a certain appearance. There are other similar examples as well.

Another form of deception found in nature is camouflage. In it, a species has evolved over time to look like its normal environment, for example, or evolution has even made it possible to change appearance to suit the surroundings. Over millions of years, many organisms have evolved so that they appear to mimic the appearance, sounds or other features of other species, or to be able to fool predators. However, they do not deceive voluntarily; the means that look like fraud or deception are the results of evolution. The reason is that, for example, looking more dangerous than one really is has helped them to stay alive and thus also to reproduce.

Some animals also deceive and mislead voluntarily. Cats arch their backs to look bigger when they feel threatened, and fork-tailed drongos (Dicrurus adsimilis) have versatile vocal skills [Kettunen]. They can mimic the warning calls of over 45 other species in order to drive others away from food and get the food for themselves. Gorillas can cheat by using unfair tactics in children’s games. Tufted capuchins (Cebus apella) have a strict hierarchy in which those of high rank always get to eat first. These intelligent monkeys can warn their fellows of danger with calls. Lower-ranking capuchins also raise false alarms to drive higher-ranking ones away from food. Sometimes they lie about the location of hidden food by pointing to the wrong place, or do not mention it at all. Geladas (Theropithecus gelada), in turn, may cheat on their partners and try to hide it from them.

Forms of deception are unlimited

How do these issues relate to computers and the digital world? In his dissertation, James Yuill [Yuill] has defined cyber deception as follows: actions planned to protect systems, which mislead attackers so that they take or refrain from taking certain actions.

In cyberspace, the same techniques seen in the animal world or elsewhere can be used to deceive opponents or, perhaps more accurately, attackers. We can modify the system we are defending to look like something other than it is, lure attackers into various traps, make our system look vulnerable or broken, or even try to scare attackers off in various ways.

As for us humans, lying and cheating are everyday matters. The forms are unlimited. We try to give the best possible impression of ourselves on a first date by leaving things unsaid, or when travelling we may use decoy wallets in case of pickpockets [Väisänen]. When you buy a product and get to use it, your image of the product may change completely from how it looked on television, in an advertising leaflet or online. In wars, deception and diversion have practically always been used – the forms and techniques have merely evolved somewhat over time. The Trojan horse surely comes to everyone's mind, but in the Second World War, for example, the inflatable tanks of the Ghost Army [Suikkanen] were used to try to deceive the enemy. Armies still use inflatable vehicles for deception.

You can hear more about cyber security in our webinar presentation and in our following blog posts on the subject.

Teemu Väisänen

Research Scientist, Cyber Security VTT
teemu.vaisanen(a)vtt.fi
http://.vtt.fi/cybersecurity

 

[Huheey] James E. Huheey, “Studies in Warning Coloration and Mimicry. VII. Evolutionary Consequences of a Batesian-Müllerian Spectrum: A Model for Müllerian Mimicry”, Evolution, Vol. 30, No. 1 (Mar., 1976), pp. 86-93.
[Kettunen] Niko Kettunen, “Sieppodrongon kielitaito ei rajoitu pakkomangustiin”, HS Tiede, https://www.hs.fi/tiede/art-2000005010185.html
[Väisänen] Teemu Väisänen, “Kyberansojen ja -harhautuksien 101 (lyhyt versio)”, VTT blog, https://vttblog.com/2017/11/16/kyberansojen-ja-harhautuksien-101-lyhyt-versio/
[Suikkanen] Päivi Suikkanen, “Historia: Haamuarmeija”, 25.09.2014, https://yle.fi/aihe/artikkeli/2014/09/25/historia-haamuarmeija
[Yuill] James Joseph Yuill, “Defensive Computer-Security Deception Operations: Processes, Principles and Techniques”, PhD dissertation, North Carolina State University, https://repository.lib.ncsu.edu/bitstream/handle/1840.16/5648/etd.pdf

Learning about information security – the hard way or through anticipation and practice?

Information security is an increasingly important part of the lives of private individuals, companies and organisations alike. You can learn secure practices and ways to minimise threats in many ways. However, it is important to consider what you would need to learn and how you can best learn those particular matters.

The least you can do is learn from your own mistakes. When an information security threat is realised, it is important that, once the dust has settled, you analyse the situation. You can then draw conclusions from this analysis and improve your contingency planning in the future. Unfortunately, often such learning experiences become costly (technical repairs, penalty charges, claims for damages, trials) and awkward (reputation) for companies. The forthcoming EU General Data Protection Regulation (GDPR) may further increase the price of such lessons.

Learning from mistakes made by others is often cheaper and far less stressful. Therefore, it is important to follow media coverage related to information security within your sector and collect additional information on interesting cases and cases that best coincide with your own operations. It is also advisable to go through such coverage more extensively with the persons or parties who might have the most to learn from the cases.

Generally speaking, an organisation’s activities should be based on rational risk analysis and on measures applied to the most important or biggest identified risks; threats related to information security are only part of the overall picture. The measures needed may include technical and financial measures, and steps related to the organisation’s processes. Even in a major organisation, information security may depend on the actions of an individual IT system user. Basic information security skills belong to everyone; they may not yet be part of general knowledge, but they certainly will be in the future. When the foundations are in order, each organisation can build its own information security guidelines and practices on top of them.

Training is useful, but it must not be the only way of trying to address information security threats. In a well-functioning information security system, technical tools support the users, help them operate correctly, and are capable of containing damage when a user makes a mistake. Despite all training, mistakes do happen – that is only human. This is good to acknowledge at all levels of the organisation. Many companies consider cyber threats a serious problem for themselves, but very few of them have provided sufficient training to their employees or practised how to operate under an imagined cyberattack situation.

This is clearly problematic, because practising is an important part of learning. Without training and practice, it may be difficult for employees to understand why any cyberattacks would be targeted against them, what kind of attacks could be launched against companies through the mistakes they might make, and what kind of consequences these might have for the company. Practising as realistically as possible is one of the best ways to learn the operating models that best serve your own needs and those of your organisation, and to find potential weaknesses before the damage is done. Persons at every level of an organisation should practise against cyber threats.

Naturally, the content of training and practising is different for people working at different levels of the organisation, and therefore a wide range of training is provided. The courses and exercises may focus on a single theme only, such as how to limit the amount of data in public services that can be used for attacks or how to detect social manipulation. They can also teach the use of technical monitoring tools of various systems or how to conduct digital criminal investigations. Training can be given in the form of lectures or it can be hands-on training at the keyboard. The exercises are not always targeted at the staff of a single organisation only: people can also practise communication both within organisations and with external actors, and cooperation between different organisations. This may include communication with information security companies, customers, partners and the National Cyber Security Centre Finland of the Finnish Communications Regulatory Authority (FICORA). The largest exercises may involve several countries and organisations operating in them.

Of course, no kind of training can guarantee 100% functional protection against different attacks. And no technology can prevent all cyber threats. However, staff with good basic skills provide better protection against many attacks, and an organisation whose people have practised handling crisis situations is better able to manage the consequences of a possible serious data breach than one that has not made any such preparations. It is important that you keep your organisation’s competence and contingency planning at a sufficient level in the changing threat environment. You should also learn these things by practising them in advance rather than the hard way after a major crisis.

Download our new cyber security report for free and get acquainted with how companies can raise their cyber security level and protect themselves against cyber threats.

Kimmo Halunen
Senior Scientist
Twitter: @khalunen 

Teemu Väisänen
Research Scientist

When the cyber weather forecast gets gloomy, everyone should get prepared

In modern society, computers are embedded everywhere and automation affects our daily lives in several ways. Networked computers control even the most critical infrastructures, such as electricity, water distribution, and traffic. Our dependency on these networks also brings risks: we are more vulnerable than ever to cyber attacks. At worst, cyber threats spreading via computer networks could weaken or even cripple our society.

In order to maintain cyber safety, professionals in various industry domains should get diverse training. Learning new skills makes it possible to prevent potential cyber attacks. It also helps to detect spying attempts against critical corporations and civic functions.

Dark clouds hanging from the cyber sky

Cyber weather is revealed, for example, via active alerts on the Finnish Communications Regulatory Authority’s web site. Cyber weather is said to be unstable, for example, when the following warnings are in effect:

  • denial of service attacks
  • blackmailing malware
  • infected office files
  • spying attempts
  • hoax and scam messages

Ultimately, whether citizens get their electricity, clean water, fuel, heating, groceries, medicine, and other vital commodities regardless of the current cyber weather depends on the skills of the stakeholders in charge of infrastructure services.

That being said, everyone should get personally prepared. In unstable cyber weather you shouldn’t trust even the messages coming from known business partners. MS Office attachments from a familiar company can contain PowerShell commands added by an attacker. In such a case, even the high-quality security procedures of your company do not necessarily warn you.

Hopefully the thunder and the rain will quietly pass you by. After the threats have been investigated and neutralized, you can start to trust your business partners again.

Uncertainty is the new normal

We are already living under a constant threat of communication malfunctions and cyber security threats. Uncertainty has become the new normal. Only those who take this seriously are safe. It is risky to trust those who don’t care about security.

The infrastructure takes daily hits from cyber spying. Motives for spying vary: crippling computer networks, infiltrating electricity network control systems, blackmailing hospital personnel, or breaking into real estate remote management systems.

After spying attempts it becomes possible to actually enter the critical systems. Even the most secure systems can be hacked, if enough time and resources are available. Bad guys have the most modern attacking tools and services at their disposal, especially if the target is financially interesting enough for blackmailing.

The attacks are also tailored to match the security systems and processes of the target. Focused attacks take advantage of any procedures that bypass the company’s firewalls. They can utilize, for example, employees’ privately used devices.

Better safe than sorry

Investment in cyber security skills development is needed at all levels. Naturally, the stakeholders of our most critical infrastructures and their know-how play a key role. However, it is also necessary to ensure enough resources for various officials and to support co-operation between them. Parliament, too, should understand these widespread security issues.

When the topics are as severe as those mentioned in this blog post, it does not hurt to get prepared for the worst. If a serious cyber attack broke through our protective layers, what would happen and what should we do? Pre-emptive planning is at the core. For example:

  • carrying out cyber security testing for industrial systems
  • investing in critical backup systems
  • identifying and preventing illegal spying and attacks
  • countermeasure training and management

The weakest link can cause all protective layers to tumble. That is why development and pre-emptive actions must take place on all fronts. In any weather conditions, better safe than sorry.

Download our free report on cyber security and learn how to protect your organisation and defend against security incidents.

Pasi Ahonen
Principal Scientist