By: Joseph Salazar
FAIR WARNING: SPORTS TALK AHEAD.
Taken broadly, football is a game of force on force, attacker versus defender, offense versus defense. In many ways, the game of football is a battle, warfare on the gridiron, and as Sun Tzu said, “All warfare is based on deception.” The Super Bowl is the ultimate deception battlefield, a monumental game that captivates a colossal global audience every year: viewership is expected to top 170 million in 2018, and a 30-second commercial spot will cost upwards of $5 million. In almost any town that has multiple sports teams with a history of success, football rules the roost (except in New York City, where the Yankees run the town). The sport has a day of the week all to itself. So, what does this have to do with deception, one may ask? As a matter of fact, plenty.
Arguably, no other team-oriented sport incorporates as much deception into the game as does football. The defense employs deception to disguise coverages and rushes, implementing surprise blitzes and stunts to break up a play. Special teams make use of deception, faking punts and field goals to take advantage of an unprepared opponent or performing an unexpected onside kick to regain possession of the ball. Successful offenses rely on a football team’s ability to create nuanced formations at the line of scrimmage to disguise the type of play they will execute, deceiving defenses into calling the wrong coverage formation. Every team has a set of trick plays in their playbook to keep the other team off balance. The most successful teams constantly look to leverage deception tactics to dictate the flow of the game.
Comparing football with cyberwarfare, one can see that the offense (the attacker) has a number of options to outmaneuver the defense (the security team). The defense must be able to read the situation and detect the offense’s point of attack to prevent them from advancing. The offense can shift direction and employ numerous tactics to bypass static defenses. For example, an attacker could send a phishing email that is crafted to look like it comes from someone an executive knows and trusts, deceiving them into opening it and infecting their computer. Another tactic would be to dress up as a delivery person to get physical access to a receptionist’s desk computer and connect a keylogger to steal passwords. The offensive players tend to be nimbler, altering points of attack as needed, blowing or sneaking past defenders to score a touchdown. To successfully prevent the offense from scoring, it is essential for a defense to adapt to the opposing team’s ever-changing playbook. The defense can flip the script and shift to an active defense, forcing the attacker into a defensive frame of mind. How? Through deception.
As in football, deception changes the asymmetry of the attack, and in cyberwarfare the battlefield is the network. A traditional perimeter-focused security infrastructure affords an attacker an advantage because the defender lacks visibility while the threat actor only needs to find a single weak point to slip through. Deception turns this paradigm on its head, forcing the attacker to also be right all the time or risk detection.
By deploying decoys, lures, and breadcrumbs throughout the network, defenders can use deception to rapidly counter an ever-changing threat landscape instead of betting on the success of a static defense. This would be akin to a cornerback unexpectedly dropping back into coverage to intercept a ball, or a linebacker blitzing through an unprepared offensive line to sack the quarterback. The defender is where the attacker least expects him to be, tricking the attacker into attacking a target with no actual value, thwarting his game plan, slowing his ability to advance, and exhausting his resources. When the defense can force the offense to second-guess and hesitate, the advantage shifts to the defender. He can control the battlefield, force mistakes, disrupt the offense, and take over the game. Deception enables a defender to mount an active defense to gain a tactical and strategic advantage over an attacker. As in football, a successfully executed dynamic defense tricks the offense into making mistakes and, ultimately, losing the game. As legendary football coach Paul “Bear” Bryant said, “Defense wins championships.” With deception, this can be true for cybersecurity as well.