I recently finished reading Reverse Deception: Organized Cyber Threat Counter-Exploitation by Bodmer, Kilger, Carpenter, and Jones. When I purchased the book, I was a little hesitant because of the current and former positions the authors have held. I know that, with topics such as those in this book, the pre-publication review process has the potential to significantly limit the interesting bits that can be included. However, the general book description and my interest in Psychology pushed me over the edge to purchase the book anyway. While I’m generally happy with the book, I think the back cover was slightly misleading regarding the level of technical material in the book. I don’t think it detracted from the book, but the primary focus is a high-level conceptual overview of the topics at hand.
The foreword and chapter 1 do a great job of setting the groundwork for the rest of the book. For those with absolutely no Intel/CI background, this is a great description of the major topics in the book. For me, one of the most important points is that deception is not simply about deceiving the adversary. Instead, deception is most beneficial if you can alter the adversary’s actions in such a way that they play to your benefit. I was definitely glad to see the reference to APTs as a WHO and not a WHAT (but, more on that later…), as well as the differentiation between APTs and PTs. Chapter 1 finishes up with short descriptions of a variety of purported APT campaigns and classifies each according to the 9 proposed characteristics that can be used to determine if you’re potentially dealing with an APT. Those characteristics are objectives, timeliness, resources, risk tolerance, skills and methods, actions, attack origination points, numbers involved in the attack, and knowledge source. Whether or not you’re able to discern those characteristics will depend on numerous factors.
Chapter 2 moves into some of the psychological background of deception and introduces a variety of maxims and biases to keep in mind while exploring deception. These help ensure a deception operation is carried out successfully and to its maximum effectiveness. I was particularly interested in the glass half-empty/half-full paradigm. The authors start with possible reasoning for both standard answers and then move on to the “totally-full” option. Beyond that, the authors propose two more potential solutions to the problem, but the basic premise is to show how bias can potentially destroy an effective deception.
Chapters 3 and 4 provide a great introduction to counter-intel fundamentals and apply those to the cyber realm through the 9 characteristics mentioned above, providing guidance on determining each characteristic and some basic tools that can be used to do so. The authors examine the 19 competencies identified and published by the Office of the National Counterintelligence Executive (NCIX). One interesting point the authors make is that the U.S. is the only known country to have publicly published such a study. The second primary topic of these two chapters is profiling. Again, there’s a historical description of criminal profiling and a good explanation of the fundamentals, followed by a description of how these apply to activities online. One of the great things about this book is that there are plenty of references given to read more about almost every topic covered in the book.
Oh, if you want to be able to ever have a chance at doing anything mentioned in the second half of the book, make nice with your organizational lawyers, become friends, explain things to them, and perhaps grab them a coffee every now and then. That’s chapter 5.
The remainder of the book focuses on designing and implementing an operational deception within your organization. The primary tool discussed for doing so is a honeypot/honeynet. The authors focus on following the principles described earlier in the book in order to implement an effective deception operation. The authors use a variety of altered case studies to demonstrate how a deception can be implemented and the potential effect of doing so. In my opinion, not many organizations have a mature enough security program (or business relationships…) to be able to implement the proposed measures, let alone effectively. That doesn’t discount the methods and techniques, but most shouldn’t expect to be able to immediately apply the principles in the book. Perhaps starting with some of the easier steps (such as planting decoy documents for detection) would be a good first step for most.
The only real complaint I have with the book is the use of one term. In the first paragraph, I noted that the authors clearly stated that APT isn’t a what: not a specific piece of malware, tool, etc. However, several times throughout the book, I noted terminology that suggested otherwise. For instance, the authors use statements such as “…to assist the APT maintain access”. I also remember, though I failed to note the specific quote, a statement about sending an APT. I’m not sure if this is a product of multiple authors, but it was enough to pick up on the potential for different views throughout the book. I would have preferred if the views had been explicitly stated.
Overall, I think the book is a worthwhile read for anyone interested in Psychology, new to Intel/CI or adversary research, or professionals looking for options for potentially implementing an operational deception in the workplace. As noted, the book provides a great introduction and a plethora of references for further research on the topic. If you’re looking for a playbook for implementation, this isn’t it, though I’m not sure that exists. If you want a framework to consider during implementation, this will be a good read.
Side note: I didn’t go straight through all the chapters because there have already been a couple of great reviews of the book that present an overview of the specific topics discussed throughout the book.