Deception Tree Model for Cyber Operation

Abstract

Modern cyber operations are evolving from direct attacks and defense to complex cyber operations that involve deception. As deceptions is included in cyber-attacks and defenses, elements should be identified to respond to cyber operations. If appropriate countermeasures can be taken for identified elements, they can gain a strategic advantage in cyberspace. Related cyber research includes developing response tools for attackers from a defensive standpoint and developing attack techniques that exploit human cognitive vulnerabilities. Other research has classified tools according to their purposes and has studied procedures for effectively carrying out deception. However, existing studies neither consider specific objectives nor classify in complex cyber operations. Classifying in cyber operations requires dividing cyberspace into physical, logical, and persona layers, the targets of cyber operations should be identified from machines to humans, and procedures should be identified from TTPs to objectives. In response, this paper proposes a deception tree that can be categorized from a cyber-deceitful TTP perspective. The tree model can distinguish targets from humans and machines in terms of attack and defense and systematically establish the effects, tactics, techniques, and procedures of selected targets. Three cases were applied and analyzed to verify the performance of the tree model. The first case is the cyber incident that occurred at KHNP in 2014 in which a deceitful attack was conducted on humans, the second case is using Honeynet technology to deceive the attacker, and third case is using Anti-Ransomware technology to deceive malware.