Air Force Investing in Deceptive Cyber Technology


Once an adversary successfully enters a network, the name of the game is damage mitigation. And this is why the Air Force is interested in deceptive cyber tools.

The Air Force Research Lab in Rome, New York, recently awarded a $750,000 grant to Galois to develop advanced network cyber deception technology.

“This topic seeks to provide new and novel approaches to delaying, disrupting and deceiving adversaries engaged in active network reconnaissance,” the Air Force’s three-phased Small Business Innovation Research proposal stated. “There is a need for secure, infrastructure agnostic, solutions designed for cyber agility and anti-reconnaissance.”

The Air Force requested a solution that:

  • Effectively prevents traffic analysis.
  • Implements evasive and deceptive techniques such as misreporting source and destination IP and/or MAC addresses, and intermittently changing those addresses.
  • Prevents an adversary from determining the direction or volume of information moving within a network.
  • Prevents an adversary from understanding the size or topology of a network.
  • Prevents, detects and ceases communication with non-compliant or rogue clients.

The technology Galois is building rests on the assumption that there is an adversary already on the network, or soon will be. And so the company plans to feed this assumed adversary false information and false directions, according to Adam Wick, research lead at Galois, who spoke to Fifth Domain about the product.

Adversaries are going to make it onto networks, Wick insisted, and so it’s important their job be made as difficult as possible once they get a foothold. This can be done by throwing out false information and pointing them toward traps, he said, all in an effort to minimize damage and buy time for defenders to eradicate the threat.

The solution, called Prattle, will generate fake network traffic patterns mimicking real browser sessions to hide which servers are important and which are not, Wick said. Prattle differs from traditional honeypots — segments of a network designed to court and trap adversaries — because traditional honeypots typically don’t generate traffic beyond automated traffic. In other words, honeypots don’t generate humanlike traffic and thus can easily be identified by adversaries as not genuine.

Every 10 to 15 minutes, Prattle will initiate a web session pretending to search for something. It’ll pull down the page, pull down the fonts, scripts and images just like a real web browser, and sign out, Wick said. The signatures look just like a user using Google Chrome, even estimating how quickly the average adult reads a page before clicking on another link.

“If you’re an adversary observing this traffic, it looks like someone is on the computer browsing the internet. It does everything like a real browser,” Wick noted.

Additionally, Prattle can replicate encrypted traffic as well as humanlike browser sessions, masking actual network activity by maintaining the same tempo regardless of what real users are doing. For example, it can create enough traffic to disguise things like operational tempo, so that the network always looks the same 24 hours a day, 365 days a year, regardless of the real traffic situation, Wick said.
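The following is an added illustration of the decoy-browsing idea described above, written for this page; it is not Galois's or Prattle's code. It assumes a reading speed of 240 words per minute for the dwell time and a constant per-interval byte budget for tempo masking, both assumed values; the HTML page is constructed inline so nothing is fetched.

```python
import random
import re
from html.parser import HTMLParser

WORDS_PER_MINUTE = 240            # assumed average adult reading speed
SESSION_GAP_SECONDS = (600, 900)  # a new decoy session every 10 to 15 minutes

class PageModel(HTMLParser):
    """Collects what a real browser would fetch next, plus the visible text."""
    def __init__(self):
        super().__init__()
        self.subresources, self.links, self.text = [], [], []
        self._in_code = False  # inside <script>/<style>: not readable text

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._in_code = True
        if tag in ("script", "img") and a.get("src"):
            self.subresources.append(a["src"])
        elif tag == "link" and a.get("href") and a.get("rel") in ("stylesheet", "preload"):
            self.subresources.append(a["href"])  # stylesheets and fonts
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])         # candidate next clicks

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._in_code = False

    def handle_data(self, data):
        if not self._in_code:
            self.text.append(data)

def plan_page_visit(html):
    """Fetch list, reading-time dwell (seconds) and next links for one page."""
    model = PageModel()
    model.feed(html)
    words = len(re.findall(r"\w+", " ".join(model.text)))
    return {"fetch": model.subresources,
            "dwell_seconds": words / WORDS_PER_MINUTE * 60,
            "next_links": model.links}

def next_session_delay(rng=random):
    """Seconds to wait before the next decoy browsing session."""
    return rng.uniform(*SESSION_GAP_SECONDS)

def padding_bytes(observed_bytes, target_bytes):
    """Decoy bytes needed this interval so the visible tempo stays constant."""
    return max(0, target_bytes - observed_bytes)
```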

“What we’re trying to do is mask that and tempt people to go after targets that aren’t as important or are traps so they’re wasting their time, giving us a chance to get them before they get us,” he said.

Prattle can act as a network tripwire and even bolster existing ones. By making certain servers look more attractive than others, a hit on one of them alerts network defenders that there could be an intruder on the network. Prattle also can generate documents with known signatures, so if defenders see those signatures leaving the network it tells them someone was there. The signatures also act as a marker, allowing the culprits to be tracked after the deed.
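An added example of the "documents with known signatures" idea, not Prattle's own design: it assumes a keyed HMAC token embedded in each decoy document so an egress scan can tell which decoy left and from where. The key, document names and egress records are constructed for the example.

```python
import hashlib
import hmac
import re

CANARY_RE = re.compile(r"DOC-([0-9a-f]{24})")

def canary_token(key: bytes, doc_id: str) -> str:
    """Per-document marker derived from a secret key, so it cannot be guessed."""
    return hmac.new(key, doc_id.encode(), hashlib.sha256).hexdigest()[:24]

def make_decoy(key: bytes, doc_id: str, body: str) -> str:
    """Embed the marker as an innocuous-looking reference line."""
    return f"{body}\nRef: DOC-{canary_token(key, doc_id)}\n"

def scan_egress(key: bytes, doc_ids, records):
    """records: (timestamp, src, dst, payload); one alert per known marker seen."""
    lookup = {canary_token(key, d): d for d in doc_ids}
    alerts = []
    for ts, src, dst, payload in records:
        for tok in CANARY_RE.findall(payload):
            if tok in lookup:   # unknown DOC- strings are ignored, not alerted on
                alerts.append({"time": ts, "src": src, "dst": dst, "decoy": lookup[tok]})
    return alerts

# Constructed sample data: a throwaway key, two decoy documents, three egress records.
KEY = b"example-key-not-for-production"
DECOYS = ["finance/q3-forecast.docx", "hr/payroll-export.xlsx"]
RECORDS = [
    ("2024-01-01T10:00:00Z", "10.0.5.12", "203.0.113.7", "GET /index.html"),
    ("2024-01-01T10:02:13Z", "10.0.5.12", "203.0.113.7",
     make_decoy(KEY, "finance/q3-forecast.docx", "Q3 forecast draft")),
    ("2024-01-01T10:05:40Z", "10.0.5.13", "198.51.100.9",
     "Ref: DOC-000000000000000000000000"),
]

def demo():
    return scan_egress(KEY, DECOYS, RECORDS)
```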

Despite running constantly on the network, Prattle will be invisible to normal network users.

The Air Force Research Laboratory issued a similar opportunity over the summer.

The Air Force noted in its opportunity last July that military deception includes actions “executed to deliberately mislead adversary decision makers as to friendly military capabilities, intentions and operations, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly mission.”

The military has used deception as a tool, in one way or another, for thousands of years, the Air Force said. These tactics have included camouflage, feints, chaff, jammers, fake equipment, and false messages or traffic. As officials have worked to apply doctrine to the cyber domain, many have described how age-old truisms from the physical world are also relevant in the digital space.

“It is believed that deception techniques, working in conjunction with normal cyber defense methods, can alter the underlying attack process, making it more difficult, time consuming and cost prohibitive,” the notice said. “Modern day military planners need a capability that goes beyond the current state-of-the-art in cyber deception to provide a system or systems that can be employed by a commander when needed to enable additional deception to be inserted into cyber operations.”

While the Air Force seems to be the only service component within the Department of Defense to express interest in these technologies, Wick noted the technologies are still relatively new. He said the intelligence community is very interested in these capabilities, adding that Galois has worked with the Defense Advanced Research Projects Agency on similar solutions in the past.

Additionally, the Intelligence Advanced Research Projects Activity has expressed interest in these capabilities, issuing a notice to industry last year.