RSA 2022: The Road to Adversary Engagement

There has been a lot of attention on offensive cyber operations the past week at RSA 2022 – especially since U.S. Cyber Command confirmed that the U.S. has gone on the offensive on behalf of Ukraine.  

But adversary engagement isn’t limited to high-profile military operations or international conflict. At last week’s RSA Conference, experts from government and industry came together to discuss the benefits of practicing denial and deception at any organization – benefits long understood here at Broadcom Software.

To kick off their panel, “The Road to Adversary Engagement: Get Your Organization from 0 to 88 MPH,” the experts helped the audience understand the difference between denial – stopping a cyberattack in its tracks – versus deception, which is the strategy of inviting a controlled, isolated cyber intrusion in order to learn from it.

Dr. Stan Barr, Senior Principal Researcher at The MITRE Corporation, described deception as a mental process – rather than a tech stack – by which an organization’s security team decides what they want to present to their adversaries and what they want them to see and think. It also involves how to drive them, based on what they see and think, into doing activities that are beneficial for the organization. It could be a setup as simple as a single “victim” laptop, or as complex as an entire imaginary office – all intended to lure an attack on dummy data, under the close supervision of security personnel.

At the very least, a deception campaign aims to expose an actor’s tactics, techniques, and procedures (TTPs), as well as the type of data they are attempting to steal – all of which is incredibly valuable to an organization’s security strategy. In an ideal situation, a well-executed campaign might even reveal an adversary’s identity.

Sounds fun – but should we be talking about this?

In stark contrast to the first rule of Fight Club, the experts agree we should be talking about adversary engagement. It might seem counterintuitive – why would we want our adversaries to know we might be luring them into a trap? – but there are two clear benefits to being open about these practices.

First, not only is all the information gleaned from deception invaluable to the organization itself, but it is also useful for the entire community. Organizations are encouraged to share as much of their findings as possible, not only with law enforcement to try to catch these bad actors, but also within trusted information sharing communities to help other entities prevent similar intrusions.

The second benefit is the element of deterrence. If criminals know organizations are carrying out deception campaigns, they might be less inclined to use cyberattacks as a method of intelligence gathering. After all, no one wants to waste their time, let alone get caught in the act. “That’s the utopia of behavior change we hope to see,” said Barr.

Okay – but is this legal?

While there’s something that might feel slightly shady about deploying malware and initiating a cybercrime, FBI Special Agent Tony Rogers informed the RSA audience that it’s all perfectly legal – as long as it’s carried out on the organization’s own network. The Department of Justice will not prosecute on these activities.  

I also like to live dangerously. How can my organization get started?

Panelist J.R. Manes, a former FBI agent who today serves as Global Head of Cyber Intelligence at HSBC, provided a few hot tips for organizations looking to pursue adversary engagement.

First, Manes emphasized that deception is not something an organization should jump into. Security teams should prioritize fundamentals like multifactor authentication, patching, and phishing controls. Once an organization has the basics down, then adversary engagement is something it can add to a defense-in-depth model.

Security personnel should also ensure they have safety controls in place so they don’t damage the internet, let alone their own organizations. HSBC’s security team has 24/7 monitoring and controls over their deception activities, even from their cell phones, so things don’t go off the rails.

As a general tip, the panelists re-emphasized the importance of strong, trusting public-private information sharing relationships. Manes and Rogers also advised organizations to get to know their local FBI office, which can provide resources in the event of an attack – but only if they know an organization exists.  

However, while the FBI should be part of an organization’s incident response plan, it shouldn’t be the whole plan. Organizations need to assume that criminals are in their network, said Barr, and they’ve been there for a while. They should be asking, “What do you do, and how do you find them?”

And adversary engagement is an important tool in that security toolbox. After all, said Manes, “It’s fun to waste bad guys’ time.”

To learn more on how Broadcom Software can help you modernize, optimize and protect your enterprise, contact us here.