Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Elements of disinformation theory: cyber engagement via increasing adversary information consumption

Travis Cuvelier, Sean Ha, Maretta Morovitz

TL;DR

It is proposed that, based on an understanding of the adversary’s control theoretic goals, cyber threat intelligence (CTI) provides the defender knowledge of the adversary’s preferences for information acquisition, and a strategy for adversary engagement within the "honey" control system to increase the adversary’s costs of information processing.

Abstract

We consider the case where an adversary is conducting a surveillance campaign against a networked control system (NCS), and take the perspective of a defender/control system operator who has successfully isolated the cyber intruder. To better understand the adversary's intentions and to drive up their operating costs, the defender directs the adversary towards a ``honeypot" that emulates a real control system and without actual connections to a physical plant. We propose a strategy for adversary engagement within the ``honey" control system to increase the adversary's costs of information processing. We assume that, based on an understanding of the adversary's control theoretic goals, cyber threat intelligence (CTI) provides the defender knowledge of the adversary's preferences for information acquisition. We use this knowledge to spoof sensor readings to maximize the amount of information the adversary consumes while making it (information theoretically) difficult for the adversary to detect that they are being spoofed. We discuss the case of imperfect versus perfect threat intelligence and perform a numerical comparison.

Elements of disinformation theory: cyber engagement via increasing adversary information consumption

TL;DR

It is proposed that, based on an understanding of the adversary’s control theoretic goals, cyber threat intelligence (CTI) provides the defender knowledge of the adversary’s preferences for information acquisition, and a strategy for adversary engagement within the "honey" control system to increase the adversary’s costs of information processing.

Abstract

We consider the case where an adversary is conducting a surveillance campaign against a networked control system (NCS), and take the perspective of a defender/control system operator who has successfully isolated the cyber intruder. To better understand the adversary's intentions and to drive up their operating costs, the defender directs the adversary towards a ``honeypot" that emulates a real control system and without actual connections to a physical plant. We propose a strategy for adversary engagement within the ``honey" control system to increase the adversary's costs of information processing. We assume that, based on an understanding of the adversary's control theoretic goals, cyber threat intelligence (CTI) provides the defender knowledge of the adversary's preferences for information acquisition. We use this knowledge to spoof sensor readings to maximize the amount of information the adversary consumes while making it (information theoretically) difficult for the adversary to detect that they are being spoofed. We discuss the case of imperfect versus perfect threat intelligence and perform a numerical comparison.

Paper Structure

This paper contains 5 sections, 3 equations, 1 figure.

Table of Contents

  1. Introduction
  2. Organization
  3. Related work:
  4. Notation:
  5. System model and problem formulation

Figures (1)

  • Figure 1: The scenario of interest. We assume that we have successfully lured an adversary into engaging with a "honey PLC", believing its sensor outputs to be authentic. The adversary's malware carries out reconnaissance and processing "locally" on the defender's network. The malware is tasked with selecting and quantizing a subset of the available sensor feeds and reporting to a remote C2 server for further analysis. We refer to the malware running on the defender's network as the adversary's "local agent", and the remote C2 server as the "remote site".