Attackers, Distraction, Deception and Misdirection

Tuesday, February 03, 2015

Joseph Pizzo


Many of my associates who work in varying layers of security, on the corporate, vendor or SMB sides, often focus on “finding the bad guy.”

When it comes to security, be it data in motion, data in execution or data at rest, the bad guys often lurk in plain sight. They have the time and patience to wait for a distraction that allows their malicious activity to go by unseen.

The malicious actors have the time and patience to test and observe the common communications of a target network, look for flaws and act very quickly with tactics, techniques and procedures that have been previously mastered in a variety of test beds (

Distraction, deception and misdirection are three of the most valuable assets to the malicious actor.

The following, though an exercise in observation of physical security protocols, outlines how using distraction, deception and misdirection to break the standard procedures and find a way in to a protected target can relate to network, host and application security in so many ways.

As a frequent business traveler, I often have the opportunity to witness and experience the strange, funny, inconvenient and often uncomfortable. My guess is that many of us that travel as part of our work lives also witness and experience things that make us sit back for a second and quietly ponder “Huh? Did that just happen?”

One of these events took place quite recently. It was a cool November morning and I was in line behind about twenty people at a security checkpoint in terminal B at Newark airport. It seemed that there was a heavy security presence that morning, like TSA was checking and double-checking.

Bag screeners seemed to be meticulously watching everything that passed through the x-ray machine, other officers were yelling directions to all travelers – “Take off your shoes and jackets! Empty your pockets! No liquids more than 3 ounces allowed through the security checkpoint!”

I want to say that it seemed like hours; in reality it was a long 25 minutes. And that was for about the first ten people among the twenty or so ahead of me.

Then the line stopped. Nothing was happening for about five minutes. I noticed that someone had been pulled off the line and had a bag check. Then I noticed Port Authority police show up. Apparently, whoever they stopped needed assistance or was in some kind of trouble.

Almost immediately, the line began moving again. This time the pace had increased significantly. The screeners seemed aloof and the barking of orders stopped, like the TSA agents were preoccupied.

I, and the rest of my line companions ahead and behind me, made it through the security checkpoint in about 5 minutes. I had my jacket, shoes and belt off. I also had my laptop, iPad and some miscellaneous items to collect and repack. It gave me a few minutes to observe the change.

What I noticed was that airport personnel, TSA officers and Port Authority police were gathered around the seated traveler. It didn’t look too bad; he seemed to be in good spirits, and in fact I couldn’t tell you if he was suspected of something, ill or otherwise.

I looked at the checkpoint and to my surprise the detail-oriented TSA officers that were previously screening bags, checking passengers through the Rapiscan and shouting orders and demands were now craning their necks to get a better view of what was going on with the detained passenger.

They even sent each other over occasionally to see what was going on and to get and bring back a report or, more appropriately, gossip.


What was previously a slow-moving ballet of security protocol now became a gaping hole in the airport’s first line of defense. At any point after the delayed or detained passenger was pulled off to the side, any nefarious character could have slipped through with ease because ALL security personnel in the area were distracted and consumed with the events surrounding them.

I have taken this apart in my head several times, often adding and removing variables. But to simplify what I witnessed, security personnel were distracted by a single event, opening up the protected infrastructure to additional attacks that can go unnoticed.

I have made this analogous to current security practices in meetings and presentations to call attention to a portion of the problem areas in most networks. Often I see a very busy security team that is stretched just as thin as they are busy. They have the responsibilities of identifying, tracking, responding and eradicating threats.

The eradication and investigation of threats often come too little, too late. These security professionals are more like the clean-up crew. A breach is identified, then comes the awareness of exfiltrated data, then the backtrack to the cause of the breach.

The threat is often put on a pile and a note of diligence is sent out to an unknowing group of end users that barely acknowledge the threat. I know, I am generalizing, but if you are reading this, you can easily fill in the blanks.

So how does distraction or misdirection work? Basically, we are watching for the events that have occurred or are occurring within the network. It is a good place to look. We also believe that we have our network devices fine-tuned to only allow certain communications through. This is another great methodology to adopt.

We are, however, under pressure to allow for the ease of business, so we allow the end user to install a non-standard application, or we open holes in our firewall or gateway to allow communication that better enables people to do their jobs.

We even allow partners and vendors access to our network when we don’t understand their security posture. We do our best. This is where we are left distracted. We allow for one area to pull our focus from another area that is equally important.

If we apply this to the network, this is where data comes in and out. I work with some of the best security professionals in the world and all they want is for the incoming data to be as safe as the outgoing data.

When we add threat intelligence, we add a layer of verified information that eases the fear surrounding the incoming and outgoing data. If we understand the potential threats that exist and apply this intelligence to the gateway, we become less of a clean up crew and more of a business support organization.

By understanding the threat with granularity, we attain a clarity that allows the distraction to be less and less of a gaping hole in our infrastructure and more of a data-driven security model that allows for smart decisions based on knowledge.
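As an added example (not code from the original post, nor from Norse or Infosec Island), the following Python script shows one way to apply an indicator feed to gateway connection logs so that known-bad traffic is flagged as it crosses the perimeter rather than reconstructed after a breach. The log layout, field names and indicator values are assumptions made for illustration; the addresses and domains are drawn from documentation ranges, not real threat data.

```python
"""Match gateway connection logs against a threat-intelligence feed.

Added example, not from the original post. The feed values, the log
format and the field names are assumptions made for illustration.
"""
import ipaddress

# Constructed indicator feed: single IPs or CIDR blocks, plus domains.
# Hypothetical values from documentation ranges (RFC 5737 / RFC 2606).
INDICATOR_IPS = ["198.51.100.7", "203.0.113.0/24"]
INDICATOR_DOMAINS = ["bad-updates.example", "cdn-telemetry.example"]

# Constructed gateway log lines in an assumed space-separated layout:
# timestamp src_ip dst_ip dst_host action   ("-" when no hostname seen)
LOG_LINES = [
    "2015-02-03T09:01:10Z 10.0.0.21 93.184.216.34 www.example.org ALLOW",
    "2015-02-03T09:01:12Z 10.0.0.21 198.51.100.7 - ALLOW",
    "2015-02-03T09:02:00Z 10.0.0.45 203.0.113.77 files.cdn-telemetry.example ALLOW",
    "2015-02-03T09:02:05Z 10.0.0.45 192.0.2.10 notbad-updates.example ALLOW",
    "2015-02-03T09:03:30Z 10.0.0.9 203.0.113.5 - DENY",
]


def compile_indicators(ips, domains):
    """Turn raw indicator strings into comparable objects."""
    networks = [ipaddress.ip_network(ip, strict=False) for ip in ips]
    # Normalise domains: lower-case, no trailing dot.
    doms = {d.lower().rstrip(".") for d in domains}
    return networks, doms


def ip_hit(addr, networks):
    """Return the indicator network containing addr, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return str(net)
    return None


def domain_hit(host, doms):
    """Exact or subdomain match on label boundaries.

    'files.cdn-telemetry.example' matches 'cdn-telemetry.example';
    'notbad-updates.example' must not match 'bad-updates.example'.
    """
    if host in ("", "-"):
        return None
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in doms:
            return candidate
    return None


def parse_line(line):
    """Parse the assumed five-field layout; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, host, action = parts
    return {"ts": ts, "src": src, "dst": dst, "host": host, "action": action}


def scan(lines, ips=INDICATOR_IPS, domains=INDICATOR_DOMAINS):
    """Return one hit per log line that touches an indicator.

    Denied connections are reported too: a blocked beacon still tells you
    which internal host tried to reach known-bad infrastructure.
    """
    networks, doms = compile_indicators(ips, domains)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        net = ip_hit(rec["dst"], networks)
        dom = domain_hit(rec["host"], doms)
        if net or dom:
            hits.append({
                "src": rec["src"],
                "dst": rec["dst"],
                "action": rec["action"],
                "ip_indicator": net,
                "domain_indicator": dom,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

Two design points are worth noting. The domain match walks label boundaries rather than using a substring test, so a lookalike such as `notbad-updates.example` does not produce a false positive while a genuine subdomain does. And denied connections are kept in the results: the gateway may already have blocked the beacon, but the source host that attempted it is exactly the lead the "clean-up crew" would otherwise only find weeks later.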

This was cross-posted from Norse's Dark Matters blog. 
