Reverse Deception Used by Advanced Persistent Threats

by Mary W
Nov. 11, 2017 2 comments 3 minute read Detection & Response apt deception
Download PDF

Introduction to reverse deception

The art of deception has been in use since ancient times to achieve objectives on the battlefield, on the negotiating table, and in business. Deception has also been used as a source of assurance in helping businesses to protect themselves from cyber security threats and increase their ability to respond to unexpected.

Reverse deception refers to any strategy used by information security experts or organizations in deceiving an adversary by gaining a competitive advantage over the adversary and controlling the adversary’s response by all means possible. It is conducted through assessment of Advanced Persistent Threats(APTs). This paper attempts to demystify reverse deception, its surrounding issues and how to combat it.

Advanced Persistent Threats

Advanced Persistent Threats(APTs) refer to any problematic rival that is involved in information warfare with the aim of long-term strategic goals which persistently utilizes technical compromises through the use of tactics like waterhole and spear-phishing attacks to access targeted information.

APTs are categorized by their risk level, prioritized actions and zero-in on targets performed through the use of an expert, field-tested private- and government -sector methods.This is performed to block intruders that aren’t visible, spread without detection and are persistent in enterprise networks without detection. The weakest link in network security that is susceptible to attacks are the privileged users. Other Save from blocking intruders into a network, this method aims at exposing, pursuing and prosecuting the responsible parties that are behind the APTs. Through Reverse Deception techniques, it is possible to set up digital traps, effectively misdirect hackers, set up honeypots, mitigate encrypted crimeware and easily detect the malicious software groups. One is therefore able to establish the goals and scope of the reverse deception campaign, scrutinize the APTs, generate reports, find out the individuals responsible for the act and closely work with legal authorities for law enforcement. Passive cyber defenses cannot address APTs but still offer some benefits against low-level attacks when basic cyber hygiene practices such as patching vulnerabilities. Financially motivated attackers have lately been increasingly persistent and are replacing strains of malware to avoid detection.


Deception remains to be an integral part of both offensive and defensive cyber operations. Through deception, users are tricked into opening infected files or access compromised websites. Some organizations and individuals do not consider deception as a tool for offensive operations at all. Some use it to strengthen their systems and networks through cyber deception campaigns where they allow adversaries to steal their documents that may contain misleading or false information. This assist in deterring future cyber by altering an attackers cost-benefit calculation. This is through increasing the duration of the time that is used to analyze and asses stolen information as well as lowering the value of the stolen data. It is, however, a risky approach especially when the attacker realizes that he is deceived by being fed with falsified information. The attacker can decide to leak or expose the information put forward and tarnish the name of the individual or organization who is deceiving them.

Reverse Deception through Anti-analysis code

This deception technique transforms the way analysis is conducted through transforming the source code and making the modified code difficult to understand. The traits of this code are resilience and potency. Resilient in that it is hard to undo and potency being the complexity in the modified code that is measured through complexity metrics. The code also has increased the size and a slower execution time.

Fig:1 Malware communicating over VMware to show software version

Reverse Deception through Steganography

This is a trick that is used by malicious hackers whereby messages are hidden inside digital images to conceal the paths used by malware attacks on target computers. Through this method, information is inserted into the code of a trivial visual image or code with an aim that it will be stolen then later on delivered to the command and control server. Through this, digital signatures and codes that are likely to be detected by current analytics systems are hidden. A Kaspersky lab report has indicated that there has been no method to detect when stolen data gets into the hands of criminal hands. The only way for embedded messages to be detected during steganography is only when there is an appropriate stenographic key.

Fig 2: Digital steganography


This is done through the embedding of data into the most irrelevant bits of the image files. Irrespective of the message length, data is completely replaced by the cover image.


This method embeds every message bit into more than one bit of the cover image for purposes of minimizing the discoverable effects of embedding. It is so accomplished by modifying the image through separating it in different blocks then applying discrete cosine transform and later on altering coefficients by transforming the back. It results in each message bit affecting the entire block in the cover image, making it more difficult to realize the transformations.

In close relation to this are watermarking and fingerprinting. In watermarking information that is hidden in objects is a signature that indicates ownership for purposes of copyright protection. Fingerprinting uses contrasting, unexampled marks which are embedded in distinct copies of the carrier object that are later on supplied to different customers. What this does is that it enables the intellectual property owners to know when a client breaks a licensing agreement through selling or sharing their property with third parties. The difference between the two methods and steganography is that the information is concealed in water making and fingerprinting and may be public knowledge while in steganography imperceptibility of the information is totally concealed.

Development of a robust cyber-security Framework that every employee is required to follow with set consequences for noncompliance

Fig 4: JSTEG illustration

Combating Reverse Deception

  • Trusted Internet connection initiatives
  • Development of a robust cyber-security Framework that every employee is required to follow with set consequences for noncompliance
  • Regular review of company’s vulnerability management program that can report events to understand where the vulnerability lie and actions that can be taken to mitigate the risk.
  • Employ threat model and detection especially with the evolving cyber threat environment.
  • Diligence in not overexposing a company to vendors before the company’s data infrastructure has been secured.

Published with the express permission of the author.

Mitchell Rowton moderator 5 months, 2 weeks ago

Why is that the Mona Lisa painting is always the steganography example?

Irina Alexandra Negrii 5 months, 1 week ago

hahahah...good observation's always her