Sludge for Good: Slowing and Imposing Costs on Cyber Attackers

by   Josiah Dykstra, et al.

Choice architecture describes the design by which choices are presented to people. Nudges are an aspect intended to make "good" outcomes easy, such as using password meters to encourage strong passwords. Sludge, on the contrary, is friction that raises the transaction cost and is often seen as a negative to users. Turning this concept around, we propose applying sludge for positive cybersecurity outcomes by using it offensively to consume attackers' time and other resources. To date, most cyber defenses have been designed to be optimally strong and effective and prohibit or eliminate attackers as quickly as possible. Our complimentary approach is to also deploy defenses that seek to maximize the consumption of the attackers' time and other resources while causing as little damage as possible to the victim. This is consistent with zero trust and similar mindsets which assume breach. The Sludge Strategy introduces cost-imposing cyber defense by strategically deploying friction for attackers before, during, and after an attack using deception and authentic design features. We present the characteristics of effective sludge, and show a continuum from light to heavy sludge. We describe the quantitative and qualitative costs to attackers and offer practical considerations for deploying sludge in practice. Finally, we examine real-world examples of U.S. government operations to frustrate and impose cost on cyber adversaries.


page 1

page 2

page 3

page 4


Defense in Depth: The Basics of Blockade and Delay

Given that individual defenses are rarely sufficient, defense-in-depth i...

Cyber Deception against Zero-day Attacks: A Game Theoretic Approach

Reconnaissance activities precedent other attack steps in the cyber kill...

Metrics Towards Measuring Cyber Agility

In cyberspace, evolutionary strategies are commonly used by both attacke...

Myths and Misconceptions about Attackers and Attacks

This paper is based on a three year project during which we studied atta...

Autonomous Cyber Defense Introduces Risk: Can We Manage the Risk?

From denial-of-service attacks to spreading of ransomware or other malwa...

From Cyber-Security Deception To Manipulation and Gratification Through Gamification

With the ever growing networking capabilities and services offered to us...

Observation-Assisted Heuristic Synthesis of Covert Attackers Against Unknown Supervisors

In this work, we address the problem of synthesis of covert attackers in...

Please sign up or login with your details

Forgot password? Click here to reset