Finding The Hidden InfoSec Story

Operation Quicksilver


From [http://www.army.mil/cmh-pg/brochures/ardennes/aral.htm], and now in the US National Archives.

In 1944, US General George Patton was given two important tasks. He was given command of the Third Army, which he famously led in an aggressive thrust against Germany. The second task is less well remembered. He was to lead a fictional First US Army Group, positioned to make an attack north of Normandy at Pas de Calais. This deceptive operation was called Operation Quicksilver, part of a larger deceptive operation called Operation Fortitude. The purpose of these operations was to cause German resources to be diverted from the actual invasion area of Normandy.

All manner of operations were simulated, including fake troop movements in England and Scotland, and placement of fake trucks, tanks and other materiel. Communiques, orders, wireless transmissions and press conferences were all staged to support the appearance of serious military preparations. Since the Germans knew and feared Patton as a commander, his leadership of the effort enhanced its acceptance by German authorities. Intercepted communications between Germany and Japan confirmed that Operation Quicksilver was successfully diverting German attention and resources. The effectiveness of this operation yielded tangible benefits to Allied troops as they secured a foothold in France in June of 1944.

What use would this approach have to information security in a corporate setting? While business operations have only a tenuous similarity to military campaigns, the benefits of careful use of deception can be significant. A honeypot is typically a system staged on a network to lure unauthorized activity. Multiple systems can also be used, and this is sometimes called a honeynet.

A honeypot or honeynet can be positioned to attract hackers, intruders and others. These intruders may think that they are gaining access to live production corporate systems and data. Yet the systems involved are fake, and are deceptively configured to appear as if they contain real data.

Among the benefits of such systems is the partial protection of real corporate systems through the diversion of negative activity. Staff can also learn the techniques and tactics of opponents by studying how the honeypot is attacked. This in turn can be used to protect real systems based on the attacks used against the fake systems. Care should be taken to ensure that honeypots are placed and configured in such a way as to pose no risk to real systems. The legal department should always be consulted to ensure that appropriate laws are followed, especially if the business considers taking legal action against an attacker.
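As an added illustration (not code from the original post), here is a low-interaction decoy service in Python: it presents a fake banner, records whatever a client sends as one JSON line per connection, and never interprets or executes that input. The FTP-style banner, the loopback address, the class names and the `probe` helper are assumptions made for this example.

```python
import json, socket, socketserver, threading
from datetime import datetime, timezone

DECOY_BANNER = b"220 files01 FTP server ready\r\n"  # constructed fake banner
MAX_CAPTURE = 4096   # cap on bytes kept per connection
IDLE_TIMEOUT = 5.0   # seconds before a silent client is dropped

class DecoyHandler(socketserver.BaseRequestHandler):
    """Shows the banner and records what the client sends; never acts on it."""
    def handle(self):
        self.request.settimeout(IDLE_TIMEOUT)
        captured = b""
        try:
            self.request.sendall(DECOY_BANNER)
            while len(captured) < MAX_CAPTURE:
                chunk = self.request.recv(1024)
                if not chunk:          # client closed the connection
                    break
                captured += chunk
        except OSError:                # timeout or reset: keep what we have
            pass
        self.server.record(self.client_address, captured[:MAX_CAPTURE])

class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    def __init__(self, address):
        super().__init__(address, DecoyHandler)
        self.events, self._lock = [], threading.Lock()
    def record(self, peer, data):
        event = {"time": datetime.now(timezone.utc).isoformat(),
                 "src_ip": peer[0], "src_port": peer[1],
                 "data": data.decode("latin-1")}  # lossless for any bytes
        with self._lock:
            self.events.append(event)
        print(json.dumps(event))       # one JSON line per connection

def probe(address, payload):
    """Constructed local client used only to exercise the decoy."""
    with socket.create_connection(address, timeout=2) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner

if __name__ == "__main__":
    # Loopback only here; a real deployment belongs on an isolated segment.
    with DecoyServer(("127.0.0.1", 0)) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        probe(srv.server_address, b"USER backup\r\n")
        srv.shutdown()
```

Because nothing legitimate should ever connect to the decoy, every logged event is worth reviewing, and the captured data shows what a visitor tried first.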

Take a page from military tactics of old. A deceptive ruse might increase your knowledge of opposing techniques. The result can be improved security and a fun diversion for staff from the regular security task treadmill.

Author: Stephen Patton
