Threat actors can be discouraged from attacking networks when small changes are made to make their operations more difficult.
That's according to a recent paper from infosec experts at the National Security Agency (NSA), Johns Hopkins University and Fastly. The paper describes a concept known as "sludge": several small security steps and network conditions that create technical red tape and can potentially slow down data collection and exfiltration. The concept of sludge was popularized in a 2021 book, Sludge: What Stops Us from Getting Things Done and What to Do about It, by legal scholar Cass Sunstein.
The paper's authors included Josiah Dykstra and Jamie Met of the NSA; Kelly Shortridge of cloud service provider Fastly; and Douglas Hough of Johns Hopkins Bloomberg School of Public Health. The idea, they wrote, is not to prevent an attack outright but rather to put enough hurdles and frustrations in the way to waste the time of anyone trying to compromise the network.
"To date, most cyber defenses have been designed to be optimally strong and effective and prohibit or eliminate attackers as quickly as possible," the paper said.
"We propose a complementary approach which is to also deploy defenses that seek to maximize the consumption of the attackers' time and other resources while causing as little damage as possible to the victim."
In practice, sludge would take form as anything from login banners to honeypot machines and fake databases -- anything that would waste the time of a would-be attacker and lift a network from the ranks of the low-hanging fruit.
Among the possible techniques are multiple authentication requirements, mandatory acknowledgements, and the use of cloud instances to create temporary infrastructure that can't be seeded for persistent access.
The researchers acknowledged that such measures could also make life inconvenient for those seeking legitimate access. But they argued that administrators could fashion workarounds or remediations that helped actual users while still frustrating threat actors.
"Cybersecurity professionals often seek to minimize their recovery time, failure rates, and lead times," the researchers wrote.
"If adversaries behave likewise, sludge may be used to strategically maximize negative results."
In an email to TechTarget Editorial, Dykstra said the sludge strategy is not about the quantity of technical hurdles and red tape but figuring out the right ones to frustrate cyber attackers.
"The effectiveness of sludge, like many other approaches to cybersecurity, probably isn't directly correlated to the number of measures used. Instead, impact is influenced by contextual details of the attack, attributes of the attacker(s), capabilities of the defenders, and features of the sludge," Dykstra said. "As we explain in the paper, a sludge strategy would be used in combination with other complementary system defenses. For instance, system owners certainly need strong user authentication, not just honey credentials."
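The following Python sketch is an added illustration of that last point, not code from the paper or its authors: it pairs ordinary salted-hash authentication with two sludge measures named above, a mandatory banner acknowledgement and honey credentials that exist only to raise an alert when touched. The account names, passwords and IP addresses are constructed sample data, and the in-memory store stands in for whatever directory a real deployment would use.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# PBKDF2 iteration count is an assumption for this demo, not a recommendation.
ITERATIONS = 100_000
DUMMY_SALT = b"\x00" * 16


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    honey: bool = False  # decoy: no legitimate user ever logs in with it


class SludgeAuthenticator:
    """Strong authentication first; sludge (banner, honey accounts) on top."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.acknowledged: set[str] = set()   # users who accepted the banner
        self.alerts: list[dict] = []          # what a SIEM would receive

    def add_user(self, username: str, password: str, honey: bool = False) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, _digest(password, salt), honey)

    def acknowledge_banner(self, username: str) -> None:
        self.acknowledged.add(username)

    def login(self, username: str, password: str, source_ip: str) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            _digest(password, DUMMY_SALT)  # keep timing uniform for unknown users
            return "denied"
        if acct.honey:
            # Any attempt against a decoy account is a signal, whatever the password.
            self.alerts.append({"user": username, "ip": source_ip,
                                "reason": "honey credential used"})
            return "denied"
        if not hmac.compare_digest(_digest(password, acct.salt), acct.digest):
            return "denied"
        if username not in self.acknowledged:
            return "banner_required"  # mandatory acknowledgement is the sludge step
        return "granted"
```

The honey account is denied exactly like a wrong password, so an attacker who harvested it learns nothing, while the defender gets an alert with the source address.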
Psychological influence also plays a major role. The paper noted three recent instances in which sludge was created for attackers through political or legal pressure. In the case of ransomware attackers, the researchers noted that increases in law enforcement action and government sanctions have provided at least enough of a deterrent to make threat actors think twice and reduce some activity.
In more substantial examples, the team pointed to the drop in cyberattacks around Ukraine and the lack of attacks around the U.S. elections as instances where public awareness has created "sludge" conditions that made otherwise possible cyberattacks unfeasible for threat actors.
"Sludge was not inevitable for any of these events," the researchers wrote.
"The cybersecurity community in the public and private sectors could have exclusively pursued zero tolerance, complete elimination of the problems using technical and non-technical solutions."
This, the researchers concluded, makes the case for creating sludge conditions that, while not particularly effective by themselves, can work well alongside traditional network security measures to thwart attacks.