Sludge for Good: Slowing and Imposing Costs on Cyber Attackers

Abstract

Choice architecture describes the design by which choices are presented to people. Nudges are an aspect intended to make “good” outcomes easy, such as using password meters to encourage strong passwords. Sludge, on the contrary, is friction that raises the transaction cost and is often seen as negative by users. Turning this concept around, we propose applying sludge for positive cybersecurity outcomes by using it offensively against attackers to consume their time and other resources. Most cyber defenses have been designed to be optimally strong and effective and prohibit or eliminate attackers as quickly as possible. Our complementary approach is to deploy defenses that seek to maximize the consumption of attackers’ time and other resources while causing as little damage as possible to the victim. This approach is consistent with zero trust and similar mindsets which assume breach. The Sludge Strategy introduces cost-imposing cyber defense by strategically deploying friction for attackers before, during, and after an attack using deception and authentic design features. We present the characteristics of effective sludge and show a continuum from light to heavy sludge. We describe the quantitative and qualitative costs to attackers and offer practical considerations for deploying sludge in practice. Finally, we examine real-world examples of U.S. government operations to frustrate and impose costs on cyber adversaries. We encourage research and further exploration of how sludge can slow attackers