on
Cyber-Deception Notes
The following are some notes I made that were maybe going to be part of a paper idea that never happened. I decided I’m not interested in pursuing cyber-deception work at this point in time. This was originally the first draft of a literature review with some minor commentary.
Cyber-deception as a term refers to a set of techniques for deceiving cyber attackers in order to delay, neutralize, or monitor the actions of the attacker. The techniques do not focus on firewall or perimeter security but instead often focus on luring an attacker that is already inside the perimeter to a decoy area of the system.
Typically this takes the form of a honeypot, honeyport, or some other deceptive trap. In this way, contemporary cyber-deception research expands upon older honeypots that existed as simple lone unprotected machines within the system without much complexity, sophistication, or orchestration.
Deception research can be seen as an extended development of older mostly honeypot technology instead acting as a more proactive augmentation that attempts to actively trick and shepherd the attacker into specific areas. These techniques can contrast with other techniques like intrusion detection which mainly serves to send alerts when something is happening, and possibly having automation to block actions.
IDS systems often don’t allow for the attacker to pull off their entire attack, and they quickly allow the attacker to know that the system has detected them. Moving target defense systems are another proposed method for deceiving attackers via constantly altering different aspects of the system. This forms a kind of security through obscurity technique that does not generally attempt to gather information about the attacker.
The core concept of a lot of these deception techniques, in these papers and in general is that we want to learn more information about the attacker which a company could utilize in some way to mitigate future attacks from the same attacker. The point is implicitly and explicitly to gather information about what the attacker is doing and their payloads in the safest manner possible.
This makes a lot of sense from the perspective of a large private security company that sells a product to lots of smaller firms or a larger company with an in-house team. What many of these techniques fail to do is properly justify how or what type of information will be gathered about the attacker and how it will be used.
A smaller firm for example that isn’t contracting out to a private security company has no use and probably no resources to effectively use any of the information gathered by the deception system. A small-to-medium sized company is probably not going to perform some sort of malware analysis on the payloads that are being dropped off.
Yet in many of these system models, there is an assumption that a company is ok with orienting significant resources of their internal network infrastructure toward detection mechanisms for some payload that they might not have any use for.
The techniques are designed agnostically towards the information to be gathered. In these papers for example all three make almost no substantial mention of what kind of actionable information is gained from these large scale orchestrations, and if the value is worth the cost.
Another issue is that many of these papers use system models that are based around the idea of a single technique being used in isolation on a reverse proxy, SDN, or some other setup usually involving proxies and virtualization. A problem with this I see is that these are often only evaluated with each specific technique in isolation. The authors of these papers and their related works often make claims that they add only X amount of millisecond overhead while their method is running.
The problem is none of these methods consist of a complete solution. They seem more intended as mechanisms that would play a smaller part in a larger more realistic setting. This would be used in conjunction with IDS systems, malware scanners, traffic monitoring, or other various forms of intrusion alerts.
It is not clear if in a complete solution the overhead of these components would be too great to make them usable. There is almost no consideration for what practical way these methods could be collapsed into larger security systems.
In Achleitner et al. [1] the authors develop ‘Reconnaissance Deception System’ which simulates virtual network topologies in an attempt to divert, deceive, and neutralize APT attacks whilst collecting information on the attackers. The system is designed to identify reconnaissance scanning attacks and redirect the attackers seamlessly to an internal SDN virtual topology generated based on what the system controller assumes the attacker knows at any given point. The authors found that their system causes significant delay in the amount of time it takes for an attacker’s scan to identify a vulnerable system. The deception system was shown to only cause a 0.2 millisecond delay per packet flow on average.
Voris et al. [2] take a comparatively simpler approach with their honey files system. They develop a placement application for sets of decoy documents that are scattered across various physical and virtual machines of an organization’s internal network. The author’s concept is to use decoy files as a company policy that employees are aware of and told not to open (as opening them or interacting with them triggers an alarm ticket in the IDS). When an attacker is using stolen employee credentials they then might click on the files which are designed to look enticing for an attacker. The authors did two user evaluations with test subjects to see how likely the average users were to accidentally click the files, and if the people playing hackers would fall for the files at a higher rate than the accidental click rates.
Rawat et al. [3] focus on wireless infrastructure providers and attacks on mobile virtual network operators providing RF slice leasing. Their model is essentially a dynamic deception system that is able to sense adversarial actions toward legitimate MNVO nodes (such as a DsoS) and spin up new deception MNVO nodes on the fly. The attacker’s malicious traffic is then directed toward the deception MNVO nodes rather than the legitimate users. The model was created in an SDN simulation rather than with real hardware. They then showed via a probabilistic simulation model on the SDN that their technique was able to deploy deception nodes fast enough to dramatically reduce the amount of time the attackers were able to target legitimate systems.
Sun et al. [4] attempt to elevate the attacker’s belief in honeypot decoys by replaying a significant amount of information that is replicated from real servers for the attacker’s benefit. The things they are replaying consist of “characteristic access pattern, running states, and system artifacts” as well as other attributes. They create a system to replay various network activities over the decoy server to create lots of logs and artifacts creating the illusion that the system is real and actually in use. Their system called Mirage works as a real-time reverse proxy that is able to grab network traffic and system artifacts. The Mirage system first obfuscates the original data and then generates a new decoy server based on the data that the attacker can then interact with. The authors found that their system was able to generate decoy access patterns and fingerprints that were not distinguishable from the real server while only adding a minimal 9.2% CPU overhead increase.
Araujo et al. [5] developed a new system for creating security patches that do not appear to be patched from an attacker’s perspective. The authors model “Honey-Patches” by taking CVE patches from the Apache server software and modify them such that they look like the unpatched version of the software. They include hooks that detect an attempted use of the patched exploit and then spin up a reversed proxy connection to drop attackers into a secure honeypot. These are essentially just functions that open a new connection and direct an LXC container to be spun up from a pool. The goal here is to make attackers believe their attack or exploit was successful and waste their time. The author’s setup like the first paper also generates a set of obfuscated data that is meant to make the decoy look and act as though it was the resource that the attackers were originally targeting. The authors evaluated their work by creating 5 separate honey patches and found that the average request time for legitimate users was not significantly altered by the use of the honey-patch setup. The average request time ranging between 2.5 and 5.9 milliseconds.
Horak et al. [6] create a cyber deception game strategy to manipulate the attacker’s belief at various stages of an attack using a series of strategies and techniques to alter deception. The point of this model is to adequately account for the fact that the attacker might have some level of belief that they are being deceived at various stages in the game. This contrasts with other methods that assume the adversary is tricked by the deception techniques and only measure the attackers assumed information based on the premise of the deceptions being completely successful. They design their game as a series of options that the attacker and defender have at various stages of their game based on the amount of deception and knowledge each party has at each stage. In the game, defense and attack options have associated costs and weights for different categories of actions which are shown with a transitional state graph. The authors evaluate their strategy and find that optimal winning strategies for the defender are possible even under pessimistic assumptions about the defender’s ability to deceive the attacker.
Du et al. [7] construct what they call a pseudo-honeypot game theoretic strategy that deploys different types of honeypots from a central SDN in the face of an attacker. The game strategy implements two different novel contributions, the first is that their game is explicitly dealing with an attack strategy where the attacker attempts to find and take control of the central SDN. This is very unique in the face of other paper models that don’t really discuss what happens if the honeypost orchestration infrastructure is subverted or discovered. Here the authors assume that the attacker strategy is to identify static honeypots where they exist and create an optimal strategy for attacking and subverting the SDN directly. The second novel contribution is that the authors consider multiple different types of honeypots in their strategy, some that are full honeypots and some that can still function as nodes that serve real users with partial functionality at the same time as they act as honeypots for malicious users. These so called pseudo-honeypot nodes are the key to creating a more lean solution with less overhead compared to other solution models. The authors show that under certain conditions and with certain payoff weights for various action steps within their model there are defender strategies that achieve an optimal Bayesian-Nash equilibrium. The authors demonstrate that the optimal strategy in their model can resist DDoS attacks with a lower CPU energy consumption rate than other existing models due to some honeypots being only partially decoys.
Wang et al. [8] design a honeypot resource deployment mechanism that is able to dynamically deploy honeypots within the network infrastructure. This is an improvement over other models where the resources are deployed to static locations throughout the model’s network topology that do not change except under manual alterations done by administrators. Here the authors use a deep learning algorithm to train a model that is able to dynamically deploy to the weakest or most vulnerable areas of the network topology. Which areas these are is then decided by a network threat penetration graph that the authors design for the target network. The algorithm looks at the generated penetration graph and allocates a finite set of deception resources based on changes in the penetration graph. The authors then do a feature comparison of their model versus several competing models and show that their model is the only one that satisfies the properties they decided were necessary for such systems.
In Anjum et al. [9] the authors created HoneyRoles, which are essentially detection mechanisms for attacks on routers and switches. By creating HoneyRoles which establish honey connections to SDN based routers and switches the mechanisms are able to detect if these routers and switches have been tampered with or not. The authors argue that modern switching and routing devices are a prime target for infiltration by attackers looking to engage in passive reconnaissance. While they sit on the routers they are able to effectively map out the entire network structure via the routing tables. Based on the actions of the router the HoneyRoles are able to determine a ranked weight of suspiciousness that routers in the network topology have. The authors implemented this system as a simulated OpenFlow network and found that the majority of requests were able to complete with 14% or less extra overhead above the baseline requests.
References
[1] Achleitner, Stefan, et al. “Cyber deception: Virtual networks to defend insider reconnaissance.” Proceedings of the 8th ACM CCS international workshop on managing insider security threats. 2016.
[2] Voris, Jonathan, et al. “Fox in the trap: Thwarting masqueraders via automated decoy document deployment.” Proceedings of the Eighth European Workshop on System Security. 2015.
[3] Rawat, Danda B., Naveen Sapavath, and Min Song. “Performance evaluation of deception system for deceiving cyber adversaries in adaptive virtualized wireless networks.” Proceedings of the 4th ACM/IEEE Symposium on Edge Computing. 2019.
[4] Sun J, Sun K, Li Q. Towards a Believable Decoy System: Replaying Network Activities from Real System. In 2020 IEEE Conference on Communications and Network Security (CNS) 2020 Jun 29 (pp. 1-9). IEEE. https://ieeexplore.ieee.org/document/9162163
[5] Araujo, Frederico, et al. “From patches to honey-patches: Lightweight attacker misdirection, deception, and disinformation.” Proceedings of the 2014 ACM SIGSAC conference on computer and communications security. 2014. https://dl.acm.org/doi/10.1145/2660267.2660329
[6] Horák, Karel, Quanyan Zhu, and Branislav Bošanský. “Manipulating adversary’s belief: A dynamic game approach to deception by design for proactive network security.” International Conference on Decision and Game Theory for Security. Springer, Cham, 2017.
[7] Du, Miao, and Kun Wang. “An SDN-enabled pseudo-honeypot strategy for distributed denial of service attacks in industrial Internet of Things.” IEEE Transactions on Industrial Informatics 16.1 (2019): 648-657.
[8] Wang, Shuo, et al. “An Intelligent Deployment Policy for Deception Resources Based on Reinforcement Learning.” IEEE Access 8 (2020): 35792-35804.
[9] Anjum et al. “Role-based Deception in Enterprise Networks”, Arxiv Preprint, 2020