Each student will write an APA paper with no fewer than 6 peer-reviewed references and no fewer than 3 pages of findings on one aspect of the weekly readings.
For this week you can choose any topic that is in our material to write on.
Subject Name: Emerging Threats & Countermeas
Chapter 2 – Deception
Cyber Attacks: Protecting National Infrastructure, 1st ed.
Copyright © 2012, Elsevier Inc. All Rights Reserved

Introduction
• Deception is deliberately misleading an adversary by creating a system component that looks real but is in reality a trap
– Sometimes called a honey pot
• Deception helps accomplish the following security objectives
– Attention
– Energy
– Uncertainty
– Analysis

Introduction
• If adversaries are aware that perceived vulnerabilities may, in fact, be a trap, deception may defuse actual vulnerabilities that security managers know nothing about.

Fig. 2.1 – Use of deception in computing

Introduction
• Four distinct attack stages:
– Scanning
– Discovery
– Exploitation
– Exposing

Fig. 2.2 – Stages of deception for national infrastructure protection

Scanning Stage
• Adversary is scanning for exploitation points
– May include both online and offline scanning
• Deceptive design goal: design an interface with the following components
– Authorized services
– Real vulnerabilities
– Bogus vulnerabilities
• Data can be collected in real time when the adversary attacks the honey pot

Fig. 2.3 – National asset service interface with deception

Deliberately Open Ports
• Deliberately inserting an open service port on an Internet-facing server is the most straightforward deceptive computing practice
• Adversaries face three views
– Valid open ports
– Inadvertently open ports
– Deliberately open ports connected to honey pots
• Must take care that real assets aren’t put at risk by bogus ports
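As an added illustration of the scanning stage and of a deliberately open port (this is not code from the book), the listener below presents a fake service banner, records each connection the moment it happens, reads only a bounded amount of input and never acts on it, so the bogus port cannot be turned against a real asset. The banner text is an assumption, and port 0 is used only so the demonstration binds a free port.

```python
import socket
import socketserver
import threading
import time

events = []  # one record per connection: source, time, trap port, first bytes sent
events_lock = threading.Lock()

class BogusPortHandler(socketserver.BaseRequestHandler):
    # Assumed banner: reads like an FTP greeting, but no FTP service exists behind it.
    BANNER = b"220 ftp.internal ready\r\n"
    MAX_BYTES = 256  # bounded read: the trap must not become a resource-exhaustion target
    def handle(self):
        self.request.settimeout(2.0)
        self.request.sendall(self.BANNER)
        try:
            data = self.request.recv(self.MAX_BYTES)
        except socket.timeout:
            data = b""
        with events_lock:  # recorded in real time, while the scanner is still connected
            events.append({"time": time.time(), "source": self.client_address[0],
                           "port": self.server.server_address[1], "first_bytes": data})
        # The connection is then closed: the input is evidence, never a command.

class BogusPortServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

def start_trap(host="127.0.0.1", port=0):
    """Start the trap in a background thread; return (server, bound port).
    port=0 lets the OS choose; a deployment binds the chosen bogus port instead."""
    server = BogusPortServer((host, port), BogusPortHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

def probe(host, port, payload):
    """Stand-in for a scanner touching the port; returns the banner it was shown."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(64)
        s.sendall(payload)
    return banner

def wait_for_events(count, timeout=3.0):
    """Poll until `count` connections are recorded; the handler runs in another thread."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with events_lock:
            if len(events) >= count:
                return True
        time.sleep(0.01)
    return False
```

Every record in `events` is what the slides call data collected in real time: the scanner's address, the time, and what it sent after seeing the banner.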

Fig. 2.4 – Use of deceptive bogus ports to bogus assets

Fig. 2.5 – Embedding a honey pot server into a normal server complex

Discovery Stage
• The discovery stage is when an adversary finds and accepts security bait embedded in the trap
• Make adversary believe real assets are bogus
– Sponsored research
– Published case studies
– Open solicitations
• Make adversary believe bogus assets are real
– Technique of duplication is often used for honey pot design

Fig. 2.6 – Duplication in honey pot design

Deceptive Documents
• Creation and special placement of deceptive documents can be used to trick an adversary (especially useful for detecting a malicious insider)
– Only works when the content is convincing and the protections appear real
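An added example (not from the book) of planting a deceptive document and watching for its discovery: a unique honey token is embedded in the file as an innocuous reference number, file-access audit lines are scanned for anyone other than the deception operator opening it, and the same token can be matched in content seen outside the enclave. The audit-line format, the user names and the HT- token prefix are constructed assumptions.

```python
import re
import secrets
import tempfile

TOKEN_PREFIX = "HT-"  # assumed marker; the random suffix keeps the token unguessable

def make_enclave():
    """Scratch directory standing in for the protected enclave (for the demonstration)."""
    return tempfile.mkdtemp()

def plant_document(enclave_dir, title, body):
    """Write a convincing-looking document into the enclave; return (path, token).
    The token sits in the content, so it travels with any copy that is taken."""
    token = TOKEN_PREFIX + secrets.token_hex(8)
    path = f"{enclave_dir}/{title}.txt"
    # To a reader the token looks like an ordinary document reference number.
    with open(path, "w") as fh:
        fh.write(f"{title}\nRef: {token}\n\n{body}\n")
    return path, token

# Constructed audit-log format: "<iso-time> user=<name> action=<verb> path=<file>"
AUDIT_RE = re.compile(r"^(?P<time>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>.+)$")

def detect_access(audit_lines, planted, operators=()):
    """Alert on every access to a planted document by anyone but the deception
    operators. `planted` maps document path -> token."""
    alerts = []
    for line in audit_lines:
        m = AUDIT_RE.match(line.strip())
        if not m or m["path"] not in planted or m["user"] in operators:
            continue  # unparsable, a real document, or the operator tending the trap
        alerts.append({"time": m["time"], "user": m["user"],
                       "action": m["action"], "token": planted[m["path"]]})
    return alerts

def find_leaked_tokens(content, planted):
    """Tokens that appear in content observed elsewhere (mail, uploads): the planted
    document, or a copy of it, has left the enclave."""
    return sorted(t for t in planted.values() if t in content)
```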

Fig. 2.7 – Planting a bogus document in protected enclaves

Exploitation Stage
• This stage is when an adversary exploits a discovered vulnerability
– Early activity is called low radar actions
– When detected, it is called indications and warnings
• Key requirement: any exploitation of a bogus asset must not cause disclosure, integrity, theft, or availability problems with any real asset

Fig. 2.8 – Pre- and post-attack stages at the exploitation stage

Exploitation Stage
• Related issue: intrusion detection and incident response teams might be fooled into believing trap functionality is real. False alarms can be avoided by
– Process coordination
– Trap isolation
– Back-end insiders
– Process allowance
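Added example (not the book's code) of the process coordination and trap isolation points above: a trap registry shared between the IDS and IR teams lets alert triage tag traffic aimed at honey pot hosts or at bogus ports on real servers as expected deception activity for the deception operator, while any traffic originating from a honey pot is escalated, because a bogus asset must never be able to reach a real one (the key requirement on the earlier Exploitation Stage slide). The addresses, ports and alert records are constructed.

```python
import ipaddress

class TrapRegistry:
    """Shared record of deception assets, so IDS and IR see the same picture
    (process coordination): whole honey pot hosts plus bogus ports on real servers."""
    def __init__(self, honeypot_networks, bogus_ports):
        self.networks = [ipaddress.ip_network(n) for n in honeypot_networks]
        self.bogus_ports = {(ipaddress.ip_address(h), p) for h, p in bogus_ports}

    def is_trap_host(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def is_trap(self, ip, port):
        return self.is_trap_host(ip) or (ipaddress.ip_address(ip), port) in self.bogus_ports

def route_alert(alert, registry):
    """Decide where an IDS alert goes. alert: dict with src, dst, dport, sig.
    Returns (queue, severity)."""
    if registry.is_trap_host(alert["src"]):
        # A trap must never reach out to anything: traffic originating from a honey
        # pot means isolation has failed and a real asset may now be at risk.
        return "incident", "critical"
    if registry.is_trap(alert["dst"], alert["dport"]):
        # Expected trap activity: evidence for the deception operator, not an incident.
        return "deception-operator", "info"
    return "incident", alert.get("severity", "medium")

def triage(alerts, registry):
    """Split a batch of alerts into the IR queue and the deception operator's queue."""
    routed = {"incident": [], "deception-operator": []}
    for alert in alerts:
        queue, severity = route_alert(alert, registry)
        routed[queue].append({**alert, "severity": severity,
                              "trap": queue == "deception-operator"})
    return routed
```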

Procurement Tricks
• Understand adversary behavior by comparing it in different environments.
• The procurement lifecycle is one of the most underestimated components in national infrastructure protection (from an attack perspective)

Fig. 2.9 – Using deception against malicious suppliers

Exposing Stage
• The deception lifecycle ends with the adversary exposing behavior to the deception operator
• Therefore, deception must allow a window for observing that behavior
– Sufficient detail
– Hidden probes
– Real-time observation

Fig. 2.10 – Adversary exposing stage during deception

Interfaces Between Humans and Computers
• Gathering of forensic evidence relies on understanding how systems, protocols, and services interact
– Human-to-human
– Human-to-computer
– Computer-to-human
– Computer-to-computer
• Real-time forensic analysis is not possible for every scenario

Fig. 2.11 – Deceptively exploiting the human-to-human interface

National Deception Program
• Programs for national deception would be better designed based on the following assumptions:
– Selective infrastructure use
– Sharing of results and insights
– Reuse of tools and methods
• An objection to deception that remains is that it is not effective against botnet attacks
– Though a tarpit might degrade the effectiveness of a botnet