Question

 


Each student will write an APA paper with no less than 6 peer reviewed references and no less than 3 pages of findings on one aspect of the weekly readings.

For this week you can choose any topic that is in our material to write on

Subject Name: Emerging Threats & Countermeas


Chapter 2: Deception

Cyber Attacks: Protecting National Infrastructure, 1st ed.

Copyright © 2012, Elsevier Inc. All Rights Reserved
Introduction

• Deception is deliberately misleading an adversary by
creating a system component that looks real but is in
reality a trap
– Sometimes called a honey pot

• Deception helps accomplish the following security
objectives
– Attention

– Energy

– Uncertainty

– Analysis

Introduction

• If adversaries are aware that perceived vulnerabilities
may, in fact, be a trap, deception may defuse actual
vulnerabilities that security managers know nothing
about.

Fig. 2.1 – Use of deception in computing

Introduction

• Four distinct attack stages:
– Scanning
– Discovery
– Exploitation
– Exposing

Fig. 2.2 – Stages of deception for national infrastructure protection

Scanning Stage

• Adversary is scanning for exploitation points
– May include both online and offline scanning

• Deceptive design goal: Design an interface with the
following components
– Authorized services
– Real vulnerabilities
– Bogus vulnerabilities

• Data can be collected in real-time when adversary
attacks honey pot

Fig. 2.3 – National asset service interface with deception

Deliberately Open Ports

• Deliberately inserting an open service port on an
Internet-facing server is the most straightforward
deceptive computing practice

• Adversaries face three views
– Valid open ports
– Inadvertently open ports
– Deliberately open ports connected to honey pots

• Must take care the real assets aren’t put at risk by
bogus ports
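The slides describe a deliberately open port wired to a honey pot, with data collected in real time as the adversary interacts with it, and warn that the bogus port must not put real assets at risk. The Python below is an added example, not code from the book or its author: a minimal low-interaction listener that answers on an operator-chosen port with a bogus FTP-style banner, records each connection attempt (UTC timestamp, peer address, first bytes sent) and closes the connection without relaying anything anywhere. The port number, banner text, record format and the constructed peer address used by simulate_probe are assumptions made for this example.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Assumed values for this example (not from the book): the banner a scanner
# will see, how much attacker input is kept, and how long to wait for it.
BOGUS_BANNER = b"220 ftp.example.internal FTP server ready\r\n"
MAX_CAPTURE = 256     # bytes of attacker input retained per connection
READ_TIMEOUT = 2.0    # seconds to wait for the adversary's first request


def record_probe(peer, first_bytes, records, on_record=None, now=None):
    """Append one observation of the bogus port to the shared record list.

    Only the peer address, a UTC timestamp and the first bytes sent are kept.
    on_record (optional) lets an operator stream each entry out in real time.
    """
    entry = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "peer_ip": peer[0],
        "peer_port": peer[1],
        "first_bytes": first_bytes.decode("latin-1"),  # never fails on raw bytes
    }
    records.append(entry)
    if on_record:
        on_record(entry)
    return entry


def handle_client(conn, peer, records, on_record=None):
    """Serve one connection: send the banner, capture the first request, close.

    Nothing the peer sends is acted upon or forwarded, so the trap cannot be
    turned into a relay toward real assets.
    """
    first_bytes = b""
    try:
        conn.sendall(BOGUS_BANNER)
        conn.settimeout(READ_TIMEOUT)
        try:
            first_bytes = conn.recv(MAX_CAPTURE)
        except OSError:
            pass  # a bare port scan connects and says nothing; still recorded
    finally:
        conn.close()
    return record_probe(peer, first_bytes, records, on_record)


def serve(host="127.0.0.1", port=2121, records=None, on_record=None, stop_event=None):
    """Accept connections until stop_event is set; returns the record list."""
    records = [] if records is None else records
    stop_event = stop_event or threading.Event()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    srv.settimeout(0.5)  # wake periodically so stop_event is honoured
    try:
        while not stop_event.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle_client,
                             args=(conn, peer, records, on_record),
                             daemon=True).start()
    finally:
        srv.close()
    return records


def simulate_probe(payload, peer=("198.51.100.7", 40000)):
    """Exercise handle_client offline over a socketpair (constructed peer).

    Returns (entry, banner_seen_by_peer) so the behaviour can be checked
    without binding a network port.
    """
    a, b = socket.socketpair()
    try:
        b.sendall(payload)                      # the "attacker's" first request
        entry = handle_client(a, peer, [])      # closes a
        banner = b.recv(len(BOGUS_BANNER))
    finally:
        a.close()
        b.close()
    return entry, banner


if __name__ == "__main__":
    # Stream one JSON line per probe to stdout; stop with Ctrl-C.
    try:
        serve(on_record=lambda e: print(json.dumps(e), flush=True))
    except KeyboardInterrupt:
        pass
```

In a deployment the on_record callback would ship each entry to the monitoring pipeline rather than print it, and the listener would run on a host that has no route to production assets, which is the isolation property the slide's last bullet is asking for.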

Fig. 2.4 – Use of deceptive bogus ports to bogus assets

Fig. 2.5 – Embedding a honey pot server into a normal server complex

Discovery Stage

• The discovery stage is when an adversary finds and
accepts security bait embedded in the trap

• Make adversary believe real assets are bogus
– Sponsored research
– Published case studies
– Open solicitations

• Make adversary believe bogus assets are real
– Technique of duplication is often used for honey pot
design

Fig. 2.6 – Duplication in honey pot design

Deceptive Documents

• Creation and special placement of deceptive
documents can be used to trick an adversary
(especially useful for detecting a malicious insider)
– Only works when content is convincing and
protections appear real

Fig. 2.7 – Planting a bogus document in protected enclaves

Exploitation Stage

• This stage is when an adversary exploits a discovered
vulnerability
– Early activity called low radar actions
– When detected called indications and warnings

• Key requirement: Any exploitation of a bogus asset
must not cause disclosure, integrity, theft, or
availability problems with any real asset

Fig. 2.8 – Pre- and post-attack stages at the exploitation stage

Exploitation Stage

• Related issue: Intrusion detection and incident
response teams might be fooled into believing trap
functionality is real. False alarms can be avoided by
– Process coordination
– Trap isolation
– Back-end insiders
– Process allowance
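The slide names process coordination and trap isolation as ways to stop detection and response teams from treating trap activity as a real compromise, and the previous slide requires that exploitation of a bogus asset never harm a real one. The Python below is an added example, not from the book, of how a SOC could encode both: a trap inventory shared with detection, so that contact with a honey pot is labelled a deception hit and recorded instead of raised as an incident; the source is remembered as hostile so that the same peer touching a real asset is escalated; and any traffic that originates from a honey pot toward a real asset is flagged as a trap isolation failure. The addresses, the firewall log format, the sample lines and the severity labels are all constructed for this example.

```python
import re

# Constructed inventory shared between the deception operator and the SOC.
# Addresses are private/documentation ranges chosen for the example.
HONEYPOT_ASSETS = {"10.0.9.15", "10.0.9.16"}   # deliberately exposed traps
REAL_ASSETS = {"10.0.1.10", "10.0.1.11"}       # production servers

# Constructed firewall log format for the example:
#   <timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_event(line):
    """Turn one constructed log line into a dict; reject anything malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


class DeceptionTriage:
    """Label events using the shared trap inventory (process coordination)
    and check that traps never reach real assets (trap isolation)."""

    def __init__(self, honeypots, real_assets):
        self.honeypots = set(honeypots)
        self.real_assets = set(real_assets)
        self.hostile_sources = set()   # peers observed taking the bait

    def classify(self, ev):
        src, dst = ev["src"], ev["dst"]
        # Trap isolation: a honey pot must never originate traffic to real assets.
        if src in self.honeypots:
            if dst in self.real_assets:
                return "critical", "trap_isolation_failure"
            return "high", "honeypot_initiated_traffic"
        # Process coordination: contact with a trap is a deception hit, not a
        # compromise of a real asset, so it is recorded rather than escalated.
        if dst in self.honeypots:
            self.hostile_sources.add(src)
            if src in self.real_assets:
                # A production host touching the bait points at an insider or a
                # compromised internal machine; that one does deserve attention.
                return "high", "internal_host_touched_trap"
            return "info", "deception_hit"
        # Real-time use of what the trap revealed: the same peer on a real asset.
        if dst in self.real_assets and src in self.hostile_sources:
            return "high", "known_hostile_touching_real_asset"
        return "none", "normal"

    def run(self, lines):
        results = []
        for line in lines:
            ev = parse_event(line)
            severity, label = self.classify(ev)
            results.append({**ev, "severity": severity, "label": label})
        return results


# Constructed sample log; events are processed in order.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z src=203.0.113.5 dst=10.0.9.15 dport=21 action=allow",
    "2024-05-01T10:00:03Z src=203.0.113.5 dst=10.0.1.10 dport=443 action=allow",
    "2024-05-01T10:01:00Z src=10.0.9.15 dst=10.0.1.11 dport=22 action=deny",
    "2024-05-01T10:02:00Z src=198.51.100.9 dst=10.0.1.10 dport=443 action=allow",
    "2024-05-01T10:03:00Z src=10.0.1.11 dst=10.0.9.16 dport=445 action=allow",
]


def triage(lines=SAMPLE_LOG, honeypots=HONEYPOT_ASSETS, real_assets=REAL_ASSETS):
    """Run triage over lines and return the labelled events in order."""
    return DeceptionTriage(honeypots, real_assets).run(lines)


if __name__ == "__main__":
    for r in triage():
        print(f"{r['ts']} {r['src']} -> {r['dst']}:{r['dport']} "
              f"[{r['severity']}] {r['label']}")
```

Run on the sample log, the first line is recorded as a deception hit at informational severity, the same scanner reaching a production server three seconds later is escalated, the denied connection from the honey pot toward a real asset is the critical isolation failure the key requirement on the previous slide forbids, and the internal host touching a trap is the insider case the deceptive documents slide mentions.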

Procurement Tricks

• Understand adversary behavior by comparing it in
different environments.

• The procurement lifecycle is one of the most
underestimated components in national
infrastructure protection (from an attack
perspective)

Fig. 2.9 – Using deception against malicious suppliers

Exposing Stage

• The deception lifecycle ends with the adversary
exposing behavior to the deception operator

• Therefore, deception must allow a window for
observing that behavior
– Sufficient detail
– Hidden probes
– Real-time observation

Fig. 2.10 – Adversary exposing stage during deception

Interfaces Between Humans and Computers

• Gathering of forensic evidence relies on
understanding how systems, protocols, and services
interact
– Human-to-human
– Human-to-computer
– Computer-to-human
– Computer-to-computer

• Real-time forensic analysis not possible for every
scenario

Fig. 2.11 – Deceptively exploiting the human-to-human interface

National Deception Program

• Programs for national deception would be better
designed based on the following assumptions:
– Selective infrastructure use
– Sharing of results and insights
– Reuse of tools and methods

• An objection to deception that remains is that it is
not effective against botnet attacks
– Though a tarpit might degrade the effectiveness of a
botnet
