Chapter02_Lecture_Deception.pdf

Chapter 2

Deception

Cyber Attacks: Protecting National Infrastructure, 1st ed.

Copyright © 2012, Elsevier Inc.

All Rights Reserved

Introduction

• Deception is deliberately misleading an adversary by creating a system component that looks real but is in reality a trap
  – Sometimes called a honey pot

• Deception helps accomplish the following security objectives
  – Attention
  – Energy
  – Uncertainty
  – Analysis

Introduction

• If adversaries are aware that perceived vulnerabilities may, in fact, be a trap, deception may defuse actual vulnerabilities that security managers know nothing about.

Fig. 2.1 – Use of deception in computing

Introduction

• Four distinct attack stages:
  – Scanning
  – Discovery
  – Exploitation
  – Exposing

Fig. 2.2 – Stages of deception for national infrastructure protection

Scanning Stage

• Adversary is scanning for exploitation points
  – May include both online and offline scanning

• Deceptive design goal: Design an interface with the following components
  – Authorized services
  – Real vulnerabilities
  – Bogus vulnerabilities

• Data can be collected in real-time when adversary attacks honey pot
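The real-time data collection on the last bullet is easiest to see in code. The following is an added example, not material from the slides or from the book's author: a low-interaction honey pot that listens on a bogus port, records who connected, when, and the first bytes they sent as a structured event, and returns a neutral banner so the probe sees an "open" service and nothing more. The host, port, banner text and the `probe` helper are all constructed for the example; nothing the peer sends is ever interpreted or executed.

```python
import json
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Constructed settings (not from the slides). Port 0 lets the OS pick a free
# port, which is convenient for local testing; a deployed trap would use the
# bogus port that was deliberately advertised (e.g. a telnet-looking 23).
LISTEN_HOST = "127.0.0.1"
LISTEN_PORT = 0
BANNER = b"220 service ready\r\n"   # neutral reply; reveals nothing about the real estate


def make_event(client_address, local_port, payload):
    """Structured record for the deception operator: who, when, where, and what was sent."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": client_address[0],
        "src_port": client_address[1],
        "dst_port": local_port,
        "payload_len": len(payload),
        # Only the first 64 bytes, hex-encoded, so the log is safe to view and grep.
        "payload_hex": payload[:64].hex(),
    }


class HoneypotHandler(socketserver.BaseRequestHandler):
    """Handle one connection: read what the peer sends, record it, answer with the banner."""

    def handle(self):
        self.request.settimeout(2.0)
        first_bytes = b""
        try:
            first_bytes = self.request.recv(1024)
        except socket.timeout:
            pass  # a bare connect with no data is still worth recording
        event = make_event(self.client_address, self.server.server_address[1], first_bytes)
        self.server.events.append(event)   # appended before the reply, so the feed is live
        try:
            self.request.sendall(BANNER)
        except OSError:
            pass


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, HoneypotHandler)
        self.events = []   # the real-time feed of captured probes


def start_honeypot(host=LISTEN_HOST, port=LISTEN_PORT):
    """Start the trap in a background thread and return the server (its bound port is server.server_address[1])."""
    server = Honeypot((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, payload):
    """Constructed stand-in for a scanner touching the bogus port; returns the banner it received."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        s.sendall(payload)
        return s.recv(64)


if __name__ == "__main__":
    hp = start_honeypot()
    probe(LISTEN_HOST, hp.server_address[1], b"GET / HTTP/1.0\r\n\r\n")
    time.sleep(0.1)
    for ev in hp.events:
        print(json.dumps(ev))
    hp.shutdown()
```

Because the event is appended before the banner is written, anything consuming `server.events` (or a log sink wired into `make_event`) sees the probe while the adversary is still connected, which is the "real-time" property the slide refers to. The handler never parses or acts on the payload, which is what keeps a low-interaction trap from becoming a real vulnerability on the same server.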

Fig. 2.3 – National asset service interface with deception

Deliberately Open Ports

• Deliberately inserting an open service port on an Internet-facing server is the most straightforward deceptive computing practice

• Adversaries face three views
  – Valid open ports
  – Inadvertently open ports
  – Deliberately open ports connected to honey pots

• Must take care the real assets aren't put at risk by bogus ports
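The three views above are also the three buckets a defender should be able to sort an external scan result into, and the last bullet is a check that can be automated. The following is an added example, not code from the slides or the book: given a constructed inventory of authorized services, configured honey-pot ports, and the ports an outside scan actually shows open, it classifies every port into the three views and reports the conditions that put real assets at risk (a bogus port colliding with a real service, a trap port that is not actually reachable, and the inadvertently open ports that are real exposures rather than traps). All port numbers and service names are constructed.

```python
from dataclasses import dataclass

# Constructed inventory for one Internet-facing server (not from the slides).
AUTHORIZED_SERVICES = {22: "ssh", 443: "https"}         # valid open ports
HONEYPOT_PORTS = {23: "telnet-trap", 3389: "rdp-trap"}   # deliberately open, wired to honey pots
OBSERVED_OPEN = {22, 23, 443, 3389, 8080}                # what an external scan of the server shows


@dataclass(frozen=True)
class PortViews:
    valid: frozenset        # authorized services
    inadvertent: frozenset  # open, but neither authorized nor a trap: a real exposure
    deliberate: frozenset   # bogus ports connected to honey pots


def classify_open_ports(observed, authorized, honeypots):
    """Sort every externally visible open port into the three views the adversary faces."""
    observed = frozenset(observed)
    authorized = frozenset(authorized)   # dict keys when a dict is passed
    honeypots = frozenset(honeypots)
    return PortViews(
        valid=observed & authorized,
        deliberate=observed & honeypots,
        inadvertent=observed - authorized - honeypots,
    )


def bogus_port_problems(authorized, honeypots, observed):
    """Safety findings to review before (and periodically after) publishing bogus ports."""
    problems = []
    # 1. A port that is both a real service and a trap diverts real traffic into the honey pot
    #    (or lets the trap shadow the real service); the slide's "real assets at risk" case.
    for port in sorted(set(authorized) & set(honeypots)):
        problems.append(f"port {port}: listed as both authorized service and honey pot")
    # 2. A trap that the outside cannot reach is bait nobody will find.
    for port in sorted(set(honeypots) - set(observed)):
        problems.append(f"port {port}: configured as honey pot but not visible from outside")
    # 3. Anything open that is neither authorized nor a trap is a real vulnerability, not deception.
    for port in sorted(classify_open_ports(observed, authorized, honeypots).inadvertent):
        problems.append(f"port {port}: open but unaccounted for; close it or authorize it")
    return problems


if __name__ == "__main__":
    views = classify_open_ports(OBSERVED_OPEN, AUTHORIZED_SERVICES, HONEYPOT_PORTS)
    print("valid      :", sorted(views.valid))
    print("deliberate :", sorted(views.deliberate))
    print("inadvertent:", sorted(views.inadvertent))
    for finding in bogus_port_problems(AUTHORIZED_SERVICES, HONEYPOT_PORTS, OBSERVED_OPEN):
        print("WARNING", finding)
```

Run against a periodic external scan, the `inadvertent` set is the list of ports that must be closed, and an empty `bogus_port_problems` result is the evidence that the deception layer is not itself creating a new exposure.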

Fig. 2.4 – Use of deceptive bogus ports to bogus assets

Fig. 2.5 – Embedding a honey pot server into a normal server complex

Discovery Stage

• The discovery stage is when an adversary finds and accepts security bait embedded in the trap

• Make adversary believe real assets are bogus
  – Sponsored research
  – Published case studies
  – Open solicitations

• Make adversary believe bogus assets are real
  – Technique of duplication is often used for honey pot design

Fig. 2.6 – Duplication in honey pot design

Deceptive Documents

• Creation and special placement of deceptive documents can be used to trick an adversary (especially useful for detecting a malicious insider)
  – Only works when content is convincing and
  – Protections appear real
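For a deceptive document to detect a malicious insider, the operator has to know which planted copy was opened and by whom, which means each copy needs its own unobtrusive marker. The following is an added example, not material from the slides or the book: every placement gets a token derived with HMAC from an operator-held secret, the token is embedded where a document-management reference would normally sit, and a file-server audit log (constructed here) is scanned for the tokens to attribute the access back to a placement and a user. The secret, placements, document text and log lines are all constructed; the token derivation is a standard HMAC-SHA256 and the registry is kept off the monitored systems.

```python
import hashlib
import hmac
import re

# Constructed values (not from the slides). The secret lives only with the
# deception operator, never on the file shares where the bait is planted.
OPERATOR_SECRET = b"replace-with-a-random-secret-kept-off-the-share"
PLACEMENTS = ["finance-share/Q3", "engineering-share/roadmap", "exec-mailbox/archive"]

USER_RE = re.compile(r"user=(\S+)")


def make_token(secret, placement):
    """Unique, unguessable reference for one planted copy; one token reveals nothing about the others."""
    return hmac.new(secret, placement.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def plant_documents(secret, placements):
    """Registry the operator keeps: token -> where that copy was planted."""
    return {make_token(secret, p): p for p in placements}


def render_document(token):
    """Body of one bogus document; the token is disguised as an ordinary document-management reference."""
    return (
        "ACQUISITION PLAN - DRAFT - NOT FOR DISTRIBUTION\n"
        f"Document-Ref: DMS-{token}\n"
        "Summary: proposed vendor shortlist and budget envelope ...\n"
    )


def attribute_access(registry, log_lines):
    """Match planted tokens against audit-log lines; return (placement, user, line) for each hit."""
    hits = []
    for line in log_lines:
        for token, placement in registry.items():
            if token in line:
                m = USER_RE.search(line)
                hits.append((placement, m.group(1) if m else "unknown", line))
    return hits


if __name__ == "__main__":
    registry = plant_documents(OPERATOR_SECRET, PLACEMENTS)
    for token, placement in registry.items():
        print(f"--- planted at {placement} ---")
        print(render_document(token))
    finance_token = make_token(OPERATOR_SECRET, "finance-share/Q3")
    sample_log = [  # constructed audit lines: one touches bait, one touches a real file
        f"2012-03-04T10:03:11Z user=jsmith action=open path=/finance/Q3/DMS-{finance_token}.docx",
        "2012-03-04T10:05:47Z user=akumar action=open path=/finance/Q3/budget.xlsx",
    ]
    for placement, user, _ in attribute_access(registry, sample_log):
        print(f"ALERT bait at {placement} opened by {user}")
```

Keying the token to the placement rather than numbering copies sequentially matters for the "protections appear real" bullet: an insider who finds one reference cannot infer that others exist or guess them, and a real document-management scheme would look equally opaque.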

Fig. 2.7 – Planting a bogus document in protected enclaves

Exploitation Stage

• This stage is when an adversary exploits a discovered vulnerability
  – Early activity called low radar actions
  – When detected called indications and warnings

• Key requirement: Any exploitation of a bogus asset must not cause disclosure, integrity, theft, or availability problems with any real asset

17

C h a p te

r 2 –

D e c e p tio

n

Fig. 2.8 – Pre- and post-attack stages at the exploitation stage

Exploitation Stage

• Related issue: Intrusion detection and incident response teams might be fooled into believing trap functionality is real. False alarms can be avoided by
  – Process coordination
  – Trap isolation
  – Back-end insiders
  – Process allowance
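Process coordination and trap isolation can both be expressed as rules in the alert pipeline, and doing so also gives a concrete check for the key requirement on the previous slide (no real asset harmed by exploitation of a bogus one). The following is an added example, not code from the slides or the book: intrusion-detection alerts in a constructed line format are parsed and routed, so that hits on registered trap assets go to the deception team instead of raising an incident, hits on real assets go to incident response as usual, and any traffic from a trap toward a real asset is flagged as an isolation breach, the one case the deception program must never produce. The addresses, signature names and alert lines are all constructed.

```python
import re

# Constructed addresses (not from the slides).
TRAP_ASSETS = {"10.9.9.10", "10.9.9.11"}   # honey pots embedded in the server complex
REAL_ASSETS = {"10.1.1.5", "10.1.1.6"}     # production systems

# Constructed alert line format, e.g.
#   alert sig="scan: telnet probe" src=203.0.113.7:51234 dst=10.9.9.10:23
ALERT_RE = re.compile(
    r'sig="(?P<sig>[^"]+)" src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)'
)

SAMPLE_ALERTS = [  # constructed
    'alert sig="scan: telnet probe" src=203.0.113.7:51234 dst=10.9.9.10:23',
    'alert sig="web: suspicious path" src=203.0.113.7:51240 dst=10.1.1.5:443',
    'alert sig="lateral: smb login" src=10.9.9.10:44512 dst=10.1.1.6:445',
    'alert sig="rdp: brute force" src=198.51.100.9:40001 dst=10.9.9.11:3389',
    "garbled line the sensor emitted",
]


def parse_alert(line):
    """Return a dict for a well-formed alert line, or None if it does not match the format."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"sig": m["sig"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "raw": line}


def route_alerts(lines, trap_assets, real_assets):
    """Coordinate the trap with detection: route each alert to the team that should handle it."""
    queues = {"deception": [], "incident_response": [], "isolation_breach": [], "unparsed": []}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            queues["unparsed"].append(line)
        elif a["src"] in trap_assets and a["dst"] in real_assets:
            # A trap reaching a real asset: isolation failed and a real asset is at risk.
            queues["isolation_breach"].append(a)
        elif a["dst"] in trap_assets:
            # Expected trap activity: the deception operator's data, not an incident.
            queues["deception"].append(a)
        else:
            queues["incident_response"].append(a)
    return queues


if __name__ == "__main__":
    for queue, items in route_alerts(SAMPLE_ALERTS, TRAP_ASSETS, REAL_ASSETS).items():
        print(f"{queue}: {len(items)}")
        for a in items:
            print("   ", a["raw"] if isinstance(a, dict) else a)
```

The isolation-breach queue should stay empty in normal operation; anything landing there is evidence that the trap is connected to real assets in a way the design did not intend, and it should be treated as a real incident even though it involves a bogus asset.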

Procurement Tricks

• Understand adversary behavior by comparing it in different environments.

• The procurement lifecycle is one of the most underestimated components in national infrastructure protection (from an attack perspective)

Fig. 2.9 – Using deception against malicious suppliers

Exposing Stage

• The deception lifecycle ends with the adversary exposing behavior to the deception operator

• Therefore, deception must allow a window for observing that behavior
  – Sufficient detail
  – Hidden probes
  – Real-time observation

Fig. 2.10 – Adversary exposing stage during deception

Interfaces Between Humans and Computers

• Gathering of forensic evidence relies on understanding how systems, protocols, and services interact
  – Human-to-human
  – Human-to-computer
  – Computer-to-human
  – Computer-to-computer

• Real-time forensic analysis not possible for every scenario

Fig. 2.11 – Deceptively exploiting the human-to-human interface

National Deception Program

• Programs for national deception would be better designed based on the following assumptions:
  – Selective infrastructure use
  – Sharing of results and insights
  – Reuse of tools and methods

• An objection to deception that remains is that it is not effective against botnet attacks
  – Though a tarpit might degrade the effectiveness of a botnet