Copyright © 2012, Elsevier Inc. All Rights Reserved

Chapter 2

Deception

Cyber Attacks

Protecting National Infrastructure, 1st ed.


Chapter 2 – Deception

Introduction

  • Deception is deliberately misleading an adversary by creating a system component that looks real but is in reality a trap
  • Sometimes called a honey pot
  • Deception helps accomplish the following security objectives:
      • Attention
      • Energy
      • Uncertainty
      • Analysis

  • If adversaries are aware that perceived vulnerabilities may, in fact, be a trap, deception may defuse actual vulnerabilities that security managers know nothing about.


Fig. 2.1 – Use of deception in computing


Introduction

  • Four distinct attack stages:
      • Scanning
      • Discovery
      • Exploitation
      • Exposing


Fig. 2.2 – Stages of deception for national infrastructure protection

Scanning Stage

  • Adversary is scanning for exploitation points
  • May include both online and offline scanning
  • Deceptive design goal: design an interface with the following components
      • Authorized services
      • Real vulnerabilities
      • Bogus vulnerabilities
  • Data can be collected in real time when the adversary attacks the honey pot


Fig. 2.3 – National asset service interface with deception

Deliberately Open Ports

  • Deliberately inserting an open service port on an Internet-facing server is the most straightforward deceptive computing practice
  • Adversaries face three views
      • Valid open ports
      • Inadvertently open ports
      • Deliberately open ports connected to honey pots
  • Must take care that real assets aren’t put at risk by bogus ports
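As an added illustration (not code from the book or these slides), the Python sketch below models the three port views above together with the lifecycle stages of Fig. 2.2 for connections arriving at a trap: each observation on a deliberately open port carries a trap marker, so nothing is forwarded to a real asset and the intrusion detection and incident response teams can tell trap activity from a real incident. The port sets and the stage heuristic are constructed assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed port map for one example server (not from the book).
VALID_PORTS = {22, 443}         # authorized services on a real asset
TRAP_PORTS = {23, 1433, 3389}   # deliberately open ports wired to a honey pot
# Any other listening port is "inadvertently open": a real finding, never a trap.

@dataclass
class Event:
    time: str
    src: str
    port: int
    view: str      # "valid", "trap" or "inadvertent"
    stage: str     # "scanning", "discovery" or "exploitation"
    trap: bool     # True: IDS/IR must not raise a real-asset incident for it
    sample: bytes  # first bytes sent, kept for later forensic analysis

def classify_port(port: int) -> str:
    """Which of the three views an adversary gets for this port."""
    if port in TRAP_PORTS:
        return "trap"
    return "valid" if port in VALID_PORTS else "inadvertent"

def infer_stage(payload: bytes) -> str:
    """Stage heuristic (an assumption of this example): a bare connect is
    scanning, data sent to the port means the bait was taken (discovery), and
    a long or binary payload is treated as an exploitation attempt."""
    if not payload:
        return "scanning"
    if len(payload) > 64 or any(b > 126 for b in payload):
        return "exploitation"
    return "discovery"

@dataclass
class DeceptionTracker:
    events: list = field(default_factory=list)

    def observe(self, src: str, port: int, payload: bytes = b"") -> Event:
        """Record one connection; nothing is ever forwarded to a real asset."""
        view = classify_port(port)
        ev = Event(datetime.now(timezone.utc).isoformat(), src, port, view,
                   infer_stage(payload), view == "trap", payload[:32])
        self.events.append(ev)
        return ev

    def stages_reached(self, src: str) -> set:
        """Lifecycle stages this source has shown against trap ports only."""
        return {e.stage for e in self.events if e.src == src and e.trap}
```

In a deployment the trap's accept loop would call `observe` for each connection and hand the events to the coordination process shared with the detection team; events with `view == "inadvertent"` are real exposures to fix, not deception.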


Fig. 2.4 – Use of deceptive bogus ports to bogus assets


Fig. 2.5 – Embedding a honey pot server into a normal server complex

Discovery Stage

  • The discovery stage is when an adversary finds and accepts security bait embedded in the trap
  • Make the adversary believe real assets are bogus
      • Sponsored research
      • Published case studies
      • Open solicitations
  • Make the adversary believe bogus assets are real
  • The technique of duplication is often used for honey pot design


Fig. 2.6 – Duplication in honey pot design

Deceptive Documents

  • Creation and special placement of deceptive documents can be used to trick an adversary (especially useful for detecting a malicious insider)
  • Only works when the content is convincing and the protections appear real
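An added example (not from the book) of the deceptive-document idea as a honeytoken: a bogus document is planted with a unique token in its name, and file-access audit lines are checked for that token, with an allowance for accounts such as a backup agent that legitimately touch every file (the "process allowance" of the exploitation stage). The audit line format, user names, paths and token are constructed for this example.

```python
import re
import secrets
from pathlib import Path
from typing import Iterable, List, Optional, Set, Tuple


def plant_document(enclave: Path, label: str, body: str,
                   token: Optional[str] = None) -> str:
    """Write a convincing-looking bogus document into the protected enclave
    and return the token embedded in its name. No legitimate workflow should
    ever open it, so the token is what the detector watches for."""
    token = token or secrets.token_hex(4)
    (enclave / f"{label}_{token}.txt").write_text(body)
    return token


# Constructed audit-line format for this example (not a real product's):
#   <timestamp> user=<name> op=<read|write|copy> path=<file>
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>\S+)$")


def detect_access(audit_lines: Iterable[str], tokens: Iterable[str],
                  allowed_users: Optional[Set[str]] = None
                  ) -> List[Tuple[str, str, str, str]]:
    """Return (ts, user, op, path) for every audit line that touches a planted
    document. Matching on the token rather than the full path also catches
    renamed or copied files. allowed_users holds accounts (e.g. a backup
    agent) that legitimately read every file and would otherwise cause
    false alarms."""
    tokens = list(tokens)
    allowed = allowed_users or set()
    hits = []
    for line in audit_lines:
        m = AUDIT_RE.match(line.strip())
        if not m or m["user"] in allowed:
            continue
        if any(t in m["path"] for t in tokens):
            hits.append((m["ts"], m["user"], m["op"], m["path"]))
    return hits


# Constructed audit sample: a routine read, one touch of the bait by a user,
# one by the backup account, and a malformed line the parser must skip.
SAMPLE_AUDIT = [
    "2012-03-01T10:14:55Z user=jsmith op=read path=/enclave/quarterly_report.docx",
    "2012-03-01T10:15:02Z user=jsmith op=copy path=/enclave/acquisition_plan_c0ffee42.txt",
    "2012-03-01T23:00:11Z user=backup op=read path=/enclave/acquisition_plan_c0ffee42.txt",
    "garbage line that does not match the audit format",
]
```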


Fig. 2.7 – Planting a bogus document in protected enclaves

Exploitation Stage

  • This stage is when an adversary exploits a discovered vulnerability
  • Early activity is called low-radar actions
  • When detected, it is called indications and warnings
  • Key requirement: any exploitation of a bogus asset must not cause disclosure, integrity, theft, or availability problems with any real asset


Fig. 2.8 – Pre- and post-attack stages at the exploitation stage


Exploitation Stage (continued)

  • Related issue: intrusion detection and incident response teams might be fooled into believing trap functionality is real. False alarms can be avoided by
      • Process coordination
      • Trap isolation
      • Back-end insiders
      • Process allowance


Procurement Tricks

  • Understand adversary behavior by comparing it in different environments.
  • The procurement lifecycle is one of the most underestimated components in national infrastructure protection (from an attack perspective)


Fig. 2.9 – Using deception against malicious suppliers

Exposing Stage

  • The deception lifecycle ends with the adversary exposing behavior to the deception operator
  • Therefore, deception must allow a window for observing that behavior
      • Sufficient detail
      • Hidden probes
      • Real-time observation


Fig. 2.10 – Adversary exposing stage during deception

Interfaces Between Humans and Computers

  • Gathering of forensic evidence relies on understanding how systems, protocols, and services interact
      • Human-to-human
      • Human-to-computer
      • Computer-to-human
      • Computer-to-computer
  • Real-time forensic analysis is not possible for every scenario


Fig. 2.11 – Deceptively exploiting the human-to-human interface

National Deception Program

  • Programs for national deception would be better designed based on the following assumptions:
      • Selective infrastructure use
      • Sharing of results and insights
      • Reuse of tools and methods
  • An objection to deception that remains is that it is not effective against botnet attacks
      • Though a tarpit might degrade the effectiveness of a botnet
