3 research outputs found
Cyber Deception Architecture: Covert Attack Reconnaissance Using a Safe SDN Approach
Significant valuable information can be determined by observing attackers in action. These observations provide significant insight into the attacker’s TTPs and motivations. It is challenging to continue observations when attackers breach operational networks. This paper describes a deception network methodology that redirects traffic from the compromised Operational Network (O-Net) to an identically configured Deception Network (D-Net) minimizing any further compromise of operational data and assets, while also allowing the tactics, techniques, and procedures of the attacker to be studied. To keep the adversary oblivious to the transfer from the O-Net to the D-Net, we employ a sophisticated and unique packet rewriting technique using Software Defined Networking (SDN) technology that builds on two other strategies. This paper discusses the foundational strategies and introduces a new strategy that improves behavior for our described scenarios. We then provide some preliminary test results and suggest topics for further research
Towards Identifying Human Actions, Intent, and Severity of APT Attacks Applying Deception Techniques -- An Experiment
Attacks by Advanced Persistent Threats (APTs) have been shown to be difficult
to detect using traditional signature- and anomaly-based intrusion detection
approaches. Deception techniques such as decoy objects, often called honey
items, may be deployed for intrusion detection and attack analysis, providing
an alternative to detect APT behaviours. This work explores the use of honey
items to classify intrusion interactions, differentiating automated attacks
from those which need some human reasoning and interaction towards APT
detection. Multiple decoy items are deployed on honeypots in a virtual honey
network, some as breadcrumbs to detect indications of a structured manual
attack. Monitoring functionality was created around Elastic Stack with a Kibana
dashboard created to display interactions with various honey items. APT type
manual intrusions are simulated by an experienced pentesting practitioner
carrying out simulated attacks. Interactions with honey items are evaluated in
order to determine their suitability for discriminating between automated tools
and direct human intervention. The results show that it is possible to
differentiate automatic attacks from manual structured attacks; from the nature
of the interactions with the honey items. The use of honey items found in the
honeypot, such as in later parts of a structured attack, have been shown to be
successful in classification of manual attacks, as well as towards providing an
indication of severity of the attack