Cyber Deception Architecture: Covert Attack Reconnaissance Using a Safe SDN Approach

Significant valuable information can be determined by observing attackers in action. These observations provide significant insight into the attacker’s TTPs and motivations. It is challenging to continue observations when attackers breach operational networks. This paper describes a deception network methodology that redirects traffic from the compromised Operational Network (O-Net) to an identically configured Deception Network (D-Net) minimizing any further compromise of operational data and assets, while also allowing the tactics, techniques, and procedures of the attacker to be studied. To keep the adversary oblivious to the transfer from the O-Net to the D-Net, we employ a sophisticated and unique packet rewriting technique using Software Defined Networking (SDN) technology that builds on two other strategies. This paper discusses the foundational strategies and introduces a new strategy that improves behavior for our described scenarios. We then provide some preliminary test results and suggest topics for further research

Towards Identifying Human Actions, Intent, and Severity of APT Attacks Applying Deception Techniques -- An Experiment

Attacks by Advanced Persistent Threats (APTs) have been shown to be difficult to detect using traditional signature- and anomaly-based intrusion detection approaches. Deception techniques such as decoy objects, often called honey items, may be deployed for intrusion detection and attack analysis, providing an alternative to detect APT behaviours. This work explores the use of honey items to classify intrusion interactions, differentiating automated attacks from those which need some human reasoning and interaction towards APT detection. Multiple decoy items are deployed on honeypots in a virtual honey network, some as breadcrumbs to detect indications of a structured manual attack. Monitoring functionality was created around Elastic Stack with a Kibana dashboard created to display interactions with various honey items. APT type manual intrusions are simulated by an experienced pentesting practitioner carrying out simulated attacks. Interactions with honey items are evaluated in order to determine their suitability for discriminating between automated tools and direct human intervention. The results show that it is possible to differentiate automatic attacks from manual structured attacks; from the nature of the interactions with the honey items. The use of honey items found in the honeypot, such as in later parts of a structured attack, have been shown to be successful in classification of manual attacks, as well as towards providing an indication of severity of the attack