C3E Idea Detail - Decoys
Submitted by Luanne Burns
Title: Decoys
Problem:
Computer networks connected to the internet are being constantly probed by humans and automated agents seeking to understand and map the network terrain, identify vulnerabilities and, when possible, use those vulnerabilities to penetrate computer defenses. Once within a defensive perimeter, these humans and agents continue their reconnaissance mapping networks, identifying resources and information stores, and gathering or reading sensitive information.
Proposal:
The government should invest in research on systems that reduce the likelihood that an adversary conducting reconnaissance of and within one’s systems will find sensitive information by instead guiding the adversary towards decoy information sources that will consume and waste their search efforts. This research would build on the existing body of knowledge related to honey pots and nets by developing capabilities to develop large-scale, high-quality decoy systems and dynamically steer adversaries towards this decoy information (or vice versa).
Such a research program could have the following elements:
Decoy 1 – Scalable Deception Technologies – Develop systems that allow the high volume creation of believable deceptive information such as documents or libraries of documents or networks of virtual machines and phantom users. Such systems could be used to develop content to populate honey pots or nets or, eventually, automatically manage the process of honey pot or net creation and maintenance.
Decoy 2 - Targeted Deceptive Information Delivery - Knowing that one’s adversaries have different goals and points of view from your own, how can you better understand and model their goals and motivations so that you can dynamically design and deploy targeted deceptions that are attractive and believable to them and which will draw their attention away from what is important to you.
Decoy 3 – Information Leakage Measurement with Decoy Systems – Develop systems that can help to detect and measure information leakage by tagging and watching for the movement of specific information. Develop a capability to undetectably taint information within systems (e.g., watermarks or honey tokens) and a parallel monitoring system to detect whether this information is being accessed or moved.
Strengths:
· Honey pots and nets have proven their utility in ensnaring and exposing hostile actors and agents. Creation of high quality networks, however, has to date been a manual rather than an automated process which limits the scale of their application.
· Honeypots collect information only when an attacker interacts with them; any activity is most likely unauthorized or malicious activity. Honeypots collect relatively small data sets all of which are of high information value, the source being only from the adversary.
· Decoys are low-overhead and effective deterrents.
· A well-conceived (and possibly more labor- or resource-intensive) honeypot may placate an attacker. For example, if the adversary’s intent was to install a Trojan horse, he may be content to have done so on the honeypot.
· Honeypots work in encrypted environments as well since the honeypot will detect and capture whatever the adversary throws at it. Encryption deters attackers’ efforts by eating all their time and educates the honeypot’s owners to further strengthen the system.
· Honeytokens can help to track and analyze adversary behavior through detected use and exposure of information obtained from honeypots/honeynets in other areas of your system or in monitored systems elsewhere.
Weaknesses:
· Despite advances in natural language processing, it is possible that the creation of realistic decoy documents which are undetectable to humans will remain unachievable for the near term.
· Honeypots provide a limited view in that they are only able to capture and track activity thatdirectly interacts with them. They may provide insight into adversary’s behavior and/or deter adversary but there may be parallel attacks on real systems.
· Honeypots require extra resources (e.g. equipment, staff) to setup and monitor in addition to other real networks and network defenses.
· Improperly configured or deployed deception hosts might expose a backdoor to a production host.
References:
National Cyber Leap Year Summit 2009 Participants’ Ideas Report, NITRD Program Office, September 16, 2009, pp 29-31
Bhatia, J.S., Sehgal, R., Bharat, B., Kaur, H., CDAC-Mohali (2008). Multi Layer Cyber Attack Detection through Honeynet. New Technologies, Mobility and Security, 2008 NTMS '08.
Krasser, Sven, Grizzard, Julian B., Owen, Henry, L. (2005). The Use of Honeynets to Increase Computer Network Security and User Awareness. Journal of Security Education, Vol.1, No.2/3, pp.23-27.
Spitzner, L. (2003). The Honeynet Project: Trapping the Hackers. IEEE Security & Privacy.
Spitzner, L. (2003). Honeypots: Catching the Insider Threat. Computer Security Applications Conference.
Vrable, M., Ma, J., Chen, J., Moore, D., Vandekieft, E., Snoeren, A., Voelker, G., & Savage, S. (2005). Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm. ACM SIGOPS Operating Systems Review, Volume 39, Issue 5.
http://www.honeynet.org/
David Skillicorn People have thought a bit about designing traps, detours, and honeypots for adversaries who are coming in to systems. It might also be useful to think explicitly about designing such mechanisms for adversaries going out of systems, i.e. during the exfiltration phase.
Reply
Salvatore Stolfo There are a couple of other publications that are more on target than those listed here. for example: Baiting Inside Attackers using Decoy Documents http://mice.cs.columbia.edu/getTechreport.php?techreportID=596&format=pdf& recently appeared in SecureComm 09 and 2. Designing Host and Network Sensors to Mitigate the Insider Threat, (with B. Bowen, M. Ben Salem, S. Hershkop, A. D. Keromytis), IEEE Security and Privacy Special Issue on Insider Threat, 2010. (to appear fall 09). This topic area is not about predantic honey technologies, but signficant issues on automating the process of generating believable decoy information; a very hard research problem.
Reply