Malicious actors around the world regularly target networked computer systems and websites for various reasons, including for exfiltration of sensitive information, disruption of services, and observation of online activity. Attacks that require exploitation of more than one target computer, for example obtaining proprietary knowledge of a product line being developed by a manufacturer, may require a series of discrete actions in order to complete the desired act. For example, these actions may include gaining access to a private network via a vulnerable host, leveraging that access to identify internal accounts that can be compromised, then successfully compromising those accounts to gain access to the information being targeted.
Effectively detecting a malicious actor or communication requires the ability to identify those actions which make up the steps the actor takes to accomplish its task. On large, active networks, such as the Internet or internal corporate or government networks, identifying this behavior from the much larger amount of non-malicious activity is a challenge and numerous approaches have been developed to attempt to perform the detection process.
One approach is commonly referred to as a signature-based approach. This type of approach is generally used in intrusion detection systems (IDS) and anti-virus programs. A signature-based approach requires prior knowledge of specific types of observed behavior associated with a malicious actor or malicious activity, such as exploits or exploit responses, which are used to identify the malicious actor or activity. The activity monitored on the network or on an individual computer is scanned against these known patterns, and alerts are generated when there is a match.
There are significant challenges that face a signature-based approach, including the inability to detect new, previously unknown types of exploits, the inability to identify seemingly legitimate behavior by a malicious actor, such as a successful login by an attacker using valid, compromised credentials, and the lag time between new attacks being used in the field and new signatures to detect those attacks being developed and deployed. Thus, signature-based approaches may be capable of detecting widespread, well-known attack types, but are ineffective at detecting unknown, novel, and subtle malicious actions.
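The following is an added illustration of the signature-based approach and its blind spot; it is not code from the original document. It scans constructed web-server log lines against two textbook IDS-style patterns (path traversal and a SQL tautology). The two lines that match known patterns are flagged, while the two lines in which user "alice" logs in and then downloads a sensitive file pass through untouched, which is exactly the valid-credential case the text describes. The signatures, log lines and host addresses are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed signatures in the spirit of an IDS rule set (illustrative only).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "sqli-tautology": re.compile(r"(?i)'\s*or\s+'?1'?\s*=\s*'?1"),
}


@dataclass
class Alert:
    line_no: int
    signature: str
    line: str


def scan(lines):
    """Return an Alert for every log line that matches a known signature.

    Lines that match nothing are silently accepted; the scanner has no notion
    of whether an action is suspicious beyond the patterns it was given.
    """
    alerts = []
    for i, line in enumerate(lines, 1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append(Alert(i, name, line))
                break  # one alert per line is enough here
    return alerts


# Constructed access-log lines (not from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
    '10.0.0.7 - - "GET /../../etc/passwd HTTP/1.1" 404',
    "10.0.0.9 - - \"GET /login?user=admin&pass=' or '1'='1 HTTP/1.1\" 200",
    # Valid (possibly compromised) credentials: nothing here matches a signature.
    '10.0.0.11 - alice "POST /login HTTP/1.1" 302',
    '10.0.0.11 - alice "GET /finance/q3-forecast.xlsx HTTP/1.1" 200',
]


def flagged_line_numbers(lines=SAMPLE_LOG):
    """Convenience wrapper returning just the flagged line numbers."""
    return [a.line_no for a in scan(lines)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"line {alert.line_no}: {alert.signature}: {alert.line}")
```

Run as a script it prints the two matching lines only; lines 4 and 5 are indistinguishable from legitimate use to this scanner, no matter how many signatures are added.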
Another common approach is referred to as an algorithmic approach. In an algorithmic approach, detection is typically implemented by continuously searching a large space of observed behavior (communications on a network or actions occurring on computers), attempting to delineate between suspicious and normal behavior. Once a suspicious activity is detected, alerts can be generated and the activity may be extracted from the other data that is being analyzed. This approach is commonly used in behavioral analysis systems.
The algorithmic approach suffers from some key challenges, including the need to collect and analyze large quantities of data, and to understand each particular observable action within the universe of possible actions with a degree of accuracy (and contextual understanding) necessary to make correct judgments regarding the maliciousness of the communication or actions. As a result, algorithmic approaches often produce interesting results in laboratory environments, but have significant difficulty providing actionable insights at scale, against real-world environments and attackers.
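As an added example of the behavioral, algorithmic approach (not code from the original document), the block below builds a per-actor baseline of request counts per one-minute window and flags any window that sits well above that actor's own history. The events are constructed: "alice" issues a steady five requests per minute and then sixty in one minute; "bob" varies between three and six per minute and is never flagged. The leave-one-out baseline, the sigma floor and the threshold are design choices made for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev


def count_events(events, window):
    """Count events per (actor, window-bucket); events are (actor, unix_ts) pairs."""
    counts = defaultdict(int)
    for actor, ts in events:
        counts[(actor, ts // window)] += 1
    return counts


def find_outliers(events, window=60, threshold=3.0, min_history=3, sigma_floor=1.0):
    """Flag buckets whose count exceeds the actor's baseline by more than `threshold` sigmas.

    The baseline for each bucket is computed from the actor's *other* buckets
    (leave-one-out) so a single burst does not inflate its own baseline.
    `sigma_floor` keeps a perfectly flat history from producing a zero sigma.
    """
    counts = count_events(events, window)
    per_actor = defaultdict(dict)
    for (actor, bucket), n in counts.items():
        per_actor[actor][bucket] = n

    flagged = []
    for actor, buckets in per_actor.items():
        for bucket, n in sorted(buckets.items()):
            others = [v for b, v in buckets.items() if b != bucket]
            if len(others) < min_history:
                continue  # not enough history to judge this actor
            mu = mean(others)
            sigma = max(pstdev(others), sigma_floor)
            z = (n - mu) / sigma
            if z > threshold:
                flagged.append((actor, bucket, n, round(z, 1)))
    return flagged


def build_sample():
    """Constructed event stream: alice steady then bursting, bob unremarkable."""
    events = []
    for m in range(10):                                   # alice: 5 per minute
        events += [("alice", m * 60 + s) for s in range(0, 60, 12)]
    events += [("alice", 600 + s) for s in range(60)]     # alice: 60 in minute 10
    for m in range(11):                                   # bob: 3..6 per minute
        events += [("bob", m * 60 + s) for s in range(3 + m % 4)]
    return events


if __name__ == "__main__":
    for actor, bucket, n, z in find_outliers(build_sample()):
        print(f"{actor}: {n} events in window {bucket} (z={z})")
```

Note what the detector does not know: it sees only that alice's rate jumped, not whether that was a backup job, a misconfigured client or an attacker pulling data with her credentials. Supplying that context at scale is the difficulty the paragraph above describes. Windows with no events at all are also absent from the baseline here; a production system would fill them with zeros.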
Another approach used in the industry addresses the problem by starting with the assumption that it is too complex and resource-consuming to attempt to understand and extract malicious behavior/actors from a vast amount of non-malicious behavior/actors. Instead, this approach focuses on the points where the malicious actors tend to attack: system vulnerabilities.
This vulnerability-centric approach is central to the development of honeynet technology, which involves the deployment of vulnerable hosts on a network that exist specifically to be probed, attacked, and exploited by malicious actors. In a honeynet system, the simulated hosts, called honeypots, have no legitimate use, so it is possible to identify the existence of malicious actors by observing their interactions with the honeypots.
A honeynet approach does have some drawbacks. Firstly, constructing believable honeypot systems is a resource- and time-consuming process. There is also a generally low probability that a honeypot system will be attacked by a sophisticated actor targeting high-value systems, since the attacker generally has a better understanding of which targets on a network are and are not of high value. Also, it takes considerable time to perform forensics on compromised systems to understand the actions taken by the malicious actor.
As a result of these challenges, honeynets are often used to detect low-sophistication autonomous code that indiscriminately attacks networked hosts. Some work has been done to extend the honeynet concept beyond standalone hosts and to integrate with production servers. See, for example, https://www.owasp.org/index.php/AppSensor_DetectionPoints#HT3:_Honey_Trap_Data_Used. This approach utilizes the ability to combine IDS-like capabilities on the server itself in order to insert simulated information (referred to as honeytraps) onto the system. This approach increases the probability that an actor will fall for the simulated information since it is integrated into a production system.
The honeytrap approach has some key challenges: it requires integrating a complex, error-prone IDS-like application into the target application, it is limited to web applications, it focuses primarily on detection, and it lacks additional capabilities to evaluate malicious actors and to use manipulation to interfere with their goals.
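The block below is an added sketch of a honeytrap detection point of the kind the AppSensor HT3 reference describes; it is neither AppSensor's code nor the original document's. A production application seeds decoy values (a decoy account identifier, a decoy API key) that no legitimate user would ever have reason to send. Incoming request parameters are compared against a registry of those values, and any hit is an alert with no signature or baseline required. The decoy values, parameter names and labels are constructed for the example; storing only a keyed hash of each decoy is a design choice so the registry itself does not reveal the traps if it leaks.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class HoneyTrapRegistry:
    """Registry of decoy values seeded into a production app.

    Only an HMAC fingerprint of each decoy is kept, keyed with a per-process
    secret, so the registry cannot be used to enumerate the traps.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    traps: dict = field(default_factory=dict)   # fingerprint -> label

    def _fingerprint(self, value):
        return hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()

    def seed(self, value, label):
        """Register a decoy value and return it so the app can place it in its data."""
        self.traps[self._fingerprint(value)] = label
        return value

    def check(self, params):
        """Return the labels of every trap value found among the request parameters."""
        hits = []
        for value in params.values():
            label = self.traps.get(self._fingerprint(str(value)))
            if label is not None:
                hits.append(label)
        return hits


# Constructed decoys: the app lists the decoy account in an export no user should
# act on, and leaves the decoy key in a configuration comment.
registry = HoneyTrapRegistry()
registry.seed("ACC-0099-DECOY", "decoy account from /accounts export")
registry.seed("hk_live_DECOY_9f3c2e7d", "decoy API key from config comment")


def evaluate(params):
    """Honeytrap detection point: alert if any parameter carries a seeded decoy."""
    hits = registry.check(params)
    return {"alert": bool(hits), "traps_touched": hits}


# Constructed requests.
LEGIT_REQUEST = {"account_id": "ACC-0001", "action": "view"}
SUSPECT_REQUEST = {"account_id": "ACC-0099-DECOY", "action": "transfer"}
SUSPECT_API_CALL = {"api_key": "hk_live_DECOY_9f3c2e7d", "endpoint": "/export"}

if __name__ == "__main__":
    for req in (LEGIT_REQUEST, SUSPECT_REQUEST, SUSPECT_API_CALL):
        print(req, "->", evaluate(req))
```

The detection logic is a dictionary lookup per parameter, which is what makes the approach cheap to run inline; the cost the text points to lies in wiring such checks into the application and in deciding what to do once an actor has revealed itself, which this example does not attempt.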
At best, the current commonly used approaches including algorithms, signatures, and honeynets may be able to identify the existence of a malicious actor through their actions on an instrumented network. However, when dealing with sophisticated actors on large networks, detection may be insufficient to prevent further malicious activity.
Malicious actors can obscure their location by working through proxy systems, reducing the usefulness of identifying a single host. They may also work in concert with other actors to distribute their actions across multiple hosts and through the utilization of varied approaches, some of which may be detectable as overtly malicious activity (such as launching computer program exploits), or they may utilize previously compromised information (such as valid account credentials) in seemingly authentic ways. As such, a system is needed that is sufficiently robust to detect, manipulate, and evaluate these sophisticated malicious actors in a cost-effective and efficient manner.