Technical Field
This disclosure relates generally to cyber security.
Background of the Related Art
Today, cyber attackers are breaching corporate networks using a myriad of techniques such as social engineering or water holing. More disturbing is that these attacks can go unnoticed for hundreds of days. These attacks not only enable the exfiltration of important confidential company data, but they also erode client trust. As a consequence, companies can no longer solely rely on perimeter-based defenses—such as intrusion detection systems (IDS) and firewalls—to protect their IT environments. More generally, traditional network traffic monitoring and misuse detection is unable to keep up with evolving attackers, sustains high error rates, and is akin to searching for a needle in an extremely large haystack. As a result, security researchers and companies alike must look inward to gain better visibility at every stage of the cyberattack lifecycle.
Adversaries typically perform initial reconnaissance missions before commencing actual attacks. Unfortunately, today's computer systems (e.g., networks, servers, services, APIs) are too honest and forthcoming in sharing tremendous amounts of information with attackers. Hence, with minimal effort, attackers can glean extremely valuable information on network topologies, currently running applications and their version and patch level, as well as potential vulnerabilities, all without the defender's knowledge. This information asymmetry favors attackers, allowing them to find a single weakness, while defenders are faced with the difficult task of keeping up.
As cyberattacks become more sophisticated there is an increasing need for better ways to detect and stop attackers. Cyber deception has garnered attention from both attackers and defenders as a weapon on the cyber battlefield. The notion of cyber counter-deception refers to the use of planned deceptions to defend information systems against attacker deceptions. Although such second-order deceptions remain largely underutilized in cyber-defensive scenarios, they are frequently used by attackers to search for evidence of honeypots, avoid malware analysis, and conceal their presence and identity on exploited systems. In the virtualization domain, malware attacks often employ stealthy techniques to detect virtual machine environments, within which they behave innocuously and opaquely while being analyzed by antivirus tools.
Honeypots are closely monitored information system resources that are intended to be probed, attacked, or compromised, conceived purely to attract, detect, and gather attack information. Traditional honeypots are usually classified by the interaction level provided to potential attackers. Low-interaction honeypots present a façade of emulated services without full server functionality, with the intent of detecting unauthorized activity via easily deployed pseudo-services. High-interaction honeypots provide a relatively complete system with which attackers can interact, and are designed to capture detailed information on attacks. Despite their popularity, both low- and high-interaction honeypots are often detectable by informed adversaries (e.g., due to the limited services they purvey, or because they exhibit traffic patterns and data substantially different from those of genuine services).
General principles for effective tactical deception in warfare prescribe that deceptions should (1) reinforce enemy expectations, (2) have realistic timing and duration, (3) be integrated with operations, (4) be coordinated with concealment of true intentions, (5) be tailored to contextual requirements, and (6) be imaginative and creative. These rules highlight limitations of current deception-based defenses. For example, conventional honeypots usually violate the third rule of integration as they are often deployed as ad hoc, stand-alone lures isolated from production servers. This makes them easily detectable by most advanced adversaries. They also assume that an adversary must scan the network to identify assets to attack.
There remains an increasing need for counter-deception mechanisms that are capable of tricking and manipulating advanced attacker deceptions.