
4.1 Minimizing Effect on Mission Operations

In our deception solution, we use a number of different approaches to minimize the effect of deception on mission operations. The scope of this discussion is limited to network-based deception.

We classify network activity into three behavior types.

• Normal user event: network activity that can be attributed to a normal user operation. An example is the detection of a three-way TCP connection initiation sequence. Even though a potential attacker can also initiate a connection that looks legitimate, in the absence of any additional context we treat this event as normal user activity.

• Dual use network event: activity that can be attributed either to a potential attacker or to a power user, such as a system administrator. This type of event is uncharacteristic of a normal user and is not required for normal user operations. An example is the detection of traceroute (ICMP) packets.

• Plausible attacking activity: an event that is uncharacteristic of both normal users and power users. Examples include detected Xmas tree scans, reverse mapping, and web crawling attempts.

The first challenge is the classification semantics used to describe configuration rules for applying deception techniques to the specifics of the network environment. For example, if plausible attacking activity is detected, the deception can be triggered unconditionally. If a dual use network event is detected, however, additional conditions must hold before deception is triggered. An example of such additional information is the source IP address of the host that initiated a connection requesting a DNS zone transfer: the deception is triggered only if the request came from a host that is not expected to perform network administration.

Second, different deception techniques have different impacts on different types of users. For example, presenting fictitious services on the network has no impact on normal user operations, although it might create some problems from the network management point of view. Likewise, entrapment techniques such as fake passwords, or honey objects such as unused data files or unmapped web pages, should have no impact on normal or power user activities. Impediment techniques such as protocol equivocation, however, may seriously impact normal user operations and should only be triggered when an attack has been detected and the attacker has been identified and can be targeted directly.

Third, a deception can be triggered when activity that is commonly attributed to normal user operations attempts an action beyond the scope of the assigned authority: for example, when a host tries to initiate a TCP connection on a port that is blocked by an internal firewall, or when what appears to be a legitimate internal user tries to access a forbidden network share.

To address these challenges, one possible approach (which might, however, require changes to existing practices) is to require multi-factor authentication for all power user activity associated with network requests and queries. The impact of deception activities on normal operations is best addressed by careful selection of deception techniques aligned with security policies. It is also important to note that the provenance of each analyzed packet must be verified, either using the capabilities of the deception system itself or by relying on other deployed third-party defense controls such as firewalls.
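The three behavior classes and the trigger rules above, worked through as an added example (this is not the chapter's own implementation): constructed events are classified by indicator, dual use events are checked against a hypothetical set of expected administrative hosts, and normal user events trigger only when they exceed assigned authority (a firewall-blocked port or a forbidden share). The impact rule from the second point is applied as well: impediment techniques are only made available when the event is plausible attacking activity, so that the attacker is identified by its source. The indicator names, host ranges, port list and share names are assumptions.

```python
"""Deception-trigger policy evaluator.

Added example, not the chapter's code. Indicator names, host ranges, blocked
ports and share names are assumptions chosen to illustrate the rules.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


class Behaviour(Enum):
    NORMAL = "normal user event"
    DUAL_USE = "dual use network event"
    ATTACK = "plausible attacking activity"


# Indicator -> behaviour class. A real system derives indicators from packet
# analysis; that part is out of scope here.
INDICATOR_CLASS = {
    "tcp_handshake": Behaviour.NORMAL,
    "smb_access": Behaviour.NORMAL,
    "icmp_traceroute": Behaviour.DUAL_USE,
    "dns_axfr": Behaviour.DUAL_USE,
    "xmas_scan": Behaviour.ATTACK,
    "reverse_mapping": Behaviour.ATTACK,
    "web_crawl": Behaviour.ATTACK,
}

# Environment context supplying the "additional conditions" (hypothetical).
ADMIN_NETS = (ip_network("10.0.0.0/29"),)      # hosts expected to administer the network
FIREWALL_BLOCKED_PORTS = {23, 135, 445, 3389}   # ports the internal firewall drops
FORBIDDEN_SHARES = {r"\\fs01\finance"}          # shares ordinary users may not reach

# Technique classes by impact on legitimate users (second challenge above).
LOW_IMPACT = ("fictitious services", "honey objects", "fake credentials")
IMPEDIMENT = ("protocol equivocation",)


@dataclass(frozen=True)
class Event:
    indicator: str
    src: str
    dst_port: Optional[int] = None
    share: Optional[str] = None


@dataclass(frozen=True)
class Decision:
    behaviour: Behaviour
    trigger: bool
    techniques: Tuple[str, ...]   # technique classes the policy permits
    reason: str


def is_admin_host(src: str) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in ADMIN_NETS)


def exceeds_authority(ev: Event) -> Optional[str]:
    """Reason string if a normal-user event reaches beyond its authority, else None."""
    if ev.dst_port in FIREWALL_BLOCKED_PORTS:
        return f"TCP connection to firewall-blocked port {ev.dst_port}"
    if ev.share in FORBIDDEN_SHARES:
        return f"access to forbidden share {ev.share}"
    return None


def decide(ev: Event) -> Decision:
    cls = INDICATOR_CLASS.get(ev.indicator)
    if cls is None:
        raise ValueError(f"unknown indicator {ev.indicator!r}")
    if cls is Behaviour.ATTACK:
        # Unconditional trigger. The source is treated as the identified
        # attacker, so impediment techniques may be aimed at it directly.
        return Decision(cls, True, LOW_IMPACT + IMPEDIMENT, f"plausible attack from {ev.src}")
    if cls is Behaviour.DUAL_USE:
        if is_admin_host(ev.src):
            return Decision(cls, False, (), "dual-use event from an expected admin host")
        return Decision(cls, True, LOW_IMPACT, f"dual-use event from non-admin host {ev.src}")
    why = exceeds_authority(ev)
    if why is not None:
        return Decision(cls, True, LOW_IMPACT, why)
    return Decision(cls, False, (), "normal user activity")


# Constructed events, not captured traffic.
SAMPLE_EVENTS = [
    Event("tcp_handshake", "10.0.1.25", dst_port=443),
    Event("tcp_handshake", "10.0.1.25", dst_port=445),
    Event("dns_axfr", "10.0.0.3"),
    Event("dns_axfr", "10.0.1.25"),
    Event("xmas_scan", "10.0.1.77"),
    Event("smb_access", "10.0.1.25", share=r"\\fs01\finance"),
]


def evaluate(events=SAMPLE_EVENTS):
    return [decide(ev) for ev in events]


if __name__ == "__main__":
    for ev, d in zip(SAMPLE_EVENTS, evaluate()):
        print(f"{ev.indicator:14} {ev.src:10} {d.behaviour.name:8} trigger={d.trigger} {d.reason}")
```

Note that a dual use event from a non-admin host is only ever answered with low-impact techniques; the policy never exposes protocol equivocation to a source that has not been classified as an attacker, which is the guard the second point calls for.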

4.2 Deception Controls as Subjects of Potential Attacks

As with any other network or host-based component, deception controls may attract an attacker's attention and must therefore be hardened against compromise and denial of service (DoS). We see this as a dual objective: reducing the network attack surface of the software module that contains the deception controls, and reducing the software attack surface of each deception control. Both surfaces grow as more deception controls are added to a deception unit. This is especially true for network-based deception, since a network-based deception unit is expected to process all ingress, egress and internal traffic for a given network segment. A security analysis that determines the network and software attack surface must therefore be performed for each deception control added to a deception plot. To overcome this challenge, we have implemented each deception unit as a standalone appliance that presents itself externally as a network bridge, which significantly reduces the attack surface compared with routers and switches while also providing a certain level of stealth for all deception activities.

4.3 Attacker’s Work Factor Assessment

As stated in [4] it is important to cause “the adversary to misallocate personnel, fiscal, and material resources in ways that are advantageous to the friendly force.”

The challenge is in how a credible work factor assessment can be performed.

We believe that feedback channels must be identified, enabled and used to monitor attacker activities and to measure an adversary's perceptions and actions.

Feedback channels are critical in assessing the success of any deception operation or component. Hesketh [19] defines three general categories of signals that can be used to know whether a deception had an effect on an attacker:

• The target acts in the wrong time and/or place.

• The target acts in a way that is wasteful of its resources.

• The target delays acting or stops acting at all.

Some examples of reliable pieces of evidence to confirm that an attacker did invest significant resources include:

• Detected use of zero-day exploits and other stage 1 and stage 2 "burnable" high-value malware for installation, persistence, downloading and launching backdoor programs (scripts or executables), or privilege escalation exploits

• Utilization of distributed denial of service (DDoS) capabilities, such as botnets attacking fictitious targets

Other work factor indicators, although less reliable, include the time an attacker spent conducting active reconnaissance, or an attacker switching back to the reconnaissance phase.
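The indicators listed above, computed from a feedback-channel timeline as an added example (this is not the chapter's code): the reliable indicators are collected only when the burned capability was aimed at a decoy, and the less reliable ones (time in active reconnaissance, falling back to reconnaissance, and the longest pause between actions, which corresponds to Hesketh's "target delays acting") are derived from the phase sequence. Phase names follow the intrusion kill chain of [18]; the observations, timestamps and decoy names are constructed assumptions.

```python
"""Attacker work-factor indicators derived from an activity timeline.

Added example, not the chapter's code. Phase names follow the intrusion
kill chain of [18]; the observations, timestamps and decoy names are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

PHASES = ("recon", "weaponize", "deliver", "exploit", "install", "c2", "act")

# Indicators the text treats as reliable evidence that the attacker spent
# significant (burnable) resources.
RELIABLE = {"zero_day_exploit", "stage1_malware", "stage2_malware", "ddos_on_decoy"}


@dataclass(frozen=True)
class Observation:
    when: datetime
    phase: str        # one of PHASES
    indicator: str    # what the feedback channel reported
    target: str       # "decoy:<name>", "real:<name>" or "segment"


@dataclass(frozen=True)
class WorkFactor:
    reliable: Tuple[str, ...]     # burnable capabilities spent on decoys
    recon_seconds: float          # time spent in active reconnaissance
    recon_regressions: int        # times the attacker fell back to recon
    longest_pause_seconds: float  # longest gap between observed actions


def assess(timeline: List[Observation]) -> WorkFactor:
    """Summarise work-factor indicators from time-ordered observations.

    Time in a phase is approximated as the interval from an observation to
    the next one, so the last observation contributes no duration.
    """
    if not timeline:
        raise ValueError("empty timeline")
    obs = sorted(timeline, key=lambda o: o.when)
    reliable: List[str] = []
    recon = timedelta()
    pause = timedelta()
    regressions = 0
    deepest = -1          # deepest kill-chain phase reached so far
    prev_phase = None
    for i, o in enumerate(obs):
        if o.phase not in PHASES:
            raise ValueError(f"unknown phase {o.phase!r}")
        idx = PHASES.index(o.phase)
        # Falling back to recon after a deeper phase was already reached.
        if o.phase == "recon" and prev_phase != "recon" and deepest > idx:
            regressions += 1
        deepest = max(deepest, idx)
        prev_phase = o.phase
        # Only capability burned against a decoy counts; the same exploit
        # used on a production host says nothing about deception success.
        if o.indicator in RELIABLE and o.target.startswith("decoy:"):
            reliable.append(o.indicator)
        if i + 1 < len(obs):
            gap = obs[i + 1].when - o.when
            pause = max(pause, gap)
            if o.phase == "recon":
                recon += gap
    return WorkFactor(tuple(reliable), recon.total_seconds(), regressions, pause.total_seconds())


T0 = datetime(2016, 5, 2, 9, 0)
SAMPLE_TIMELINE = [  # constructed observations from a hypothetical engagement
    Observation(T0, "recon", "port_scan", "segment"),
    Observation(T0 + timedelta(minutes=15), "recon", "reverse_mapping", "segment"),
    Observation(T0 + timedelta(minutes=40), "exploit", "zero_day_exploit", "decoy:ghost-build-srv"),
    Observation(T0 + timedelta(minutes=42), "install", "stage1_malware", "decoy:ghost-build-srv"),
    Observation(T0 + timedelta(minutes=50), "install", "stage2_malware", "real:ws-17"),
    Observation(T0 + timedelta(minutes=60), "recon", "port_scan", "segment"),
    Observation(T0 + timedelta(minutes=180), "act", "ddos_on_decoy", "decoy:fake-vpn"),
]

if __name__ == "__main__":
    print(assess(SAMPLE_TIMELINE))
```

On the constructed timeline the stage 2 implant dropped on a real workstation is deliberately excluded from the reliable indicators: it shows the attacker invested resources, but not that the deception caused the investment.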

4.4 Deception Domain Specific Language

Domain Specific Languages (DSLs) are high-level languages for design capture in particular problem areas. Our goal for the Deception Domain Specific Language is a framework that serves as an unambiguous specification that:

• guides and documents design process and deception scenario implementation,

• provides semantics that capture and map mission context,

• provides capabilities for a formal description of a given deception story that allows reasoning about a deception scenario at a high level, and for defining properties of deception elements applicable to the low-level implementation,

• enables deception scenarios to be used as a base to generate test vectors, and

• translates to the deception plot implementation.

The Deception Domain Specific Language (DDSL) is a scripting specification meta-language used to create a deception scenario from a given deception story and a mission context. DDSL supports ontological constructs for the deception taxonomy and for deception scenarios mapped to deception and MTD techniques and to the methods of deception solutions. It formally describes the desired responses of the system based on possible attacker scenarios, the existing network infrastructure, and the specific CONOPS, mission and OPSEC requirements. DDSL contains a Parser that translates the formal definitions and properties of each deception element of the deception scenario into intermediate metadata, which the Deception Plot Generator uses to select appropriate deception controls and to generate the configuration and deployment scripts that comprise the Deception Plot.
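The pipeline shape described above (scenario in, validation, intermediate metadata, per-control configuration and test vectors out), as an added example. This is not DDSL and not the chapter's Parser or Deception Plot Generator: the scenario format (plain JSON), the technique catalogue and the control names are hypothetical. The validation step enforces the impact rule from Section 4.1, namely that an impediment-class technique may only be bound to plausible attacking activity and aimed at the identified attacker host.

```python
"""Scenario-to-plot pipeline sketch.

Added example; this is not DDSL and not the chapter's Parser or Deception
Plot Generator. The scenario format, the technique catalogue and the control
names are hypothetical.
"""
import json
from typing import Any, Dict, List

# Hypothetical catalogue: technique -> implementing control and user impact.
CATALOGUE = {
    "fictitious_service": {"control": "decoy-service-responder", "impact": "low"},
    "honey_object": {"control": "honeyfile-monitor", "impact": "low"},
    "fake_credentials": {"control": "decoy-account", "impact": "low"},
    "protocol_equivocation": {"control": "bridge-equivocator", "impact": "high"},
}

# Trigger events a deception element may be bound to (classes of Section 4.1).
TRIGGER_EVENTS = {"plausible_attack", "dual_use", "normal_beyond_authority"}

# Constructed scenario in the hypothetical format (JSON, not DDSL syntax).
SCENARIO_TEXT = """
{
  "story": "the engineering segment hosts an undocumented build server",
  "segment": "10.0.1.0/24",
  "elements": [
    {"name": "ghost-build-srv", "technique": "fictitious_service",
     "on": "dual_use", "params": {"ports": [22, 8080]}},
    {"name": "release-keys", "technique": "honey_object",
     "on": "normal_beyond_authority", "params": {"path": "/srv/eng/release-keys.txt"}},
    {"name": "throttle-scanner", "technique": "protocol_equivocation",
     "on": "plausible_attack", "target": "attacker_host", "params": {"delay_ms": 1500}}
  ]
}
"""


def validate(scenario: Dict[str, Any]) -> List[str]:
    """Return rule violations; an empty list means the scenario is sound."""
    errors: List[str] = []
    seen = set()
    for el in scenario.get("elements", []):
        name = el.get("name", "<unnamed>")
        if name in seen:
            errors.append(f"{name}: duplicate element name")
        seen.add(name)
        entry = CATALOGUE.get(el.get("technique"))
        if entry is None:
            errors.append(f"{name}: unknown technique {el.get('technique')!r}")
            continue
        if el.get("on") not in TRIGGER_EVENTS:
            errors.append(f"{name}: unknown trigger event {el.get('on')!r}")
        # Impediment-class techniques may only be aimed at an identified attacker.
        if entry["impact"] == "high" and (
            el.get("on") != "plausible_attack" or el.get("target") != "attacker_host"
        ):
            errors.append(f"{name}: high-impact technique must be triggered by "
                          "plausible_attack and target attacker_host")
    return errors


def parse(text: str) -> Dict[str, Any]:
    scenario = json.loads(text)
    errors = validate(scenario)
    if errors:
        raise ValueError("; ".join(errors))
    return scenario


def generate_plot(scenario: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One configuration record per deception control, from the parsed scenario."""
    return [
        {
            "control": CATALOGUE[el["technique"]]["control"],
            "element": el["name"],
            "segment": scenario["segment"],
            "trigger": el["on"],
            "target": el.get("target", "segment"),
            "params": el["params"],
        }
        for el in scenario["elements"]
    ]


def derive_test_vectors(scenario: Dict[str, Any]) -> List[Dict[str, str]]:
    """Stimulus / expected-response pairs derived from the same scenario."""
    return [
        {
            "stimulus": el["on"],
            "expect_control": CATALOGUE[el["technique"]]["control"],
            "expect_target": el.get("target", "segment"),
        }
        for el in scenario["elements"]
    ]


if __name__ == "__main__":
    scenario = parse(SCENARIO_TEXT)
    print(json.dumps(generate_plot(scenario), indent=2))
    print(json.dumps(derive_test_vectors(scenario), indent=2))
```

Because the test vectors are produced from the same parsed scenario as the plot, a deployed plot can be checked against exactly the responses the scenario promised, which is the use the fourth bullet above has in mind.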

5 Conclusions

In this chapter we have described various design considerations for building cyber deception systems. The objective of this chapter is to provide a comprehensive introduction to cyber deception topics, including deception taxonomy, goals and general requirements, and to discuss important design aspects such as the deception design process and various design factors (e.g., believability, engagement, static vs. dynamic deception, command and control, cyber kill chain and mission context). Due to the page limit, we have only briefly described our current implementation of a holistic cyber deception system, which adopts the design principles and process laid out in this chapter. Initial experimentation has shown promise for incorporating cyber deception techniques in military defense scenarios. To realize the full potential and demonstrate operational effectiveness and relevance, much work remains, including development of techniques, interoperability validation, integration with a C2 framework, minimizing impact on missions, and rigorous test and evaluation.

References

1. FM 101-5, "The Military Decision-Making Process"

2. "The Joint Operation Planning Process for Air", last updated 9 November 2012

3. Joint Publication 3-30, "Command and Control of Joint Air Operations", 10 February 2014

4. Joint Publication 3-13.4, "Military Deception", 26 January 2012

5. Neil C. Rowe and Han C. Goh, "Thwarting Cyber-Attack Reconnaissance with Inconsistency and Deception"

6. http://faculty.nps.edu/ncrowe/mildec.htm

7. NIST SP 800-53 Rev. 4, controls SC-26 to SC-30

8. Mohammed H. Almeshekah, "Using Deception to Enhance Security: A Taxonomy, Model, and Novel Uses", CERIAS Tech Report 2015-11, Center for Education and Research in Information Assurance and Security, Purdue University

9. Joint Publication 3-12(R), "Cyberspace Operations", 5 February 2013

10. Suzanne Hassell, "Cyber Resiliency & Agility – Call to Action", MITRE Resiliency Workshop, 31 May 2012

11. Neil Rowe, "Planning Cost-Effective Deceptive Resource Denial in Defense to Cyber-Attacks", Proceedings of the 2nd International Conference on Information Warfare & Security, p. 177, Academic Conferences Limited, 2007

12. J. Bowyer Bell and Barton Whaley, "Cheating and Deception", Transaction Publishers, New Brunswick, 1991

13. John R. Boyd, "The Essence of Winning and Losing", 28 June 1995

14. Neil Rowe, E. John Custy and Binh T. Duong, "Defending Cyberspace with Fake Honeypots", Journal of Computers, 2(2):25–36, 2007

15. James F. Dunnigan and Albert A. Nofi, "Victory and Deceit: Deception and Trickery at War", Writers Club Press, 2001

16. Raymond S. Nickerson, "Confirmation Bias: A Ubiquitous Phenomenon in Many Guises", Review of General Psychology, 2(2):175–220, June 1998

17. Amos Tversky and Daniel Kahneman, "Extensional Versus Intuitive Reasoning: The Conjunction Fallacy in Probability Judgment", Psychological Review, 90(4):293–315, 1983

18. Eric M. Hutchins, Michael J. Cloppert and Rohan M. Amin, "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains", Leading Issues in Information Warfare & Security Research, 1:80, 2011

19. Roger Hesketh, "Fortitude: The D-Day Deception Campaign", Overlook Hardcover, Woodstock, NY, 2000
