The Department of Defense currently depends upon static cyber defense systems. Adversaries can plan their attacks carefully over time by relying on the static nature of our networks, and launch their attacks at the times and places of their choosing. The DoD needs new tools and technologies to reverse the current asymmetry that favors our cyber adversaries, by forcing them to spend more time and resources, cope with greater levels of complexity and uncertainty, and accept greater risks of exposure and detection due to the significantly increased requirements for reconnaissance and intelligence collection of our networks. Throughout history the military has employed deception as a counter-intelligence mechanism, but thus far it has been minimally employed for tactics and strategies in cyberspace to counter cyber exploitation and attack. The best known attempts at cyber deception in the commercial realm are honeypots and honeynets. These passive decoy technologies rely on effective intrusion detection, and if implemented inappropriately, can be easily detected and avoided by attackers. Modern day military planners need a capability that goes beyond the current state-of-theart in cyber deception to provide a system or systems that can be employed for defensive purposes by a commander when needed, to enable proactive deception to be inserted into cyber operations.
Significance
Cyber deception is a deliberate and controlled act to conceal our networks, create uncertainty and confusion against the adversary’s efforts to establish situational awareness, and to influence and misdirect adversary perceptions and decision processes. Defense through deception can potentially level the cyber battlefield by altering an enemy’s perception of reality through delays and disinformation which can reveal attack methods and provide the attributions needed to identify the adversary’s strategy. Delaying and dissuading also provides the essential time for forensics teams to analyze, identify, and mitigate attack vectors that could expose inherent vulnerabilities to operational and support systems.
Background
Military deception is defined as “actions executed to deliberately mislead adversary military, paramilitary, or violent extremist organization (VEO) decision makers, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly mission.” [1]. Military forces have used techniques such as camouflage, feints, chaff, jammers, fake equipment, false messages or traffic, etc. for thousands of years to alter an enemy’s perception of reality.
Whether intended for exfiltrating data or destroying systems, an attacker generally follows a typical sequence of steps: reconnaissance, weaponization, delivery, exploitation, control, execute mission, and maintaining access [2]. Attacks generally target configurations, interfaces, and applications that are exposed at the host and network levels.
It is believed that deception techniques, as part of an overall moving target defense and in conjunction with other normal cyber defense methods, can alter the underlying attack process. They can create uncertainty to delay and disrupt the attacker’s ability to determine the status, location, or implementation details of the configurations, interfaces, and applications they are trying to target. This will make the attack attempt much more difficult, time consuming, risky, and cost prohibitive.
Much work has already been done in cyber deception technologies. Honeypots are computers designed to attract attackers by impersonating another machine that may be worthy of being attacked. Honeynets take that further by simulating a number of computers or a network, and products such as the Deception Toolkit [5] convey an impression of the defenses of a computer system that are different from what they really are by creating phony vulnerabilities. Honeytokens are false data implanted within systems to confuse an attacker or to serve as a security trigger when they are detected as being exfiltrated.
Low-Interaction honeypots utilize emulated or virtualized software that is usually inexpensive and easy to set up, but often are unable to provide the full functionality of a real computer system. The use of computer virtualization allows a single host computer to simultaneously run a number of resident virtual machines each with identifiable features as unique as actual systems, including different operating systems, file systems, network settings, and some hardware. More complex honeypots, known as High-Interaction honeypots, can provide the complete set of functionality found on a normal system, but typically require the use of more hardware and can be complicated to set up. The current state of the art in deception technology implements and assumes a static configuration. While this static configuration is helpful for administration and management, it is also “helpful” to the attacker [3]. The static nature of networks allows an attacker to employ various means of information collection that can be done slowly enough, and across a long enough time period, to hide these reconnaissance activities in the “noise” of normal day-to-day operations. The application of honeypots can help protect a network by providing false information to distract an attacker, and cause time and effort to be wasted during the course of an attack. However, an attacker can also utilize a compromised honeypot system to carry out other attacks on neighboring systems or to participate in a distributed attack.
Advanced techniques are needed with a focus on introducing varying deception dynamics in network protocols and services which can severely impede, confound, and degrade an attacker’s methods of exploitation and attack, thereby increasing the costs and limiting the benefits gained from the attack. Forcing changes in the attacker’s behavior or actions can also serve to highlight and expose his activities for enhanced detection, deriving intent, as well as improved forensics and remediation for actions already taken. The combination of these effects can form a strong basis for deterrence. [4]
The DoD operates within a highly standardized environment. Any technology that significantly disrupts or increases the cost to the standard of practice will unlikely be adopted. If the technology is adopted, the defense system must appear legitimate to the adversary trying to exploit it.