
Cyber Deception: Building the Scientific Foundation PDF

314 Pages·2016·9.157 MB·English

Preview Cyber Deception: Building the Scientific Foundation

Sushil Jajodia · V.S. Subrahmanian · Vipin Swarup · Cliff Wang, Editors

Cyber Deception: Building the Scientific Foundation

Editors
Sushil Jajodia, Center for Secure Information Systems, George Mason University, Fairfax, VA, USA
V.S. Subrahmanian, Department of Computer Science, University of Maryland, College Park, MD, USA
Vipin Swarup, The MITRE Corporation, McLean, VA, USA
Cliff Wang, Computing & Information Science Division, Information Sciences Directorate, Triangle Park, NC, USA

ISBN 978-3-319-32697-9
ISBN 978-3-319-32699-3 (eBook)
DOI 10.1007/978-3-319-32699-3
Library of Congress Control Number: 2016941329

© Springer International Publishing Switzerland 2016

Chapter 8 was created within the capacity of an US governmental employment. US copyright protection does not apply.

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.

Printed on acid-free paper

This Springer imprint is published by Springer Nature. The registered company is Springer International Publishing AG Switzerland.

Preface

This volume is designed to take a step toward establishing scientific foundations for cyber deception. Here we present a collection of the latest basic research results toward establishing such a foundation from several top researchers around the world. This volume includes papers that rigorously analyze many important aspects of cyber deception including the incorporation of effective cyber denial and deception for cyber defense, cyber deception tools and techniques, identification and detection of attacker cyber deception, quantification of deceptive cyber operations, deception strategies in wireless networks, positioning of honeypots, human factors, anonymity, and the attribution problem. Further, we have made an effort to not only sample different aspects of cyber deception, but also highlight a wide variety of scientific techniques that can be used to study these problems.

It is our sincere hope that this volume inspires researchers to build upon the knowledge we present to further establish scientific foundations for cyber deception and ultimately bring about a more secure and reliable Internet.

Sushil Jajodia, Fairfax, VA, USA
V.S. Subrahmanian, College Park, MD, USA
Vipin Swarup, McLean, VA, USA
Cliff Wang, Triangle Park, NC, USA

Acknowledgments

We are extremely grateful to the numerous contributors to this book. In particular, it is a pleasure to acknowledge the authors for their contributions. Special thanks go to Susan Lagerstrom-Fife, senior publishing editor at Springer, for her support of this project. We also wish to thank the Army Research Office for their financial support under the grant numbers W911NF-14-1-0116, W911NF-15-1-0576, and W911NF-13-1-0421.

Contents

Integrating Cyber-D&D into Adversary Modeling for Active Cyber Defense (Frank J. Stech, Kristin E. Heckman, and Blake E. Strom) ... 1
Cyber Security Deception (Mohammed H. Almeshekah and Eugene H. Spafford) ... 23
Quantifying Covertness in Deceptive Cyber Operations (George Cybenko, Gabriel Stocco, and Patrick Sweeney) ... 51
Design Considerations for Building Cyber Deception Systems (Greg Briskin, Dan Fayette, Nick Evancich, Vahid Rajabian-Schwart, Anthony Macera, and Jason Li) ... 69
A Proactive and Deceptive Perspective for Role Detection and Concealment in Wireless Networks (Zhuo Lu, Cliff Wang, and Mingkui Wei) ... 97
Effective Cyber Deception (A.J. Underbrink) ... 115
Cyber-Deception and Attribution in Capture-the-Flag Exercises (Eric Nunes, Nimish Kulkarni, Paulo Shakarian, Andrew Ruef, and Jay Little) ... 149
Deceiving Attackers by Creating a Virtual Attack Surface (Massimiliano Albanese, Ermanno Battista, and Sushil Jajodia) ... 167
Embedded Honeypotting (Frederico Araujo and Kevin W. Hamlen) ... 201
Agile Virtual Infrastructure for Cyber Deception Against Stealthy DDoS Attacks (Ehab Al-Shaer and Syed Fida Gillani) ... 233
Exploring Malicious Hacker Forums (Jana Shakarian, Andrew T. Gunn, and Paulo Shakarian) ... 259
Anonymity in an Electronic Society: A Survey (Mauro Conti, Fabio De Gaspari, and Luigi Vincenzo Mancini) ... 283
Erratum to Integrating Cyber-D&D into Adversary Modeling for Active Cyber Defense ... E1

Integrating Cyber-D&D into Adversary Modeling for Active Cyber Defense

Frank J. Stech, Kristin E. Heckman, and Blake E. Strom

Abstract. This chapter outlines a concept for integrating cyber denial and deception (cyber-D&D) tools, tactics, techniques, and procedures (TTTPs) into an adversary modeling system to support active cyber defenses (ACD) for critical enterprise networks. We describe a vision for cyber-D&D and outline a general concept of operation for the use of D&D TTTPs in ACD. We define the key elements necessary for integrating cyber-D&D into an adversary modeling system. One such recently developed system, the Adversarial Tactics, Techniques and Common Knowledge (ATT&CK™) Adversary Model, is being enhanced by adding cyber-D&D TTTPs that defenders might use to detect and mitigate attacker tactics, techniques, and procedures (TTPs). We describe general D&D types and tactics, and relate these to a relatively new concept, the cyber-deception chain. We describe how defenders might build and tailor a cyber-deception chain to mitigate an attacker's actions within the cyber attack lifecycle. While we stress that this chapter describes a concept and not an operational system, we are currently engineering components of this concept for ACD and enabling defenders to apply such a system.

Traditional approaches to cyber defense increasingly have been found to be inadequate to defend critical cyber enterprises. Massive exploitations of enterprises, commercial (e.g., Target [1]) and government (e.g., OMB [2]), demonstrate that the cyber defenses typically deployed over the last decade (e.g., boundary controllers and filters such as firewalls and guards, malware scanners, and intrusion detection and prevention technologies) can be and have been bypassed by sophisticated attackers, especially the advanced persistent threats (APTs [3]). Sophisticated adversaries, using software exploits, social engineering or other means of gaining access, infiltrate these defended enterprises, establish a persistent presence, install malware and backdoors, and exfiltrate vital data such as credit card records, intellectual property and personnel security information. We must assume, then, that an adversary will breach border defenses and establish footholds within the defender's network. We must also assume that a sophisticated adversary will learn from and attempt to evade technology-based defenses, so we need new ways to engage the adversary on the defender's turf, and to influence the adversary's moves to the defender's advantage. One such means of influence is deception, and we argue a key component in the new paradigm of active cyber defense [4] is cyber denial and deception (cyber-D&D).

Chapter notes

The original version of this chapter was revised. An erratum to this chapter can be found at DOI 10.1007/978-3-319-32699-3_13.

Authors: Frank J. Stech, Kristin E. Heckman, and Blake E. Strom, the MITRE Corporation ([email protected], [email protected], and [email protected]). Approved for Public Release; Distribution Unlimited. Case Number 15-2851. The authors' affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the authors.

Some material in this chapter appeared in Kristin E. Heckman, Frank J. Stech, Ben S. Schmoker, Roshan K. Thomas (2015) "Denial and Deception in Cyber Defense," Computer, vol. 48, no. 4, pp. 36–44, Apr. 2015. http://doi.ieeecomputersociety.org/10.1109/MC.2015.104

F.J. Stech (✉) · K.E. Heckman · B.E. Strom, MITRE Corporation, McLean, VA, USA. E-mail: [email protected]; [email protected]; [email protected]

© Springer International Publishing Switzerland 2016. S. Jajodia et al. (eds.), Cyber Deception, DOI 10.1007/978-3-319-32699-3_1

Footnotes

[1] Jim Walter (2014) "Analyzing the Target Point-of-Sale Malware," McAfee Labs, Jan 16, 2014. https://blogs.mcafee.com/mcafee-labs/analyzing-the-target-point-of-sale-malware/ and Fahmida Y. Rashid (2014) "How Cybercriminals Attacked Target: Analysis," SecurityWeek, January 20, 2014. http://www.securityweek.com/how-cybercriminals-attacked-target-analysis

[2] Jim Sciutto (2015) "OPM government data breach impacted 21.5 million," CNN, July 10, 2015. http://www.cnn.com/2015/07/09/politics/office-of-personnel-management-data-breach-20-million/ and Jason Devaney (2015) "Report: Feds Hit by Record-High 70,000 Cyberattacks in 2014," NewsMax, 04 Mar 2015. http://www.newsmax.com/Newsfront/cyberattacks-Homeland-Security-Tom-Carper-OMB/2015/03/04/id/628279/

[3] Advanced persistent threats (APTs) have been defined as "a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity. APT usually targets organizations and/or nations for business or political motives. APT processes require a high degree of covertness over a long period of time. The 'advanced' process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. The 'persistent' process suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The 'threat' process indicates human involvement in orchestrating the attack." https://en.wikipedia.org/wiki/Advanced_persistent_threat A useful simple introduction and overview is Symantec, "Advanced Persistent Threats: A Symantec Perspective — Preparing the Right Defense for the New Threat Landscape," no date. http://www.symantec.com/content/en/us/enterprise/white_papers/b-advanced_persistent_threats_WP_21215957.en-us.pdf A detailed description of an APT is Mandiant (2013) APT1: Exposing One of China's Cyber Espionage Units, www.mandiant.com, 18 February 2013. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

[4] The U.S. Department of Defense (DOD) defined active cyber defense (ACD) in 2011: "As malicious cyber activity continues to grow, DoD has employed active cyber defense to prevent intrusions and defeat adversary activities on DoD networks and systems. Active cyber defense is DoD's synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities ... using sensors, software, and intelligence to detect and stop malicious activity before it can affect DoD networks and systems. As intrusions may not always be stopped at the network boundary, DoD will continue to operate and improve upon its advanced sensors to detect, discover, map, and mitigate malicious activity on DoD networks." Department of Defense (2011) Strategy for Operating in Cyberspace, July 2011, p. 7.
