Cyber Attacks: Protecting National Infrastructure, 1st ed.
Chapter 2 – Deception
Copyright © 2012, Elsevier Inc. All Rights Reserved

Introduction
• Deception is deliberately misleading an adversary by creating a system component that looks real but is in reality a trap
  – Sometimes called a honey pot
• Deception helps accomplish the following security objectives
  – Attention
  – Energy
  – Uncertainty
  – Analysis
• If adversaries are aware that perceived vulnerabilities may, in fact, be a trap, deception may defuse actual vulnerabilities that security managers know nothing about.

Fig. 2.1 – Use of deception in computing

• Four distinct attack stages:
  – Scanning
  – Discovery
  – Exploitation
  – Exposing

Fig. 2.2 – Stages of deception for national infrastructure protection

Scanning Stage
• Adversary is scanning for exploitation points
  – May include both online and offline scanning
• Deceptive design goal: Design an interface with the following components
  – Authorized services
  – Real vulnerabilities
  – Bogus vulnerabilities
• Data can be collected in real time when an adversary attacks the honey pot

Fig. 2.3 – National asset service interface with deception

Deliberately Open Ports
• Deliberately inserting an open service port on an Internet-facing server is the most straightforward deceptive computing practice
• Adversaries face three views
  – Valid open ports
  – Inadvertently open ports
  – Deliberately open ports connected to honey pots
• Must take care the real assets aren’t put at risk by bogus ports

Fig. 2.4 – Use of deceptive bogus ports to bogus assets

Fig. 2.5 – Embedding a honey pot server into a normal server complex

• The discovery stage is when an adversary finds and accepts security bait embedded in the trap
• Make adversary believe real assets are bogus
  – Sponsored research
  – Published case studies
  – Open solicitations
• Make adversary believe bogus assets are real
  – Technique of duplication is often used.
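
The three port views from the Deliberately Open Ports slide, seen from the defender's side, as an added example that is not taken from the book or its slides: the defender knows which ports are valid and which are decoys, so any contact with a decoy is a high-signal event and any other open port is an inadvertent exposure. The port inventories, the log format (one record per accepted connection) and the sample records are assumptions constructed for illustration.

```python
"""Classify accepted connections against a port inventory (added example)."""
from collections import defaultdict

# Assumed inventory for one Internet-facing server (constructed values).
AUTHORIZED_PORTS = {443, 25}   # valid open ports serving real assets
DECOY_PORTS = {21, 8080}       # deliberately open, wired to a honey pot

# Constructed sample records: (timestamp, source address, destination port).
# Source addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    ("2012-01-10T09:00:01", "198.51.100.7", 443),
    ("2012-01-10T09:00:05", "203.0.113.9", 21),
    ("2012-01-10T09:00:06", "203.0.113.9", 8080),
    ("2012-01-10T09:00:09", "203.0.113.9", 443),
    ("2012-01-10T09:01:30", "198.51.100.20", 3306),
]


def classify_port(port):
    """Map a port that accepted a connection to one of the three views."""
    if port in DECOY_PORTS:
        return "deliberate-decoy"
    if port in AUTHORIZED_PORTS:
        return "valid"
    return "inadvertent"  # open but in neither inventory: close or investigate


def analyze(log):
    """Return (decoy hits per source, inadvertently open ports,
    valid-port traffic from sources that also touched a decoy)."""
    # A port must never be both real and bogus, or the bait endangers the asset.
    if AUTHORIZED_PORTS & DECOY_PORTS:
        raise ValueError("decoy and authorized port sets overlap")
    decoy_hits = defaultdict(list)
    inadvertent = set()
    for ts, src, port in log:
        view = classify_port(port)
        if view == "deliberate-decoy":
            decoy_hits[src].append((ts, port))
        elif view == "inadvertent":
            inadvertent.add(port)
    # Real-asset traffic from a source already seen on a decoy deserves review.
    tainted = [(ts, src, port) for ts, src, port in log
               if src in decoy_hits and classify_port(port) == "valid"]
    return dict(decoy_hits), sorted(inadvertent), tainted


if __name__ == "__main__":
    for label, result in zip(("decoy hits", "inadvertent", "review"),
                             analyze(SAMPLE_LOG)):
        print(label, result)
```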