Cyber Deception After Detection: Safe Observation Environment Using Software Defined Networking
1. CYBER DECEPTION AFTER DETECTION:
SAFE OBSERVATION ENVIRONMENT
USING SOFTWARE DEFINED NETWORKING
BSIDES SENDAI 2019
MAR. 16TH 2019
TORU SHIMANAKA
2. WHO AM I
• 1989 – 1994
– SOFTWARE ENGINEER
• DESIGN AND DEVELOPMENT OF WORKSTATION INSTALLATION PROGRAM
• 1994 – 1996
– GRADUATE STUDENT @ JAPAN ADVANCED INSTITUTE OF SCIENCE AND TECHNOLOGY (JAIST)
• OPTICAL FLOW
• 1997 – 2000
– RESEARCHER
• SIMULATION FOR ESTIMATE OF BRAIN PULSE
• 2001 – 2013
– SOFTWARE ENGINEER, FIRMWARE DEVELOPMENT LEADER
• DESIGN AND DEVELOPMENT OF LAYER 2 AND LAYER 3 SWITCH FIRMWARE
• PROJECT MANAGEMENT OF SOFTWARE DEVELOPMENT
• 2014 –
– CYBER SECURITY RESEARCHER
TORU SHIMANAKA
@ FUJITSU SYSTEM INTEGRATION LABORATORIES
3. CYBER DECEPTION
“The planned actions taken to mislead hackers and to thereby cause them to take (or not take) specific actions that aid computer-security defenses”
4. WHAT IS CYBER DECEPTION?
• “the planned actions taken to mislead hackers and to thereby cause them to take (or not take) specific actions that aid computer-security defenses.” (J. J. Yuill, 2006) ※1
• Deception Purposes (MITRE, 2015) ※2
– Diversion
– Resource Depletion
– Uncertainty
– Intelligence
– Proactivity
※1 Defensive Computer-Security Deception Operations: Processes, Principles and Techniques.
※2 Cyber Denial, Deception and Counter Deception
5.–9. WHAT IS CYBER DECEPTION?
Slides 5 to 9 repeat the definition and purpose list of slide 4 and add, one per slide, the MITRE (2015) description of each deception purpose:
– Diversion: “Direct an adversary’s attention from real assets toward bogus ones.”
– Resource Depletion: “Waste an adversary’s time and energy on obtaining and analyzing false information.”
– Uncertainty: “Cause the adversary to doubt the veracity of a discovered vulnerability or stolen information.”
– Intelligence: “Monitor and analyze adversary behavior during intrusion attempts to inform future defense efforts.”
– Proactivity: “Use deception techniques to detect previously unknown attacks.”
10. OUR IDEA
CYBER DECEPTION AFTER DETECTION
11. TEXTBOOKS DICTATE …
• When a compromised PC is discovered, it should be disconnected from the network to prevent further damage
That is a reasonable and safe practice.
But …
12. MISSED OPPORTUNITIES
• Obtaining valuable intelligence
• Adversary’s TTPs, purposes, and intentions
• Denying the adversary the chance to learn from his failure
• Otherwise the adversary is allowed to learn from his failure and may come back again using more sophisticated tools and techniques
13. WE WANT BOTH
• Safety by disconnection
– Preventing further damage
• Intelligence by attack continuation
– Observing adversary’s behavior and getting valuable information
14. OUR IDEA: CYBER DECEPTION AFTER DETECTION
• Prepare a “Deception Network” as a safe observation environment
• Switch communications between the compromised PC and the Operational Network to the Deception Network
• Let communication between the compromised PC and the C2 server continue
15. DECEPTION NETWORK
AS A SAFE OBSERVATION ENVIRONMENT TO PROTECT THE OPERATIONAL NETWORK
16. CYBER DECEPTION AFTER DETECTION
• Prepare a “Deception Network” as a safe observation environment
• Switch communications between the compromised PC and the Operational Network to the Deception Network
• Let communication between the compromised PC and the C2 server continue
(Callout on the second point: isolate the compromised PC → safe)
17. DECEPTION NETWORK (D-NET)
[Figure: the Operational Network (O-Net) and the Deception Network (D-Net) side by side. Each has Router-1, Network-0 (Domain Controller, Mail Server, Business Server, DHCP Server, Log Forwarder-0) and Network-1 to Network-4 (PC-11 to PC-14 with Log Forwarder-1, PC-21 to PC-24 with Log Forwarder-2, PC-31 to PC-34 with Log Forwarder-3, PC-41 to PC-44 with Log Forwarder-4).]
• Configured identically to O-Net
– Same network topology
– Hosts with same hostnames & IP addresses (except MAC addresses)
18. DECEPTION NETWORK (D-NET)
[Figure: the O-Net and D-Net of slide 17, with each sub-network attached through a pair of OpenFlow switches: OpenFlow Switch-01/Switch-02 for Network-0, Switch-11/Switch-12 for Network-1, Switch-21/Switch-22 for Network-2, Switch-31/Switch-32 for Network-3 and Switch-41/Switch-42 for Network-4.]
• Configured identically to O-Net
– Same network topology
– Hosts with same hostnames & IP addresses (except MAC addresses)
• SDN technology
– Transfer control by OpenFlow
19. DECEPTION NETWORK (D-NET)
• Safe observation environment
– Delete sensitive information
✓ Insert fake information
✓ Observe behavior
• Configured identically to O-Net
– Same network topology
– Hosts with same hostnames & IP addresses (except MAC addresses)
• SDN technology
– Transfer control by OpenFlow
21. CYBER DECEPTION AFTER DETECTION
• Prepare a “Deception Network” as a safe observation environment
• Switch communications between the compromised PC and the Operational Network to the Deception Network
• Let communication between the compromised PC and the C2 server continue
22. CYBER DECEPTION AFTER DETECTION
[Figure: the compromised PC with three flows: continued communication with the C2 server; communication with the O-Net being transferred; transferred communication with the D-Net.]
Keeps adversary unaware
23. HOW TO MAKE
SPLUNK, RYU, OPEN VSWITCH, NORTHBOUND API, FLOW TABLE
29. ATTACK TRANSFER MECHANISM
Script to set FlowTable:
~~~
# Open ovs-s-005 from ki201
curl -X POST -d '{"in_port": "1", "dl_src": "00:50:56:a5:20:29", "actions": "PORT2", "priority": "3300" }' http://10.1.1.2:8080/deception/rules/0000000000000124 | python -m json.tool

# ovs-r-005 ARP from ki201(00:50:56:a5:20:29) to logfwd005(00:50:56:a5:0d:69) -> rewrite eth_dst and arp_tha to Shadow-logfwd005(00:50:56:a5:2c:90) and out PORT1
curl -X POST -d '{"dl_type": "ARP", "dl_src": "00:50:56:a5:20:29", "dl_dst": "00:50:56:a5:0d:69", "arp_tha": "00:50:56:a5:0d:69", "actions": "PORT1", "set_eth_dst": "00:50:56:a5:2c:90", "set_arp_tha": "00:50:56:a5:2c:90", "priority": "3999"}' http://10.1.1.2:8080/deception/rules/0000000000000224 | python -m json.tool

# ovs-r-005 ARP from ki201(00:50:56:a5:20:29) to logfwd005[10.10.22.201](ff:ff:ff:ff:ff:ff) -> out PORT1
curl -X POST -d '{"dl_type": "ARP", "dl_src": "00:50:56:a5:20:29", "dl_dst": "ff:ff:ff:ff:ff:ff", "arp_tpa": "10.10.22.201", "actions": "PORT1", "priority": "3998"}' http://10.1.1.2:8080/deception/rules/0000000000000224 | python -m json.tool

# ovs-r-005 ARP from Shadow-logfwd005(00:50:56:a5:2c:90) to ki201(10.10.22.103) from PORT1 -> rewrite eth_src and arp_sha to logfwd005(00:50:56:a5:0d:69) and out PORT3
……………
~~~
30. PACKET MANIPULATION BY SDN
• Using OpenFlow “Flow Table”
– Flow Table consists of Flow entries
• Match Field: Rule to match against the packet
• Priority: Matching precedence of the flow entry
• Instructions: Set of instructions for the packet
[Figure: one flow entry with the columns Match Field | Priority | Instructions]
31. PACKET MANIPULATION BY SDN
• Using OpenFlow “Flow Table”
– Flow Table consists of Flow entries
Match Field | Priority | Instructions
if in_port = 1 | 100 | output:3,output:4
If a packet comes in on port 1, then output the packet via port 3 and port 4.
[Figure: OpenFlow Switch with Port1 to Port6; a packet to 172.127.25.100 arriving on Port1 is sent out on Port3 and Port4.]
32. PACKET MANIPULATION BY SDN
• Using OpenFlow “Flow Table”
– Flow Table consists of Flow entries
Match Field | Priority | Instructions
if in_port = 1 | 100 | output:3,output:4
if dst_IP = 192.168.10.10 | 200 | Rewrite dst_IP to 192.168.20.30, output:6
If a packet has destination IP address 192.168.10.10, then rewrite the address to 192.168.20.30 and output via port 6.
A packet that matches both rules gets the highest-priority instruction applied.
[Figure: OpenFlow Switch with Port1 to Port6; the packets to 172.127.25.100 leave via Port3 and Port4, while the packet to 192.168.10.10 leaves via Port6 addressed to 192.168.20.30.]
34. PACKET REWRITING STRATEGIES
Strategy | Description | Result
#1 | Match Field: IP address. Instructions: rewrite MAC address, switch port accordingly | works only for UDP packets
#2 | Match Field: MAC address (including ARP packet). Instructions: rewrite MAC information (including ARP packet), switch port accordingly | internal communication works, but communication with the C2 server fails
#3 | strategy #2 + Match Field: addressed to intra-net. Instructions: switch port accordingly | works for all internal and external communications
ARP: Address Resolution Protocol
36. STRATEGY #2: TCP communication PC-22→PC-21 becomes PC-22→PC-21 (shadow)
[Figure: O-Net (Network-1 with PC-11 to PC-14, Network-2 with PC-21 to PC-24, Router-1, the compromised PC-22 and the C2 Server) and D-Net (shadow copies of the same hosts and Router-1), joined through OpenFlow Switch-11/Switch-12 and Switch-21/Switch-22.]
• Matched MAC address: packet from PC-22 to PC-21 (src PC-22 MAC, dst PC-21 MAC)
• Transfer: rewrite dst MAC address to PC-21 shadow MAC, change output port
37. STRATEGY #2: ARP communication PC-21 (shadow)→PC-22 becomes PC-21→PC-22
[Figure: same O-Net / D-Net layout as slide 36.]
• Matched ARP request for PC-22 (sender PC-21 shadow MAC with PC-21 IP, target PC-22 IP)
• Rewrite src MAC address to PC-21 MAC, change output port
38. STRATEGY #2: TCP communication PC-22→PC-14 becomes PC-22→PC-14 (shadow)
[Figure: same O-Net / D-Net layout as slide 36.]
• Matched MAC address: packet from PC-22 to PC-14 via Router-1 (src PC-22 MAC, dst Router-1 MAC)
• Transfer: rewrite dst MAC address to Router-1 shadow MAC, change output port
39. STRATEGY #2: TCP communication PC-22→PC-14 becomes PC-22→PC-14 (shadow), return direction
[Figure: same O-Net / D-Net layout as slide 36.]
• Matched MAC address: packet from PC-14 shadow to PC-22 via Router-1 (src Router-1 shadow MAC, dst PC-22 MAC)
• Transfer: rewrite src MAC address to Router-1 MAC, change output port
44. EXAMPLE OF SET FLOW TABLE
FIGURE AND TEXTUAL REPRESENTATION
45. FLOW TABLES
[Figure: Network-2 of the O-Net (PC-21 to PC-24, Router-1, the compromised PC-22, PC-11 and the C2) and its D-Net counterpart (shadows of PC-21, PC-23, PC-24, PC-11 and Router-1) joined through OpenFlow Switch-21 and OpenFlow Switch-22. Legend: originated packet vs. changed packet (rewrite, port change). Flow Table entries are laid out along a priority axis from High to Low.]
• ARP from the compromised PC-22 (ARP Request from PC-22, ARP Reply from PC-22): rewrite dst MAC addr in Ethernet header, rewrite dst MAC addr in ARP protocol, copy packet
• ARP to the compromised PC-22 (ARP Request to PC-22, ARP Reply to PC-22): rewrite src MAC addr in Ethernet header, rewrite src MAC addr in ARP protocol
• Keep connection with the C2 Server: packet from PC-22 to other sub-network → rewrite Router's dst MAC addr in Ethernet header; packet from other sub-network to PC-22 → rewrite Router's src MAC addr in Ethernet header; there is no Flow Table preventing communication, so communication is continued
• Packet from the compromised PC-22: packet from PC-22 → rewrite dst MAC addr in Ethernet header; flooding packet from PC-22 → forward port in group flooding
• Packet to the compromised PC-22: packet to PC-22 → rewrite src MAC addr in Ethernet header; flooding packet → forward port in group
• Initial State: communication between the O-Net and the D-Net
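The priority-matching rule of slides 30 to 32 and the Strategy #2/#3 rewriting entries summarized on slide 45, as an added Python example (not code from the slides or from the author's Ryu controller): a small flow-table simulator. The field names (dl_src, dl_dst, arp_tha, arp_tpa, nw_dst) follow the slide 29 script; all MAC/IP addresses and port numbers are constructed, and FlowEntry, apply_table and DECEPTION_TABLE are names introduced here.

```python
"""Added example (not the slides' or the author's code): an OpenFlow-style flow-table
simulator. apply_table() applies the highest-priority matching entry (slides 30-32);
DECEPTION_TABLE holds Strategy #2/#3 entries for compromised PC-22 (slides 34-45).
All MAC/IP values and port numbers are constructed for this example."""
import ipaddress
from dataclasses import dataclass, field

# Constructed addresses and ports (not the slides' values).
PC22_MAC = "00:00:00:00:22:22"           # compromised PC-22 in the O-Net
PC21_MAC = "00:00:00:00:21:21"           # real PC-21 in the O-Net
PC21_SHADOW_MAC = "00:00:00:00:21:99"    # PC-21 (shadow) in the D-Net
ROUTER_MAC = "00:00:00:00:01:01"         # Router-1
ROUTER_SHADOW_MAC = "00:00:00:00:01:99"  # Router-1 (shadow)
PC21_IP = "10.10.22.201"
INTRANET = ipaddress.ip_network("10.10.0.0/16")  # Strategy #3: "addressed to intra-net"
PORT_ONET, PORT_DNET = 2, 3              # switch ports toward the O-Net and the D-Net


@dataclass
class FlowEntry:
    priority: int
    match: dict       # header field -> literal value, or an ip_network for nw_dst
    actions: dict = field(default_factory=dict)  # "set_<field>": value, "output": port

    def matches(self, pkt: dict) -> bool:
        for key, want in self.match.items():
            have = pkt.get(key)
            if isinstance(want, ipaddress.IPv4Network):
                if have is None or ipaddress.ip_address(have) not in want:
                    return False
            elif have != want:
                return False
        return True


def apply_table(table: list, pkt: dict) -> tuple:
    """Return (rewritten packet, output port) from the highest-priority matching entry."""
    hits = [e for e in table if e.matches(pkt)]
    if not hits:
        return dict(pkt), None            # table miss
    best = max(hits, key=lambda e: e.priority)   # slide 32: highest priority is applied
    out = dict(pkt)
    for act, value in best.actions.items():
        if act.startswith("set_"):
            out[act[4:]] = value          # e.g. set_dl_dst rewrites the dl_dst field
    return out, best.actions["output"]


# Deception flow table for compromised PC-22 (Strategy #2 + #3), mirroring slide 45.
DECEPTION_TABLE = [
    # ARP PC-22 -> PC-21: rewrite dst MAC in the Ethernet and ARP headers to the shadow.
    FlowEntry(3999, {"dl_type": "ARP", "dl_src": PC22_MAC, "dl_dst": PC21_MAC},
              {"set_dl_dst": PC21_SHADOW_MAC, "set_arp_tha": PC21_SHADOW_MAC, "output": PORT_DNET}),
    # ARP broadcast from PC-22 asking for PC-21's IP: steer it into the D-Net unchanged.
    FlowEntry(3998, {"dl_type": "ARP", "dl_src": PC22_MAC, "dl_dst": "ff:ff:ff:ff:ff:ff",
                     "arp_tpa": PC21_IP}, {"output": PORT_DNET}),
    # ARP from the shadow back to PC-22: make it appear to come from the real PC-21.
    FlowEntry(3999, {"dl_type": "ARP", "dl_src": PC21_SHADOW_MAC, "dl_dst": PC22_MAC},
              {"set_dl_src": PC21_MAC, "set_arp_sha": PC21_MAC, "output": PORT_ONET}),
    # IP frames PC-22 -> PC-21 in the same sub-network (slide 36).
    FlowEntry(3300, {"dl_type": "IP", "dl_src": PC22_MAC, "dl_dst": PC21_MAC},
              {"set_dl_dst": PC21_SHADOW_MAC, "output": PORT_DNET}),
    # IP frames PC-22 -> other sub-network via Router-1, only if addressed to the intra-net
    # (Strategy #3, slide 38); frames for the C2 server outside fall through.
    FlowEntry(3300, {"dl_type": "IP", "dl_src": PC22_MAC, "dl_dst": ROUTER_MAC, "nw_dst": INTRANET},
              {"set_dl_dst": ROUTER_SHADOW_MAC, "output": PORT_DNET}),
    # Replies from the D-Net to PC-22 (slides 37, 39): restore the real source MACs.
    FlowEntry(3300, {"dl_type": "IP", "dl_src": PC21_SHADOW_MAC, "dl_dst": PC22_MAC},
              {"set_dl_src": PC21_MAC, "output": PORT_ONET}),
    FlowEntry(3300, {"dl_type": "IP", "dl_src": ROUTER_SHADOW_MAC, "dl_dst": PC22_MAC},
              {"set_dl_src": ROUTER_MAC, "output": PORT_ONET}),
    # Lowest priority: "there is no Flow Table preventing communication", so C2 continues.
    FlowEntry(0, {}, {"output": "NORMAL"}),
]
```

Feeding the same frame to a table with and without the Strategy #3 `nw_dst` match shows why Strategy #2 alone broke the C2 session: without it, every frame to Router-1 would be redirected to Router-1 (shadow).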
52. EVALUATION
USING THE SCRIPT OF POST-COMPROMISE ACTIVITIES
53. EVALUATION
• What: Keep adversary unaware of cyber deception
– Maintaining control of the compromised PC on the O-Net from their C2 server
– Transferring the network activities of the compromised PC from the O-Net to the D-Net
• How: Observation from the adversary’s point of view (i.e. from the C2 server)
– Created a script of post-compromise activities selected from common attacks
– Executed the script from the C2 server's console before and after deception and compared the results
54. SCRIPT OF POST-COMPROMISE ACTIVITIES
1. sysinfo : Get System and User information
2. idletime : Get the time interval during which the user did not operate
3. getpid : Get the Process ID used for attack
4. ps : Get the Process List
5. post/windows/gather/enum_services : Get name and configuration info for each returned service
6. getproxy : Get Information about proxy
7. post/windows/gather/credentials/enum_cred_store : Get Credentials of IE
8. post/multi/gather/thunderbird_creds : Get Credentials of Thunderbird
9. ls -lR C:\\Users\\ : Get File List of the User
10. post/windows/gather/enum_ie : Get Browser history
55. SCRIPT OF POST-COMPROMISE ACTIVITIES
11. post/windows/gather/dumplinks2 : Get Files recently used
12. post/windows/gather/enum_applications : Get Application list
13. net user / net localgroup : Get Information about Local account, group and administrator
14. Net share list : Get shared folder Information
15. show_mount : Get the currently attached “mounts”
16. ifconfig : Get Network interface information (MAC address, IP address)
17. arp : Get ARP Table
18. route : Get Routing Table
19. netstat : Get Connection information for each process
20. net use : Get SMB remote connection Information
21. post/windows/recon/computer_browser_discovery : Get Neighbor Computers
56. EVALUATION ENVIRONMENT
• Two servers connected by switch
– For O-Net, Internet, C2 Server
– For D-Net, Deception Management Network
[Figure: one server hosts the Operational Network, Internet and C2 Server as virtual machines; the other hosts the Deception Network and Deception Management Network as virtual machines.]
57. EVALUATION RESULTS
• The automated attack script produced exactly the same results before and after deception
• The session between the compromised PC and the C2 server remained uninterrupted during and after deception
58. ATTACK LOG
~~~
[*] show_mount
Mounts / Drives
===============
Name Type Size (Total) Size (Free) Mapped to
---- ---- ------------ ----------- ---------
A:\ removable 0.00 B 0.00 B
C:\ fixed 31.90 GiB 17.33 GiB
D:\ remote 0.00 B 0.00 B \\sh201\share\
E:\ cdrom 0.00 B 0.00 B
M:\ remote 0.00 B 0.00 B \\file\share\???\
Total mounts/drives: 5
~~~
65. ATTACK LOG
~~~
[*] getproxy
Auto-detect : No
Auto config URL : http://www.system.skyblue.test/proxy.pac
Proxy URL :
Proxy Bypass :
~~~
66. ATTACK LOG
### SMB Remote Connection
~~~
[*] net use
[+] Net use list
Status Local Remote
------ ----- ------
D: \\sh201\share
OK M: \\file\share\secret
~~~
67. ATTACK LOG
### Neighbor Computer (NBT)
~~~
[*] post/windows/recon/computer_browser_discovery
[+] Found 4 systems.
....
[*] Netdiscovery Results
====================
TYPE IP COMPUTER NAME VERSION COMMENT
---- -- ------------- ------- -------
0x11003 10.10.22.102 KG201 6.1
0x11003 10.10.22.104 YM201 6.3
0x31003 10.10.22.103 KI201 6.3
0x51003 10.10.22.101 UN201 6.1
meterpreter >
~~~
69. CONCLUSION
• Objective
– Observe the adversary’s attack safely and covertly by keeping the adversary unaware of deception
• Technique
– Creating a Deception Network
– Using OpenFlow's Flow Tables for manipulating packets
• Evaluation
– The adversary cannot observe any difference before, during, and after the cyber deception
70. ANY QUESTIONS?
Thank you.
Toru Shimanaka
https://www.facebook.com/ToruShimanaka
https://www.linkedin.com/in/ToruShimanaka
This slide is based on the paper published @ HICSS-52 (Hawaii International Conference on System Sciences 2019)
http://hdl.handle.net/10125/60166