CYBER DECEPTION AFTER DETECTION: SAFE OBSERVATION ENVIRONMENT USING SOFTWARE DEFINED NETWORKING
BSIDES SENDAI 2019
MAR. 16TH 2019
TORU SHIMANAKA
WHO AM I
• 1989 – 1994
– SOFTWARE ENGINEER
• DESIGN AND DEVELOPMENT OF WORKSTATION INSTALLATION PROGRAM
• 1994 – 1996
– GRADUATE STUDENT @ JAPAN ADVANCED INSTITUTE OF SCIENCE AND TECHNOLOGY (JAIST)
• OPTICAL FLOW
• 1997 – 2000
– RESEARCHER
• SIMULATION FOR ESTIMATION OF BRAIN PULSE
• 2001 – 2013
– SOFTWARE ENGINEER, FIRMWARE DEVELOPMENT LEADER
• DESIGN AND DEVELOPMENT OF LAYER 2 AND LAYER 3 SWITCH FIRMWARE
• PROJECT MANAGEMENT OF SOFTWARE DEVELOPMENT
• 2014 –
– CYBER SECURITY RESEARCHER
TORU SHIMANAKA
@ FUJITSU SYSTEM INTEGRATION LABORATORIES
CYBER DECEPTION
THE PLANNED ACTIONS TAKEN TO MISLEAD HACKERS AND TO THEREBY CAUSE THEM TO TAKE (OR NOT TAKE) SPECIFIC ACTIONS THAT AID COMPUTER-SECURITY DEFENSES
WHAT IS CYBER DECEPTION?
• “the planned actions taken to mislead hackers and to thereby cause them to take (or not take) specific actions that aid computer-security defenses.” (J. J. Yuill, 2006) ※1
• Deception Purposes (MITRE, 2015) ※2
– Diversion: “Direct an adversary’s attention from real assets toward bogus ones.”
– Resource Depletion: “Waste an adversary’s time and energy on obtaining and analyzing false information.”
– Uncertainty: “Cause the adversary to doubt the veracity of a discovered vulnerability or stolen information.”
– Intelligence: “Monitor and analyze adversary behavior during intrusion attempts to inform future defense efforts.”
– Proactivity: “Use deception techniques to detect previously unknown attacks.”
※1 Defensive Computer-Security Deception Operations: Processes, Principles and Techniques.
※2 Cyber Denial, Deception and Counter Deception
OUR IDEA
CYBER DECEPTION AFTER DETECTION
TEXTBOOKS DICTATE …
• When a compromised PC is discovered, it should be disconnected from the network to prevent further damage
That is a reasonable and safe practice.
But …
MISSED OPPORTUNITIES
• Obtaining valuable intelligence
• Adversary’s TTPs, purposes, and intentions
• Denying the adversary the chance to learn from his failure
• Or rather, disconnection allows the adversary to learn from his failure, and the adversary may come back again using more sophisticated tools and techniques
WE WANT BOTH
• Safety by disconnection
– Preventing further damage
• Intelligence by attack continuation
– Observing the adversary’s behavior and getting valuable information
OUR IDEA: CYBER DECEPTION AFTER DETECTION
• Prepare a “Deception Network” as a safe observation environment
• Switch communications between the compromised PC and the Operational Network to the Deception Network
• Let communication between the compromised PC and the C2 server continue
DECEPTION NETWORK
AS A SAFE OBSERVATION ENVIRONMENT TO PROTECT THE OPERATIONAL NETWORK
CYBER DECEPTION AFTER DETECTION
• Prepare a “Deception Network” as a safe observation environment
• Switch communications between the compromised PC and the Operational Network to the Deception Network (this isolates the compromised PC and keeps the Operational Network safe)
• Let communication between the compromised PC and the C2 server continue
DECEPTION NETWORK (D-NET)
[Figure: the Operational Network (O-Net) and the Deception Network (D-Net) side by side. Each consists of Network-0 (Domain Controller, Mail Server, Business Server, DHCP Server, Log Forwarder-0) and Network-1 to Network-4 (PC-n1 to PC-n4 and Log Forwarder-n each), connected by Router-1.]
• Configured identically to O-Net
– Same network topology
– Hosts with same hostnames & IP addresses (except MAC addresses)
DECEPTION NETWORK (D-NET)
[Figure: the same O-Net and D-Net, now joined segment by segment through pairs of OpenFlow switches (OpenFlow Switch-01/02 for Network-0 up to OpenFlow Switch-41/42 for Network-4).]
• Configured identically to O-Net
– Same network topology
– Hosts with same hostnames & IP addresses (except MAC addresses)
• SDN technology
– Transfer control by OpenFlow
DECEPTION NETWORK (D-NET)
• Safe observation environment
– Delete sensitive information
✓ Insert fake information
✓ Observe behavior
• Configured identically to O-Net
– Same network topology
– Hosts with same hostnames & IP addresses (except MAC addresses)
• SDN technology
– Transfer control by OpenFlow
SOFTWARE CONTROLLED PACKET TRANSFER
KEEP THE ADVERSARY UNAWARE OF DECEPTION
CYBER DECEPTION AFTER DETECTION
[Figure: communication with the C2 server is continued; communication with the O-Net is transferred to the D-Net, which keeps the adversary unaware.]
HOW TO MAKE
SPLUNK, RYU, OPEN VSWITCH, NORTHBOUND API, FLOW TABLE
ATTACK TRANSFER MECHANISM
1. Detect a compromise [out of scope of this paper]
2. config.json (per segment: the deception switch and its hosts, each with its real and deception MAC address and switch port):
{
  "networks": [
    {
      "deception_node_sw": "ovs-s-002",
      "deception_node_sw_id": "0000000000000121",
      "hosts": [
        {
          "deception_mac_address": "00:50:56:a5:43:83",
          "ip_address": "10.10.10.201",
          "mac_address": "00:50:56:a5:34:32",
          "name": "logfwd002",
          "net_mask": "255.255.255.0",
          "status": "normal",
          "sw_port": "2"
        },
        {
          "deception_mac_address": "00:50:56:a5:66:9a",
          "ip_address": "10.10.10.10",
          "mac_address": "00:50:56:a5:0c:72",
          "name": "AD",
          "net_mask": "255.255.255.0",
          "status": "normal",
          "sw_port": "3"
        },
        {
          "deception_mac_address": "00:50:56:a5:ba:0f",
          "ip_address": "10.10.10.20",
          ……………….
3. $ poffvmbyip.sh shadow 10.10.22.103 config.json
4. $ python ./mkdeceptflow-group.py 10.10.22.103 config.json > tmp_deception.sh
5. Script to set the Flow Table (excerpt):
# Open ovs-s-005 from ki201
curl -X POST -d '{"in_port": "1", "dl_src": "00:50:56:a5:20:29", "actions": "PORT2", "priority": "3300" }' http://10.1.1.2:8080/deception/rules/0000000000000124 | python -m json.tool
# ovs-r-005 ARP from ki201(00:50:56:a5:20:29) to logfwd005(00:50:56:a5:0d:69) -> rewrite eth_dst and arp_tha to Shadow-logfwd005(00:50:56:a5:2c:90) and out PORT1
curl -X POST -d '{"dl_type": "ARP", "dl_src": "00:50:56:a5:20:29", "dl_dst": "00:50:56:a5:0d:69", "arp_tha": "00:50:56:a5:0d:69", "actions": "PORT1", "set_eth_dst": "00:50:56:a5:2c:90", "set_arp_tha": "00:50:56:a5:2c:90", "priority": "3999"}' http://10.1.1.2:8080/deception/rules/0000000000000224 | python -m json.tool
# ovs-r-005 ARP from ki201(00:50:56:a5:20:29) to logfwd005[10.10.22.201](ff:ff:ff:ff:ff:ff) -> out PORT1
curl -X POST -d '{"dl_type": "ARP", "dl_src": "00:50:56:a5:20:29", "dl_dst": "ff:ff:ff:ff:ff:ff", "arp_tpa": "10.10.22.201", "actions": "PORT1", "priority": "3998"}' http://10.1.1.2:8080/deception/rules/0000000000000224 | python -m json.tool
# ovs-r-005 ARP from Shadow-logfwd005(00:50:56:a5:2c:90) to ki201(10.10.22.103) from PORT1 -> rewrite eth_src and arp_sha to logfwd005(00:50:56:a5:0d:69) and out PORT3
……………
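The script above is what mkdeceptflow-group.py produces from config.json; the deck does not show the generator itself. The following is an added example (my code, not the deck's script) that builds the same kind of rule set for one compromised PC, emitting entries in the shape the later FLOW TABLES slides show the northbound API returning, and following strategy #2 plus the strategy #3 intra-net rule. Assumed: port 1 of the segment's ovs-r switch leads to the D-Net shadows, the gateway is the host named "router" (a constructed config entry; logfwd002 and AD are copied from the deck's config.json), and arp_sha can be set like arp_tha.

```python
"""Generate deception flow entries from a config.json host list.

Added example, not the deck's mkdeceptflow-group.py. For one compromised PC
it builds the flow entries (in the JSON shape the deck's northbound API
returns) that implement strategy #2 plus the strategy #3 intra-net rule.
Assumptions: the victim and its peers share one segment of config.json,
port 1 of the ovs-r switch leads to the D-Net shadows, the gateway is the
host named "router", and arp_sha is settable like arp_tha.
"""
import json

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed config in the deck's config.json shape: logfwd002 and AD are
# the deck's entries, the router entry (and its MACs) is invented here.
CONFIG_JSON = """
{"networks": [{"deception_node_sw": "ovs-s-002",
  "deception_node_sw_id": "0000000000000121",
  "hosts": [
   {"name": "logfwd002", "ip_address": "10.10.10.201", "net_mask": "255.255.255.0",
    "mac_address": "00:50:56:a5:34:32", "deception_mac_address": "00:50:56:a5:43:83",
    "status": "normal", "sw_port": "2"},
   {"name": "AD", "ip_address": "10.10.10.10", "net_mask": "255.255.255.0",
    "mac_address": "00:50:56:a5:0c:72", "deception_mac_address": "00:50:56:a5:66:9a",
    "status": "normal", "sw_port": "3"},
   {"name": "router", "ip_address": "10.10.10.1", "net_mask": "255.255.255.0",
    "mac_address": "02:00:00:00:10:01", "deception_mac_address": "02:00:00:00:10:02",
    "status": "normal", "sw_port": "4"}]}]}
"""


def find_segment(config, victim_ip):
    """Return (victim host, other hosts) for the segment holding victim_ip."""
    for net in config["networks"]:
        for host in net["hosts"]:
            if host["ip_address"] == victim_ip:
                return host, [h for h in net["hosts"] if h is not host]
    raise ValueError(f"{victim_ip} is not in config.json")


def deception_rules(config, victim_ip, gateway_name="router",
                    intranet="10.10.0.0/255.255.0.0", dnet_port=1):
    """Flow entries for the ovs-r switch of the victim's segment."""
    victim, peers = find_segment(config, victim_ip)
    v_mac, v_port = victim["mac_address"], int(victim["sw_port"])
    to_dnet, to_victim = f"OUTPUT:{dnet_port}", f"OUTPUT:{v_port}"
    rules = []

    def add(priority, match, actions):
        rules.append({"rule_id": len(rules) + 1, "priority": priority,
                      **match, "actions": actions})

    for peer in peers:
        real, shadow = peer["mac_address"], peer["deception_mac_address"]
        # Unicast ARP victim -> peer: retarget Ethernet dst and ARP target
        # to the shadow (the deck's rule 60 pattern).
        add(3999, {"dl_type": "ARP", "dl_src": v_mac, "dl_dst": real, "arp_tha": real},
            [f"SET_FIELD:{{eth_dst:{shadow}}}", f"SET_FIELD:{{arp_tha:{shadow}}}", to_dnet])
        # Broadcast ARP request for the peer's IP: only the shadow may answer.
        add(3998, {"dl_type": "ARP", "dl_src": v_mac, "dl_dst": BROADCAST,
                   "arp_tpa": peer["ip_address"]}, [to_dnet])
        # ARP from the shadow to the victim: make the sender look like the peer.
        add(3997, {"in_port": dnet_port, "dl_type": "ARP", "dl_src": shadow, "dl_dst": v_mac},
            [f"SET_FIELD:{{eth_src:{real}}}", f"SET_FIELD:{{arp_sha:{real}}}", to_victim])
        if peer["name"] == gateway_name:
            # Strategy #3: only intra-net traffic handed to the router goes to
            # the shadow router; Internet-bound frames (the C2 session) match
            # nothing here and keep flowing (the deck's rule 87 pattern).
            add(3991, {"dl_type": "IPv4", "dl_src": v_mac, "dl_dst": real, "nw_dst": intranet},
                [f"SET_FIELD:{{eth_dst:{shadow}}}", to_dnet])
        else:
            # Any other frame victim -> peer is steered to the shadow (rules 78/83).
            add(3996, {"dl_src": v_mac, "dl_dst": real},
                [f"SET_FIELD:{{eth_dst:{shadow}}}", to_dnet])
        # Frames shadow -> victim come back wearing the peer's MAC (rule 64).
        add(3995, {"in_port": dnet_port, "dl_src": shadow, "dl_dst": v_mac},
            [f"SET_FIELD:{{eth_src:{real}}}", to_victim])
    # Everything else arriving from the D-Net side is dropped (rule 59
    # pattern: empty action list), so shadow traffic cannot leak into the O-Net.
    add(3000, {"in_port": dnet_port}, [])
    return rules


if __name__ == "__main__":
    for rule in deception_rules(json.loads(CONFIG_JSON), "10.10.10.201"):
        print(json.dumps(rule))
```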
PACKET MANIPULATION BY SDN
• Using OpenFlow “Flow Table”
– Flow Table consists of Flow entries
• Match Field: Rule to match against the packet
• Priority: Matching precedence of the flow entry
• Instructions: Set of instructions for the packet
Match Field | Priority | Instructions
if in_port = 1 | 100 | output:3, output:4
if dst_IP = 192.168.10.10 | 200 | Rewrite dst_IP to 192.168.20.30; output:6
[Figure: an OpenFlow Switch with Port1 to Port6.]
If a packet comes in on port1, then output the packet via port3 and port4 (a packet to 172.127.25.100 arriving on port1 leaves on port3 and port4).
If a packet has destination IP address 192.168.10.10, then rewrite the address to 192.168.20.30 and output via port6.
A packet to 192.168.10.10 arriving on port1 matches both rules; the instruction of the highest-priority entry is applied, so it leaves via port6 addressed to 192.168.20.30.
PACKET REWRITING
STRUCTURE OF THE FLOW TABLES
PACKET REWRITING STRATEGIES
Strategy | Description | Result
#1 | Match Field: IP address. Instructions: rewrite MAC address, switch port accordingly | works only for UDP packets
#2 | Match Field: MAC address (including ARP packet). Instructions: rewrite MAC information (including ARP packet), switch port accordingly | internal communication works, but communication with the C2 server fails
#3 | strategy #2 + Match Field: addressed to intra-net. Instructions: switch port accordingly | works for all internal and external communications
ARP: Address Resolution Protocol
STRATEGY #2
TCP communication: PC-22→PC-21 becomes PC-22→PC-21(shadow)
[Figure: the O-Net (Network-1 with PC-11 to PC-14, Network-2 with PC-21 to PC-24, Router-1, the compromised PC-22 and the C2 Server) and the D-Net (shadows of the same hosts and of Router-1), joined by OpenFlow Switch-11/12 and Switch-21/22.]
Matched MAC address: packet from PC-22 to PC-21 (src PC-22 MAC, dst PC-21 MAC)
Transfer: rewrite the dst MAC address to the PC-21 shadow MAC and change the output port (src PC-22 MAC, dst PC-21 shadow MAC)
STRATEGY #2
ARP communication: PC-21(shadow)→PC-22 becomes PC-21→PC-22
[Figure: same O-Net / D-Net layout as above.]
Matched ARP request for PC-22: Ethernet src PC-21 shadow MAC; ARP sender PC-21 shadow MAC / PC-21 IP, target PC-22 IP
Rewrite the src MAC address to PC-21 and change the output port: Ethernet src PC-21 MAC; ARP sender PC-21 MAC / PC-21 IP, target PC-22 IP
STRATEGY #2
TCP communication: PC-22→PC-14 becomes PC-22→PC-14(shadow)
[Figure: same O-Net / D-Net layout as above.]
Matched MAC address: packet from PC-22 to PC-14 via Router-1 (src PC-22 MAC, dst Router-1 MAC)
Transfer: rewrite the dst MAC address to Router-1 shadow and change the output port (src PC-22 MAC, dst Router-1 shadow MAC)
STRATEGY #2
TCP communication: PC-22→PC-14 becomes PC-22→PC-14(shadow) (return direction)
[Figure: same O-Net / D-Net layout as above.]
Matched MAC address: packet from PC-14 shadow to PC-22 via Router-1 (src Router-1 shadow MAC, dst PC-22 MAC)
Transfer: rewrite the src MAC address to Router-1 and change the output port (src Router-1 MAC, dst PC-22 MAC)
STRATEGY #2
TCP communication: PC-22→C2 server should continue
[Figure: same O-Net / D-Net layout as above.]
Matched MAC address: packet from PC-22 to the C2 Server via Router-1 (src PC-22 MAC, dst Router-1 MAC)
Transfer: rewrite the dst MAC address to Router-1 shadow and change the output port (src PC-22 MAC, dst Router-1 shadow MAC); this is why communication with the C2 server fails under strategy #2
STRATEGY #3
TCP communication: PC-22→PC-14 becomes PC-22→PC-14(shadow)
[Figure: same O-Net / D-Net layout as above.]
Matched MAC address and intra-net address: packet from PC-22 to PC-14 via Router-1 (src PC-22 MAC, dst Router-1 MAC, intra-net destination address)
Transfer: rewrite the dst MAC address to Router-1 shadow and change the output port (src PC-22 MAC, dst Router-1 shadow MAC, intra-net destination address)
STRATEGY #3
TCP communication: PC-22→C2 server continues
[Figure: same O-Net / D-Net layout as above.]
Packet from PC-22 to the C2 Server via Router-1 (src PC-22 MAC, dst Router-1 MAC, Internet destination address): the destination is an Internet network address, so the packet is unmatched and the communication continues
EXAMPLE OF SET FLOW TABLE
FIGURE AND TEXTUAL REPRESENTATION
FLOW TABLES
[Figure: Network-2 (PC-21 to PC-24 with the compromised PC-22, Router-1, PC-11, C2) on the O-Net and the shadows of the same hosts on the D-Net, joined by OpenFlow Switch-21 and Switch-22. The legend distinguishes originated packets from changed packets (rewrite, port change).]
Flow Table entries by priority, from high to low:
• ARP from the compromised PC-22
– ARP Request / ARP Reply from PC-22 → rewrite dst MAC addr in the Ethernet header and in the ARP protocol (repeated per host); copy the packet
• ARP to the compromised PC-22
– ARP Request / ARP Reply to PC-22 → rewrite src MAC addr in the Ethernet header and in the ARP protocol (repeated per host)
• Keep connection with the C2 Server
– Packet from PC-22 to another sub-network → rewrite the Router’s dst MAC addr in the Ethernet header
– Packet from another sub-network to PC-22 → rewrite the Router’s src MAC addr in the Ethernet header
– There is no Flow Table entry preventing the communication, so the communication is continued
• Packet from the compromised PC-22
– Packet from PC-22 → rewrite dst MAC addr in the Ethernet header (repeated per host)
– Flooding packet from PC-22 → forward to the ports in the group
• Packet to the compromised PC-22
– Packet to PC-22 → rewrite src MAC addr in the Ethernet header (repeated per host)
– Flooding packet → forward to the ports in the group
• Initial State (lowest priority): communication between the O-Net and the D-Net
FLOW TABLES
ARP from the compromised PC-22: ARP Request / ARP Reply from PC-22 → rewrite dst MAC addr in the Ethernet header and in the ARP protocol (repeated per host); copy the packet. ARP to the compromised PC-22: rewrite src MAC addr in the Ethernet header and in the ARP protocol. Packet from PC-22: rewrite dst MAC addr in the Ethernet header.
Textual representation (excerpt of the flow table as returned by the northbound API; rules 60, 65 and 70 are the per-host ARP entries):
      "arp_tha": "00:50:56:a5:0d:69",
      "dl_dst": "00:50:56:a5:0d:69",
      "dl_src": "00:50:56:a5:20:29",
      "dl_type": "ARP",
      "priority": 3999,
      "rule_id": 60
    },
    {
      "actions": [
        "SET_FIELD:{eth_dst:00:50:56:a5:44:b3}",
        "SET_FIELD:{arp_tha:00:50:56:a5:44:b3}",
        "OUTPUT:1"
      ],
      "arp_tha": "00:50:56:a5:61:6c",
      "dl_dst": "00:50:56:a5:61:6c",
      "dl_src": "00:50:56:a5:20:29",
      "dl_type": "ARP",
      "priority": 3999,
      "rule_id": 65
    },
    {
      "actions": [
        "SET_FIELD:{eth_dst:00:50:56:a5:07:aa}",
        "SET_FIELD:{arp_tha:00:50:56:a5:07:aa}",
        "OUTPUT:1"
      ],
      "arp_tha": "00:50:56:a5:04:e7",
      "dl_dst": "00:50:56:a5:04:e7",
      "dl_src": "00:50:56:a5:20:29",
      "dl_type": "ARP",
      "priority": 3999,
      "rule_id": 70
    },
    {
      "actions": [
        "SET_FIELD:{eth_dst:00:50:56:a5:35:c3}",
FLOW TABLES
ARP to the compromised PC-22: ARP Request / ARP Reply to PC-22 → rewrite src MAC addr in the Ethernet header and in the ARP protocol (repeated per host). Keep connection with the C2 Server: packets between PC-22 and another sub-network have the Router’s dst / src MAC addr rewritten in the Ethernet header; there is no Flow Table entry preventing the communication, so it is continued. Packet from PC-22: rewrite dst MAC addr in the Ethernet header; flooding packets from PC-22 are forwarded to the ports in the group. Packet to PC-22: rewrite src MAC addr in the Ethernet header; flooding packets are forwarded to the ports in the group.
Textual representation (excerpt; rules 78 and 83 rewrite the dst MAC of unicast frames from PC-22, rule 64 rewrites the src MAC of frames coming back from a shadow on port 1):
        "SET_FIELD:{eth_dst:00:50:56:a5:35:c3}",
        "OUTPUT:1"
      ],
      "dl_dst": "00:50:56:a5:2c:a7",
      "dl_src": "00:50:56:a5:20:29",
      "priority": 3996,
      "rule_id": 78
    },
    {
      "actions": [
        "SET_FIELD:{eth_dst:00:50:56:a5:d5:e0}",
        "OUTPUT:1"
      ],
      "dl_dst": "00:50:56:a5:d8:8d",
      "dl_src": "00:50:56:a5:20:29",
      "priority": 3996,
      "rule_id": 83
    },
    {
      "actions": [
        "SET_FIELD:{eth_src:00:50:56:a5:0d:69}",
        "OUTPUT:6"
      ],
      "dl_dst": "00:50:56:a5:20:29",
      "dl_src": "00:50:56:a5:2c:90",
      "in_port": 1,
      "priority": 3995,
      "rule_id": 64
    },
    {
      "actions": [
        "SET_FIELD:{eth_src:00:50:56:a5:61:6c}",
        "OUTPUT:6"
      ],
      "dl_dst": "00:50:56:a5:20:29",
FLOW TABLES
Keep connection with the C2 Server (lower priority, down to the Initial State of communication between the O-Net and the D-Net): packet from PC-22 to another sub-network → rewrite the Router’s dst MAC addr in the Ethernet header; packet from another sub-network to PC-22 → rewrite the Router’s src MAC addr in the Ethernet header; there is no Flow Table entry preventing the communication, so it is continued. Packet from / to the compromised PC-22: rewrite dst / src MAC addr in the Ethernet header; flooding packets are forwarded to the ports in the group.
Textual representation (end of the listing; rule 85 matches ARP from PC-22 for the router 10.10.22.1, rule 87 steers IPv4 frames to the intra-net 10.10.0.0/16 to the shadow router, rule 59 with its empty action list drops anything else arriving on port 1). The whole listing is an "access_control_list" array keyed by "switch_id":
[
  {
    "access_control_list": [
        ...
        ],
        "arp_tpa": "10.10.22.1",
        "dl_src": "00:50:56:a5:20:29",
        "dl_type": "ARP",
        "priority": 3994,
        "rule_id": 85
      },
      {
        "actions": [
          "SET_FIELD:{eth_dst:00:50:56:a5:47:e4}",
          "OUTPUT:1"
        ],
        "dl_dst": "00:50:56:a5:72:73",
        "dl_src": "00:50:56:a5:20:29",
        "dl_type": "IPv4",
        "nw_dst": "10.10.0.0/255.255.0.0",
        "priority": 3991,
        "rule_id": 87
      },
      {
        "actions": [],
        "in_port": 1,
        "priority": 3000,
        "rule_id": 59
      }
    ]
  }
],
"switch_id": "0000000000000224"
}
]
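To make the priority and rewrite semantics of these entries concrete, here is an added example (my code, not the deck's Ryu controller) that walks constructed frames through the entries listed above (rules 60, 64, 87 and 59) with the rules from the PACKET MANIPULATION BY SDN slides: the highest-priority matching entry wins and an empty action list drops the frame. Assumed: a table miss falls back to NORMAL L2 forwarding, port 6 faces the compromised PC ki201, and the frames are constructed; the MAC addresses are the deck's.

```python
"""Walk frames through the deception flow table shown in the deck.

Added example, not the deck's Ryu application: a small model of an OpenFlow
flow table using the entry shape of the FLOW TABLES slides (match keys
dl_type/dl_src/dl_dst/arp_tha/arp_tpa/nw_dst/in_port, an integer priority,
and an action list of SET_FIELD:{field:value} / OUTPUT:n strings). The
highest-priority match wins; an empty action list drops the frame. Assumed:
a table miss falls back to NORMAL (plain L2 forwarding) and port 6 faces
the compromised PC. MAC addresses come from the deck's rules 60/64/87/59
and its ARP cache (ki201, logfwd005 and its shadow, Router-1).
"""
import ipaddress
import re

KI201 = "00:50:56:a5:20:29"             # compromised PC
LOGFWD005 = "00:50:56:a5:0d:69"         # real log forwarder on the O-Net
LOGFWD005_SHADOW = "00:50:56:a5:2c:90"  # its shadow on the D-Net
ROUTER1 = "00:50:56:a5:72:73"           # Router-1 (10.10.22.1)
ROUTER1_SHADOW = "00:50:56:a5:47:e4"    # Router-1 shadow

RULES = [  # entries copied from the deck's flow-table listing
    {"rule_id": 60, "priority": 3999, "dl_type": "ARP", "dl_src": KI201,
     "dl_dst": LOGFWD005, "arp_tha": LOGFWD005,
     "actions": [f"SET_FIELD:{{eth_dst:{LOGFWD005_SHADOW}}}",
                 f"SET_FIELD:{{arp_tha:{LOGFWD005_SHADOW}}}", "OUTPUT:1"]},
    {"rule_id": 64, "priority": 3995, "in_port": 1, "dl_src": LOGFWD005_SHADOW,
     "dl_dst": KI201, "actions": [f"SET_FIELD:{{eth_src:{LOGFWD005}}}", "OUTPUT:6"]},
    {"rule_id": 87, "priority": 3991, "dl_type": "IPv4", "dl_src": KI201,
     "dl_dst": ROUTER1, "nw_dst": "10.10.0.0/255.255.0.0",
     "actions": [f"SET_FIELD:{{eth_dst:{ROUTER1_SHADOW}}}", "OUTPUT:1"]},
    {"rule_id": 59, "priority": 3000, "in_port": 1, "actions": []},
]

EXACT_KEYS = ("in_port", "dl_type", "dl_src", "dl_dst", "arp_tha", "arp_tpa")
# SET_FIELD names as the listing writes them, mapped onto the match-key names.
FIELD_ALIAS = {"eth_dst": "dl_dst", "eth_src": "dl_src"}


def matches(rule, pkt):
    """True when every match field present in the rule agrees with the frame."""
    for key in EXACT_KEYS:
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "nw_dst" in rule:  # prefix match, written as address/netmask in the listing
        if pkt.get("nw_dst") is None:
            return False
        if ipaddress.ip_address(pkt["nw_dst"]) not in ipaddress.ip_network(rule["nw_dst"]):
            return False
    return True


def apply_actions(actions, pkt):
    """Return (rewritten frame, output ports) for an OpenFlow action list."""
    out, ports = dict(pkt), []
    for action in actions:
        if m := re.fullmatch(r"SET_FIELD:\{(\w+):([^}]*)\}", action):
            field, value = m.groups()
            out[FIELD_ALIAS.get(field, field)] = value
        elif m := re.fullmatch(r"OUTPUT:(\d+)", action):
            ports.append(int(m.group(1)))
        else:
            raise ValueError(f"unsupported action {action!r}")
    return out, ports


def process(pkt, rules=RULES):
    """Look up a frame; return (rule_id or None, output ports, resulting frame)."""
    hits = [r for r in rules if matches(r, pkt)]
    if not hits:  # table miss: assumed NORMAL forwarding, frame unchanged
        return None, ["NORMAL"], dict(pkt)
    best = max(hits, key=lambda r: r["priority"])  # highest priority wins
    out, ports = apply_actions(best["actions"], pkt)
    return best["rule_id"], ports, out  # ports == [] means the frame is dropped


if __name__ == "__main__":
    arp = {"in_port": 6, "dl_type": "ARP", "dl_src": KI201, "dl_dst": LOGFWD005,
           "arp_tha": LOGFWD005, "arp_tpa": "10.10.22.201"}
    print(process(arp))  # rule 60: both dst MACs become the shadow, out port 1
```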
EVALUATION
USING THE SCRIPT OF POST-COMPROMISE ACTIVITIES
EVALUATION
• What: Keep the adversary unaware of cyber deception
– Maintaining control of the compromised PC on the O-Net from their C2 server
– Transferring the network activities of the compromised PC from the O-Net to the D-Net
• How: Observation from the adversary’s point of view (i.e. from the C2 server)
– Created a script of post-compromise activities selected from common attacks
– Executed the script from the C2 server's console before and after deception and compared the results
SCRIPT OF POST-COMPROMISE ACTIVITIES
1. sysinfo : Get System and User information
2. idletime : Get the time interval during which the user did not operate
3. getpid : Get the Process ID used for the attack
4. ps : Get the Process List
5. post/windows/gather/enum_services : Get name and configuration info for each returned service
6. getproxy : Get information about the proxy
7. post/windows/gather/credentials/enum_cred_store : Get Credentials of IE
8. post/multi/gather/thunderbird_creds : Get Credentials of Thunderbird
9. ls -lR C:\\Users\\ : Get File List of the User
10. post/windows/gather/enum_ie : Get Browser history
11. post/windows/gather/dumplinks2 : Get Files recently used
12. post/windows/gather/enum_applications : Get Application list
13. net user / net localgroup : Get information about local accounts, groups and administrators
14. net share list : Get shared folder information
15. show_mount : Get the currently attached “mounts”
16. ifconfig : Get Network interface information (MAC address, IP address)
17. arp : Get ARP Table
18. route : Get Routing Table
19. netstat : Get Connection information for each process
20. net use : Get SMB remote connection information
21. post/windows/recon/computer_browser_discovery : Get Neighbor Computers
EVALUATION ENVIRONMENT
• Two servers connected by a switch
– One hosting the O-Net, the Internet and the C2 Server (as virtual machines)
– One hosting the D-Net and the Deception Management Network (as virtual machines)
EVALUATION RESULTS
• The automated attack script produced exactly the same results before and after deception
• The session between the compromised PC and the C2 server remained uninterrupted during and after deception
ATTACK LOG
[*] show_mount
Mounts / Drives
===============
Name  Type       Size (Total)  Size (Free)  Mapped to
----  ----       ------------  -----------  ---------
A:\   removable  0.00 B        0.00 B
C:\   fixed      31.90 GiB     17.33 GiB
D:\   remote     0.00 B        0.00 B       \\sh201\share\
E:\   cdrom      0.00 B        0.00 B
M:\   remote     0.00 B        0.00 B       \\file\share\???\
Total mounts/drives: 5
ATTACK LOG
[*] ifconfig
Interface 12
============
Name : vmxnet3 Ethernet Adapter
Hardware MAC : 00:50:56:a5:04:e7
MTU : 1500
IPv4 Address : 10.10.22.102
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::84f4:5832:cee4:1469
IPv6 Netmask : ffff:ffff:ffff:ffff::
ATTACK LOG
[*] arp
ARP cache
=========
IP address       MAC address        Interface
----------       -----------        ---------
10.10.22.1       00:50:56:a5:72:73  12
10.10.22.101     00:50:56:a5:61:6c  12
10.10.22.103     00:50:56:a5:20:29  12
10.10.22.104     00:50:56:a5:2c:a7  12
10.10.22.201     00:50:56:a5:0d:69  12
10.10.22.255     ff:ff:ff:ff:ff:ff  12
224.0.0.22       00:00:00:00:00:00  1
224.0.0.22       01:00:5e:00:00:16  12
224.0.0.252      01:00:5e:00:00:fc  12
239.255.255.250  00:00:00:00:00:00  1
239.255.255.250  01:00:5e:7f:ff:fa  12
255.255.255.255  ff:ff:ff:ff:ff:ff  12
ATTACK LOG
[*] route
IPv4 network routes
===================
Subnet           Netmask          Gateway       Metric  Interface
------           -------          -------       ------  ---------
0.0.0.0          0.0.0.0          10.10.22.1    5       12
10.10.22.0       255.255.255.0    10.10.22.102  261     12
10.10.22.102     255.255.255.255  10.10.22.102  261     12
10.10.22.255     255.255.255.255  10.10.22.102  261     12
127.0.0.0        255.0.0.0        127.0.0.1     306     1
127.0.0.1        255.255.255.255  127.0.0.1     306     1
127.255.255.255  255.255.255.255  127.0.0.1     306     1
224.0.0.0        240.0.0.0        127.0.0.1     306     1
224.0.0.0        240.0.0.0        10.10.22.102  261     12
255.255.255.255  255.255.255.255  127.0.0.1     306     1
255.255.255.255  255.255.255.255  10.10.22.102  261     12
No IPv6 routes were found.
ATTACK LOG
[*] netstat
Connection list
===============
Proto Local address Remote address State User Inode PID/Program name
----- ------------- -------------- ----- ---- ----- ----------------
tcp 0.0.0.0:135 0.0.0.0:* LISTEN 0 0 684/svchost.exe
tcp 0.0.0.0:445 0.0.0.0:* LISTEN 0 0 4/System
tcp 0.0.0.0:5357 0.0.0.0:* LISTEN 0 0 4/System
tcp 0.0.0.0:8089 0.0.0.0:* LISTEN 0 0 1476/splunkd.exe
tcp 0.0.0.0:49152 0.0.0.0:* LISTEN 0 0 392/wininit.exe
tcp 0.0.0.0:49153 0.0.0.0:* LISTEN 0 0 772/svchost.exe
tcp 0.0.0.0:49154 0.0.0.0:* LISTEN 0 0 856/svchost.exe
tcp 0.0.0.0:49155 0.0.0.0:* LISTEN 0 0 508/lsass.exe
tcp 0.0.0.0:49170 0.0.0.0:* LISTEN 0 0 500/services.exe
tcp 10.10.22.102:139 0.0.0.0:* LISTEN 0 0 4/System
tcp 10.10.22.102:49227 10.10.22.201:9997 ESTABLISHED 0 0 1476/splunkd.exe
tcp 10.10.22.102:49230 10.10.10.10:49155 ESTABLISHED 0 0 2576/splunk-winevtlog.exe
tcp 10.10.22.102:49251 10.10.22.201:9997 TIME_WAIT 0 0 0/[System Process]
tcp 10.10.22.102:49252 10.10.22.201:8089 TIME_WAIT 0 0 0/[System Process]
tcp 10.10.22.102:49253 10.10.22.101:139 TIME_WAIT 0 0 0/[System Process]
tcp 10.10.22.102:49254 10.10.22.101:139 TIME_WAIT 0 0 0/[System Process]
tcp 10.10.22.102:49255 10.10.22.201:9997 TIME_WAIT 0 0 0/[System Process]
tcp 10.10.22.102:49256 10.10.22.201:9997 TIME_WAIT 0 0 0/[System Process]
tcp 10.10.22.102:49257 10.10.10.30:80 CLOSE_WAIT 0 0 2744/powershell.exe
tcp 10.10.22.102:49260 172.16.0.10:443 ESTABLISHED 0 0 2744/powershell.exe
tcp 10.10.22.102:49261 10.10.22.201:9997 TIME_WAIT 0 0 0/[System Process]
tcp 10.10.22.102:49263 10.10.10.60:445 ESTABLISHED 0 0 4/System
tcp6 :::135 :::* LISTEN 0 0 684/svchost.exe
tcp6 :::445 :::* LISTEN 0 0 4/System
tcp6 :::5357 :::* LISTEN 0 0 4/System
tcp6 :::49152 :::* LISTEN 0 0 392/wininit.exe
tcp6 :::49153 :::* LISTEN 0 0 772/svchost.exe
tcp6 :::49154 :::* LISTEN 0 0 856/svchost.exe
tcp6 :::49155 :::* LISTEN 0 0 508/lsass.exe
tcp6 :::49170 :::* LISTEN 0 0 500/services.exe
udp 0.0.0.0:123 0.0.0.0:* 0 0 968/svchost.exe
udp 0.0.0.0:3702 0.0.0.0:* 0 0 1184/svchost.exe
udp 0.0.0.0:3702 0.0.0.0:* 0 0 1184/svchost.exe
udp 0.0.0.0:5355 0.0.0.0:* 0 0 332/svchost.exe
udp 0.0.0.0:51205 0.0.0.0:* 0 0 1184/svchost.exe
udp 0.0.0.0:52092 0.0.0.0:* 0 0 1352/ossec-agent.exe
udp 0.0.0.0:54628 0.0.0.0:* 0 0 1220/intercepter.exe
udp 10.10.22.102:137 0.0.0.0:* 0 0 4/System
udp 10.10.22.102:138 0.0.0.0:* 0 0 4/System
udp 127.0.0.1:56398 0.0.0.0:* 0 0 508/lsass.exe
udp 127.0.0.1:56400 0.0.0.0:* 0 0 332/svchost.exe
udp 127.0.0.1:59787 0.0.0.0:* 0 0 856/svchost.exe
udp 127.0.0.1:65485 0.0.0.0:* 0 0 1728/WmiPrvSE.exe
udp6 :::123 :::* 0 0 968/svchost.exe
udp6 :::3702 :::* 0 0 1184/svchost.exe
udp6 :::3702 :::* 0 0 1184/svchost.exe
udp6 :::5355 :::* 0 0 332/svchost.exe
udp6 :::51206 :::* 0 0 1184/svchost.exe
[*] getproxy
Auto-detect : No
Auto config URL : http://www.system.skyblue.test/proxy.pac
Proxy URL :
Proxy Bypass :
ATTACK LOG
65
### SMB Remote Connection
~~~
[*] net use
[+] Net use list
Status Local Remote
------ ----- ------
       D:    \\sh201\share
OK     M:    \\file\share\secret
~~~
ATTACK LOG
66
### Neighbor Computer(NBT)
~~~
[*] post/windows/recon/computer_browser_discovery
[+] Found 4 systems.
....
[*] Netdiscovery Results
====================
TYPE IP COMPUTER NAME VERSION COMMENT
---- -- ------------- ------- -------
0x11003 10.10.22.102 KG201 6.1
0x11003 10.10.22.104 YM201 6.3
0x31003 10.10.22.103 KI201 6.3
0x51003 10.10.22.101 UN201 6.1
~~~
meterpreter >
ATTACK LOG
67
YOU ARE ALMOST THERE!
DON'T GIVE UP!
68
CONCLUSION
• Objective
– Observe the adversary's attack safely and covertly by keeping the
adversary unaware of the deception
• Technique
– Creating a Deception Network
– Using OpenFlow Flow Tables to manipulate packets
• Evaluation
– The adversary cannot observe any difference before, during, or after the
cyber deception
69
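The flow-table manipulation named under Technique, as an added example that is not the talk's own code: a small simulation of the flow entries installed on the compromised host's switch, contrasting Strategy #2 (match on MAC addresses only, which also diverts C2 traffic) with Strategy #3 (MAC addresses plus an intra-net destination, which lets Internet-bound traffic pass). All MAC addresses, the intra-net prefix and the switch port numbers are constructed; the field names follow the OpenFlow/northbound-API vocabulary used in the talk.

```python
"""Simulation of the OpenFlow flow entries that divert one compromised host (PC-22) into
the Deception Network: Strategy #2 (match on MAC addresses only) versus Strategy #3
(MAC addresses plus 'addressed to intra-net'). Added example with constructed addresses."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

BROADCAST = "ff:ff:ff:ff:ff:ff"
INTRANET = ip_network("10.10.0.0/16")      # constructed: the organisation's address space
PC22_PORT, ONET_PORT, DNET_PORT = 1, 2, 3  # constructed ports on OpenFlow Switch-22
PC22_MAC = "00:00:00:00:00:22"             # constructed MAC of the compromised host
# name -> (ip, real MAC in the O-Net, shadow MAC in the D-Net); shadows share the real IP
HOSTS = {"PC-21": ("10.10.22.21", "00:00:00:00:00:21", "00:00:00:00:01:21")}
ROUTER1 = ("10.10.22.1", "00:00:00:00:00:01", "00:00:00:00:01:01")
# OpenFlow set-field action -> packet field it rewrites
FIELD_OF = {"set_eth_src": "dl_src", "set_eth_dst": "dl_dst",
            "set_arp_sha": "arp_sha", "set_arp_tha": "arp_tha"}


@dataclass(frozen=True)
class Packet:
    dl_src: str
    dl_dst: str
    nw_dst: str            # destination IP (for ARP: the target protocol address)
    dl_type: str = "IP"    # "IP" or "ARP"
    arp_sha: str = ""      # ARP sender / target hardware addresses (ARP only)
    arp_tha: str = ""


@dataclass(frozen=True)
class FlowEntry:
    priority: int
    match: dict            # packet field -> required value; "intranet" -> bool test on nw_dst
    actions: dict          # set_* rewrites (see FIELD_OF) plus the "output" port


def matches(entry: FlowEntry, pkt: Packet) -> bool:
    """True when every match field of the entry agrees with the packet."""
    for key, want in entry.match.items():
        if key == "intranet":
            if (ip_address(pkt.nw_dst) in INTRANET) != want:
                return False
        elif getattr(pkt, key) != want:
            return False
    return True


def apply_table(table: list, pkt: Packet) -> tuple:
    """Apply the highest-priority matching entry, as an OpenFlow switch does.
    A table miss is modelled as unchanged, normal forwarding toward the O-Net."""
    hits = [e for e in table if matches(e, pkt)]
    if not hits:
        return pkt, ONET_PORT
    best = max(hits, key=lambda e: e.priority)
    edits = {}
    for action, value in best.actions.items():
        field = FIELD_OF.get(action)
        if field and (pkt.dl_type == "ARP" or not field.startswith("arp_")):
            edits[field] = value
    return replace(pkt, **edits), best.actions["output"]


def deception_rules(victim_mac: str, intranet_only: bool) -> list:
    """Flow entries for one compromised host. intranet_only=False reproduces Strategy #2;
    True adds the Strategy #3 condition, so Internet-bound (C2) traffic is left untouched."""
    rules = []
    for ip, real, shadow in HOSTS.values():
        # Unicast IP victim -> real neighbour: rewrite dst MAC to the shadow, send into the D-Net
        rules.append(FlowEntry(3000, {"dl_src": victim_mac, "dl_dst": real},
                               {"set_eth_dst": shadow, "output": DNET_PORT}))
        # Broadcast ARP asking for the neighbour's IP: the shadow has the same IP and answers
        rules.append(FlowEntry(3998, {"dl_type": "ARP", "dl_src": victim_mac,
                                      "dl_dst": BROADCAST, "nw_dst": ip}, {"output": DNET_PORT}))
        # Unicast ARP to the real MAC: rewrite the Ethernet header and the ARP target field
        rules.append(FlowEntry(3999, {"dl_type": "ARP", "dl_src": victim_mac, "arp_tha": real},
                               {"set_eth_dst": shadow, "set_arp_tha": shadow, "output": DNET_PORT}))
        # Return path: frames from the shadow must appear to come from the real host
        rules.append(FlowEntry(3000, {"dl_src": shadow, "dl_dst": victim_mac},
                               {"set_eth_src": real, "set_arp_sha": real, "output": PC22_PORT}))
    # Traffic for other sub-networks is addressed to Router-1; divert it to Router-1 (shadow)
    via_router = {"dl_src": victim_mac, "dl_dst": ROUTER1[1]}
    if intranet_only:
        via_router["intranet"] = True      # Strategy #3: only intra-net destinations match
    rules.append(FlowEntry(2000, via_router, {"set_eth_dst": ROUTER1[2], "output": DNET_PORT}))
    rules.append(FlowEntry(2000, {"dl_src": ROUTER1[2], "dl_dst": victim_mac},
                           {"set_eth_src": ROUTER1[1], "output": PC22_PORT}))
    return rules


def route(intranet_only: bool, pkt: Packet) -> tuple:
    """(rewritten packet, output port) for a frame seen by Switch-22 while PC-22 is diverted."""
    return apply_table(deception_rules(PC22_MAC, intranet_only), pkt)


if __name__ == "__main__":
    pc21_ip, pc21_mac, pc21_shadow = HOSTS["PC-21"]
    cases = [Packet(PC22_MAC, pc21_mac, pc21_ip),           # PC-22 -> PC-21, same subnet
             Packet(PC22_MAC, ROUTER1[1], "10.10.11.14"),   # PC-22 -> PC-14 via Router-1
             Packet(PC22_MAC, ROUTER1[1], "203.0.113.10"),  # PC-22 -> C2 server (Internet)
             Packet(pc21_shadow, PC22_MAC, "10.10.22.22")]  # PC-21 (shadow) -> PC-22 reply
    for strategy in (2, 3):
        for pkt in cases:
            out, port = route(strategy == 3, pkt)
            print(f"#{strategy} to {pkt.nw_dst:13s} src {out.dl_src} dst {out.dl_dst} port {port}")
```

Running the block prints the same four frames under both strategies; only the C2-bound frame differs, which is the failure the talk's strategy table records for Strategy #2.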
ANY QUESTIONS?
Thank you.
Toru Shimanaka
https://www.facebook.com/ToruShimanaka
https://www.linkedin.com/in/ToruShimanaka
This slide is based on the paper published
@ HICSS-52 (Hawaii International Conference on System Sciences 2019)
http://hdl.handle.net/10125/60166
70

More Related Content

What's hot

What's hot (20)

From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 
Cyber threat intelligence
Cyber threat intelligenceCyber threat intelligence
Cyber threat intelligence
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
 
The Cyber Threat Intelligence Matrix
The Cyber Threat Intelligence MatrixThe Cyber Threat Intelligence Matrix
The Cyber Threat Intelligence Matrix
 
Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together
Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together
Threat Hunting vs. UEBA: Similarities, Differences, and How They Work Together
 
Ethical Hacking Powerpoint
Ethical Hacking PowerpointEthical Hacking Powerpoint
Ethical Hacking Powerpoint
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection System
 
Honeypot
Honeypot Honeypot
Honeypot
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence ppt
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
What We’ve Learned Building a Cyber  Security Operation Center: du Case  StudyWhat We’ve Learned Building a Cyber  Security Operation Center: du Case  Study
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
 
Honeypot and deception
Honeypot and deceptionHoneypot and deception
Honeypot and deception
 
Cyber Threat Intelligence Integration Center -- ONDI
Cyber Threat Intelligence Integration Center -- ONDICyber Threat Intelligence Integration Center -- ONDI
Cyber Threat Intelligence Integration Center -- ONDI
 
Cyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to InsightCyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to Insight
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpCon
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat Intelligence
 

Similar to Cyber Deception After Detection: Safe Observation Environment Using Software Defined Networking

Gartner technologies for Infosec 2014-2015
Gartner technologies for Infosec 2014-2015Gartner technologies for Infosec 2014-2015
Gartner technologies for Infosec 2014-2015
Samuel Kamuli
 

Similar to Cyber Deception After Detection: Safe Observation Environment Using Software Defined Networking (20)

Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
 
BSIT3CD_Continuation of Cyber incident response (1).pdf
BSIT3CD_Continuation of Cyber incident response (1).pdfBSIT3CD_Continuation of Cyber incident response (1).pdf
BSIT3CD_Continuation of Cyber incident response (1).pdf
 
Cyber Deception Architecture: Covert Attack Reconnaissance Using a Safe SDN A...
Cyber Deception Architecture: Covert Attack Reconnaissance Using a Safe SDN A...Cyber Deception Architecture: Covert Attack Reconnaissance Using a Safe SDN A...
Cyber Deception Architecture: Covert Attack Reconnaissance Using a Safe SDN A...
 
The Cybersecurity Mess
The Cybersecurity MessThe Cybersecurity Mess
The Cybersecurity Mess
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Cyber Crimes: The next five years.
Cyber Crimes: The next five years. Cyber Crimes: The next five years.
Cyber Crimes: The next five years.
 
2016 to 2021
2016 to 20212016 to 2021
2016 to 2021
 
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
 
Philippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTsPhilippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTs
 
Security as a top of mind issue for mobile application development
Security as a top of mind issue for mobile application developmentSecurity as a top of mind issue for mobile application development
Security as a top of mind issue for mobile application development
 
Gartner technologies for Infosec 2014-2015
Gartner technologies for Infosec 2014-2015Gartner technologies for Infosec 2014-2015
Gartner technologies for Infosec 2014-2015
 
Power Plants Security Webinar Presentation
Power Plants Security Webinar PresentationPower Plants Security Webinar Presentation
Power Plants Security Webinar Presentation
 
Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?
 
Scalar Security Roadshow - Ottawa Presentation
Scalar Security Roadshow - Ottawa PresentationScalar Security Roadshow - Ottawa Presentation
Scalar Security Roadshow - Ottawa Presentation
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 
Botnets' networks
Botnets' networksBotnets' networks
Botnets' networks
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptx
 
Challenges with Cloud Security by Ken Y Chan
Challenges with Cloud Security by Ken Y ChanChallenges with Cloud Security by Ken Y Chan
Challenges with Cloud Security by Ken Y Chan
 

Recently uploaded

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 

Cyber Deception After Detection: Safe Observation Environment Using Software Defined Networking

  • 1. C Y B E R D E C E P T I O N A F T E R D E T E C T I O N : S A F E O B S E R V A T I O N E N V I R O N M E N T U S I N G S O F T W A R E D E F I N E D N E T W O R K I N G B S I D E S S E N D A I 2 0 1 9 M A R . 1 6 T H 2 0 1 9 TO R U S H I M A N A K A 1
  • 2. WHO AM I • 1989 – 1994 – SOFTWARE ENGINER • DESIGN AND DEVELOPMENT OFWORKSTATION INSTALLATION PROGRAM • 1994 – 1996 – GRADUATE STUDENT @ JAPAN ADVANCED INSTITUTE OF SCIENCE ANDTECHNOLOGY (JAIST) • OPTICAL FLOW • 1997 – 2000 – RESERCHER • SIMULATION FOR ESTIMATE OF BRAIN PULSE • 2001 – 2013 – SOFTWARE ENGINEER,FIRMWARE DEVELOPMENT LEADER • DESIGN AND DEVELOPMENT OF LAYER2 AND LAYER3 SWITCH FIRMWAR • PROJECT MANAGEMENT OF SOFTWARE DEVELOPMENT • 2014 – – CYBER SECURITY RESEARCHER TORU SHIMANAKA @ FUJITSU SYSTEM INTEGRATION LABORATORIES 2
  • 3. CYBER DECEPTIONT H E P L A N N E D A C T I O N S T A K E N T O M I S L E A D H A C K E R S A N D T O T H E R E B Y C A U S E T H E M T O T A K E ( O R N O T T A K E ) S P E C I F I C A C T I O N S T H A T A I D C O M P U T E R - S E C U R I T Y D E F E N S E S 3
  • 4. WHAT IS CYBER DECEPTION? • “the planned actions taken to mislead hackers and to thereby cause them to take (or not take) specific actions that aid computer- security defenses.” (J. J.Yuill, 2006)※1 • Deception Purposes (MITRE, 2015) ※2 – Diversion – Resource Depletion – Uncertainty – Intelligence – Proactivity ※1 Defensive Computer-Security Deception Operations: Processes, Principles andTechniques. ※2 Cyber Denial, Deception and Counter Deception 4
  • 5. WHAT IS CYBER DECEPTION? • “the planned actions taken to mislead hackers and to thereby cause them to take (or not take) specific actions that aid computer- security defenses.” (J. J.Yuill, 2006)※1 • Deception Purposes (MITRE, 2015) ※2 – Diversion – Resource Depletion – Uncertainty – Intelligence – Proactivity ※1 Defensive Computer-Security Deception Operations: Processes, Principles andTechniques. ※2 Cyber Denial, Deception and Counter Deception “Direct an adversary’s attention from real assets toward bogus ones.” 5
  • 6. WHAT IS CYBER DECEPTION? • “the planned actions taken to mislead hackers and to thereby cause them to take (or not take) specific actions that aid computer- security defenses.” (J. J.Yuill, 2006)※1 • Deception Purposes (MITRE, 2015) ※2 – Diversion – Resource Depletion – Uncertainty – Intelligence – Proactivity ※1 Defensive Computer-Security Deception Operations: Processes, Principles andTechniques. ※2 Cyber Denial, Deception and Counter Deception ・・・ ・・・ ・・・ “Waste an adversary’s time and energy on obtaining and analyzing false information.” 6
  • 7. • “the planned actions taken to mislead hackers and to thereby cause them to take (or not take) specific actions that aid computer- security defenses.” (J. J.Yuill, 2006)※1 • Deception Purposes (MITRE, 2015) ※2 – Diversion – Resource Depletion – Uncertainty – Intelligence – Proactivity ※1 Defensive Computer-Security Deception Operations: Processes, Principles andTechniques. ※2 Cyber Denial, Deception and Counter Deception “Cause the adversary to doubt the veracity of a discovered vulnerability or stolen information.” WHAT IS CYBER DECEPTION? 7
  • 8. • “the planned actions taken to mislead hackers and to thereby cause them to take (or not take) specific actions that aid computer- security defenses.” (J. J.Yuill, 2006)※1 • Deception Purposes (MITRE, 2015) ※2 – Diversion – Resource Depletion – Uncertainty – Intelligence – Proactivity ※1 Defensive Computer-Security Deception Operations: Processes, Principles andTechniques. ※2 Cyber Denial, Deception and Counter Deception “Monitor and analyze adversary behavior during intrusion attempts to inform future defense efforts.” WHAT IS CYBER DECEPTION? 8
  • 9. • “the planned actions taken to mislead hackers and to thereby cause them to take (or not take) specific actions that aid computer- security defenses.” (J. J.Yuill, 2006)※1 • Deception Purposes (MITRE, 2015) ※2 – Diversion – Resource Depletion – Uncertainty – Intelligence – Proactivity ※1 Defensive Computer-Security Deception Operations: Processes, Principles andTechniques. ※2 Cyber Denial, Deception and Counter Deception “Use deception techniques to detect previously unknown attacks.” WHAT IS CYBER DECEPTION? 9
  • 10. OUR IDEA C Y B E R D E C E P T I O N A F T E R D E T E C T I O N 10
  • 11. TEXTBOOKS DICTATE … • When a compromised PC is discovered, it should be disconnected from the network to prevent further damages That is a reasonable and safe practice. But … 11
  • 12. • Obtaining valuable intelligence • Adversary’sTTPs, purposes, and intentions • Denying the adversary to learn from his failure • Or allows the adversary to learn from his failure, and the adversary may come back again using more sophisticated tools and techniques MISSED OPPORTUNITIES 12
  • 13. WE WANT BOTH • Safety by disconnection –Preventing further damage • Intelligence by attack continuation –Observing adversary’s behavior and getting valuable information 13
  • 14. OUR IDEA • Prepare a “Deception Network” as a safe observation environment • Switch communications between the compromised PC and the Operational Network to the Deception Network • Let communication between the compromised PC and the C2 server continue CYBER DECEPTION AFTER DETECTION 14
  • 15. DECEPTION NETWORK A S A S A F E O B S E R V A T I O N E N V I R O N M E N T T O P R O T E C T T H E O P E R A T I O N A L N E T W O R K 15
  • 16. • Prepare a “Deception Network” as a safe observation environment • Switch communications between the compromised PC and the Operational Network to the Deception Network • Let communication between the compromised PC and the C2 server continue Isolate the compromised PC safe CYBER DECEPTION AFTER DETECTION 16
  • 17. DECEPTION NETWORK (D-NET) PC-44 PC-43 PC-42 Log Fowarder-4PC-41 PC-34 PC-33 PC-32 PC-31 PC-24 PC-23 PC-22 Log Fowarder-2PC-21 Log Fowarder-3 PC-11PC-12PC-13 Log Fowarder-1PC-14 Domain Controller Log Fowarder-0 Mail Server Business Server DHCP Server Network-1 Network-0 Network-2 Network-3 Network-4 Router-1 Operational Network (O-Net) PC-44 PC-43 PC-42 Log Fowarder-4PC-41 PC-34 PC-33 PC-32 PC-31 PC-24 PC-23 PC-22 Log Fowarder-2PC-21 Log Fowarder-3 PC-11PC-12PC-13 Log Fowarder-1PC-14 Domain Controller Log Fowarder-0 Mail Server Business Server DHCP Server Network-1 Network-0 Network-2 Network-3 Network-4 Router-1 Deception Network (D-Net) • Configured identically to O-Net – Same network topology – Hosts with same hostnames & ip addresses (except MAC addresses) 17
  • 18. DECEPTION NETWORK (D-NET) Operational Network (O-Net) PC-44 PC-43 PC-42 Log Fowarder-4PC-41 PC-34 PC-33 PC-32 PC-31 PC-24 PC-23 PC-22 Log Fowarder-2PC-21 Log Fowarder-3 PC-11PC-12PC-13 Log Fowarder-1PC-14 Domain Controller Log Fowarder-0 Mail Server Business Server DHCP Server Network-1 Network-0 Network-2 Network-3 Network-4 Router-1 Deception Network (D-Net) • Configured identically to O-Net – Same network topology – Hosts with same hostnames & ip addresses (except MAC addresses) Domain Controller Log Fowarder-0 Mail Server Business Server DHCP Server PC-11PC-12PC-13 Log Fowarder-1 PC-24 PC-23 PC-22 Log Fowarder-2PC-21 Network-1 PC-14 PC-34 PC-33 PC-32 Log Fowarder-3PC-31 PC-44 PC-43 PC-42 Log Fowarder-4PC-41 Network-0 Network-2 Network-3 Network-4 OpenFlow Switch-01 OpenFlow Switch-11 OpenFlow Switch-21 OpenFlow Switch-31 OpenFlow Switch-41 OpenFlow Switch-02 OpenFlow Switch-12 OpenFlow Switch-22 OpenFlow Switch-32 OpenFlow Switch-42 Router-1 • SDN technology – Transfer control by OpenFlow 18
  • 19. DECEPTION NETWORK (D-NET) • Safe observation environment – Delete sensitive information ✓Insert fake information ✓Observe behavior • Configured identically to O-Net – Same network topology – Hosts with same hostnames & ip addresses (except MAC addresses) • SDN technology – Transfer control by OpenFlow 19
  • 20. SOFTWARE CONTROLLED PACKET TRANSFER K E E P T H E A D V E R S A R Y U N A W A R E O F D E C E P T I O N 20
  • 21. • Prepare a “Deception Network” as a safe observation environment • Switch communications between the compromised PC and the Operational Network to the Deception Network • Let communication between the compromised PC and the C2 server continue CYBER DECEPTION AFTER DETECTION 21
  • 22. CYBER DECEPTION AFTER DETECTION Continued communication with C2 server Transferring communication with O-Net Transferred communication with D-Net Keeps adversary unaware 22
  • 23. HOW TO MAKE S P L U N K , RY U , O P E N V S W I T C H , N O RT H B O U N D A P I , F L OW TA B L E 23
  • 25. ATTACK TRANSFER MECHANISM Detect a compromise [out of scope of this paper] 25
  • 26. ATTACK TRANSFER MECHANISM{ "networks": [ { "deception_node_sw": "ovs-s-002", "deception_node_sw_id": "0000000000000121", "hosts": [ { "deception_mac_address": "00:50:56:a5:43:83", "ip_address": "10.10.10.201", "mac_address":"00:50:56:a5:34:32", "name": "logfwd002", "net_mask": "255.255.255.0", "status": "normal", "sw_port": "2" }, { "deception_mac_address": "00:50:56:a5:66:9a", "ip_address": "10.10.10.10", "mac_address":"00:50:56:a5:0c:72", "name": "AD", "net_mask": "255.255.255.0", "status": "normal", "sw_port": "3" }, { "deception_mac_address": "00:50:56:a5:ba:0f", "ip_address": "10.10.10.20", ………………. config.json 26
  • 27. ATTACK TRANSFER MECHANISM $ poffvmbyip.sh shadow 10.10.22.103 config.json 27
  • 28. ATTACK TRANSFER MECHANISM $ python ./mkdeceptflow-group.py 10.10.22.103 config .json > tmp_deception.sh 28
  • 29. ATTACK TRANSFER MECHANISM # Open ovs-s-005 from ki201 curl -X POST -d '{"in_port": "1", "dl_src": "00:50:56:a5:20:29", "actions": "PORT2", "priority": "3300" }' http://10.1.1.2:8080/deception/rules/0000000000000124 | python -m json.tool # ovs-r-005 ARP from ki201(00:50:56:a5:20:29) to logfwd005(00:50:56:a5:0d:69) -> rewrite eth_dst and arp_tha to Shadow-logfwd005(00:50:56:a5:2c:90) and out PORT1 curl -X POST -d '{"dl_type": "ARP", "dl_src": "00:50:56:a5:20:29", "dl_dst": "00:50:56:a5:0d:69", "arp_tha": "00:50:56:a5:0d:69", "actions": "PORT1", "set_eth_dst": "00:50:56:a5:2c:90","set_arp_tha": "00:50:56:a5:2c:90", "priority": "3999"}' http://10.1.1.2:8080/deception/rules/0000000000000224 | python -m json.tool # ovs-r-005 ARP from ki201(00:50:56:a5:20:29) to logfwd005[10.10.22.201](ff:ff:ff:ff:ff:ff) -> out PORT1 curl -X POST -d '{"dl_type": "ARP", "dl_src": "00:50:56:a5:20:29", "dl_dst": "ff:ff:ff:ff:ff:ff","arp_tpa": "10.10.22.201", "actions": "PORT1", "priority": "3998"}' http://10.1.1.2:8080/deception/rules/0000000000000224 | python -m json.tool # ovs-r-005 ARP from Shadow-logfwd005(00:50:56:a5:2c:90) to ki201(10.10.22.103) from PORT1 -> rewrite eth_src and arp_sha to logfwd005(00:50:56:a5:0d:69) and out PORT3 …………… Script to set FlowTable 29
  • 30. • Using OpenFlow “Flow Table” –Flow Table consists of Flow entries • Match Field: Rule to match against the packet • Priority: Matching precedence of the flow entry • Instructions: Set of instructions for the packet Match Field Priority Instructions PACKET MANIPULATION BY SDN 30
  • 31. Match Field Priority Instructions • Using OpenFlow “Flow Table” –Flow Table consists of Flow entries Match Field Priority Instructions if in_port = 1 100 output:3,output:4 if a packet comes in on port1 Then output packet via port3 and port4 Port1 Port2 Port3 Port4 Port5 Port6 To 172.127.25.100 To 172.127.25.100 PACKET MANIPULATION BY SDN OpenFlow Switch 31
  • 32. • Using OpenFlow “Flow Table” –Flow Table consists of Flow entries Match Field Priority Instructions if in_port = 1 100 output:3,output:4 If dst_IP = 192.168.10.10 200 Rewrite dst_IP to 192.168.20.30 output:6 If a packet has destination IP address 192.168.10.10 then rewrite the address to 192.168.20.30 and output via port6 Port1 Port2 Port3 Port4 Port5 Port6 To 172.127.25.100To 192.168.10.10 To 192.168.20.30 Highest priority Instruction is applied Matches both rules PACKET MANIPULATION BY SDN OpenFlow Switch 32
  • 33. PACKET REWRITING S T R U C T U R E O F T H E F L OW TA B L E S 33
  • 34. Strategy Description Result #1 Match Field IP address works only for UDP packets Instructions rewrite MAC address switch port accordingly #2 Match Field MAC address (including ARP packet) internal communication works, but communication with the C2 server fails Instructions rewrite MAC information (including ARP packet) switch port accordingly #3 strategy #2 + works for all internal and external communications Match Field addressed to intra-net Instructions switch port accordingly PACKET REWRITING STRATEGIES ARP:Address Resolution Protocol 34
  • 35. Strategy Description Result #1 Match Field IP address works only for UDP packets Instructions rewrite MAC address switch port accordingly #2 Match Field MAC address (including ARP packet) internal communication works, but communication with the C2 server fails Instructions rewrite MAC information (including ARP packet) switch port accordingly #3 strategy #2 + works for all internal and external communications Match Field addressed to intra-net Instructions switch port accordingly PACKET REWRITING STRATEGIES ARP:Address Resolution Protocol 35
  • 36. TCP communication: PC-22→PC-21 PC-22→PC21(shadow) PC-11PC-12PC-13 PC-24 PC-23 Network-1 PC-14 Network-2 OpenFlow Switch-11 OpenFlow Switch-21 OpenFlow Switch-12 OpenFlow Switch-22 PC-24 (shadow) PC-23 (shadow) PC-21 (shadow) PC-11 (shadow) PC-12 (shadow) PC-13 (shadow) Network-1 Network-2 PC-21 Operational Network (O-Net) Deception Network (D-Net) PC-22 PC-14 (shadow) C2 Server compromised Router-1 Router-1 (shadow) Transfer Rewrite Dst MAC address Change output port PC-22 MAC PC-21shadow MAC STRATEGY #2 Matched MAC address Packet from PC-22 to PC-21 PC-21 MAC PC-22 MAC 36
  • 37. ARP communication: PC21(shadow) →PC-22 PC-21→PC-22 PC-11PC-12PC-13 PC-24 PC-23 Network-1 PC-14 Network-2 OpenFlow Switch-11 OpenFlow Switch-21 OpenFlow Switch-12 OpenFlow Switch-22 PC-24 (shadow) PC-23 (shadow) PC-21 (shadow) PC-11 (shadow) PC-12 (shadow) PC-13 (shadow) Network-1 Network-2 PC-21 Operational Network (O-Net) Deception Network (D-Net) PC-22 PC-14 (shadow) C2 Server compromised Router-1 Router-1 (shadow) Rewrite Src MAC address to PC-21 Change output port PC-21 IP PC-22 IP PC-21 MAC PC-21 MAC STRATEGY #2 Matched ARP request for PC-22 PC-21shadow MAC PC-21 IP PC-22 IP PC-21shadow MAC 37
  • 38. TCP communication: PC-22→PC-14 PC-22→PC14(shadow) PC-11PC-12PC-13 PC-24 PC-23 Network-1 PC-14 Network-2 OpenFlow Switch-11 OpenFlow Switch-21 OpenFlow Switch-12 OpenFlow Switch-22 PC-24 (shadow) PC-23 (shadow) PC-21 (shadow) PC-11 (shadow) PC-12 (shadow) PC-13 (shadow) Network-1 Network-2 PC-21 Operational Network (O-Net) Deception Network (D-Net) PC-22 PC-14 (shadow) C2 Server compromised Router-1 Router-1 (shadow) Matched MAC address Packet from PC-22 to PC-14 via Router-1 PC-22 MAC Router-1 MAC Transfer Rewrite Dst MAC address To Router-1 shadow Change output port PC-22 MAC Router-1 shadow MAC STRATEGY #2 38
  • 39. TCP communication: PC-22→PC-14 PC-22→PC14(shadow) PC-11PC-12PC-13 PC-24 PC-23 Network-1 PC-14 Network-2 OpenFlow Switch-11 OpenFlow Switch-21 OpenFlow Switch-12 OpenFlow Switch-22 PC-24 (shadow) PC-23 (shadow) PC-21 (shadow) PC-11 (shadow) PC-12 (shadow) PC-13 (shadow) Network-1 Network-2 PC-21 Operational Network (O-Net) Deception Network (D-Net) PC-22 PC-14 (shadow) C2 Server compromised Router-1 Router-1 (shadow) Matched MAC address Packet from PC-14 shadow To PC-22 via Router-1 Router-1 shadow MAC PC-22 MACTransfer Rewrite Src MAC address To Router-1 Change output port PC-22 MAC Router-1 MAC STRATEGY #2 39
  • 40. PC-11PC-12PC-13 PC-24 PC-23 Network-1 PC-14 Network-2 OpenFlow Switch-11 OpenFlow Switch-21 OpenFlow Switch-12 OpenFlow Switch-22 PC-24 (shadow) PC-23 (shadow) PC-21 (shadow) PC-11 (shadow) PC-12 (shadow) PC-13 (shadow) Network-1 Network-2 PC-21 Operational Network (O-Net) Deception Network (D-Net) PC-22 PC-14 (shadow) C2 Server compromised Router-1 Router-1 (shadow) Matched MAC address Packet from PC-22 to C2 Server via Router-1 PC-22 MAC Router-1 MAC Transfer Rewrite Dst MAC address To Router-1 shadow Change output port PC-22 MAC Router-1 shadow MAC STRATEGY #2 TCP communication: PC-22→C2 server continue 40
  • 41. PACKET REWRITING STRATEGIES Strategy Description Result #1 Match Field IP address works only for UDP packets Instructions rewrite MAC address switch port accordingly #2 Match Field MAC address (including ARP packet) internal communication works, but communication with the C2 server fails Instructions rewrite MAC information (including ARP packet) switch port accordingly #3 strategy #2 + works for all internal and external communications Match Field addressed to intra-net Instructions switch port accordingly 41
  • 42. STRATEGY #3 PC-11PC-12PC-13 PC-24 PC-23 Network-1 PC-14 Network-2 OpenFlow Switch-11 OpenFlow Switch-21 OpenFlow Switch-12 OpenFlow Switch-22 PC-24 (shadow) PC-23 (shadow) PC-21 (shadow) PC-11 (shadow) PC-12 (shadow) PC-13 (shadow) Network-1 Network-2 PC-21 Operational Network (O-Net) Deception Network (D-Net) PC-22 PC-14 (shadow) C2 Server compromised Router-1 Router-1 (shadow) Matched MAC address Packet from PC-22 to PC-14 via Router-1 Rouer-1 MAC PC-22 MAC Intra-net address Transfer Rewrite Dst MAC address To Router-1 shadow Change output port PC-22 MAC Intra-net address Router-1 shadow MAC TCP communication: PC-22→PC-14 PC-22→PC14(shadow) 42
  • 43. STRATEGY #3 PC-11PC-12PC-13 PC-24 PC-23 Network-1 PC-14 Network-2 OpenFlow Switch-11 OpenFlow Switch-21 OpenFlow Switch-12 OpenFlow Switch-22 PC-24 (shadow) PC-23 (shadow) PC-21 (shadow) PC-11 (shadow) PC-12 (shadow) PC-13 (shadow) Network-1 Network-2 PC-21 Operational Network (O-Net) Deception Network (D-Net) PC-22 PC-14 (shadow) C2 Server compromised Router-1 Router-1 (shadow) Unmatched packet To Internet Network address TCP communication: PC-22→C2 server continue Matched MAC address Packet from PC-22 to PC-14 via Router-1 Rouer-1 MAC PC-22 MAC Internet address 43
  • 44. EXAMPLE OF SET FLOW TABLE
    FIGURE AND TEXTUAL REPRESENTATION
  • 45. FLOW TABLES
    [Figure: O-Net with PC-21..PC-24, Network-2, Router-1, OpenFlow Switch-21/22, PC-11, C2; D-Net with PC-21/23/24 (shadow), Router-1 (shadow), PC-11 (shadow). Legend: originated packet / changed packet (rewrite, port change). Flow table priority drawn from High to Low]
    – Comm. between the O-Net and the D-Net
      • ARP from the compromised PC-22 (copy packet)
        – ARP Request from PC-22: rewrite dst MAC addr in Ethernet header; rewrite dst MAC addr in ARP protocol
        – ARP Reply from PC-22: rewrite dst MAC addr in Ethernet header; rewrite dst MAC addr in ARP protocol
      • ARP to the compromised PC-22
        – ARP Request to PC-22: rewrite src MAC addr in Ethernet header; rewrite src MAC addr in ARP protocol
        – ARP Reply to PC-22: rewrite src MAC addr in Ethernet header; rewrite src MAC addr in ARP protocol
    – Keep connection with the C2 Server
      • Packet from PC-22 to other sub-network: rewrite Router's dst MAC addr in Ethernet header
      • Packet from other sub-network to PC-22: rewrite Router's src MAC addr in Ethernet header
      • There is no flow table preventing communication; communication is continued
    – Initial State
      • Packet from the compromised PC-22
        – Packet from PC-22: rewrite dst MAC addr in Ethernet header
        – Flooding packet from PC-22: forward port in group
      • Packet to the compromised PC-22
        – Packet to PC-22: rewrite src MAC addr in Ethernet header
        – Flooding packet: forward port in group
  • 46. FLOW TABLES
    [Figure as on slide 45, enlarged on the high-priority part: Comm. between the O-Net and the D-Net]
    – ARP from the compromised PC-22 (copy packet): ARP Request / ARP Reply from PC-22: rewrite dst MAC addr in Ethernet header and in ARP protocol
    – ARP to the compromised PC-22: ARP Request / ARP Reply to PC-22: rewrite src MAC addr in Ethernet header and in ARP protocol
    – Packet from PC-22: rewrite dst MAC addr in Ethernet header
  • 47. FLOW TABLES
    Flow rule dump (excerpt):
          "arp_tha": "00:50:56:a5:0d:69",
          "dl_dst": "00:50:56:a5:0d:69",
          "dl_src": "00:50:56:a5:20:29",
          "dl_type": "ARP",
          "priority": 3999,
          "rule_id": 60
        },
        {
          "actions": [
            "SET_FIELD:{eth_dst:00:50:56:a5:44:b3}",
            "SET_FIELD:{arp_tha:00:50:56:a5:44:b3}",
            "OUTPUT:1"
          ],
          "arp_tha": "00:50:56:a5:61:6c",
          "dl_dst": "00:50:56:a5:61:6c",
          "dl_src": "00:50:56:a5:20:29",
          "dl_type": "ARP",
          "priority": 3999,
          "rule_id": 65
        },
        {
          "actions": [
            "SET_FIELD:{eth_dst:00:50:56:a5:07:aa}",
            "SET_FIELD:{arp_tha:00:50:56:a5:07:aa}",
            "OUTPUT:1"
          ],
          "arp_tha": "00:50:56:a5:04:e7",
          "dl_dst": "00:50:56:a5:04:e7",
          "dl_src": "00:50:56:a5:20:29",
          "dl_type": "ARP",
          "priority": 3999,
          "rule_id": 70
        },
        {
          "actions": [
            "SET_FIELD:{eth_dst:00:50:56:a5:35:c3}",
  • 48. FLOW TABLES
    [Textual representation of the figure on slide 45, by flow table priority]
    – Comm. between the O-Net and the D-Net
      • ARP Request / ARP Reply from PC-22 (copy packet): rewrite dst MAC addr in Ethernet header; rewrite dst MAC addr in ARP protocol
      • ARP Request / ARP Reply to PC-22 (ARP to the compromised PC-22): rewrite src MAC addr in Ethernet header; rewrite src MAC addr in ARP protocol
    – Keep connection with the C2 Server
      • Packet from PC-22 to other sub-network: rewrite Router's dst MAC addr in Ethernet header
      • Packet from other sub-network to PC-22: rewrite Router's src MAC addr in Ethernet header
      • There is no flow table preventing communication; communication is continued
    – Initial State
      • Packet from the compromised PC-22: Packet from PC-22: rewrite dst MAC addr in Ethernet header; Flooding packet from PC-22: forward port in group
      • Packet to the compromised PC-22: Packet to PC-22: rewrite src MAC addr in Ethernet header; Flooding packet: forward port in group
  • 49. FLOW TABLES
    Flow rule dump (excerpt, continued):
            "SET_FIELD:{eth_dst:00:50:56:a5:35:c3}",
            "OUTPUT:1"
          ],
          "dl_dst": "00:50:56:a5:2c:a7",
          "dl_src": "00:50:56:a5:20:29",
          "priority": 3996,
          "rule_id": 78
        },
        {
          "actions": [
            "SET_FIELD:{eth_dst:00:50:56:a5:d5:e0}",
            "OUTPUT:1"
          ],
          "dl_dst": "00:50:56:a5:d8:8d",
          "dl_src": "00:50:56:a5:20:29",
          "priority": 3996,
          "rule_id": 83
        },
        {
          "actions": [
            "SET_FIELD:{eth_src:00:50:56:a5:0d:69}",
            "OUTPUT:6"
          ],
          "dl_dst": "00:50:56:a5:20:29",
          "dl_src": "00:50:56:a5:2c:90",
          "in_port": 1,
          "priority": 3995,
          "rule_id": 64
        },
        {
          "actions": [
            "SET_FIELD:{eth_src:00:50:56:a5:61:6c}",
            "OUTPUT:6"
          ],
          "dl_dst": "00:50:56:a5:20:29",
  • 50. FLOW TABLES
    [Figure as on slide 45, enlarged on the low-priority part: Keep connection with the C2 Server, and Initial State]
    – Keep connection with the C2 Server
      • Packet from PC-22 to other sub-network: rewrite Router's dst MAC addr in Ethernet header
      • Packet from other sub-network to PC-22: rewrite Router's src MAC addr in Ethernet header
      • There is no flow table preventing communication; communication is continued
    – Initial State
      • Packet from the compromised PC-22: Packet from PC-22: rewrite dst MAC addr in Ethernet header; Flooding packet from PC-22: forward port in group
      • Packet to the compromised PC-22: Packet to PC-22: rewrite src MAC addr in Ethernet header; Flooding packet: forward port in group
  • 51. FLOW TABLES
    Flow rule dump (excerpt, continued):
          ],
          "arp_tpa": "10.10.22.1",
          "dl_src": "00:50:56:a5:20:29",
          "dl_type": "ARP",
          "priority": 3994,
          "rule_id": 85
        },
        {
          "actions": [
            "SET_FIELD:{eth_dst:00:50:56:a5:47:e4}",
            "OUTPUT:1"
          ],
          "dl_dst": "00:50:56:a5:72:73",
          "dl_src": "00:50:56:a5:20:29",
          "dl_type": "IPv4",
          "nw_dst": "10.10.0.0/255.255.0.0",
          "priority": 3991,
          "rule_id": 87
        },
        {
          "actions": [],
          "in_port": 1,
          "priority": 3000,
          "rule_id": 59
        }
      ]
    }
  ],
  "switch_id": "0000000000000224"
  }
  ]
  [
  {
    "access_control_list": [
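    The strategy table on slide 41 and the rule dumps on slides 47, 49 and 51 describe how the OpenFlow switch decides what to rewrite; the following Python model is an added example (not the presentation's or Fujitsu's code) that replays that lookup over a handful of rules copied verbatim from the dumps, so the interaction of priorities, SET_FIELD rewrites, OUTPUT and the empty-action default rule can be seen on concrete frames. The sample frames are constructed, the roles assigned to the MAC addresses and to ports 1 and 6, and the treatment of a table miss as ordinary forwarding, are assumptions and are marked as such in the code.

```python
"""Minimal model of the OpenFlow behaviour the slides rely on: the
highest-priority matching rule wins, SET_FIELD rewrites a header field,
OUTPUT selects the egress port and an empty action list drops the frame.
Added example; not the presentation's code."""
import ipaddress
import re

# Match keys as spelled in the slide dumps -> packet field they inspect.
MATCH_KEYS = {"in_port": "in_port", "dl_type": "dl_type", "dl_src": "eth_src",
              "dl_dst": "eth_dst", "arp_tha": "arp_tha", "arp_tpa": "arp_tpa",
              "nw_dst": "nw_dst"}

# MAC addresses copied from slides 47, 49, 51 and 60; the roles are assumptions.
COMPROMISED = "00:50:56:a5:20:29"     # dl_src of every rewriting rule in the dump
ROUTER1 = "00:50:56:a5:72:73"         # 10.10.22.1 in the ARP cache on slide 60
ROUTER1_SHADOW = "00:50:56:a5:47:e4"  # eth_dst written by rule 87
# Assumed port roles: 1 leads toward the D-Net, 6 toward the compromised host.
RULES = [
    {"rule_id": 65, "priority": 3999, "dl_type": "ARP", "dl_src": COMPROMISED,
     "dl_dst": "00:50:56:a5:61:6c", "arp_tha": "00:50:56:a5:61:6c",
     "actions": ["SET_FIELD:{eth_dst:00:50:56:a5:44:b3}",
                 "SET_FIELD:{arp_tha:00:50:56:a5:44:b3}", "OUTPUT:1"]},
    {"rule_id": 83, "priority": 3996, "dl_src": COMPROMISED,
     "dl_dst": "00:50:56:a5:d8:8d",
     "actions": ["SET_FIELD:{eth_dst:00:50:56:a5:d5:e0}", "OUTPUT:1"]},
    {"rule_id": 64, "priority": 3995, "in_port": 1,
     "dl_src": "00:50:56:a5:2c:90", "dl_dst": COMPROMISED,
     "actions": ["SET_FIELD:{eth_src:00:50:56:a5:0d:69}", "OUTPUT:6"]},
    {"rule_id": 87, "priority": 3991, "dl_type": "IPv4", "dl_src": COMPROMISED,
     "dl_dst": ROUTER1, "nw_dst": "10.10.0.0/255.255.0.0",
     "actions": ["SET_FIELD:{eth_dst:00:50:56:a5:47:e4}", "OUTPUT:1"]},
    # Lowest priority: anything else arriving from the D-Net side is dropped,
    # so shadow-side traffic cannot leak into the O-Net.
    {"rule_id": 59, "priority": 3000, "in_port": 1, "actions": []},
]

_SET_FIELD = re.compile(r"SET_FIELD:\{(\w+):([^}]+)\}")
_OUTPUT = re.compile(r"OUTPUT:(\d+)")


def rule_matches(rule, pkt):
    """Every match key present in the rule must equal the packet's field;
    absent keys are wildcards and nw_dst is a prefix match."""
    for key, field in MATCH_KEYS.items():
        if key not in rule:
            continue
        if field not in pkt:
            return False
        if key == "nw_dst":
            net = ipaddress.ip_network(rule[key], strict=False)
            if ipaddress.ip_address(pkt[field]) not in net:
                return False
        elif rule[key] != pkt[field]:
            return False
    return True


def lookup(rules, pkt):
    """Return the highest-priority matching rule, or None on a table miss."""
    best = None
    for rule in rules:
        if rule_matches(rule, pkt) and (best is None or rule["priority"] > best["priority"]):
            best = rule
    return best


def apply_rule(rule, pkt):
    """Apply the rule's action list; returns (rewritten packet, egress port),
    where port None means the frame was dropped."""
    out, port = dict(pkt), None
    for action in rule["actions"]:
        m = _SET_FIELD.fullmatch(action)
        if m:
            out[m.group(1)] = m.group(2)
            continue
        m = _OUTPUT.fullmatch(action)
        if m:
            port = int(m.group(1))
            continue
        raise ValueError(f"unsupported action {action!r}")
    return out, port


def switch(rules, pkt):
    """Table-miss frames are forwarded normally ("NORMAL"), matching the
    slides' note that no flow entry prevents the C2 session (an assumption
    about the switch's table-miss configuration)."""
    rule = lookup(rules, pkt)
    if rule is None:
        return dict(pkt), "NORMAL"
    return apply_rule(rule, pkt)


# Constructed sample frames (not taken from the slides).
ARP_REPLY = {"in_port": 6, "dl_type": "ARP", "eth_src": COMPROMISED,
             "eth_dst": "00:50:56:a5:61:6c", "arp_tha": "00:50:56:a5:61:6c",
             "arp_tpa": "10.10.22.101"}
TO_INTRANET = {"in_port": 6, "dl_type": "IPv4", "eth_src": COMPROMISED,
               "eth_dst": ROUTER1, "nw_dst": "10.10.23.5"}
TO_C2 = {"in_port": 6, "dl_type": "IPv4", "eth_src": COMPROMISED,
         "eth_dst": ROUTER1, "nw_dst": "172.16.0.10"}  # remote end of the PowerShell session on slide 63
FROM_SHADOW = {"in_port": 1, "dl_type": "IPv4", "eth_src": "00:50:56:a5:2c:90",
               "eth_dst": COMPROMISED, "nw_dst": "10.10.22.103"}
STRAY_FROM_DNET = {"in_port": 1, "dl_type": "IPv4", "eth_src": "02:00:00:00:00:01",
                   "eth_dst": "02:00:00:00:00:02", "nw_dst": "10.10.22.104"}

if __name__ == "__main__":
    for name, pkt in [("ARP reply", ARP_REPLY), ("to intra-net", TO_INTRANET),
                      ("to C2", TO_C2), ("from shadow", FROM_SHADOW),
                      ("stray from D-Net", STRAY_FROM_DNET)]:
        out, port = switch(RULES, pkt)
        print(f"{name:17s} -> port {port}, eth_src={out['eth_src']}, eth_dst={out['eth_dst']}")
```

    Running the model shows the three behaviours the slides separate: an ARP reply from the compromised host has both its Ethernet and ARP target addresses rewritten toward the shadow host (strategy #2), an IPv4 frame for an intra-net destination has only the router MAC swapped for the shadow router (strategy #3), while the frame addressed to the external C2 address matches no rewriting rule and is left alone, which is why the C2 session survives. Frames arriving from the D-Net side are either translated back to the real MAC on their way to the compromised host or dropped by rule 59, which is the entry that keeps the two networks apart.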
  • 52. EVALUATION
    USING THE SCRIPT OF POST-COMPROMISE ACTIVITIES
  • 53. EVALUATION
    • What: keep the adversary unaware of the cyber deception
      – Maintaining control of the compromised PC on the O-Net from their C2 server
      – Transferring the network activities of the compromised PC from the O-Net to the D-Net
    • How: observation from the adversary's point of view (i.e. from the C2 server)
      – Created a script of post-compromise activities selected from common attacks
      – Executed the script from the C2 server's console before and after deception and compared the results
  • 54. SCRIPT OF POST-COMPROMISE ACTIVITIES
    1. sysinfo : Get system and user information
    2. idletime : Get the time interval during which the user did not operate the machine
    3. getpid : Get the process ID used for the attack
    4. ps : Get the process list
    5. post/windows/gather/enum_services : Get name and configuration info for each returned service
    6. getproxy : Get information about the proxy
    7. post/windows/gather/credentials/enum_cred_store : Get credentials of IE
    8. post/multi/gather/thunderbird_creds : Get credentials of Thunderbird
    9. ls -lR C:\\Users\\ : Get the file list of the user
    10. post/windows/gather/enum_ie : Get browser history
  • 55. SCRIPT OF POST-COMPROMISE ACTIVITIES
    11. post/windows/gather/dumplinks2 : Get recently used files
    12. post/windows/gather/enum_applications : Get the application list
    13. net user / net localgroup : Get information about local accounts, groups and administrators
    14. Net share list : Get shared folder information
    15. show_mount : Get the currently attached "mounts"
    16. ifconfig : Get network interface information (MAC address, IP address)
    17. arp : Get the ARP table
    18. route : Get the routing table
    19. netstat : Get connection information for each process
    20. net use : Get SMB remote connection information
    21. post/windows/recon/computer_browser_discovery : Get neighbor computers
  • 56. EVALUATION ENVIRONMENT
    • Two servers connected by a switch
      – For the O-Net, Internet, C2 Server
      – For the D-Net, Deception Management Network
    [Figure: "Deception Network and Deception Management Network (Virtual Machine)" and "Operational Network, Internet, C2 Server (Virtual Machine)"]
  • 57. EVALUATION RESULTS
    • The automated attack script produced exactly the same results before and after deception
    • The session between the compromised PC and the C2 server remained uninterrupted during and after deception
  • 58. ATTACK LOG
    [*] show_mount
    Mounts / Drives
    ===============
    Name  Type       Size (Total)  Size (Free)  Mapped to
    ----  ----       ------------  -----------  ---------
    A:\   removable  0.00 B        0.00 B
    C:\   fixed      31.90 GiB     17.33 GiB
    D:\   remote     0.00 B        0.00 B       \\sh201\share\
    E:\   cdrom      0.00 B        0.00 B
    M:\   remote     0.00 B        0.00 B       \\file\share\???\
    Total mounts/drives: 5
  • 59. ATTACK LOG
    [*] ifconfig
    Interface 12
    ============
    Name         : vmxnet3 Ethernet Adapter
    Hardware MAC : 00:50:56:a5:04:e7
    MTU          : 1500
    IPv4 Address : 10.10.22.102
    IPv4 Netmask : 255.255.255.0
    IPv6 Address : fe80::84f4:5832:cee4:1469
    IPv6 Netmask : ffff:ffff:ffff:ffff::
  • 60. ATTACK LOG
    [*] arp
    ARP cache
    =========
    IP address       MAC address        Interface
    ----------       -----------        ---------
    10.10.22.1       00:50:56:a5:72:73  12
    10.10.22.101     00:50:56:a5:61:6c  12
    10.10.22.103     00:50:56:a5:20:29  12
    10.10.22.104     00:50:56:a5:2c:a7  12
    10.10.22.201     00:50:56:a5:0d:69  12
    10.10.22.255     ff:ff:ff:ff:ff:ff  12
    224.0.0.22       00:00:00:00:00:00  1
    224.0.0.22       01:00:5e:00:00:16  12
    224.0.0.252      01:00:5e:00:00:fc  12
    239.255.255.250  00:00:00:00:00:00  1
    239.255.255.250  01:00:5e:7f:ff:fa  12
    255.255.255.255  ff:ff:ff:ff:ff:ff  12
  • 61. ATTACK LOG
    [*] route
    IPv4 network routes
    ===================
    Subnet           Netmask          Gateway       Metric  Interface
    ------           -------          -------       ------  ---------
    0.0.0.0          0.0.0.0          10.10.22.1    5       12
    10.10.22.0       255.255.255.0    10.10.22.102  261     12
    10.10.22.102     255.255.255.255  10.10.22.102  261     12
    10.10.22.255     255.255.255.255  10.10.22.102  261     12
    127.0.0.0        255.0.0.0        127.0.0.1     306     1
    127.0.0.1        255.255.255.255  127.0.0.1     306     1
    127.255.255.255  255.255.255.255  127.0.0.1     306     1
    224.0.0.0        240.0.0.0        127.0.0.1     306     1
    224.0.0.0        240.0.0.0        10.10.22.102  261     12
    255.255.255.255  255.255.255.255  127.0.0.1     306     1
    255.255.255.255  255.255.255.255  10.10.22.102  261     12
    No IPv6 routes were found.
  • 62. ATTACK LOG
    [*] netstat
    Connection list
    ===============
    Proto  Local address        Remote address      State        User  Inode  PID/Program name
    -----  -------------        --------------      -----        ----  -----  ----------------
    tcp    0.0.0.0:135          0.0.0.0:*           LISTEN       0     0      684/svchost.exe
    tcp    0.0.0.0:445          0.0.0.0:*           LISTEN       0     0      4/System
    tcp    0.0.0.0:5357         0.0.0.0:*           LISTEN       0     0      4/System
    tcp    0.0.0.0:8089         0.0.0.0:*           LISTEN       0     0      1476/splunkd.exe
    tcp    0.0.0.0:49152        0.0.0.0:*           LISTEN       0     0      392/wininit.exe
    tcp    0.0.0.0:49153        0.0.0.0:*           LISTEN       0     0      772/svchost.exe
    tcp    0.0.0.0:49154        0.0.0.0:*           LISTEN       0     0      856/svchost.exe
    tcp    0.0.0.0:49155        0.0.0.0:*           LISTEN       0     0      508/lsass.exe
    tcp    0.0.0.0:49170        0.0.0.0:*           LISTEN       0     0      500/services.exe
    tcp    10.10.22.102:139     0.0.0.0:*           LISTEN       0     0      4/System
    tcp    10.10.22.102:49227   10.10.22.201:9997   ESTABLISHED  0     0      1476/splunkd.exe
    tcp    10.10.22.102:49230   10.10.10.10:49155   ESTABLISHED  0     0      2576/splunk-winevtlog.exe
    tcp    10.10.22.102:49251   10.10.22.201:9997   TIME_WAIT    0     0      0/[System Process]
  • 63. ATTACK LOG
    tcp    10.10.22.102:49252   10.10.22.201:8089   TIME_WAIT    0     0      0/[System Process]
    tcp    10.10.22.102:49253   10.10.22.101:139    TIME_WAIT    0     0      0/[System Process]
    tcp    10.10.22.102:49254   10.10.22.101:139    TIME_WAIT    0     0      0/[System Process]
    tcp    10.10.22.102:49255   10.10.22.201:9997   TIME_WAIT    0     0      0/[System Process]
    tcp    10.10.22.102:49256   10.10.22.201:9997   TIME_WAIT    0     0      0/[System Process]
    tcp    10.10.22.102:49257   10.10.10.30:80      CLOSE_WAIT   0     0      2744/powershell.exe
    tcp    10.10.22.102:49260   172.16.0.10:443     ESTABLISHED  0     0      2744/powershell.exe
    tcp    10.10.22.102:49261   10.10.22.201:9997   TIME_WAIT    0     0      0/[System Process]
    tcp    10.10.22.102:49263   10.10.10.60:445     ESTABLISHED  0     0      4/System
    tcp6   :::135               :::*                LISTEN       0     0      684/svchost.exe
    tcp6   :::445               :::*                LISTEN       0     0      4/System
    tcp6   :::5357              :::*                LISTEN       0     0      4/System
    tcp6   :::49152             :::*                LISTEN       0     0      392/wininit.exe
    tcp6   :::49153             :::*                LISTEN       0     0      772/svchost.exe
    tcp6   :::49154             :::*                LISTEN       0     0      856/svchost.exe
    tcp6   :::49155             :::*                LISTEN       0     0      508/lsass.exe
    tcp6   :::49170             :::*                LISTEN       0     0      500/services.exe
    udp    0.0.0.0:123          0.0.0.0:*                        0     0      968/svchost.exe
    udp    0.0.0.0:3702         0.0.0.0:*                        0     0      1184/svchost.exe
    udp    0.0.0.0:3702         0.0.0.0:*                        0     0      1184/svchost.exe
  • 64. ATTACK LOG
    udp    0.0.0.0:5355         0.0.0.0:*                        0     0      332/svchost.exe
    udp    0.0.0.0:51205        0.0.0.0:*                        0     0      1184/svchost.exe
    udp    0.0.0.0:52092        0.0.0.0:*                        0     0      1352/ossec-agent.exe
    udp    0.0.0.0:54628        0.0.0.0:*                        0     0      1220/intercepter.exe
    udp    10.10.22.102:137     0.0.0.0:*                        0     0      4/System
    udp    10.10.22.102:138     0.0.0.0:*                        0     0      4/System
    udp    127.0.0.1:56398      0.0.0.0:*                        0     0      508/lsass.exe
    udp    127.0.0.1:56400      0.0.0.0:*                        0     0      332/svchost.exe
    udp    127.0.0.1:59787      0.0.0.0:*                        0     0      856/svchost.exe
    udp    127.0.0.1:65485      0.0.0.0:*                        0     0      1728/WmiPrvSE.exe
    udp6   :::123               :::*                             0     0      968/svchost.exe
    udp6   :::3702              :::*                             0     0      1184/svchost.exe
    udp6   :::3702              :::*                             0     0      1184/svchost.exe
    udp6   :::5355              :::*                             0     0      332/svchost.exe
    udp6   :::51206             :::*                             0     0      1184/svchost.exe
  • 65. ATTACK LOG
    [*] getproxy
    Auto-detect     : No
    Auto config URL : http://www.system.skyblue.test/proxy.pac
    Proxy URL       :
    Proxy Bypass    :
  • 66. ATTACK LOG
    SMB Remote Connection
    [*] net use
    [+] Net use list
    Status  Local  Remote
    ------  -----  ------
    D: \\sh201\share OK
    M: \\file\share\secret
  • 67. ATTACK LOG
    Neighbor Computer (NBT)
    [*] post/windows/recon/computer_browser_discovery
    [+] Found 4 systems.
    ....
    [*] Netdiscovery Results
    ====================
    TYPE     IP            COMPUTER NAME  VERSION  COMMENT
    ----     --            -------------  -------  -------
    0x11003  10.10.22.102  KG201          6.1
    0x11003  10.10.22.104  YM201          6.3
    0x31003  10.10.22.103  KI201          6.3
    0x51003  10.10.22.101  UN201          6.1
    meterpreter >
  • 68. YOU ARE ALMOST THERE!
    DON'T GIVE UP!
  • 69. CONCLUSION
    • Objective
      – Observe the adversary's attack safely and covertly by keeping the adversary unaware of the deception
    • Technique
      – Creating a Deception Network
      – Using OpenFlow's flow tables to manipulate packets
    • Evaluation
      – The adversary cannot observe any difference before, during, and after the cyber deception
  • 70. ANY QUESTIONS?
    Thank you.
    Toru Shimanaka
    https://www.facebook.com/ToruShimanaka
    https://www.linkedin.com/in/ToruShimanaka
    This slide deck is based on the paper published at HICSS-52 (Hawaii International Conference on System Sciences 2019): http://hdl.handle.net/10125/60166