Cyber Deception Architecture: Covert Attack Reconnaissance Using a Safe SDN Approach

Toru Shimanaka & Ryusuke Masuoka
Fujitsu System Integration Laboratories
Brian Hay
Hume Center, Virginia Tech
Cyber Deception Architecture:
Covert Attack Reconnaissance
Using a Safe SDN Approach
Copyright 2019 FUJITSU SYSTEM INTEGRATION LABORATORIES LIMITED0

Textbooks dictate …
When a compromised PC is discovered, it should be
disconnected from the network to prevent further damages
Copyright 2019 FUJITSU SYSTEM INTEGRATION LABORATORIES LIMITED
That is a reasonable and safe practice.
But …
1

Obtaining valuable intelligence
• Adversary’s TTPs, purposes, and intentions
Denying the adversary to learn from his failure
• Or allows the adversary to learn from his failure, and the adversary may
come back again using more sophisticated tools and techniques
Missed opportunities
2

We want both
Safety by disconnection
Preventing further damage
Intelligence by attack continuation
Observing adversary’s behavior and getting valuable information

Our idea
 Prepare a “Deception Network” as a safe observation
environment
 Switch communications between the compromised PC and
the Operational Network to the Deception Network
 Let communication between the compromised PC and the
C2 server continue
4

Our idea
environment
C2 server continue
Cyber deception after detection
5

What is Cyber Deception?
“the planned actions taken to mislead hackers and to thereby
cause them to take (or not take) specific actions that aid computer-
security defenses.” (J. J. Yuill, 2006)※1
Deception Purposes (MITRE, 2015) ※2
Diversion
Resource Depletion
Uncertainty
Intelligence
Proactivity
※1 Defensive Computer-Security Deception Operations: Processes, Principles and Techniques.
※2 Cyber Denial, Deception and Counter Deception

Diversion
Uncertainty
Intelligence
Proactivity
“Direct an adversary’s
attention from real assets
toward bogus ones.”
7

Diversion
Uncertainty
Intelligence
Proactivity
・・・
・・・
・・・
“Waste an adversary’s time
and energy on obtaining and
analyzing false information.”
8

Diversion
Uncertainty
Intelligence
Proactivity
“Cause the adversary to
doubt the veracity of a
discovered vulnerability
or stolen information.”
9

Diversion
Uncertainty
Intelligence
Proactivity
“Monitor and analyze
adversary behavior
during intrusion
attempts
to inform future
defense efforts.”
10

Diversion
Uncertainty
Intelligence
Proactivity
“Use deception
techniques to detect
previously unknown
attacks.”
11

Our idea
environment to protect the Operational network
C2 server continue
Isolate the compromised PC
safe
12

Deception Network (D-Net)
PC-44 PC-43 PC-42
Log
Fowarder-4PC-41
PC-34 PC-33 PC-32 PC-31
PC-24 PC-23 PC-22
Log
Fowarder-2PC-21
Log
Fowarder-3
PC-11PC-12PC-13
Log
Fowarder-1PC-14
Domain
Controller
Log
Fowarder-0
Mail
Server
Business
Server
DHCP
Server
Network-1
Network-0
Network-2
Network-3
Network-4
Router-1
Operational Network (O-Net)
PC-44 PC-43 PC-42
Log
Fowarder-4PC-41
PC-34 PC-33 PC-32 PC-31
PC-24 PC-23 PC-22
Log
Fowarder-2PC-21
Log
Fowarder-3
PC-11PC-12PC-13
Log
Fowarder-1PC-14
Domain
Controller
Log
Fowarder-0
Mail
Server
Business
Server
DHCP
Server
Network-1
Network-0
Network-2
Network-3
Network-4
Router-1
 Configured identically to O-Net
 Same network topology
 Hosts with same hostnames
& ip addresses
(except MAC addresses)
13

Operational Network (O-Net)
PC-44 PC-43 PC-42
Log
Fowarder-4PC-41
PC-34 PC-33 PC-32 PC-31
PC-24 PC-23 PC-22
Log
Fowarder-2PC-21
Log
Fowarder-3
PC-11PC-12PC-13
Log
Fowarder-1PC-14
Domain
Controller
Log
Fowarder-0
Mail
Server
Business
Server
DHCP
Server
Network-1
Network-0
Network-2
Network-3
Network-4
Router-1
& ip addresses
 SDN technology
 Transfer control by OpenFlow
Domain
Controller
Log
Fowarder-0
Mail
Server
Business
Server
DHCP
Server
PC-11PC-12PC-13
Log
Fowarder-1
PC-24 PC-23 PC-22
Log
Fowarder-2PC-21
Network-1
PC-14
PC-34 PC-33 PC-32
Log
Fowarder-3PC-31
PC-44 PC-43 PC-42
Log
Fowarder-4PC-41
Network-0
Network-2
Network-3
Network-4
OpenFlow
Switch-01
OpenFlow
Switch-11
OpenFlow
Switch-21
OpenFlow
Switch-31
OpenFlow
Switch-41
OpenFlow
Switch-02
OpenFlow
Switch-12
OpenFlow
Switch-22
OpenFlow
Switch-32
OpenFlow
Switch-42
Router-1
14

& ip addresses
 SDN technology
 Transfer control by OpenFlow
 Safe observation environment
 Delete sensitive information
 Insert fake information
 Observe behavior
15

 Prepare a “Deception Network” as a safe environment to
protect the Operational network
the O-Net to the D-Net
C2 server continue
Our idea
16

Continued communication with C2 server
Transferring communication with O-Net
Transferred communication with D-Net
Our idea
17

Attack Transfer Mechanism

Detect a compromise
[out of scope of this paper]
19

{
"networks": [
{
"deception_node_sw": "ovs-s-002",
"deception_node_sw_id": "0000000000000121",
"hosts": [
{
"deception_mac_address": "00:50:56:a5:43:83",
"ip_address": "10.10.10.201",
"mac_address": "00:50:56:a5:34:32",
"name": "logfwd002",
"net_mask": "255.255.255.0",
"status": "normal",
"sw_port": "2"
},
{
"deception_mac_address": "00:50:56:a5:66:9a",
"ip_address": "10.10.10.10",
"mac_address": "00:50:56:a5:0c:72",
"name": "AD",
"net_mask": "255.255.255.0",
"status": "normal",
"sw_port": "3"
},
{
"deception_mac_address": "00:50:56:a5:ba:0f",
"ip_address": "10.10.10.20",
……………….
config.json
20

$ poffvmbyip.sh shadow 10.10.22.103 config.json
21

$ python ./mkdeceptflow-group.py 10.10.22.103 config .json >
tmp_deception.sh
22

# Open ovs-s-005 from ki201
curl -X POST -d '{"in_port": "1", "dl_src": "00:50:56:a5:20:29", "actions":
"PORT2", "priority": "3300" }'
http://10.1.1.2:8080/deception/rules/0000000000000124 | python -m
json.tool
# ovs-r-005 ARP from ki201(00:50:56:a5:20:29) to
logfwd005(00:50:56:a5:0d:69) -> rewrite eth_dst and arp_tha to Shadow-
logfwd005(00:50:56:a5:2c:90) and out PORT1
curl -X POST -d '{"dl_type": "ARP", "dl_src": "00:50:56:a5:20:29", "dl_dst":
"00:50:56:a5:0d:69", "arp_tha": "00:50:56:a5:0d:69", "actions": "PORT1",
"set_eth_dst": "00:50:56:a5:2c:90","set_arp_tha": "00:50:56:a5:2c:90",
"priority": "3999"}' http://10.1.1.2:8080/deception/rules/0000000000000224 |
python -m json.tool
# ovs-r-005 ARP from ki201(00:50:56:a5:20:29) to
logfwd005[10.10.22.201](ff:ff:ff:ff:ff:ff) -> out PORT1
curl -X POST -d '{"dl_type": "ARP", "dl_src": "00:50:56:a5:20:29", "dl_dst":
"ff:ff:ff:ff:ff:ff", "arp_tpa": "10.10.22.201", "actions": "PORT1", "priority":
"3998"}' http://10.1.1.2:8080/deception/rules/0000000000000224 | python -
m json.tool
# ovs-r-005 ARP from Shadow-logfwd005(00:50:56:a5:2c:90) to
ki201(10.10.22.103) from PORT1 -> rewrite eth_src and arp_sha to
logfwd005(00:50:56:a5:0d:69) and out PORT3
……………
Script to set FlowTable
23

Packet Manipulation
Using OpenFlow “Flow Table”
Flow Table consists of Flow entries
• Match Field: Rule to match against the packet
• Priority: Matching precedence of the ﬂow entry
• Instructions: Set of instructions for the packet
Match Field Priority Counters Instructions Timeouts CookieMatch Field Priority Counters Instructions Timeouts Cookie

Match Field Priority Instructions
if in_port = 1 100 output:3,output:4
if a packet comes in on port1
Then output packet via
port3 and port4
If dst_IP = 192.168.10.10 200 Rewrite dst_IP to
192.168.20.30
output:6
If a packet has destination IP address 192.168.10.10
then rewrite the address to 192.168.20.30
and output via port6
Port1 Port2 Port3 Port4 Port5 Port6
Packet Manipulation by SDN
OpenFlow Switch
port3 and port4
25

port3 and port4
192.168.20.30
output:6
To 172.127.25.100 To 172.127.25.100
OpenFlow Switch
26

port3 and port4
192.168.20.30
output:6
To 192.168.10.10 To 192.168.20.30
Highest priority
Instruction is applied
Matches both rules
OpenFlow Switch
27

Strategy Description Result
#1 Match Field IP address works only for UDP packets
Instructions rewrite MAC address
switch port accordingly
#2 Match Field MAC address
(including ARP packet)
internal communication works, but communication
with the C2 server fails
Instructions rewrite MAC information
#3 strategy #2
+
works for all internal and external communications
Match Field addressed to intra-net
Instructions switch port accordingly
Packet rewriting strategies
ARP: Address Resolution Protocol
28

#3 strategy #2
+
ARP: Address Resolution Protocol
29

TCP communication: PC-22→PC-21 PC-22→PC21(shadow)
PC-11PC-12PC-13
PC-24 PC-23
Network-1
PC-14
Network-2
OpenFlow
Switch-11
OpenFlow
Switch-21
OpenFlow
Switch-12
OpenFlow
Switch-22
PC-24
(shadow)
PC-23
(shadow)
PC-21
(shadow)
PC-11
(shadow)
PC-12
(shadow)
PC-13
(shadow)
Network-1
Network-2
PC-21
Operational Network (O-Net) Deception Network (D-Net)
PC-22
PC-14
(shadow)
C2
Server
compromised
Router-1
Router-1
(shadow)
Transfer
Rewrite Dst MAC address
Change output port
PC-22 MAC
PC-21shadow MAC
Strategy #2
Matched MAC address
Packet from PC-22 to PC-21
PC-21 MAC
PC-22 MAC
30

ARP communication: PC21(shadow) →PC-22 PC-21→PC-22
PC-11PC-12PC-13
PC-24 PC-23
Network-1
PC-14
Network-2
OpenFlow
Switch-11
OpenFlow
Switch-21
OpenFlow
Switch-12
OpenFlow
Switch-22
PC-24
(shadow)
PC-23
(shadow)
PC-21
(shadow)
PC-11
(shadow)
PC-12
(shadow)
PC-13
(shadow)
Network-1
Network-2
PC-21
PC-22
PC-14
(shadow)
C2
Server
compromised
Router-1
Router-1
(shadow)
Rewrite Src MAC address
to PC-21
Change output port
PC-2１ IP
PC-22 IP
PC-2１ MAC
PC-2１ MAC
Strategy #2
Matched ARP request for PC-22
PC-2１shadow MAC
PC-2１ IP
PC-22 IP
PC-2１shadow MAC
31

PC-11PC-12PC-13
PC-24 PC-23
Network-1
PC-14
Network-2
OpenFlow
Switch-11
OpenFlow
Switch-21
OpenFlow
Switch-12
OpenFlow
Switch-22
PC-24
(shadow)
PC-23
(shadow)
PC-21
(shadow)
PC-11
(shadow)
PC-12
(shadow)
PC-13
(shadow)
Network-1
Network-2
PC-21
PC-22
PC-14
(shadow)
C2
Server
compromised
Router-1
Router-1
(shadow)
Matched MAC address
via Router-1
PC-22 MAC
Router-1 MAC
Transfer
To Router-1 shadow
Change output port
PC-22 MAC
Router-1 shadow MAC
Strategy #2
32

PC-11PC-12PC-13
PC-24 PC-23
Network-1
PC-14
Network-2
OpenFlow
Switch-11
OpenFlow
Switch-21
OpenFlow
Switch-12
OpenFlow
Switch-22
PC-24
(shadow)
PC-23
(shadow)
PC-21
(shadow)
PC-11
(shadow)
PC-12
(shadow)
PC-13
(shadow)
Network-1
Network-2
PC-21
PC-22
PC-14
(shadow)
C2
Server
compromised
Router-1
Router-1
(shadow)
Matched MAC address
Packet from PC-14 shadow
To PC-22 via Router-1
Router-1 shadow MAC
PC-22 MAC
Transfer
Rewrite Src MAC address
To Router-1
Change output port
PC-22 MAC
Router-1 MAC
Strategy #2
33

PC-11PC-12PC-13
PC-24 PC-23
Network-1
PC-14
Network-2
OpenFlow
Switch-11
OpenFlow
Switch-21
OpenFlow
Switch-12
OpenFlow
Switch-22
PC-24
(shadow)
PC-23
(shadow)
PC-21
(shadow)
PC-11
(shadow)
PC-12
(shadow)
PC-13
(shadow)
Network-1
Network-2
PC-21
PC-22
PC-14
(shadow)
C2
Server
compromised
Router-1
Router-1
(shadow)
Matched MAC address
Packet from PC-22 to C2 Server
via Router-1
PC-22 MAC
Router-1 MAC
Transfer
To Router-1 shadow
Change output port
PC-22 MAC
Router-1 shadow MAC
Strategy #2
TCP communication: PC-22→C2 server continue
34

#3 strategy #2
+
35

Strategy #3
PC-11PC-12PC-13
PC-24 PC-23
Network-1
PC-14
Network-2
OpenFlow
Switch-11
OpenFlow
Switch-21
OpenFlow
Switch-12
OpenFlow
Switch-22
PC-24
(shadow)
PC-23
(shadow)
PC-21
(shadow)
PC-11
(shadow)
PC-12
(shadow)
PC-13
(shadow)
Network-1
Network-2
PC-21
PC-22
PC-14
(shadow)
C2
Server
compromised
Router-1
Router-1
(shadow)
Matched MAC address
via Router-1
Rouer-1 MAC
PC-22 MAC
Intra-net address
Transfer
To Router-1 shadow
Change output port
PC-22 MAC
Intra-net address
Router-1 shadow MAC
36

Strategy #3
PC-11PC-12PC-13
PC-24 PC-23
Network-1
PC-14
Network-2
OpenFlow
Switch-11
OpenFlow
Switch-21
OpenFlow
Switch-12
OpenFlow
Switch-22
PC-24
(shadow)
PC-23
(shadow)
PC-21
(shadow)
PC-11
(shadow)
PC-12
(shadow)
PC-13
(shadow)
Network-1
Network-2
PC-21
PC-22
PC-14
(shadow)
C2
Server
compromised
Router-1
Router-1
(shadow)
Unmatched packet
To Internet Network address
TCP communication: PC-22→C2 server continue
Matched MAC address
via Router-1
Rouer-1 MAC
PC-22 MAC
Internet address
37

Flow Tables
Low
PC-24 PC-23 PC-22 PC-21
Network-2
OpenFlow Switch-21 OpenFlow Switch-22
PC-24
(shadow)
PC-23
(shadow)
PC-21
(shadow)PC-11C2
Router-1
Router-1
(shadow)
PC-11
(shadow) Originated packet
Changed packet
(rewrite, port change)
High
Initial State
Comm. between
the O-Net and the D-Net
FlowTablePriority
ARP Request from PC-22
ARP Reply From PC-22
Rewrite dstMAC addr in Ethe Header
Rewrite dstMAC addr in ARP Protocol
Copy Packet
ARP from
the Compromised PC-22
Rewrite srcMAC addr in Ethe Header
Rewrite srcMAC addr in ARP Protocol
ARP Request to PC-22
ARP Reply to PC-22
ARP Reply to PC-22
ARP Reply to PC-22
ARP Reply to PC-22
ARP to
Keep connection with
the C2 Server
Packet from PC-22 to Other Sub-network Rewrite Router s dstMAC addr in Ethe Header
Packet from Other Sub-network to PC-22Rewrite Router s srcMAC addr in Ethe Header
There is no Flow Table preventing communication
Communication is continued
Packet from PC-22 Rewrite dstMAC addr in Ethe Header
Packet from
Flooding packet from PC-22 Forward Port in Group Flooding
Rewrite srcMAC addr in Ethe Header Packet to PC-22
Packet to
Forward Port in Group Flooding packet
38

Flow Tables
[
{
"access_control_list": [
{
"rules": [
{
"actions": [
"SET_FIELD: {eth_dst:00:50:56:a5:47:e4}",
"SET_FIELD: {arp_tha:00:50:56:a5:47:e4}",
"OUTPUT:2"
],
"arp_tha": "00:50:56:a5:72:73",
"dl_dst": "00:50:56:a5:72:73",
"dl_src": "00:50:56:a5:20:29",
"dl_type": "ARP",
"priority": 3992,
"rule_id": 8
},
{
"actions": [
"OUTPUT:2"
],
"dl_src": "00:50:56:a5:20:29",
"in_port": 1,
"priority": 3300,
"rule_id": 7
},
39

Evaluation
What: Keep adversary unaware of cyber deception
Maintaining control of the compromised PC on the O-Net from their C2
server
Transferring the network activities of the compromised PC from the O-Net
the D-Net
How: Observation from the adversary’s point of view (i.e. from the
C2 server)
Created a script of post-compromise activities selected from common attacks
Executed the script from the C2 server's console before and after deception
and compared the results

Script of post-compromise activities
1) sysinfo : Get System and User information
2) idletime : Get the time interval at which the user did not operate
3) getpid : Get the Process ID used for attack
4) ps : Get the Process List
5) post/windows/gather/enum_services : Get name and configuration info for
each returned service
6) getproxy : Get Information about proxy
7) post/windows/gather/credentials/enum_cred _store : Get Credentials of IE
8) post/multi/gather/thunderbird_creds : Get Credentials of Thunderbird
9) ls -lR C:¥¥Users¥¥ : Get File List of the User
10) post/windows/gather/enum_ie : Get Browser history
41

Script of post-compromise activities
11) post/windows/gather/dumplinks2 : Get Files recently used
12) post/windows/gather/enum_applications : Get Application list
13) net user / net localgroup : Get Information about Local account, group
and administrator
14) Net share list : Get shared folder Information
15) show_mount : Get the currently attached “mounts”
16) ifconfig : Get Network interface information (MAC address, IP address)
17) arp : Get ARP Table
18) route : Get Routing Table
19) netstat : Get Connection information for each process
20) net use : Get SMB remote connection Information
21) post/windows/recon/computer_browser_disc overy : Get Neighbor
Computers
42

Evaluation environment
Two servers connected by
switch
For O-Net, Internet, C2 Server
For D-Net, Deception Management
Network
Deception Network and
Deception Management Network
(Virtual Machine)
Operational Network,
Internet, C2 Server
(Virtual Machine)

Evaluation results
The automated attack script produced exactly the same results
before and after deception
The session between the compromised PC and the C2 server
remained uninterrupted during and after deception

[*] show_mount
Mounts / Drives
===============
Name Type Size (Total) Size (Free) Mapped to
---- ---- ------------ ----------- ---------
A:¥ removable 0.00 B 0.00 B
C:¥ fixed 31.90 GiB 17.33 GiB
D:¥ remote 0.00 B 0.00 B ¥¥sh201¥share¥
E:¥ cdrom 0.00 B 0.00 B
M:¥ remote 0.00 B 0.00 B ¥¥file¥share¥???¥
Total mounts/drives: 5
Attack log

Attack log
[*] ifconfig
Interface 12
============
Name : vmxnet3 Ethernet Adapter
Hardware MAC : 00:50:56:a5:04:e7
MTU : 1500
IPv4 Address : 10.10.22.102
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::84f4:5832:cee4:1469
IPv6 Netmask : ffff:ffff:ffff:ffff::

[*] arp
ARP cache
=========
IP address MAC address Interface
---------- ----------- ---------
10.10.22.1 00:50:56:a5:72:73 12
10.10.22.101 00:50:56:a5:61:6c 12
10.10.22.103 00:50:56:a5:20:29 12
10.10.22.104 00:50:56:a5:2c:a7 12
10.10.22.201 00:50:56:a5:0d:69 12
10.10.22.255 ff:ff:ff:ff:ff:ff 12
224.0.0.22 00:00:00:00:00:00 1
224.0.0.22 01:00:5e:00:00:16 12
224.0.0.252 01:00:5e:00:00:fc 12
239.255.255.250 00:00:00:00:00:00 1
239.255.255.250 01:00:5e:7f:ff:fa 12
255.255.255.255 ff:ff:ff:ff:ff:ff 12
Attack log

[*] route
IPv4 network routes
===================
Subnet Netmask Gateway Metric Interface
------ ------- ------- ------ ---------
0.0.0.0 0.0.0.0 10.10.22.1 5 12
10.10.22.0 255.255.255.0 10.10.22.102 261 12
10.10.22.102 255.255.255.255 10.10.22.102 261 12
10.10.22.255 255.255.255.255 10.10.22.102 261 12
127.0.0.0 255.0.0.0 127.0.0.1 306 1
127.0.0.1 255.255.255.255 127.0.0.1 306 1
127.255.255.255 255.255.255.255 127.0.0.1 306 1
224.0.0.0 240.0.0.0 127.0.0.1 306 1
224.0.0.0 240.0.0.0 10.10.22.102 261 12
255.255.255.255 255.255.255.255 127.0.0.1 306 1
255.255.255.255 255.255.255.255 10.10.22.102 261 12
No IPv6 routes were found.
Attack log

[*] netstat
Connection list
===============
Proto Local address Remote address State User Inode PID/Program name
----- ------------- -------------- ----- ---- ----- ----------------
tcp 0.0.0.0:135 0.0.0.0:* LISTEN 0 0 684/svchost.exe
tcp 0.0.0.0:445 0.0.0.0:* LISTEN 0 0 4/System
tcp 0.0.0.0:8089 0.0.0.0:* LISTEN 0 0 1476/splunkd.exe
tcp 0.0.0.0:49152 0.0.0.0:* LISTEN 0 0 392/wininit.exe
tcp 0.0.0.0:49155 0.0.0.0:* LISTEN 0 0 508/lsass.exe
tcp 0.0.0.0:49170 0.0.0.0:* LISTEN 0 0 500/services.exe
tcp 10.10.22.102:49227 10.10.22.201:9997 ESTABLISHED 0 0 1476/splunkd.exe
tcp 10.10.22.102:49230 10.10.10.10:49155 ESTABLISHED 0 0 2576/splunk-winevtlog.exe
tcp 10.10.22.102:49251 10.10.22.201:9997 TIME_WAIT 0 0 0/[System Process]
Attack log

tcp 10.10.22.102:49257 10.10.10.30:80 CLOSE_WAIT 0 0 2744/powershell.exe
tcp 10.10.22.102:49260 172.16.0.10:443 ESTABLISHED 0 0 2744/powershell.exe
tcp 10.10.22.102:49263 10.10.10.60:445 ESTABLISHED 0 0 4/System
tcp6 :::135 :::* LISTEN 0 0 684/svchost.exe
tcp6 :::445 :::* LISTEN 0 0 4/System
tcp6 :::5357 :::* LISTEN 0 0 4/System
tcp6 :::49152 :::* LISTEN 0 0 392/wininit.exe
tcp6 :::49155 :::* LISTEN 0 0 508/lsass.exe
tcp6 :::49170 :::* LISTEN 0 0 500/services.exe
udp 0.0.0.0:123 0.0.0.0:* 0 0 968/svchost.exe
udp 0.0.0.0:3702 0.0.0.0:* 0 0 1184/svchost.exe
udp 0.0.0.0:3702 0.0.0.0:* 0 0 1184/svchost.exe
Attack log

udp 0.0.0.0:5355 0.0.0.0:* 0 0 332/svchost.exe
udp 0.0.0.0:51205 0.0.0.0:* 0 0 1184/svchost.exe
udp 0.0.0.0:52092 0.0.0.0:* 0 0 1352/ossec-agent.exe
udp 0.0.0.0:54628 0.0.0.0:* 0 0 1220/intercepter.exe
udp 10.10.22.102:137 0.0.0.0:* 0 0 4/System
udp 10.10.22.102:138 0.0.0.0:* 0 0 4/System
udp 127.0.0.1:56398 0.0.0.0:* 0 0 508/lsass.exe
udp 127.0.0.1:56400 0.0.0.0:* 0 0 332/svchost.exe
udp 127.0.0.1:59787 0.0.0.0:* 0 0 856/svchost.exe
udp 127.0.0.1:65485 0.0.0.0:* 0 0 1728/WmiPrvSE.exe
udp6 :::123 :::* 0 0 968/svchost.exe
udp6 :::3702 :::* 0 0 1184/svchost.exe
udp6 :::3702 :::* 0 0 1184/svchost.exe
udp6 :::5355 :::* 0 0 332/svchost.exe
udp6 :::51206 :::* 0 0 1184/svchost.exe
Attack log

[*] getproxy
Auto-detect : No
Auto config URL : http://www.system.skyblue.test/proxy.pac
Proxy URL :
Proxy Bypass :
Attack log

### SMB Remote Connection
~~~
[*] net use
[+] Net use list
Status Local Remote
------ ----- ------
D: ¥¥sh201¥share
OK M: ¥¥file¥share¥secret
Attack log

### Neighbor Computer(NBT)
~~~
[*] post/windows/recon/computer_browser_discovery
[+] Found 4 systems.
....
[*] Netdiscovery Results
====================
TYPE IP COMPUTER NAME VERSION COMMENT
---- -- ------------- ------- -------
0x11003 10.10.22.102 KG201 6.1
0x11003 10.10.22.104 YM201 6.3
0x31003 10.10.22.103 KI201 6.3
0x51003 10.10.22.101 UN201 6.1
~~~
meterpreter >
Attack log

Conclusion
Objective
Observe the adversary’s attack safely and covertly through keeping the
adversary unaware of deception
Technique
Creating a Deception Network
Using OpenFlow's Flow Tables for manipulating packets
Evaluation
The adversary can not observe any difference before, during, and after the
cyber deception

Future research
Cyber deception architecture for IPv6
Realism of Deception Network
Content continuity before and after deception

Any Questions?
Thank you.
Toru Shimanaka
shimanaka.tohru@fujitsu.com
57

Cyber Deception Architecture: Covert Attack Reconnaissance Using a Safe SDN Approach

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cyber Deception Architecture: Covert Attack Reconnaissance Using a Safe SDN Approach

Similar to Cyber Deception Architecture: Covert Attack Reconnaissance Using a Safe SDN Approach (20)

Recently uploaded

Recently uploaded (20)

Cyber Deception Architecture: Covert Attack Reconnaissance Using a Safe SDN Approach