Cyber Deception Architecture: Covert Attack Reconnaissance Using a Safe SDN Approach
1. Toru Shimanaka & Ryusuke Masuoka
Fujitsu System Integration Laboratories
Brian Hay
Hume Center, Virginia Tech
Copyright 2019 FUJITSU SYSTEM INTEGRATION LABORATORIES LIMITED
2. Textbooks dictate …
When a compromised PC is discovered, it should be disconnected from the network to prevent further damage.
That is a reasonable and safe practice.
But …
3. Missed opportunities
Obtaining valuable intelligence
• Adversary's TTPs, purposes, and intentions
Denying the adversary the chance to learn from his failure
• Disconnection instead allows the adversary to learn from his failure, and the adversary may come back again using more sophisticated tools and techniques
4. We want both
Safety by disconnection
• Preventing further damage
Intelligence by attack continuation
• Observing the adversary's behavior and getting valuable information
5. Our idea: cyber deception after detection
Prepare a "Deception Network" as a safe observation environment
Switch communications between the compromised PC and the Operational Network to the Deception Network
Let communication between the compromised PC and the C2 server continue
7. What is Cyber Deception?
"the planned actions taken to mislead hackers and to thereby cause them to take (or not take) specific actions that aid computer-security defenses." (J. J. Yuill, 2006)※1
Deception Purposes (MITRE, 2015)※2
Diversion: "Direct an adversary's attention from real assets toward bogus ones."
Resource Depletion: "Waste an adversary's time and energy on obtaining and analyzing false information."
Uncertainty: "Cause the adversary to doubt the veracity of a discovered vulnerability or stolen information."
Intelligence: "Monitor and analyze adversary behavior during intrusion attempts to inform future defense efforts."
Proactivity: "Use deception techniques to detect previously unknown attacks."
※1 Defensive Computer-Security Deception Operations: Processes, Principles and Techniques.
※2 Cyber Denial, Deception and Counter Deception
13. Our idea: cyber deception after detection
Prepare a "Deception Network" as a safe observation environment to protect the Operational Network
Switch communications between the compromised PC and the Operational Network to the Deception Network (this isolates the compromised PC, so the Operational Network stays safe)
Let communication between the compromised PC and the C2 server continue
14. Deception Network (D-Net)
[Figure: the Operational Network (O-Net) and, beside it, the Deception Network (D-Net). Each consists of Router-1 and five segments, Network-0 to Network-4. Network-0 holds the Domain Controller, Mail Server, Business Server, DHCP Server and Log Forwarder-0; Network-1 to Network-4 hold PC-11 to PC-14, PC-21 to PC-24, PC-31 to PC-34 and PC-41 to PC-44 together with Log Forwarder-1 to Log Forwarder-4. Each segment is attached through a pair of OpenFlow switches (Switch-01/Switch-02 for Network-0, Switch-11/Switch-12 for Network-1, and so on up to Switch-41/Switch-42).]
Configured identically to O-Net
• Same network topology
• Hosts with same hostnames & IP addresses (except MAC addresses)
SDN technology
• Transfer control by OpenFlow
Safe observation environment
• Delete sensitive information
• Insert fake information
• Observe behavior
17. Our idea: cyber deception after detection
Prepare a "Deception Network" as a safe environment to protect the Operational Network
Switch communications between the compromised PC and the O-Net to the D-Net
Let communication between the compromised PC and the C2 server continue
[Figure: the three traffic states of the compromised PC: continued communication with the C2 server; communication with the O-Net being transferred; communication transferred to the D-Net.]
23. Attack Transfer Mechanism
Generating the flow-table script for the compromised PC (10.10.22.103) from the configuration file:
$ python ./mkdeceptflow-group.py 10.10.22.103 config.json > tmp_deception.sh
24. Attack Transfer Mechanism
Script to set FlowTable (excerpt):
# Open ovs-s-005 from ki201
curl -X POST -d '{"in_port": "1", "dl_src": "00:50:56:a5:20:29", "actions": "PORT2", "priority": "3300" }' http://10.1.1.2:8080/deception/rules/0000000000000124 | python -m json.tool
# ovs-r-005 ARP from ki201(00:50:56:a5:20:29) to logfwd005(00:50:56:a5:0d:69) -> rewrite eth_dst and arp_tha to Shadow-logfwd005(00:50:56:a5:2c:90) and out PORT1
curl -X POST -d '{"dl_type": "ARP", "dl_src": "00:50:56:a5:20:29", "dl_dst": "00:50:56:a5:0d:69", "arp_tha": "00:50:56:a5:0d:69", "actions": "PORT1", "set_eth_dst": "00:50:56:a5:2c:90", "set_arp_tha": "00:50:56:a5:2c:90", "priority": "3999"}' http://10.1.1.2:8080/deception/rules/0000000000000224 | python -m json.tool
# ovs-r-005 ARP from ki201(00:50:56:a5:20:29) to logfwd005[10.10.22.201](ff:ff:ff:ff:ff:ff) -> out PORT1
curl -X POST -d '{"dl_type": "ARP", "dl_src": "00:50:56:a5:20:29", "dl_dst": "ff:ff:ff:ff:ff:ff", "arp_tpa": "10.10.22.201", "actions": "PORT1", "priority": "3998"}' http://10.1.1.2:8080/deception/rules/0000000000000224 | python -m json.tool
# ovs-r-005 ARP from Shadow-logfwd005(00:50:56:a5:2c:90) to ki201(10.10.22.103) from PORT1 -> rewrite eth_src and arp_sha to logfwd005(00:50:56:a5:0d:69) and out PORT3
……………
25. Packet Manipulation
Using OpenFlow "Flow Table"
Flow Table consists of Flow entries
• Match Field: Rule to match against the packet
• Priority: Matching precedence of the flow entry
• Instructions: Set of instructions for the packet
Flow entry fields: Match Field | Priority | Counters | Instructions | Timeouts | Cookie
26. Packet Manipulation by SDN
Using OpenFlow "Flow Table"
Flow Table consists of Flow entries
Match Field                 Priority   Instructions
if in_port = 1              100        output:3, output:4
if dst_IP = 192.168.10.10   200        Rewrite dst_IP to 192.168.20.30; output:6
Rule 1: if a packet comes in on port1, then output the packet via port3 and port4.
Rule 2: if a packet has destination IP address 192.168.10.10, then rewrite the address to 192.168.20.30 and output via port6.
[Figure: an OpenFlow Switch with Port1 to Port6.]
Example 1: a packet to 172.127.25.100 arriving on port1 matches only rule 1 and leaves unchanged via port3 and port4.
Example 2: a packet to 192.168.10.10 arriving on port1 matches both rules; the instructions of the highest-priority entry (200) are applied, so it leaves via port6 addressed to 192.168.20.30.
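As an added example (not code from the presentation), the following Python models the flow-table lookup the slide describes: every entry whose match fields agree with the packet is a candidate, the highest priority wins, and only that entry's instructions run. The field names and the two entries come from the slide; the evaluator itself is a teaching toy, not an OpenFlow implementation.

```python
# Added example (not the presentation's code): a minimal model of how an
# OpenFlow switch evaluates a flow table. A packet is checked against every
# entry; among entries whose match fields all agree with the packet, the one
# with the highest priority wins and ONLY its instructions are applied.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, str]  # header fields, e.g. {"in_port": "1", "dst_ip": "..."}


@dataclass
class FlowEntry:
    match: Dict[str, str]                 # every listed field must equal the packet's
    priority: int
    set_fields: Dict[str, str] = field(default_factory=dict)  # header rewrites
    output: List[int] = field(default_factory=list)           # output ports

    def matches(self, pkt: Packet) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


def lookup(table: List[FlowEntry], pkt: Packet) -> Optional[FlowEntry]:
    """Highest-priority matching entry, or None on a table miss.
    (Equal priorities on overlapping matches are undefined in OpenFlow;
    here the first such entry wins.)"""
    hits = [e for e in table if e.matches(pkt)]
    return max(hits, key=lambda e: e.priority) if hits else None


def process(table: List[FlowEntry], pkt: Packet) -> Tuple[Packet, List[int]]:
    """Apply the winning entry: rewrite header fields, then list output ports.
    A table miss yields no output ports (the packet is dropped)."""
    entry = lookup(table, pkt)
    if entry is None:
        return dict(pkt), []
    out = dict(pkt)
    out.update(entry.set_fields)
    return out, list(entry.output)


# The two entries from the slide: rule 1 forwards everything arriving on port1
# to ports 3 and 4; rule 2 rewrites one destination IP and forwards to port6.
# The deception rules in the talk work the same way with MAC fields instead.
SLIDE_TABLE = [
    FlowEntry(match={"in_port": "1"}, priority=100, output=[3, 4]),
    FlowEntry(match={"dst_ip": "192.168.10.10"}, priority=200,
              set_fields={"dst_ip": "192.168.20.30"}, output=[6]),
]


def demo() -> Tuple[Tuple[Packet, List[int]], Tuple[Packet, List[int]]]:
    # Packet A matches only rule 1: forwarded unchanged to ports 3 and 4.
    a = process(SLIDE_TABLE, {"in_port": "1", "dst_ip": "172.127.25.100"})
    # Packet B matches both rules; priority 200 wins, so the destination is
    # rewritten and it leaves on port 6 only (rule 1's ports are not used).
    b = process(SLIDE_TABLE, {"in_port": "1", "dst_ip": "192.168.10.10"})
    return a, b


if __name__ == "__main__":
    for pkt, ports in demo():
        print(pkt, "->", ports)
```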
29. Packet rewriting strategies
Strategy #1
• Match Field: IP address
• Instructions: rewrite MAC address; switch port accordingly
• Result: works only for UDP packets
Strategy #2
• Match Field: MAC address (including ARP packet)
• Instructions: rewrite MAC information (including ARP packet); switch port accordingly
• Result: internal communication works, but communication with the C2 server fails
Strategy #3
• Strategy #2 + Match Field: addressed to intra-net; Instructions: switch port accordingly
• Result: works for all internal and external communications
ARP: Address Resolution Protocol
31. TCP communication: PC-22→PC-21 becomes PC-22→PC-21(shadow)
[Figure: the O-Net (Network-1 with PC-11 to PC-14, Network-2 with PC-21 to PC-24, Router-1, the compromised PC-22 and the C2 Server) beside the D-Net with its shadow hosts and Router-1 (shadow); OpenFlow Switch-11, Switch-21, Switch-12 and Switch-22 sit between them.]
Strategy #2: matched MAC address
Packet from PC-22 to PC-21: src = PC-22 MAC, dst = PC-21 MAC
Transfer: rewrite the dst MAC address to the PC-21 shadow MAC and change the output port; the packet now carries src = PC-22 MAC, dst = PC-21 shadow MAC
32. ARP communication: PC-21(shadow)→PC-22 becomes PC-21→PC-22
[Figure: same topology as slide 31.]
Strategy #2: matched ARP request for PC-22
ARP request from PC-21 (shadow): src = PC-21 shadow MAC, sender IP = PC-21 IP, target IP = PC-22 IP, sender MAC = PC-21 shadow MAC
Transfer: rewrite the src MAC address (in the Ethernet header and the ARP sender hardware address) to the PC-21 MAC and change the output port; PC-22 then sees src = PC-21 MAC, sender IP = PC-21 IP, target IP = PC-22 IP, sender MAC = PC-21 MAC
33. TCP communication: PC-22→PC-14 becomes PC-22→PC-14(shadow)
[Figure: same topology as slide 31.]
Strategy #2: matched MAC address
Packet from PC-22 to PC-14 via Router-1: src = PC-22 MAC, dst = Router-1 MAC
Transfer: rewrite the dst MAC address to the Router-1 shadow MAC and change the output port; the packet now carries src = PC-22 MAC, dst = Router-1 shadow MAC
34. TCP communication: PC-22→PC-14 becomes PC-22→PC-14(shadow) (return path)
[Figure: same topology as slide 31.]
Strategy #2: matched MAC address
Packet from PC-14 shadow to PC-22 via Router-1 (shadow): src = Router-1 shadow MAC, dst = PC-22 MAC
Transfer: rewrite the src MAC address to the Router-1 MAC and change the output port; the packet now carries src = Router-1 MAC, dst = PC-22 MAC
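The following Python is an added example, not the talk's mkdeceptflow-group.py, and shows what a generator for strategy #2 has to emit per O-Net peer: the outbound MAC and ARP-target rewrites plus the return-path source rewrites walked through on slides 31 to 34, in the JSON shape of the script on slide 24. The return-direction keys (set_eth_src, set_arp_sha) are assumed by analogy with the slide's set_eth_dst/set_arp_tha, and all addresses, host names and port names are constructed.

```python
# Added example, not the talk's mkdeceptflow-group.py: generate the strategy #2
# flow entries that divert one compromised host from the O-Net to the D-Net.
# Keys follow the rule bodies in the talk's script (dl_src, dl_dst, dl_type,
# arp_tha, arp_tpa, in_port, actions, set_eth_dst, set_arp_tha, priority);
# set_eth_src / set_arp_sha for the return direction are assumed by analogy.
# All MAC and IP addresses, host names and port names are constructed.
import json
from typing import Dict, List

Rule = Dict[str, str]
COMPROMISED = {"name": "pc22", "mac": "02:00:00:00:00:22", "port": "PORT3"}
DNET_PORT = "PORT1"                        # switch port leading into the D-Net
PEERS: Dict[str, Dict[str, str]] = {       # O-Net peer -> real MAC, shadow MAC, IP
    "pc21": {"onet": "02:00:00:00:00:21", "shadow": "02:00:00:00:01:21",
             "ip": "10.10.22.201"},
    "router1": {"onet": "02:00:00:00:00:01", "shadow": "02:00:00:00:01:01",
                "ip": "10.10.22.1"},
}


def validate(peers: Dict[str, Dict[str, str]]) -> None:
    """A D-Net twin differs from its O-Net host only by MAC address, so equal
    MACs would turn every rewrite below into a no-op."""
    for name, p in peers.items():
        if p["onet"].lower() == p["shadow"].lower():
            raise ValueError(f"{name}: shadow MAC must differ from O-Net MAC")


def rules_for_peer(p: Dict[str, str]) -> List[Rule]:
    c, back = COMPROMISED["mac"], COMPROMISED["port"]
    return [
        # IP frames from the compromised PC to the peer: rewrite the Ethernet
        # dst MAC to the shadow twin and send the frame into the D-Net.
        {"dl_src": c, "dl_dst": p["onet"], "actions": DNET_PORT,
         "set_eth_dst": p["shadow"], "priority": "3300"},
        # ARP to the peer also names the target MAC inside the ARP body
        # (arp_tha), so it gets its own entry at a HIGHER priority; otherwise
        # the entry above wins and the real MAC survives in the ARP payload.
        {"dl_type": "ARP", "dl_src": c, "dl_dst": p["onet"], "arp_tha": p["onet"],
         "actions": DNET_PORT, "set_eth_dst": p["shadow"],
         "set_arp_tha": p["shadow"], "priority": "3999"},
        # ARP broadcast asking for the peer's IP: nothing to rewrite, just
        # divert it so the shadow twin answers instead of the real host.
        {"dl_type": "ARP", "dl_src": c, "dl_dst": "ff:ff:ff:ff:ff:ff",
         "arp_tpa": p["ip"], "actions": DNET_PORT, "priority": "3998"},
        # Return path from the shadow: make frames appear to come from the real
        # peer (Ethernet src MAC, plus arp_sha for ARP frames).
        {"in_port": DNET_PORT, "dl_src": p["shadow"], "dl_dst": c,
         "actions": back, "set_eth_src": p["onet"], "priority": "3300"},
        {"dl_type": "ARP", "in_port": DNET_PORT, "dl_src": p["shadow"],
         "dl_dst": c, "actions": back, "set_eth_src": p["onet"],
         "set_arp_sha": p["onet"], "priority": "3999"},
    ]


def build_rules(peers: Dict[str, Dict[str, str]] = PEERS) -> List[Rule]:
    validate(peers)
    return [r for p in peers.values() for r in rules_for_peer(p)]


def as_bodies(rules: List[Rule]) -> List[str]:
    """JSON bodies in the shape the talk's script POSTs to its controller."""
    return [json.dumps(r, sort_keys=True) for r in rules]


if __name__ == "__main__":
    for body in as_bodies(build_rules()):
        print(body)
```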
39. Flow Tables
[Figure: OpenFlow Switch-21 on the O-Net side (Router-1, PC-21 to PC-24, PC-11, C2) and OpenFlow Switch-22 on the D-Net side (Router-1 (shadow), PC-21, PC-23, PC-24 and PC-11 shadows), with the flow tables of both switches shown ordered by priority from low to high. Legend: originated packet; changed packet (rewrite, port change).]
Initial state: communication between the O-Net and the D-Net
ARP from the compromised PC-22 (ARP request from PC-22, ARP reply from PC-22)
• Rewrite dst MAC addr in the Ethernet header
• Rewrite dst MAC addr in the ARP protocol
• Copy packet
ARP to the compromised PC-22 (ARP request to PC-22, ARP reply to PC-22)
• Rewrite src MAC addr in the Ethernet header
• Rewrite src MAC addr in the ARP protocol
Packets between PC-22 and other sub-networks (via the router)
• Packet from PC-22 to other sub-network: rewrite the router's dst MAC addr in the Ethernet header
• Packet from other sub-network to PC-22: rewrite the router's src MAC addr in the Ethernet header
Keep connection with the C2 server
• There is no flow table entry preventing this communication; communication is continued
Packet from the compromised PC-22
• Packet from PC-22: rewrite dst MAC addr in the Ethernet header
• Flooding packet from PC-22: forward to the ports in the group (flooding)
Packet to the compromised PC-22
• Packet to PC-22: rewrite src MAC addr in the Ethernet header
• Flooding packet: forward to the ports in the group
41. Evaluation
What: Keep the adversary unaware of cyber deception
• Maintaining control of the compromised PC on the O-Net from their C2 server
• Transferring the network activities of the compromised PC from the O-Net to the D-Net
How: Observation from the adversary's point of view (i.e. from the C2 server)
• Created a script of post-compromise activities selected from common attacks
• Executed the script from the C2 server's console before and after deception and compared the results
42. Script of post-compromise activities
1) sysinfo : Get system and user information
2) idletime : Get how long the user has been idle
3) getpid : Get the process ID used for the attack
4) ps : Get the process list
5) post/windows/gather/enum_services : Get name and configuration info for each returned service
6) getproxy : Get information about the proxy
7) post/windows/gather/credentials/enum_cred_store : Get credentials of IE
8) post/multi/gather/thunderbird_creds : Get credentials of Thunderbird
9) ls -lR C:\\Users\\ : Get file list of the user
10) post/windows/gather/enum_ie : Get browser history
43. Script of post-compromise activities
11) post/windows/gather/dumplinks2 : Get recently used files
12) post/windows/gather/enum_applications : Get application list
13) net user / net localgroup : Get information about local accounts, groups and administrators
14) net share list : Get shared folder information
15) show_mount : Get the currently attached "mounts"
16) ifconfig : Get network interface information (MAC address, IP address)
17) arp : Get ARP table
18) route : Get routing table
19) netstat : Get connection information for each process
20) net use : Get SMB remote connection information
21) post/windows/recon/computer_browser_discovery : Get neighbor computers
44. Evaluation environment
Two servers connected by a switch
• One server for the Operational Network, Internet and C2 Server (virtual machines)
• One server for the Deception Network and Deception Management Network (virtual machines)
45. Evaluation results
The automated attack script produced exactly the same results before and after deception
The session between the compromised PC and the C2 server remained uninterrupted during and after deception
46. Attack log: show_mount
[*] show_mount
Mounts / Drives
===============
Name  Type       Size (Total)  Size (Free)  Mapped to
----  ----       ------------  -----------  ---------
A:\   removable  0.00 B        0.00 B
C:\   fixed      31.90 GiB     17.33 GiB
D:\   remote     0.00 B        0.00 B       \\sh201\share\
E:\   cdrom      0.00 B        0.00 B
M:\   remote     0.00 B        0.00 B       \\file\share\???\
Total mounts/drives: 5
53. Attack log: getproxy
[*] getproxy
Auto-detect     : No
Auto config URL : http://www.system.skyblue.test/proxy.pac
Proxy URL       :
Proxy Bypass    :
54. Attack log: SMB Remote Connection
[*] net use
[+] Net use list
Status  Local  Remote
------  -----  ------
        D:     \\sh201\share
OK      M:     \\file\share\secret
55. Attack log: Neighbor Computer (NBT)
[*] post/windows/recon/computer_browser_discovery
[+] Found 4 systems.
....
[*] Netdiscovery Results
====================
TYPE     IP            COMPUTER NAME  VERSION  COMMENT
----     --            -------------  -------  -------
0x11003  10.10.22.102  KG201          6.1
0x11003  10.10.22.104  YM201          6.3
0x31003  10.10.22.103  KI201          6.3
0x51003  10.10.22.101  UN201          6.1
meterpreter >
56. Conclusion
Objective
• Observe the adversary's attack safely and covertly by keeping the adversary unaware of the deception
Technique
• Creating a Deception Network
• Using OpenFlow's Flow Tables for manipulating packets
Evaluation
• The adversary cannot observe any difference before, during, and after the cyber deception
57. Future research
• Cyber deception architecture for IPv6
• Realism of the Deception Network
• Content continuity before and after deception
58. Any Questions?
Thank you.
Toru Shimanaka
shimanaka.tohru@fujitsu.com