Cyber Deception Architecture: Covert Attack Reconnaissance Using a Safe SDN Approach

A great deal of valuable information can be gained by observing attackers in action. These observations give insight into the attacker's tactics, techniques, and procedures (TTPs) and motivations. Continuing such observation once attackers have breached an operational network is challenging. This paper describes a deception network methodology that redirects traffic from the compromised Operational Network (O-Net) to an identically configured Deception Network (D-Net), minimizing any further compromise of operational data and assets while still allowing the attacker's TTPs to be studied. To keep the adversary oblivious to the transfer from the O-Net to the D-Net, we employ a packet rewriting technique built on Software Defined Networking (SDN) that extends two other strategies. This paper discusses the foundational strategies and introduces a new strategy that improves behavior for the described scenarios. We then provide preliminary test results and suggest topics for further research.
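The transparent redirection the abstract describes, as an added illustration that is not the paper's own code: an OpenFlow-style flow table in which a forward rule steers one attacker's sessions with an O-Net host onto that host's D-Net twin, and a reverse rule rewrites the twin's replies so they still appear to come from the original O-Net address. The topology, the addresses, the switch port names ("onet", "dnet", "uplink") and the choice of rewritten fields (IPv4 and Ethernet addresses) are assumptions made for this example; the abstract does not state which header fields the paper's technique rewrites or how the two foundational strategies differ.

```python
"""Flow-table simulation of transparent O-Net -> D-Net redirection.

Added example for illustration, not the paper's code. The topology,
addresses, switch port names and the rewritten header fields are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str
    dport: int


@dataclass(frozen=True)
class FlowRule:
    """OpenFlow-style rule: exact match on fields, set-field actions, output port."""
    priority: int
    match: Dict[str, str]
    set_fields: Dict[str, str]
    out_port: str


# Constructed sample topology (assumed): one O-Net host and its identically
# configured D-Net twin, reachable on separate switch ports "onet" and "dnet".
TWINS: Dict[str, Dict[str, str]] = {
    "10.0.0.5": {
        "onet_mac": "02:00:00:00:00:05",
        "dnet_ip": "10.0.1.5",
        "dnet_mac": "02:00:00:00:01:05",
    },
}

# Table-miss rule: anything not explicitly redirected is forwarded by the
# switch's ordinary L2 learning (OpenFlow's NORMAL action), so legitimate
# users keep talking to the real O-Net host.
DEFAULT_RULE = FlowRule(priority=0, match={}, set_fields={}, out_port="NORMAL")


def redirect_rules(attacker_ip: str, onet_ip: str,
                   twins: Dict[str, Dict[str, str]] = TWINS) -> List[FlowRule]:
    """Rules that move one attacker's sessions with onet_ip onto its D-Net twin.

    The forward rule rewrites the destination so the packet reaches the twin;
    the reverse rule rewrites the twin's replies so the attacker keeps seeing
    the O-Net host's own IP and MAC. Both are required, otherwise the
    adversary sees an address it never connected to.
    """
    t = twins[onet_ip]
    forward = FlowRule(
        priority=100,
        match={"src_ip": attacker_ip, "dst_ip": onet_ip},
        set_fields={"dst_ip": t["dnet_ip"], "dst_mac": t["dnet_mac"]},
        out_port="dnet",
    )
    reverse = FlowRule(
        priority=100,
        match={"src_ip": t["dnet_ip"], "dst_ip": attacker_ip},
        set_fields={"src_ip": onet_ip, "src_mac": t["onet_mac"]},
        out_port="uplink",
    )
    return [forward, reverse]


def apply_table(table: List[FlowRule], pkt: Packet) -> Tuple[Packet, str]:
    """Pick the highest-priority matching rule, apply its rewrites, return (pkt, port)."""
    best = None
    for rule in table:
        if all(getattr(pkt, field) == value for field, value in rule.match.items()):
            if best is None or rule.priority > best.priority:
                best = rule
    if best is None:
        raise LookupError("table miss with no default rule")
    return replace(pkt, **best.set_fields), best.out_port


def round_trip(table: List[FlowRule], request: Packet) -> Tuple[str, str, Packet]:
    """Push a request through the table, synthesise the receiving host's reply,
    and push that back. Returns (request egress port, reply egress port, reply
    as the original sender sees it)."""
    fwd, fwd_port = apply_table(table, request)
    # Whoever received the (possibly rewritten) packet answers by swapping addresses.
    reply = Packet(src_ip=fwd.dst_ip, dst_ip=fwd.src_ip,
                   src_mac=fwd.dst_mac, dst_mac=fwd.src_mac, dport=fwd.dport)
    seen, rev_port = apply_table(table, reply)
    return fwd_port, rev_port, seen


if __name__ == "__main__":
    table = [DEFAULT_RULE] + redirect_rules("198.51.100.7", "10.0.0.5")
    attacker = Packet("198.51.100.7", "10.0.0.5", "02:aa:aa:aa:aa:07",
                      "02:00:00:00:00:05", 22)
    print(round_trip(table, attacker))   # reply arrives from 10.0.0.5 via "uplink"
    user = Packet("203.0.113.9", "10.0.0.5", "02:bb:bb:bb:bb:09",
                  "02:00:00:00:00:05", 22)
    print(round_trip(table, user))       # untouched, forwarded NORMAL
```

The point of the simulation is the pairing of rules: the forward rewrite alone would let the attacker's packets reach the twin, but the twin's replies would carry the D-Net address and betray the move. In a real deployment the rewrite set has to cover every observable difference between original and twin (IP checksums are recomputed by the switch, but TTL, IP ID, TCP timestamps and other fingerprintable fields are not), and the twin must be provisioned with the same host keys and application state, or the adversary can still detect the transfer; the abstract does not say how the paper addresses those details.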