Advanced attackers have become more sophisticated in their target selection, in evading detection and in monetizing breached data. Cyber deception is used to gather information about botnets and spreading worms, and to detect both persistent external attackers hiding in systems and insider threats. Decoys are resources that should never be accessed during normal operation; when they are accessed, they raise alerts and provide information that the system has been compromised. Decoys can be used to learn about automated malicious tools and adversary behaviour, and to slow attacks down. This paper addresses the following three challenges. First, deception tools usually raise alerts at a fixed severity level that has been chosen manually or hard-coded into the implementation, so distinguishing the severity of two alerts coming from different decoys can be difficult. Second, and conversely, alerts coming from decoys may reveal too much information to malicious administrators (insider threats); in many cases it is not necessary to disclose the type or actual location of a decoy at all. Third, monitoring the phases of an attack over time is difficult. To address all three challenges, this paper proposes an automated categorization of the severity of information coming from decoys. The proposed categorization can be used together with existing cyber security deception tools (such as honeypots, honeynets or honeytokens) to provide additional information for alerts. The categorization uses a decoy severity level, which is calculated from the criticality of the locations of the actual decoy, of a bait leading to it, and of a key enabling access to the bait or the decoy. External attacks usually start against the easiest targets, whereas an insider threat may access the most critical information right away.
In addition, the presented categorization aims to improve situational awareness by providing more information for measuring the level of the adversaries in advanced targeted attacks, which helps with the third challenge. The proposed approach and categorization have been tested with a prototype combining webpage-type honeytokens, URL-type baits leading to them, and encryption keys and user credentials enabling access to the baits. Two different implementation approaches have been demonstrated. The results show that combining additional severity measurement information with security alerts indeed improves situational awareness. The results of the research can be used to improve existing deception tools and event logging practices, to create new deception tools, and to improve the information shown in various visualization tools.
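The following added example (not code from the paper or its prototype) sketches the three-component severity categorization described above: a severity level derived from the location criticality of the decoy, its bait and its key, an operator-facing alert that withholds decoy type and location, and a simple classification of an alert series over time. The 1-4 criticality scale, the max-based combination rule and the sample decoys are assumptions made for illustration, since the abstract does not publish the actual formula.

```python
from dataclasses import dataclass
from typing import List

# Assumed criticality scale for the location of each component
# (1 = low-value / easily reached ... 4 = most critical assets).
LOW, MEDIUM, HIGH, CRITICAL = 1, 2, 3, 4
SEVERITY_NAMES = {1: "info", 2: "low", 3: "high", 4: "critical"}

@dataclass(frozen=True)
class Decoy:
    decoy_id: str     # opaque handle that is safe to show in alerts
    kind: str         # e.g. "webpage honeytoken" (sensitive, never alerted)
    location: str     # where the decoy lives (sensitive, never alerted)
    decoy_crit: int   # criticality of the decoy's own location
    bait_crit: int    # criticality of where the bait (URL) was planted
    key_crit: int     # criticality of where the key/credential was stored

def severity_level(d: Decoy) -> int:
    """Assumed rule: severity is driven by the most critical location an
    attacker had to reach anywhere in the key -> bait -> decoy chain."""
    return max(d.decoy_crit, d.bait_crit, d.key_crit)

def redacted_alert(d: Decoy, touched: str, ts: int) -> dict:
    """Alert as shown to administrators: severity and opaque id only, so a
    malicious administrator learns neither decoy type nor location."""
    if touched not in ("key", "bait", "decoy"):
        raise ValueError("touched must be key, bait or decoy")
    lvl = severity_level(d)
    return {"ts": ts, "decoy_id": d.decoy_id, "component": touched,
            "severity": lvl, "label": SEVERITY_NAMES[lvl]}

def attack_progression(alerts: List[dict]) -> str:
    """Classify a series of alerts over time: external attackers tend to
    escalate from easy to critical targets, an insider may start at the top."""
    sev = [a["severity"] for a in sorted(alerts, key=lambda a: a["ts"])]
    if not sev:
        return "none"
    if sev[0] == CRITICAL:
        return "critical-first"
    if all(b >= a for a, b in zip(sev, sev[1:])) and sev[-1] > sev[0]:
        return "escalating"
    return "flat"

# Constructed sample decoys (illustrative, not from the paper's prototype).
DECOYS = [
    Decoy("d-001", "webpage honeytoken", "intranet wiki", LOW, LOW, LOW),
    Decoy("d-002", "webpage honeytoken", "finance share", HIGH, MEDIUM, HIGH),
    Decoy("d-003", "webpage honeytoken", "HR export", CRITICAL, HIGH, CRITICAL),
]
```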