
PG - Cyber Deception after Detection: Safe observation environment using Software Defined Networking

BSides Las Vegas · 22:30 · 57 views · Published 2019-10
About this talk
PG - Cyber Deception after Detection: Safe observation environment using Software Defined Networking - Toru Shimanaka Proving Ground BSidesLV 2019 - Tuscany Hotel - Aug 07, 2019

Good afternoon everybody, and welcome to BSides Las Vegas Proving Ground and this talk, Cyber Deception after Detection, by Toru Shimanaka. A few announcements before we begin: I would like to thank our sponsors, especially our Inner Circle sponsors Critical Stack and Bell mail, and our solid sponsors Microsoft, Secure Code Warrior and Paranoids. It is their support, along with our sponsors, donors and volunteers, that makes this event possible. These talks are being streamed live, and as a courtesy to our speakers and audience we ask that you check to make sure your cell phones are set to silent. If you have a question, use the audience microphone so YouTube can hear you; please raise your hand and I'll

bring it over. With that, let's get started. I'd like to thank you for giving me the chance to speak here today. I'm going to talk about my cyber deception. I'm Toru Shimanaka, a cyber security researcher at Fujitsu for about five years; before that I was making network storage for about 15 years. What is cyber deception? This is one of the most widely used definitions of cyber deception, proposed by Yuill; it is the definition of a computer security deception operation. And this is a picture of an illusional deception operation in the Normandy landings, with inflatable tanks. The military think tank MITRE lists these five deception purposes. Diversion: direct an adversary's attention to a [inaudible] resource.

Depletion: waste an adversary's time and energy. Uncertainty: cause adversaries to doubt. Detection: use deception techniques to detect attacks. Intelligence: observe the adversary's behavior to get [inaudible]. To mention our main deception purpose, it is intelligence. Many cybersecurity textbooks dictate that when a compromised endpoint is discovered, it should be disconnected from the network to prevent further damage. Of course that is reasonable and sufficient in most cases, but it means missing out on obtaining valuable information such as the adversary's TTPs (tactics, techniques and procedures) and purposes and intentions, and it also means missing out on [inaudible]. In other words, when an attacker knows for sure he was detected,

he can learn from his failure and come back again using more sophisticated tools and techniques. Textbooks also dictate that when a compromised endpoint is discovered, observe the attacker until you are sure you can eliminate them, or eliminate them immediately. That may be true, but can you track everything the attacker does? That's why this method has some risk to your company. What if you could track the attacker, but without risk? Well, we are realizing that. Why? We want both safety by attack disconnection and intelligence by attack continuation. So this is the plan for achieving our greedy objectives. Let me move on to the idea. I'd like to explain how the environment is realized. This is, so to speak, cyber deception

after detection. We are intervening between stages six and seven in the cyber kill chain, here at the deepest part of the kill chain, after the attacker has command and control. It's very good, because it's very expensive for the attacker: he has already invested a lot. First we prepare the deception network as the safe observation environment to protect the operational network. Safe means isolating the compromised endpoint into the deception network, which is outside the operational network. Okay, next I will explain the deception network, or the D-net. The D-net is configured identically to the operational network, or the O-net. The D-net has the same network topology as the O-net, and hosts have the same host names and the same IP addresses

corresponding to hosts in the O-net, except for MAC addresses; I will explain the reason later. The O-net and the D-net are connected by OpenFlow switches, and packets are controlled and rewritten by software. OpenFlow is one of the Software Defined Networking implementations. In the D-net, sensitive information has been deleted and fake information that confuses the adversary is embedded, and you can place sensors and observe the adversary's behavior in detail. Here, the two items are about software-controlled packet transfer using OpenFlow functionality: switch communication between the compromised endpoint and the O-net over to the D-net. That is, communication on the local network continues uninterrupted between the compromised endpoint and the other machines, but the other

machines are actually turned into shadows in the D-net. Also ensure that all communication between the compromised endpoint and the C2 server is not interrupted. This way the attacker doesn't notice our cyber deception. This figure shows the software-controlled packet transfer that we aim for. Suppose a compromised endpoint, in this case PC22 shown in red, is discovered. The communication between the compromised PC22 and the C2 server continues without interruption. The communication between the compromised PC22 and the O-net is transferred to the D-net. This software packet control allows us to keep the adversary unaware of the deception.

This is the system's attack transfer mechanism. The initial step is detecting a compromise; in this case we detect an endpoint compromise because an attacker accessed our decoy file. The next step is preparing the D-net. The D-net was already made identical to the O-net, based on the JSON file that defines the network configuration of the O-net. In it, the deception controller turns off the shadow of the compromised endpoint in the D-net and creates a script which sets the flow table using REST APIs. We implement the REST APIs as the northbound interface to the OpenFlow controller, and execute this script, and the deception OpenFlow controller sets flow tables in the OpenFlow switches. We

implement our packet control and rewriting strategy using the OpenFlow flow table. In general, OpenFlow is considered a standard for separating control from forwarding, but my perception is different. OpenFlow is a technology that opened up to everyone the secret that only switch software engineers keep. The secret is that a switch easily rewrites the packet header, adds something to the packet and deletes something from the packet. Having built switches for many years, I know the secret and use it in this project. So, a flow table consists of flow entries. These are the commonly used match fields. Each entry is evaluated for a match against the packet. The rule uses the ingress port and packet headers such as

source and destination IP address, source and destination MAC address, source and destination TCP port, and so on. Each entry is matched in the priority order of the flow entries. Instructions: each entry has a set of instructions for the packet, for example to rewrite a packet and change the output port. For example, this flow table means: if a packet comes in from port 1, then output the packet via ports 3 and 4. The next flow table means: if a packet has destination IP address 192.168.10.10, then rewrite the address to 192.168.20.30 and output via port 6. If a packet destined to 192.168.10.100 comes from port 1, this packet is

transferred to ports 3 and 4, but if a packet destined to 192.168.10.10 comes from port 1, the destination IP of this packet is rewritten and it is transferred to port 6. Here are our packet rewriting strategies. The difference between the O-net and the D-net is the host MAC addresses. This is the key to controlling packets. Strategy 1: redirect communication on the local network. Use the compromised endpoint's MAC address as the match field, and rewrite not only the MAC address in the Ether header but also the MAC address information in the ARP frame. If we used the IP address as the match field, it would generally work for UDP but not for TCP. Strategy 2 considers

the communication from the compromised endpoint to the outside, that is, to other sub-networks. By setting strategy 2, access from the compromised endpoint to the internal network can be isolated to the D-net, and access to the C2 server can be maintained. See what happens for the TCP communication from the compromised PC22 to the next PC, PC21. According to the flow table set in this OpenFlow switch, the destination MAC address of the Ether header is rewritten to the MAC address of the PC21 shadow and the packet is transferred to the D-net port. On receiving a new TCP packet from PC22, the PC21 shadow broadcasts an ARP request. The source MAC address in the Ether header

and the ARP information are rewritten to the real PC21's MAC address and transferred to the port of the compromised PC22. By this mechanism, the compromised PC22 misunderstands that the response came from the real PC21, and things go on as such. This is how even the TCP communication between the compromised PC22 and the O-net can be completely isolated to the D-net. A packet addressed to another sub-network has router 1's MAC address as its destination. If we apply strategy 1 to this packet, strategy 1 simply rewrites the destination to the MAC address of the router 1 shadow and forwards the packet to the D-net. It works fine for packets addressed to

the Internet

However, strategy 1 transfers packets addressed to the C2 server to the D-net, so we add strategy 2: packets addressed to the C2 server are forwarded to the Internet.

This view shows the flow table set in the OpenFlow switches for one compromised endpoint. Expand the flow table for ARP: this is the part of the textual representation of the flow table for ARP. Expand the flow table for other packets. Expand the flow table for keeping the connection with the C2 server. So, to summarize: we successfully built the D-net; we switched over communication to the D-net with some packet magic; we managed to continue communication with the C2 server after moving the compromised endpoint to the D-net; and the attacker can still operate as if nothing changed on our network. Well, next, the proof of concept. The most important objective is to keep adversaries unaware of the cyber

deception. The conditions are as follows: the attacker maintains control of the compromised endpoint from the C2 server while the network activities of the compromised endpoint are transferred from the O-net to the D-net, and commands executed by the attacker on the endpoint and the network must give identical results before and after the D-net transfer. So we did a PoC from the attacker's point of view: we created a script of post-compromise activities, executed it from the C2 server's console before and after deception activation, and compared the results. This is our environment. One server provides a virtualized environment for the O-net and the C2 server on the Internet, and another server provides the virtualized environment for the D-net and the

deception network management. The PoC results: the automated attack script produced exactly the same result before and after deception, and the session between the compromised endpoint and the C2 server remained uninterrupted during and after deception. I will conclude this presentation. Our objective is to create an environment to observe the attack safely and covertly and keep the adversary unaware of the deception. For that purpose, we created a deception network and manipulated packets using SDN technology. As a result, the adversary cannot notice any difference before, during and after cyber deception, and we have created an environment to observe the attack safely and covertly. This is future research. One thing that seems

that initially it's convincing to an attacker, but how does it remain convincing after two weeks or months? We need work to ensure that the D-net remains realistic in the eye of an attacker over time. Next are realistic reproduction of the O-net and observation methods for the D-net; they're almost the same as the problems of honeynets and honeypots. I think that's a [inaudible] area, so I don't really want to do that if I can, to be honest, but I think there is a good way to do it. Next is IPv6 support. This is more complicated than IPv4. I've already finished the PoC and I am submitting a paper now. The last is the combination with attack detection by deception. The

attacker has overwhelmingly dominated the defender, because the defender just waits passively without knowing what kind of attack is taking place. But if this combination is realized, we can reverse the situation: if the attacker is caught in one of many traps, the defender will win. This means that for the first time in history the defender has an advantage over the attacker. That's all. Thank you very much, and thank you to my mentor Taos. [Applause] If you would like to know more, please refer to this paper, and if you have any questions... I'm sorry, I'm not good at English, but I will do my best. Any questions? You mentioned this is hosted on a hypervisor. For Open vSwitch

and OpenFlow, are you using like a VMware-based thing, or is this [inaudible]? Okay, thanks. Another question? No? Okay, thank you. Thank you very much.
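The flow-table mechanics the speaker walks through (match on ingress port and header fields, rewrite the destination MAC to the shadow's MAC on the way into the D-net, rewrite the source MAC and the MAC inside the ARP frame on the way back, and let C2 traffic keep its real path) can be modelled as a small priority-ordered table. The following is an added illustration written for this page; it is not the speaker's deception controller or any OpenFlow controller's API. The port numbers, MAC addresses, the C2 IP and the `Packet`/`FlowEntry` types are all assumed, constructed sample values. It generalizes the talk's PC21 example into a helper that produces the strategy-1 entries for any O-net host and its shadow, and adds the strategy-2 entry for the C2 server on top.

```python
"""Toy model of the OpenFlow flow table that moves a compromised endpoint's
local traffic from the O-net to the D-net (added illustration, not the
speaker's code). Match fields are the ingress port and Ethernet/IP/ARP
header fields; the highest-priority matching entry rewrites fields and
chooses output ports. All ports and addresses are constructed samples."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

ETH_IP, ETH_ARP = 0x0800, 0x0806
BCAST = "ff:ff:ff:ff:ff:ff"

# Assumed switch ports and addresses (constructed, not from the talk).
PORT_PC22, PORT_ONET, PORT_DNET, PORT_INET = 1, 2, 3, 4
PC22_MAC = "02:00:00:00:00:22"         # compromised endpoint on port 1
PC21_MAC = "02:00:00:00:00:21"         # real PC21 in the O-net
PC21_SHADOW_MAC = "02:dd:00:00:00:21"  # PC21's shadow in the D-net (same IP)
RTR_MAC = "02:00:00:00:00:01"          # real default gateway of the O-net
RTR_SHADOW_MAC = "02:dd:00:00:00:01"   # gateway's shadow in the D-net
C2_IP = "203.0.113.5"                  # attacker's C2 server on the Internet


@dataclass(frozen=True)
class Packet:
    in_port: int
    eth_type: int
    eth_src: str
    eth_dst: str
    ip_dst: str = ""
    arp_sha: str = ""  # sender MAC carried inside the ARP frame
    arp_tha: str = ""  # target MAC carried inside the ARP frame


@dataclass
class FlowEntry:
    priority: int
    match: Dict[str, object]    # field name -> value the packet must carry
    set_fields: Dict[str, str]  # field name -> rewritten value
    output: Tuple[int, ...]     # output port(s)


def shadow_entries(real_mac: str, shadow_mac: str) -> List[FlowEntry]:
    """Strategy 1 for one O-net host: swap its MAC for the shadow's MAC in both
    directions, in the Ethernet header and, for ARP, inside the ARP frame too."""
    entries = []
    for eth_type, fwd_extra, rev_extra in (
        (ETH_IP, {}, {}),
        (ETH_ARP, {"arp_tha": shadow_mac}, {"arp_sha": real_mac}),
    ):
        # Compromised endpoint -> "real host": deliver to the shadow in the D-net.
        entries.append(FlowEntry(50, {"in_port": PORT_PC22, "eth_type": eth_type, "eth_dst": real_mac},
                                 {"eth_dst": shadow_mac, **fwd_extra}, (PORT_DNET,)))
        # Shadow -> compromised endpoint: make it look like the real host answered.
        entries.append(FlowEntry(50, {"in_port": PORT_DNET, "eth_type": eth_type, "eth_src": shadow_mac},
                                 {"eth_src": real_mac, **rev_extra}, (PORT_PC22,)))
    return entries


def build_flow_table() -> List[FlowEntry]:
    table = [
        # Strategy 2: traffic to the C2 server keeps its real gateway MAC and
        # leaves via the Internet port, so the attacker's session survives.
        FlowEntry(100, {"in_port": PORT_PC22, "eth_type": ETH_IP, "ip_dst": C2_IP}, {}, (PORT_INET,)),
        # Broadcast ARP from the compromised endpoint reaches only the D-net.
        FlowEntry(40, {"in_port": PORT_PC22, "eth_type": ETH_ARP, "eth_dst": BCAST}, {}, (PORT_DNET,)),
    ]
    table += shadow_entries(PC21_MAC, PC21_SHADOW_MAC)  # local host -> its shadow
    table += shadow_entries(RTR_MAC, RTR_SHADOW_MAC)    # other subnets -> gateway's shadow
    return table  # note: no entry ever outputs to PORT_ONET from PORT_PC22


def apply_flow_table(table: List[FlowEntry], pkt: Packet) -> Tuple[Packet, List[int]]:
    """Highest-priority matching entry wins; a table miss drops the packet, so
    nothing from the compromised endpoint can leak into the O-net port."""
    for entry in sorted(table, key=lambda e: -e.priority):
        if all(getattr(pkt, k) == v for k, v in entry.match.items()):
            return replace(pkt, **entry.set_fields), list(entry.output)
    return pkt, []


def trace(pkt: Packet) -> Tuple[Packet, List[int]]:
    return apply_flow_table(build_flow_table(), pkt)


if __name__ == "__main__":
    # TCP SYN from PC22 to PC21: lands on PC21's shadow, never in the O-net.
    print(trace(Packet(PORT_PC22, ETH_IP, PC22_MAC, PC21_MAC, ip_dst="192.168.10.21")))
    # Beacon to the C2 server: untouched, out the Internet port.
    print(trace(Packet(PORT_PC22, ETH_IP, PC22_MAC, RTR_MAC, ip_dst=C2_IP)))
    # Shadow's ARP request towards PC22: both source MACs become real PC21's.
    print(trace(Packet(PORT_DNET, ETH_ARP, PC21_SHADOW_MAC, BCAST, arp_sha=PC21_SHADOW_MAC)))
```

The two points the talk makes fall out of the table directly: matching on the MAC rather than the IP is what keeps TCP sessions intact (the shadow answers with the same IP, and the return entries put the real host's MAC back so the endpoint's ARP cache stays consistent), and the single high-priority C2 entry is the whole of strategy 2. A frame from the compromised endpoint to any O-net MAC the table does not know about is a table miss and is dropped rather than forwarded.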