
Choose Your Deception

Active Cyber Defense can enable a large variety of specific deception tactics that can delay, confuse, scare away, or tie up an attacker depending on the circumstances and the methods. The following examples highlight this variety of tactics.

  1. Enabling specific abuse detection points in web application code using a library of vulnerability deception modules, and responding to application abuse with session-specific deceptive responses, warnings, and blocks.
    Deceptively vulnerable web sites can be employed to identify an attack while minimizing the impact on legitimate users: because the real application never reads the decoy parameters, fields, or paths, legitimate traffic never touches them, and a hit is a strong signal of probing rather than of a bug. By embedding seemingly vulnerable abuse points in the web site's scripts and configuration, attackers may be lured into launching attacks that are quickly detected. A variety of response actions can then be employed, including warnings, throttling the session connection, requiring additional login information, and blocking the attack. Through careful sequencing of the responses, an attacker's TTPs can also be revealed and captured for analysis.
  2. Employing persistent tracking mechanisms, such as canvas fingerprinting, evercookie, supercookies, and zombie cookies, to create a "long-term fingerprint" of the attacker and using that fingerprint to recognize the attacker on return visits.
    Fingerprinting web site users may raise privacy concerns; however, these techniques offer a means to identify and track web site abusers when the tracking mechanism can be linked to observed abuse. Once a fingerprint is tied to an abuser, it could be shared through a threat intelligence service so that subscribing sites can block, blacklist, or closely monitor that user's behavior. A fingerprint is evidence of a returning client, not proof of identity: fingerprints collide across similar browser configurations and change when the attacker alters their tooling, so they are better used to raise scrutiny than as the sole basis for blocking.
  3. Employing honeynets and honey files to capture attackers’ TTPs and malware profiles, while also providing disinformation to the attacker.
    Use cases for honeynets assume an attacker is undertaking an overall attack effort involving intelligence gathering, entries, privilege expansions, and privilege exploitations. Honeynets are used to attract attackers and therefore may be used to detect an attack in progress: an inexpensive canary can be set up such that any traffic to the machine triggers an alarm, and false network traffic can lead an attacker into believing that a port or IP address on a honeynet is a valid target, while any access to that IP address and port raises an attack alarm. A variety of attack detection techniques can be implemented with honey files as well, including code that reports back to a monitoring server when the file is opened or executed. This can be achieved with JavaScript embedded in PDF files, fake entries in robots.txt files on web servers, invisible links, honey-token HTML comments, or remote images that are fetched when the document is opened; bait information, such as fake credentials that attackers may try to use, serves the same purpose. Because no legitimate user or process ever touches these artifacts, a single hit is a high-confidence signal. DNS honey tokens can also complement the use of honeynets. For example, a small number of fake DNS records on the organization's authoritative DNS servers can be created and configured to raise an alert when those specific records are requested.
  4. Using deception with malware analysis tools to detect and block attacks.
    Malware sandboxing often includes deception techniques designed to trick malware into exposing how it operates and what it would do on a system if deployed. Attackers recognize that detection methods are becoming more advanced and have raised their game accordingly. Since malware often comes with anti-VM or anti-sandbox checks along with dormant code that only runs once the sample believes it is on a real victim, the deception and hiding techniques provided by malware analysis tools are becoming more sophisticated. For example, newer tools leverage micro-virtualization backed by the processor's hardware virtualization extensions. Running each task in its own hardware-isolated micro-VM that presents a complete system removes many of the indicators malware uses to detect that it is running in a virtual sandbox. No sandbox is invisible, though: time-based dormancy and checks for user activity can still defeat analysis, so a clean sandbox verdict should be treated as one signal rather than proof that a sample is benign.
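The detection-point-and-response loop described in item 1, as an added example written for this article and not the author's code: decoy parameters that the real application never reads act as abuse detection points, each hit raises a per-session abuse score, and the score selects an escalating response (warn, throttle, step-up authentication, block) while the probes are recorded as TTPs. The detection points, their weights, the thresholds, and the fabricated decoy content are all assumptions chosen for the illustration.

```python
"""Application-layer deception points with session-specific escalating
responses. Added example for this article (not the author's code); the
detection points, weights, thresholds and decoy content are assumptions."""

import re
from dataclasses import dataclass, field

# Each detection point is a predicate over the request parameters plus an
# abuse weight. The parameters are decoys: the real application never reads
# them, so a legitimate client never triggers a point and a hit means probing.
DETECTION_POINTS = {
    # Hidden form field; the real UI never submits a value for it.
    "honey_field": (lambda p: bool(p.get("debug_admin")), 3),
    # Looks like a file-include parameter; "../" or an absolute path is traversal probing.
    "path_traversal": (lambda p: bool(re.search(r"\.\./|^/", p.get("file", ""))), 2),
    # Integer-only decoy id; quotes, semicolons or "OR 1" mean injection probing.
    "sql_probe": (lambda p: bool(re.search(r"['\";]|\bor\b\s+1", p.get("id", ""), re.I)), 2),
}

# Escalation ladder, checked highest first: the first threshold the session's
# score reaches picks the response (warn -> throttle -> step-up auth -> block).
ESCALATION = [(8, "block"), (5, "step_up_auth"), (3, "throttle"), (1, "warn")]


@dataclass
class Session:
    score: int = 0
    ttps: list = field(default_factory=list)  # (detection point, params) for later analysis


@dataclass
class Response:
    status: int
    body: str
    action: str = "allow"
    delay_seconds: float = 0.0  # throttling is applied by the caller before answering


def evaluate(params):
    """Return [(detection point, weight)] for every point this request trips."""
    return [(name, weight) for name, (predicate, weight) in DETECTION_POINTS.items()
            if predicate(params)]


def decoy_body(point):
    """Fabricated content that keeps the attacker engaged with the decoy while
    the probe is logged. Nothing here is real system data."""
    if point == "path_traversal":
        return "root:x:0:0:root:/root:/bin/sh\nsvc-backup:x:1001:1001::/home/svc-backup:/bin/sh\n"
    if point == "sql_probe":
        return "Database error: syntax error near '1'"
    return "OK"


def handle_request(sessions, session_id, params):
    """Score the request against the session, record TTPs, and choose the
    response according to the escalation ladder."""
    session = sessions.setdefault(session_id, Session())
    hits = evaluate(params)
    if not hits:
        return Response(200, "OK")
    for name, weight in hits:
        session.score += weight
        session.ttps.append((name, dict(params)))
    action = next(a for threshold, a in ESCALATION if session.score >= threshold)
    if action == "block":
        return Response(403, "Forbidden", action)
    if action == "step_up_auth":
        return Response(401, "Additional verification required", action)
    body = decoy_body(hits[0][0])
    if action == "throttle":
        # Delay grows with the score so repeated probing gets progressively slower.
        return Response(200, body, action, delay_seconds=float(session.score))
    return Response(200, body, action)  # warn: serve the decoy and log the probe


if __name__ == "__main__":
    sessions = {}
    for params in ({"file": "../../etc/passwd"}, {"id": "1' OR 1=1"},
                   {"debug_admin": "1"}, {"file": "/etc/shadow"}):
        r = handle_request(sessions, "attacker", params)
        print(params, "->", r.action, r.status, f"delay={r.delay_seconds}")
    print("recorded TTPs:", [name for name, _ in sessions["attacker"].ttps])
```

The ordering of the ladder matters: serving a decoy first and blocking last is what lets the sequence of responses reveal the attacker's TTPs, whereas blocking on the first hit only tells you that someone probed. In a real deployment the session key would be the authenticated session or a fingerprint, and the recorded TTPs would go to the monitoring pipeline rather than stay in memory.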
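Honey-token triggers from item 3, detected over log lines, as an added example that is not part of the original post: decoy paths advertised only in robots.txt, a beacon URL planted in honey documents, and fake DNS records on the authoritative server, each of which should never appear in normal traffic. The token paths, the hostnames, and the Combined-format access-log and BIND-style query-log lines are all constructed for the example.

```python
"""Honey-token trigger detection across a web access log and a DNS query log.
Added example for this article, not the author's code. The token paths,
hostnames and log lines below are constructed for the illustration."""

import re
from dataclasses import dataclass

# Decoy paths advertised only in robots.txt; nothing legitimate links to them.
ROBOTS_DECOY_PATHS = ("/backup-old/", "/admin-dev/")
# Token URL planted in an HTML comment and as a remote image in honey documents.
BEACON_PATHS = ("/assets/t/7f3a9c.gif",)
# Fake records on the authoritative name server; no real system resolves them.
DNS_HONEYTOKENS = ("vpn-legacy.example.com", "db-replica.example.com")

# Apache/nginx "combined" access-log format.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# BIND-style query log: ... client 10.0.0.5#51234: query: host IN A + (10.0.0.1)
BIND_QUERY = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<rtype>\S+)")


@dataclass(frozen=True)
class Alert:
    kind: str    # which deception fired
    token: str   # the decoy that was touched
    source: str  # requesting IP address
    detail: str  # extra context kept for TTP analysis


def robots_txt(decoy_paths=ROBOTS_DECOY_PATHS):
    """Render the decoy paths as Disallow entries. The same tuple feeds the
    detector, which keeps the deception and its alerting consistent."""
    return "User-agent: *\n" + "".join(f"Disallow: {p}\n" for p in decoy_paths)


def scan_access_log(lines):
    """Alert on requests to robots.txt decoy paths or to the document beacon."""
    alerts = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        path = m["path"].split("?", 1)[0]
        for decoy in ROBOTS_DECOY_PATHS:
            if path.startswith(decoy):
                alerts.append(Alert("robots_decoy", decoy, m["ip"], f"{m['method']} {path} ua={m['ua']}"))
        if path in BEACON_PATHS:
            alerts.append(Alert("document_beacon", path, m["ip"], f"ua={m['ua']}"))
    return alerts


def scan_dns_log(lines):
    """Alert on any lookup of a honey-token name, regardless of record type."""
    alerts = []
    for line in lines:
        m = BIND_QUERY.search(line)
        if not m:
            continue
        name = m["name"].rstrip(".").lower()  # normalise trailing dot and case
        if name in DNS_HONEYTOKENS:
            alerts.append(Alert("dns_honeytoken", name, m["ip"], f"type={m['rtype']}"))
    return alerts


# Constructed sample lines, not real traffic.
SAMPLE_ACCESS_LOG = [
    '198.51.100.4 - - [12/Mar/2024:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:09:14:40 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Mar/2024:09:14:41 +0000] "GET /backup-old/db.sql HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '192.0.2.19 - - [12/Mar/2024:11:02:13 +0000] "GET /assets/t/7f3a9c.gif?d=pay.docx HTTP/1.1" 200 43 "-" "Microsoft Office Word"',
]
SAMPLE_DNS_LOG = [
    "12-Mar-2024 09:20:01.112 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)",
    "12-Mar-2024 09:20:07.904 client 10.0.0.77#40211: query: vpn-legacy.example.com IN A + (10.0.0.1)",
    "12-Mar-2024 09:20:08.011 client 10.0.0.77#40212: query: db-replica.example.com. IN AAAA + (10.0.0.1)",
]


def scan_all(access_lines=SAMPLE_ACCESS_LOG, dns_lines=SAMPLE_DNS_LOG):
    return scan_access_log(access_lines) + scan_dns_log(dns_lines)


if __name__ == "__main__":
    for a in scan_all():
        print(f"ALERT {a.kind}: {a.source} touched {a.token} ({a.detail})")
```

Fetching robots.txt itself is not alerted on, since crawlers do that legitimately; only following a Disallow entry that nothing links to is suspicious. The beacon's query string (here a document name) is what turns a generic hit into "who opened which honey file", and the DNS detector normalises the trailing dot and case so a fully qualified or upper-cased lookup still fires.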

These techniques must be balanced against the costs of development, deployment, and maintenance: good deceptions can be expensive to set up, they go stale as the real environment changes around them, and a deception must stay consistent with its surroundings (naming conventions, software versions, plausible content) or it gives itself away to an attentive attacker.

In the next post we continue a review of deception, delay and detection techniques that may help to generate a poor ROI for attackers. In particular, we examine a deception approach called cyber maneuver.