Active Deception Through Cyber Maneuver
The concept of dynamic identity can play a significant role in deception and adaptive defenses. Static mappings of identities create vulnerabilities that undermine protections and facilitate asset theft: a static value, once observed or stolen, stays valid until someone notices. For example, static passwords, static credit card numbers, static asset tags, and static IP addresses simplify the task of an adversary who wants to phish individuals, replay their credentials to gain unauthorized access, or map a network once and rely on that map indefinitely. By contrast, dynamic passwords and credit card numbers, dynamic asset tags (e.g., as realized by hash chains), and dynamic Internet Protocol (IP) addresses substantially complicate the adversary's job and shorten the useful lifetime of whatever they manage to capture.
From a network security perspective, one of an attacker's main assumptions is that specific technical details of system operation remain static across all targeted machines and networks: the same addresses, the same platforms, the same responses to the same probes. If each machine and network could generate a custom configuration using a secret that the attacker does not have, the result would be a constantly moving profile that stays ahead of the adversary. Vulnerabilities can be masked by randomizing the behavior of the software that communicates with potential attackers or their malware. Such a network maneuver approach can blunt many attacks, including some that rely on zero-day vulnerabilities, because an exploit still needs a stable, reachable target; it gives the enterprise a proactive posture while increasing the resiliency of the network. This is the premise of the deception tactic known as cyber maneuver.
Platform Diversity + Maneuver = Cyber Kill Chain Disruption
One method of achieving a constantly moving profile is artificial diversity. It works because malware is typically written to exploit a vulnerability in a particular platform or operating system. Using diversity, and maneuvering workloads among alternative platforms, shrinks both the share of the environment and the window of time in which malware leveraging a particular vulnerability finds a host it can exploit.
Virtual overlay networks provide a method known as service chaining that helps implement this type of cyber maneuver. Service chaining connects multiple virtualized network functions, such as virtual firewalls, virtual IPSs, and virtual load balancers, and lets them migrate with a specified workload to different virtual machines. Through service chaining, enabled by software-defined networking and service orchestration, workloads can migrate together with their network security elements to different virtual platforms with different IP addresses, so the protections move with the target rather than being left behind.
Network address space randomization (NASR) using IP address hopping is another example of artificial diversity and has been used to counter malicious attacks. A large pool of IP addresses is used to make dynamic assignments to hosts. The pattern of changes of the IP address is known to both the client and the server(s), and ideally secret from everyone else. Workloads "hop" to different IP address assignments according to a destination address selection algorithm. Servers can be configured to expect requests at the changed IP address within a certain time threshold; if the subsequent requests do not arrive within that threshold, the server can terminate further access for that requestor. Without knowing the pattern of address changes, an eavesdropper cannot predict where the next exchange will take place, which makes it difficult to follow a session or to reconnoiter the network with a single scan (an observer already sitting on the path still sees whatever passes by; what hopping denies is the ability to find and target the service in advance).

To further strengthen this approach, client (user) IP addresses can also be assigned dynamically through DHCP at a gateway and changed on a secret schedule as well. Constantly changing the client's IP address adds a layer of security to every transaction. Even an attacker who recovered the key used to encrypt the transactions could neither impersonate the client nor follow the transactions, because the sequence of IP addresses is a separate shared secret between client and server that the encryption key does not reveal.
The confusion and "noise" that maneuvering generates in the network also reduce the attacker's ability to observe it, increasing their cost and slowing them down. Recognizing that some attacks will succeed, cyber maneuver also disrupts a persistent threat by forcing the attacker to keep remapping the network and re-establishing malware command-and-control channels. Making the attacker work harder raises the probability of detection and attribution, because every remap and every re-established channel is additional activity that defenders can observe. Cyber maneuver can also be combined with cleansing (for example, rebuilding a host from a known-good image as it moves) to remove malware that has obtained a foothold.
Cyber Maneuver + Contextual Awareness = Highly Adaptive and Deceptive Networks
Cyber maneuver decisions can also be driven by the threat context or the security state of the maneuverable assets. A cyber maneuver decision framework can use this knowledge to make deliberate changes to hop intervals and destination targets (including different geographic destinations) and to redirect exploited assets to honeynets for observation. Destination selection algorithms can mark destination LANs as more or less desirable as network or security conditions change, and can steer away from a particular vendor's operating system, hardware platform, or hypervisor, for example one with a known but not yet patched vulnerability.
Cyber maneuver can also enhance network anonymity and enable new, effective responses to many Distributed Denial of Service (DDoS) attacks. For example, a dynamically assigned destination address can double as a dynamic netflow marker, making suspect traffic easier to track. An attacker must first learn the dynamically assigned destination address, and the gateway that hands it out records the IP address of the machine it sent that address to. The attacker therefore has to expose at least one of its bots in order to learn the destination address in use. That IP address may be only part of the picture, but it is a useful starting point for trace-back analysis and for filtering a denial-of-service attack.
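The gateway described above, as a constructed example that is not from the original post and that goes slightly beyond it: the issued destination is derived per requestor and per epoch from a gateway-only secret, so the destination address of a flood identifies which requestor learned it even when every source address on the packets is spoofed. The pool prefix, the secret, the epoch number, the requestor addresses and the flow records are all made up for the example.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Constructed example, not the page's own code. The gateway gives each requestor its own
# destination address for the current epoch, derived from a secret only the gateway holds,
# and records who was told which address. Traffic arriving at an address therefore carries
# a marker of the requestor that learned it, regardless of the packets' source addresses.
POOL = ipaddress.IPv6Network("2001:db8:5555::/64")   # assumed pool for the protected service
GATEWAY_SECRET = b"gateway-only-secret"              # assumed; never shared with clients


class MarkerGateway:
    def __init__(self, secret: bytes, pool: ipaddress.IPv6Network = POOL):
        self.secret = secret
        self.pool = pool
        self.issued = defaultdict(set)   # destination address -> requestors it was issued to

    def issue(self, requestor: str, e: int) -> ipaddress.IPv6Address:
        """Return the destination address for (requestor, epoch) and log who asked for it."""
        msg = requestor.encode() + e.to_bytes(8, "big")
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]
        host_bits = int.from_bytes(tag, "big") % (1 << (128 - self.pool.prefixlen))
        addr = ipaddress.IPv6Address(int(self.pool.network_address) + host_bits)
        self.issued[addr].add(requestor)
        return addr

    def trace_back(self, dst: ipaddress.IPv6Address) -> set:
        """Requestors that learned dst from this gateway: the starting point for filtering."""
        return set(self.issued.get(dst, set()))

    def classify_flows(self, flows: list) -> dict:
        """Group (src, dst, packets) flow records by the requestor each destination marks.
        Flows to addresses that were never issued are scans or guesses and land under
        the 'unissued' key."""
        summary = defaultdict(lambda: {"packets": 0, "sources": set()})
        for src, dst, pkts in flows:
            owners = self.trace_back(dst) or {"unissued"}
            for owner in owners:
                summary[owner]["packets"] += pkts
                summary[owner]["sources"].add(src)
        return dict(summary)


def demo() -> dict:
    gw = MarkerGateway(GATEWAY_SECRET)
    good = gw.issue("2001:db8::c1", 7)     # legitimate client learns its address
    bot = gw.issue("2001:db8::b07", 7)     # one bot of a botnet learns its address
    # Constructed flow records (src, dst, packet count): the botnet floods the address the
    # bot learned, from spoofed sources; a scanner probes an address nobody was issued.
    flows = [
        ("2001:db8::c1", good, 12),
        ("2001:db8:ffff::1", bot, 9000),
        ("2001:db8:ffff::2", bot, 8500),
        ("2001:db8:ffff::3", bot, 9100),
        ("2001:db8:dead::1", ipaddress.IPv6Address("2001:db8:5555::1"), 3),
    ]
    return gw.classify_flows(flows)
```

The flood's spoofed sources never appear in the issue log, but its destination does, and that destination points straight back at the bot that asked for it; that single address is the "possibly incomplete" but useful starting point the text describes, and the `unissued` bucket separates blind scanning of the pool from traffic aimed at a real target.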
Deceptions such as cyber maneuver must be designed with precision, and virtualization plays a key role, so cloud computing is well suited to enabling this type of active defense. Maneuver tactics such as IP address hopping also need a large address space: a single IPv6 /64 offers 2^64 addresses, far more than an entire IPv4 deployment can spare, so IPv6 environments are preferred for this maneuver approach.
So does cyber maneuver fit into your network plans? Are you using cyber maneuver already? Please let us know about your thoughts on this deception technique. Thanks for reading and keep moving.