Air Force goes after cyber deception technology
Air Force Research Lab (AFRL) enlists security vendor Galois to develop a cyber deception system
Michael Cooney, Network World | JAN 19, 2017
A little cyber-trickery is a good thing when it comes to battling network adversaries.
The Air Force Research Lab (AFRL) tapped into that notion today as it awarded a $750,000 grant to security systems developer Galois to develop a cyber deception system that will “dramatically reduce the capabilities of an attacker that has gained a foothold on a network.”
Specifically, Galois will develop its Prattle system for the Air Force. Galois describes Prattle as a system that generates traffic that misleads an attacker who has penetrated a network: making them doubt what they have learned, or causing them to make mistakes that increase their likelihood of being detected sooner.
“To generate this traffic, Prattle starts with observations of local traffic, and then generates traffic indistinguishable from existing traffic, but subtly modified to meet the administrator’s goals. This additional information can be used to direct adversaries toward fake workstations or servers, for example, and/or to distract them from real search terms or operational priorities,” Galois says.
From Galois: “We thus refer to the traffic generated by Prattle as false signal, to stress the difference between it and the more easily distinguished noise. Further, we seek to generate realistic traffic that is intentionally designed to cause the adversary to take some action that is to our advantage.”
For example, Galois says it might use false signal to:
- Improve the utility of honeypots, IDS, SIEM, DLP or other solutions by pushing adversaries to act in a way that makes them easier to detect.
- Watermark documents or other data in such a way that the introduced data can tie an adversary to a location or time.
- Obfuscate the details of high-value information such as designs, plans, source code, or financial data by introducing small variations upon real documents transiting the network.
- Misdirect an adversary from the real interests and efforts of an organization.
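The second bullet, watermarking honey data so that an observed copy can be tied back to where and when it was planted, is the piece of the list that is easiest to make concrete. The example below is an added illustration and is not Prattle or any Galois code: it builds per-decoy markers keyed to placement and time (the `PRJ-` token format, the HMAC key and the proxy log format are all constructed for this example), embeds them in decoy text, and then scans constructed log lines for markers that the defender actually issued, giving the attribution the bullet describes.

```python
"""Honey-data watermarking and attribution (added example, not Galois's Prattle)."""
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Assumed secret used to tag every marker we issue; a real deployment would
# keep it in a secrets store so an adversary cannot forge plausible markers.
SIGNING_KEY = b"demo-key-replace-me"

# Constructed marker format: PRJ-<8 hex nonce>-<12 hex HMAC tag>.
TOKEN_RE = re.compile(r"\bPRJ-([0-9a-f]{8})-([0-9a-f]{12})\b")


def make_token(placement: str, planted_at: datetime, nonce: str) -> str:
    """Marker bound to a placement and planting time; the tag proves we issued it."""
    payload = f"{placement}|{planted_at.isoformat()}|{nonce}".encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()[:12]
    return f"PRJ-{nonce}-{tag}"


def watermark(template: str, token: str) -> str:
    """Embed the marker in decoy text at the {{MARK}} placeholder."""
    return template.replace("{{MARK}}", token)


def plant_decoys(placements) -> dict:
    """Issue one marker per decoy and record where/when it was planted."""
    registry = {}
    for placement, planted_at, nonce in placements:
        token = make_token(placement, planted_at, nonce)
        registry[token] = {"placement": placement, "planted_at": planted_at}
    return registry


def attribute_hits(log_lines, registry) -> list:
    """Find issued markers in log lines and map each back to its decoy.

    A string that merely looks like a marker but was never issued (or whose
    tag does not recompute) is ignored, so random look-alikes do not alert.
    """
    hits = []
    for line in log_lines:
        for m in TOKEN_RE.finditer(line):
            token, nonce = m.group(0), m.group(1)
            entry = registry.get(token)
            if entry is None:
                continue
            expected = make_token(entry["placement"], entry["planted_at"], nonce)
            if not hmac.compare_digest(expected, token):
                continue  # registry entry does not match the tag: treat as untrusted
            seen = line.split(" ", 1)[0]  # constructed log format puts the timestamp first
            hits.append({"token": token, "seen": seen, **entry})
    return hits


# Constructed decoy placements (paths and mailbox are hypothetical).
PLACEMENTS = [
    ("fileshare:eng-fs01/designs/turbine-v3.docx",
     datetime(2017, 1, 19, 9, 0, tzinfo=timezone.utc), "0a1b2c3d"),
    ("mailbox:cfo@example.test",
     datetime(2017, 1, 19, 9, 5, tzinfo=timezone.utc), "4e5f6a7b"),
]
REGISTRY = plant_decoys(PLACEMENTS)

DECOY_TEMPLATE = "Turbine v3 design notes\nRevision ref: {{MARK}}\n"


def sample_logs() -> list:
    """Constructed proxy log lines; only the first carries a marker we issued."""
    fileshare_token = next(t for t, e in REGISTRY.items()
                           if e["placement"].startswith("fileshare"))
    return [
        f"2017-01-20T03:14:07Z proxy src=10.0.5.23 dst=paste.example.test "
        f"POST /upload body_excerpt={fileshare_token}",
        "2017-01-20T03:15:00Z proxy src=10.0.5.23 dst=cdn.example.test GET /app.js",
        "2017-01-20T03:16:42Z proxy src=10.0.7.9 dst=paste.example.test "
        "POST /upload body_excerpt=PRJ-deadbeef-000000000000",
    ]


def demo() -> list:
    """Plant one decoy document, then attribute the marker seen in the logs."""
    fileshare_token = next(t for t, e in REGISTRY.items()
                           if e["placement"].startswith("fileshare"))
    decoy = watermark(DECOY_TEMPLATE, fileshare_token)
    assert fileshare_token in decoy
    return attribute_hits(sample_logs(), REGISTRY)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['seen']}: marker from {hit['placement']} "
              f"(planted {hit['planted_at'].isoformat()})")
```

The HMAC tag is what separates a watermark from a plain random string: the scanner only raises a hit for markers the defender can recompute, so the registry doubles as the list of things worth alerting on and the tag stops look-alike strings from generating noise. In a SIEM the `attribute_hits` output would be the enrichment that turns a generic outbound-upload event into "the decoy planted on eng-fs01 on 19 January has surfaced", which is the earlier, higher-confidence detection the article's bullets are after.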
The grant is actually Phase II of the AFRL’s program. In Phase I of the project, the project team showed how the Prattle prototype generates highly realistic traffic based on observations of local traffic. Phase II will focus on expanding the generation capability across a wider variety of protocols, and using “honey data” – data tailor-made to misdirect the attacker – to cause them to take some action that is to our advantage, Galois stated.
The AFRL work is not the only security deception work going on. Last year the advanced technology developers from the Intelligence Advanced Research Projects Activity (IARPA) office put out a Request for Information about how to best develop better denial and deception technologies – such as honeypots or deception servers, for example – that would bolster cyber security.
“Adapting deception to support the engagement of cyber adversaries is a concept that has been gaining momentum, although, the current state of research and practice is still immature: many techniques lack rigorous experimental measures of effectiveness, information is insufficient to determine how defensive deception changes attacker behavior or how deception increases the likeliness of early detection of a cyber attack,” IARPA said in a statement.
Gartner wrote of deception technologies in 2015 and said: “Solutions are emerging to play a greater role in the future of enterprise threat defense. Detection is often a prerequisite to higher-quality deceptions. However, use of deceit in the enterprise is beginning to be used to actively thwart or “black-hole” malware botnets, threat actors and suspicious connections. In some cases, federal investigators have used deception techniques to intercept and disrupt command-and-control communications during botnet takedowns, but many of these uses have been manually executed network protocol or command-and-control server deceptions. The goal of deception technology continues to be detection; however, use of deception has been widening across many different types of products throughout the years, including the age-old honeypot sensor.”
The researchers also observed of deception technologies:
- Although still nascent, deception as a defense strategy against attackers has merit, and can be an attractive new capability for larger organizations desiring advanced threat detection and defense solutions.
- Many organizations don’t understand what threat deception is; educating security buyers on its usefulness will be crucial to furthering adoption of deception technologies and concepts.
- Deception as an automated responsive mechanism represents a sea change in the capabilities of the future of IT security that product managers or security programs should not take lightly.
- Deception decoy sensor providers emerge to offer enhanced detection of east-west attacks by distributing sensors across an enterprise’s internal environment, and mimicking enterprise endpoint services, applications and systems.