1 |
Wide spectrum attribution: using deception for attribution intelligence in cyber attacks
Nicholson, Andrew, January 2015
Modern cyber attacks have evolved considerably. The skill level required to conduct a cyber attack is low. Computing power is cheap, targets are diverse and plentiful. Point-and-click crimeware kits are widely circulated in the underground economy, while source code for sophisticated malware such as Stuxnet is available for all to download and repurpose. Despite decades of research into defensive techniques, such as firewalls, intrusion detection systems, anti-virus, code auditing, etc., the quantity of successful cyber attacks continues to increase, as does the number of vulnerabilities identified. Measures to identify perpetrators, known as attribution, have existed for as long as there have been cyber attacks. The most actively researched technical attribution techniques involve the marking and logging of network packets. These techniques are performed by network devices along the packet journey, which most often requires modification of existing router hardware and/or software, or the inclusion of additional devices. These modifications require wide-scale infrastructure changes that are not only complex and costly, but invoke legal, ethical and governance issues. The usefulness of these techniques is also often questioned, as attack actors use multiple stepping stones, often innocent systems that have been compromised, to mask the true source. As such, this thesis identifies that no publicly known previous work has been deployed on a wide-scale basis in the Internet infrastructure. This research investigates the use of an often overlooked tool for attribution: cyber deception. The main contribution of this work is a significant advancement in the field of deception and honeypots as technical attribution techniques. Specifically, the design and implementation of two novel honeypot approaches: i) Deception Inside Credential Engine (DICE), which uses policy and honeytokens to identify adversaries returning from different origins, and ii) Adaptive Honeynet Framework (AHFW), an introspection and adaptive honeynet framework that uses actor-dependent triggers to modify the honeynet environment, to engage the adversary, increasing the quantity and diversity of interactions. The two approaches are based on a systematic review of the technical attribution literature that was used to derive a set of requirements for honeypots as technical attribution techniques. Both approaches lead the way for further research in this field.
|
2 |
Contributions of honeyports to network security
Pepakayala, Sagar, January 2007
A honeypot is an attractive computer target placed inside a network to lure the attackers into it. There are many advantages of this technology, like, information about attacker's tools and techniques can be fingerprinted, malicious traffic can be diverted away from the real target etc. With the increased activity from the blackhat community day by day, honeypots could be an effective weapon in the network security administrator's armor. They have been studied rigorously during the past few years as a part of the security industry's drive to combat malicious traffic. While the whitehats are trying to make honeypots stealthier, blackhats are coming up with techniques to identify them (therefore nullifying any further use) or worse, use them in their favor. The game is on. The goal of this thesis is to study different architectural issues regarding honeypot deployment, various stages in utilizing honeypots like forensic analysis etc. Other concepts like IDSs and firewalls which are used in conjunction with honeypots are also discussed, because security is about cooperation among different security components. In the security industry, it is customary for whitehats to watch what blackhats are doing and vice versa. So the thesis discusses recent techniques to defeat honeypots and risks involved in deploying honeypots. Commercial viability of honeypots and business cases for outsourcing honeypot maintenance are presented. A great interest from the security community about honeypots has propelled the research and resulted in various new and innovative applications of honeypots. Some of these applications, which made an impact, are discussed. Finally, future directions in research in honeypot technology are perused.
|
3 |
Policy-driven Network Defense for Software Defined Networks
January 2016
Software-Defined Networking (SDN) is an emerging network paradigm that decouples the control plane from the data plane, which allows network administrators to consolidate common network services into a centralized module named the SDN controller. Applications' policies are transformed into standardized network rules in the data plane via the SDN controller. Even though this centralization brings great flexibility and programmability to the network, network rules generated by SDN applications cannot be trusted because there may exist malicious SDN applications, and insecure network flows can be made due to complex relations across network rules. In this dissertation, I investigate how to identify and resolve these security violations in SDN caused by the combination of network rules and applications' policies. To this end, I propose a systematic policy management framework that better protects SDN itself and hardens existing network defense mechanisms using SDN.
More specifically, I discuss the following four security challenges in this dissertation: (1) In SDN, generating reliable network rules is challenging because SDN applications cannot be trusted and have complicated dependencies on each other. To address this problem, I analyze applications' policies and remove those dependencies by applying a grid-based policy decomposition mechanism; (2) One network rule could affect others accidentally (or through malicious users), which leads to the creation of indirect security violations. I build systematic and automated tools that analyze network rules in the data plane to detect a wide range of security violations and resolve them in an automated fashion; (3) A fundamental limitation of the current SDN protocol (OpenFlow) is a lack of statefulness, which is extremely important to several security applications such as stateful firewalls. To bring statefulness to the SDN-based environment, I come up with an innovative stateful monitoring scheme by extending existing OpenFlow specifications; (4) The existing honeynet architecture suffers from the limited functionality of its 'data control' and 'data capture'. To address this challenge, I design and implement an innovative next-generation SDN-based honeynet architecture.
Dissertation/Thesis. Doctoral Dissertation, Computer Science, 2016
|
5 |
SAMARA SOCIEDADE DE AGENTES PARA A MONITORAÇÃO DE ATAQUES E RESPOSTAS AUTOMATIZADAS / SAMARA SOCIETY OF AGENTS FOR THE MONITORING OF ATTACKS AND AUTOMATIZED ANSWERS
OLIVEIRA, Antonio Alfredo Pires, 17 June 2005
The traditional security techniques applied in computer networks try to block attacks (using firewalls) or to detect them as soon as they happen (using Intrusion Detection Systems). Both are of recognized value; however, they have limitations. In that sense, there is a need to innovate in defense techniques and tactics, as well as in the tools and technologies that complement the traditional mechanisms applied in network and computer security. One of these solutions has been the use of honeypots (network traps) to collect information, motives, tactics and tools used in malicious activities in networks and distributed systems. This research work introduces an architecture for automated incident response, called SAMARA, based on honeypots and intelligent agents, created to support the functional requirements of the decoy server and honeynet agents proposed for the NIDIA Project (Network Intrusion Detection System based on Intelligent Agents) [18], but which can be adjusted to other approaches to the detection and prevention of, and reaction to, security incidents in networks and distributed systems.
|
6 |
Scalable framework for turn-key honeynet deployment
Brzeczko, Albert Walter, 22 May 2014
Enterprise networks present very high value targets in the eyes of malicious actors who seek to exfiltrate sensitive proprietary data, disrupt the operations of a particular organization, or leverage considerable computational and network resources to further their own illicit goals. For this reason, enterprise networks typically attract the most determined of attackers. These attackers are prone to using the most novel and difficult-to-detect approaches so that they may have a high probability of success and continue operating undetected. Many existing network security approaches that fall under the category of intrusion detection systems (IDS) and intrusion prevention systems (IPS) are able to detect classes of attacks that are well-known. While these approaches are effective for filtering out routine attacks in automated fashion, they are ill-suited for detecting the types of novel tactics and zero-day exploits that are increasingly used against the enterprise.
In this thesis, a solution is presented that augments existing security measures to provide enhanced coverage of novel attacks in conjunction with what is already provided by traditional IDS and IPS. The approach enables honeypots, a class of technique that observes novel attacks by luring an attacker to perform malicious activity on a system having no production value, to be deployed in a turn-key fashion and at large scale on enterprise networks. In spite of the honeypot's efficacy against targeted attacks, organizations can seldom afford to devote capital and IT manpower to integrating them into their security posture. Furthermore, misconfigured honeypots can actually weaken an organization's security posture by giving the attacker a staging ground on which to perform further attacks. A turn-key approach is needed for organizations to use honeypots to trap, observe, and mitigate novel targeted attacks.
|
7 |
Monitorování síťových útoků pomocí systémů honeypot / Monitoring of network attacks with honeypot systems
Krula, Jiří, January 2016
This thesis focuses on the topic of honeypot technology and its use for network
attacks monitoring. It theoretically analyzes the honeypots and their variants honeynet and
honeytoken. The practical part describes how to deploy two open source solutions of
honeypot, Kippo and Dionaea.
Kippo honeypot can be classified, despite its limitations, as a high interactive
honeypot. This solution emulates the SSH service and it is primarily intended for the detection
and capture of brute force attacks on the service.
Dionaea is a honeypot designed primarily for capturing malware. It aims to capture
malware in the trap using the vulnerabilities of offered and exposed network services with the
aim to obtain a copy of the malware for subsequent analysis.
Data obtained from the real deployment of the proposed solutions are presented and
measures in relation to the SIEM instruments are proposed as well as improved security of the
protected network.
|
8 |
Honey-Pot: Systém pro detekci útoků / Honey-Pot: System for Attack Detection
Michlovský, Zbyněk, January 2007
This thesis deals with the area of honeypots and honeynets. It defines their classification and contains detailed descriptions of their properties and features. It further elaborates on several freely available systems. The main focus is given to the honeypot Nepenthes, which was run for one month on an unfiltered Internet connection. A detailed analysis of the collected data is then given.
|
9 |
Moderní služby honeypot/honeynet pro klasické informační sítě / Honeypot/Honeynet as modern services for classical information networks
Karger, David, January 2020
This work describes honeypots, their definition, classification and logging possibilities. In the practical part, honeypots are tested for the services that are most often attacked, their installation is performed and tests are made for basic familiarization with the functionality of the honeypot. Furthermore, the honeypot is exposed to the Internet and the obtained data are analyzed.
|