Research on Intrusion Detection Technology Based on Deception Defense

Posted by verstraete at 2020-04-05

Deception defense is a new network defense strategy that lets defenders observe attacker behaviour. By tricking attackers and malicious applications into exposing themselves, it gives researchers the data they need to design effective protective measures. Deception technology can enhance or even replace threat detection and response (TDR) products, and it provides high-quality monitoring data with a low false positive rate. Enterprise security teams building their own threat detection capability should therefore seriously consider adding deception technology to their defenses.

In the traditional view of defense, the defender must secure 100% of assets, while the attacker needs only one opening to succeed. Deception defense inverts this model: unless the attacker is 100% correct, he or she will step on a "mine". Luck now favours the defender, who needs the attacker to trip only once to learn clearly who they are and what they are doing.


How deception defense tools work

A deception defense platform has a centralized management system that creates, distributes and manages the whole deception environment and its elements: workstations, servers, devices, applications, services, protocols, data and user identities. Although these elements are virtual, they are almost indistinguishable from real assets, so they serve as bait to attract attackers.

Figure 1: How deception defense tools work

1) Security team

The security team plays an important role throughout the process: it must be clear about the organization's protection objectives and must monitor the alerts raised by the deception tools. Beyond basic deception defense, some mature organizations extend the technology to more complex scenarios such as generating local threat intelligence, threat hunting or active defense. Once a scenario is selected, the deception technology strengthens the overall defense through a few parameters: first, a large volume of deceptive asset content is generated artificially; second, a realistic environment is configured to improve the fidelity of the deception; finally, the decoy traps are deployed to the appropriate locations.

2) Deception tool

Once you have decided which type of deception activity to deploy, the next step is to produce and deploy the corresponding "traps". These can be virtual fakes, decoys and so on. Common types of deception scene include:

(1) Trap: fake network, fake VLAN and fake subnet.

(2) Decoy: fake server and PC.

(3) Honeypot: fake data, folders, documents, identities or users.

However, the complexity of each type of deception scenario is different, as shown in the following figure:

Figure 2: Complexity of different types of deception scenario

In order to create a "fake" that looks both real and trustworthy, the deception defense tool consults several of the enterprise's information repositories, such as Active Directory and the CMDB, to learn the naming conventions, asset status and other details the enterprise actually uses. Once a deception scenario is built, the tool manages its deployment through its own management system, for example via virtualization or cloud services.

3) Attacker

Attackers usually follow the stages of Lockheed Martin's "kill chain". Deploying deception products at certain stages of the attack process can expose the attacker. These stages are:

(1) Reconnaissance: an attacker usually has to contact and investigate an environment before deciding on an action. For example, by pinging and probing a server it is easy to find software versions that have not been patched. But such contact, however covert, should never happen to a deception asset.

(2) Lateral movement: at this stage the attacker moves from one asset to another. If the newly reached asset or the pivot host is part of the deception environment, the attacker will be discovered quickly.

(3) Data collection: at this stage the attacker approaches the target and gets close to the servers and folders that appear to hold valuable data. But these folders and documents are fake, and by now the system may already have warned the security team about the type of file the attacker is looking for.

(4) Delivery: this phase is the transfer of the attack payload to a designated location (e.g. via an email attachment, a website or a USB drive), but the target is a fake asset (e.g. a fake server in a decoy VLAN).


Five practice scenarios for deception defense tools

Organizations should decide which detection scenarios apply to them according to their maturity, as shown in the following figure:

Figure 3: Practice scenarios for deception defense tools


Basic threat detection

The simplest deception scenario provides basic threat detection by deploying simple trigger sensors and controls that are normally never touched.

This scenario suits small and medium-sized enterprises and provides basic alerts on potential threats inside the enterprise. Some enterprises already have a SIEM; in that case deception tools can feed the SIEM high-value data to supplement its detection coverage. For enterprises that have not yet deployed any detection tooling, deception tools may be the first step toward an effective threat detection capability.

Although these deception products are low-interaction and low-fidelity, they still detect immature attackers effectively. Such scenes have the following characteristics:

Table 1: Basic threat detection practice scenario


Advanced threat detection and response

As attacker tradecraft becomes more sophisticated, low-interaction deception tools remain acceptable, but high-fidelity deception tools are becoming more and more important. Enterprises can look for vendors whose high-fidelity deception tools integrate with EDR, firewall and SOAR products.

The advanced threat detection and response scenario suits small and medium-sized enterprises that want to start doing threat detection and response in-house. SMEs usually do not have SIEM, UEBA or security orchestration, automation and response (SOAR) tools. At the same time, this scenario also suits more mature organizations that want to fill gaps in their current security detection.

Because deception tools have a low false alarm rate, enterprises can easily enable automated actions to stop an attack in time, for example isolating the endpoint or closing the port on the firewall without first sending the event to the SIEM or SOC for triage and response.

The advanced threat detection and response scenario has the following characteristics:

Table 2: Advanced threat detection and response practice scenarios


Output IOCs and MRTI

In this scenario the attackers are observed closely to understand how they operate and to produce valuable local threat intelligence for the enterprise. It is better suited to mature organizations, which usually already have a threat intelligence analysis team.

Such a mature organization can look for deception tools that offer high interaction and high fidelity. It also needs tools that generate local threat intelligence, automatically or with analyst guidance, by observing attacker behaviour. The whole process covers how the intelligence is structured (STIX) and how it is transmitted (TAXII).

Such scenes have the following characteristics:

Table 3: Output IOCs and MRTI practice scenario


Integrated active threat hunting

Proactive threat hunting usually starts from a hypothesis that needs to be tested, for example "is there an attacker hiding here?", "if I were an attacker, I would operate like this" or "check whether the attacker has a foothold on our intranet".

A targeted deception campaign can find hidden attackers, especially when the deception tool offers an irresistible decoy. This scenario suits very mature organizations that have a stable SOC and want to enhance the security team's threat hunting capability.

Threat hunting is usually a highly interactive and dynamic activity, so the hunter's idle time must be kept to a minimum. Deception is a very effective tool for supporting continuous, active and non-time-sensitive threat hunting.

Such scenes have the following characteristics:

Table 4: Integrated active threat hunting practice scenario


Active attack defense

In this scenario the deception tool builds a battlefield that favours the defenders and leads the attackers onto it.

This scenario suits only very mature organizations with a strong SOC, strong threat intelligence and threat detection functions, and rich experience in penetration testing and other red/blue-team exercises. In effect, the organization must be able to build a battlefield and engage the attacker in real time at any moment.

Here the enterprise looks for a vendor that provides high-interaction, high-fidelity deception tools. The flexibility of the platform is key, as is API-driven programmability.

Such scenes have the following characteristics:

Table 5: Active attack defense practice scenario


Security value of deception defense technology


Threat detection without big data

Deception tools detect threats by monitoring access to planted "right data", which is quite different from SIEM, UEBA or NTA technologies that must dig threats out of "big data". Deception relies on the right data rather than on big data.

So far, threat detection has relied mainly on big data methods. These require the enterprise to collect as much monitoring data as possible from every corner and analyze the whole data set to expose potential threats. This approach has proved valuable, but it comes at a cost: log centralization, log storage and log analysis all consume significant resources.

Deception defense approaches threat detection differently. Deception tools spread fakes and decoys throughout the organization; as soon as an attacker interacts with one of them, the security staff receive information about the attacker. Take the micro honeypot of sinomeni cloud as an example: it lets a host listen on every port, which widens the monitoring range. With a low-cost, wide-coverage honeypot configuration, the probability of discovering an attack increases greatly.


Tip the balance of luck toward the defender

Normally the defender must be 100% correct, while the attacker only needs the luck to find one vulnerability to gain the upper hand. Deception gives the defender the advantage instead. For example, during reconnaissance, even if most of the work is done offline, the attacker still has to touch some systems at random. These light touches will not trigger SIEM or UEBA alerts, but if any of the systems touched carries deception content, the attack is discovered. The attacker now needs to be especially lucky to reach the goal.

In addition, for organizations that worry about being breached despite the detection solutions they already have, deception may be the only way to find the attacker. When the existing detection solution cannot see the attacker's operational behaviour, or when UEBA judges that behaviour to be normal, deployed deception artifacts may be the only way to catch the attacker. Here too, deception skews luck toward the defender.


Reduce false alarms and make work more effective

By design, deception defenses stay silent until something touches them. This differs from most security solutions, which are designed to analyze all activity, so that any misjudgment of benign activity becomes a false positive.

In a few cases false positives can still occur. For example, a vulnerability management scanner may stumble on the deception systems, touch them and raise a false positive. This is solved by whitelisting the scanner's addresses.

Generally speaking, deception tools produce fewer false positives than many other detection methods, but their coverage is not complete. Deploying deception everywhere is too expensive and impractical, so security staff must balance the density of deception systems against deployment and operating costs, based on coverage requirements and budget.
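To make the micro honeypot idea and the scanner whitelist concrete, here is an added example (my own illustration, not code from the original article or any product it mentions): a minimal low-interaction decoy that listens on a few bait ports, records every touch, and suppresses touches from an allowlisted scanner range so they never become false positives. The port numbers and the 10.0.9.0/24 scanner range are constructed for the example.

```python
import ipaddress
import socket
import threading
import time

# Constructed sample: address ranges of the organisation's authorised
# vulnerability scanners. Touches from here are expected and not alerted on.
SCANNER_ALLOWLIST = [ipaddress.ip_network("10.0.9.0/24")]

def classify(src_ip, allowlist=SCANNER_ALLOWLIST):
    """Return 'suppressed' for an allowlisted scanner, 'alert' for anyone else.
    No real service lives on a decoy port, so any other touch is suspicious."""
    addr = ipaddress.ip_address(src_ip)
    return "suppressed" if any(addr in net for net in allowlist) else "alert"

def process_events(events, allowlist=SCANNER_ALLOWLIST):
    """Turn raw decoy touches, given as (src_ip, port) pairs, into alert records."""
    return [{"src": src, "port": port, "severity": "high"}
            for src, port in events if classify(src, allowlist) == "alert"]

def decoy_listener(port, events, stop):
    """Accept connections on one decoy port, record who touched it, reply nothing."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        srv.settimeout(0.5)          # wake up regularly to check the stop flag
        while not stop.is_set():
            try:
                conn, (src, _) = srv.accept()
            except socket.timeout:
                continue
            with conn:
                events.append((src, port))   # low interaction: close immediately

if __name__ == "__main__":
    # Hypothetical bait ports: nothing legitimate should ever connect to them.
    DECOY_PORTS = (2222, 3390, 8081)
    events, stop = [], threading.Event()
    for p in DECOY_PORTS:
        threading.Thread(target=decoy_listener, args=(p, events, stop), daemon=True).start()
    time.sleep(60)                   # collect touches for one minute
    stop.set()
    for alert in process_events(events):
        print("DECOY TOUCH", alert)
```

Running it prints one alert per non-allowlisted touch; in practice the alert records would be forwarded to the SIEM or SOAR rather than printed.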

Concluding remarks:

This paper has briefly introduced an intrusion detection technique based on deception defense. Enterprises can use deception tools as an alternative to conventional threat detection and greatly improve the quality of their alerts. They should select the scenarios that match the maturity of their TDR function and identify the tool features that fit their situation.

Of course, deception technology still has limitations. The most important is infrastructure coverage: any asset without deployed deception controls receives no corresponding protection. Malicious insiders who already understand the environment can attack precisely, without the random and risky reconnaissance stage. An organization must weigh and accept its level of deception coverage against the resources available, especially when deception is the only threat detection tool deployed.