SODA: A System for Cyber Deception Orchestration and Automation

Abstract

Active Cyber Deception (ACD) has emerged as an effective proactive cyber defense technique that can mislead adversaries by presenting falsified data and allow opportunities for engaging with them to learn novel attack techniques. Adversaries often implement their attack techniques within malware and use it as the medium to steal valuable information. Comprehensive malware analysis is required to understand the malware behaviors at technical and tactical levels to create the honey resources and appropriate ploys that can leverage this behavior and mislead malware and APT adversaries. This paper presents SODA, a cyber deception orchestration system that analyzes real-world malware, discovers attack techniques, creates Deception Playbooks, a set of deception actions, and finally orchestrates the environment to deceive malware. SODA extracts Malicious Sub-graphs (MSGs) consisting of WinAPIs from real-world malware and maps them to MITRE ATT&CK techniques. This MSG-to-MITRE mapping describes how ATT&CK techniques are implemented in malware and, as a result, guides the construction of appropriate deception actions. We conducted comprehensive evaluations on SODA with 255 recent malware samples to demonstrate end-to-end deception effectiveness. We observed an average accuracy of 95% in deceiving the malware with negligible overhead for specified deception goals and strategies. Furthermore, our approach successfully extracted MSGs with a 97% recall and our MSG-to-MITRE mapping achieved a top-1 accuracy of 88.75%. More importantly, SODA can serve as a general purpose malware deception factory to automatically produce customized deception playbooks against arbitrary malware.