A case study about the use and evaluation of cyber deceptive methods against highly targeted attacks

2017 International Conference On Cyber Incident Response, Coordination, Containment & Control (Cyber Incident) Pub Date : 2017-06-19 DOI:10.1109/CYBERINCIDENT.2017.8054640

Alexandria Farar, Hayretdin Bahsi, Bernhards Blumbergs

{"title":"A case study about the use and evaluation of cyber deceptive methods against highly targeted attacks","authors":"Alexandria Farar, Hayretdin Bahsi, Bernhards Blumbergs","doi":"10.1109/CYBERINCIDENT.2017.8054640","DOIUrl":null,"url":null,"abstract":"Traditional defences such as intrusion detection systems, firewalls and antivirus software are not enough to prevent security breaches caused by highly targeted cyber threats. As many of these attacks go undetected, this paper shows the results of a case study which consists of implementation of a methodology that selects, maps, deploys, tests and monitors the deceptions for the purpose of early detection. Metrics are developed to validate the effectiveness of the deception implementation. Firstly, various deception mechanisms are mapped to the first three phases of the intrusion kill chain: reconnaissance, weaponization and delivery. Then, Red Teams were recruited to test the deceptions for two case scenarios. Applying metrics, it is shown that the deceptions in the case studies are effective in the detection of cyber threats before the target asset was exploited and successful in creating attacker confusion and uncertainty about the organization’s network topology, services and resources.","PeriodicalId":298850,"journal":{"name":"2017 International Conference On Cyber Incident Response, Coordination, Containment & Control (Cyber Incident)","volume":"50 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-06-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 International Conference On Cyber Incident Response, Coordination, Containment & Control (Cyber Incident)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CYBERINCIDENT.2017.8054640","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

Abstract

Traditional defences such as intrusion detection systems, firewalls and antivirus software are not enough to prevent security breaches caused by highly targeted cyber threats. As many of these attacks go undetected, this paper shows the results of a case study which consists of implementation of a methodology that selects, maps, deploys, tests and monitors the deceptions for the purpose of early detection. Metrics are developed to validate the effectiveness of the deception implementation. Firstly, various deception mechanisms are mapped to the first three phases of the intrusion kill chain: reconnaissance, weaponization and delivery. Then, Red Teams were recruited to test the deceptions for two case scenarios. Applying metrics, it is shown that the deceptions in the case studies are effective in the detection of cyber threats before the target asset was exploited and successful in creating attacker confusion and uncertainty about the organization’s network topology, services and resources.

查看原文本刊更多论文

针对高度针对性攻击的网络欺骗方法的使用和评估案例研究

传统的防御措施，如入侵检测系统、防火墙和杀毒软件，不足以防止由高度针对性的网络威胁造成的安全漏洞。由于许多此类攻击未被发现，本文展示了一个案例研究的结果，该案例研究包括一种方法的实施，该方法可以选择、映射、部署、测试和监控欺骗行为，以便及早发现。开发了度量来验证欺骗实现的有效性。首先，将各种欺骗机制映射到入侵杀伤链的前三个阶段:侦察、武器化和交付。然后，红队被招募来测试两种情况下的欺骗。应用度量，案例研究表明，在目标资产被利用之前，欺骗手段在检测网络威胁方面是有效的，并成功地使攻击者对组织的网络拓扑、服务和资源产生困惑和不确定性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2017 International Conference On Cyber Incident Response, Coordination, Containment & Control (Cyber Incident)

自引率

0.00%

发文量