Cyber Deception after Detection: Safe observation environment using Software Defined Networking

BSidesLV 2019

Presented by: TORU SHIMANAKA
Date: Wednesday August 07, 2019
Time: 15:30 - 15:55
Location: Proving Ground

Many cybersecurity textbooks dictate that a compromised PC be disconnected from the network as soon as it is detected. In the case of sophisticated attacks such as an APT, however, there is significant benefit in observing how the adversary carries out the attack, understanding their TTPs and, eventually, their purpose and intentions. To realize these benefits, the observation must be conducted safely and covertly so that the adversary continues the attack.

We propose a new technique that transfers the attack into a safe observation environment without alerting the adversary, so that their activity can be observed in real time. The first step is to prepare a Deception Network (D-Net) configured identically to the Operational Network (O-Net).

After a compromise is detected, the relevant network packets are modified so that communications between the compromised PC and the O-Net are seamlessly redirected into the D-Net, minimizing any further compromise of operational data and assets. To prevent the adversary from noticing that their attack has been transferred from the O-Net to the D-Net, we employ a sophisticated and unique packet rewriting technique built on Software Defined Networking technology.
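The abstract describes redirection by rewriting packets between the compromised PC and the O-Net so that they land on a D-Net twin instead. The following is an added example, not code from the talk or from Fujitsu: it models an OpenFlow-style switch with a priority-ordered flow table and shows the two flows that such a redirect needs, a forward flow that rewrites the destination of the victim's packets to the twin, and a reverse flow that rewrites the twin's replies so the victim keeps seeing the real server's addresses. The topology (host 10.0.0.5 compromised, O-Net server 10.0.0.10 on port 2, D-Net twin 10.0.1.10 on port 3) and the `ovs-ofctl` rendering are assumptions for illustration; the talk does not specify addresses, controller or switch.

```python
"""
Constructed model of O-Net -> D-Net redirection with SDN flow rules.
Example code added to this page; not the presenter's implementation.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# --- constructed topology (assumed values, not from the talk) ----------------
COMPROMISED = {"ip": "10.0.0.5",  "mac": "02:00:00:00:00:05", "port": 1}  # victim PC
ONET_SERVER = {"ip": "10.0.0.10", "mac": "02:00:00:00:00:10", "port": 2}  # real asset
DNET_TWIN   = {"ip": "10.0.1.10", "mac": "02:00:00:00:01:10", "port": 3}  # decoy twin
# normal (pre-compromise) L3 forwarding used on table-miss
NORMAL_PORT_BY_IP = {"10.0.0.10": 2, "10.0.0.5": 1, "10.0.0.7": 4}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str
    in_port: int


@dataclass
class Flow:
    priority: int
    match: Dict[str, str]        # packet field -> required value
    set_fields: Dict[str, str]   # packet field -> rewritten value (OpenFlow set_field)
    out_port: int


class DeceptionSwitch:
    """Minimal OpenFlow-style pipeline: highest-priority matching flow wins."""

    def __init__(self, default_port_by_ip: Dict[str, int]):
        self.flows: List[Flow] = []
        self.default_port_by_ip = default_port_by_ip

    def add_flow(self, flow: Flow) -> None:
        self.flows.append(flow)
        self.flows.sort(key=lambda f: f.priority, reverse=True)

    def process(self, pkt: Packet) -> Tuple[int, Packet]:
        for flow in self.flows:
            if all(getattr(pkt, k) == v for k, v in flow.match.items()):
                return flow.out_port, replace(pkt, **flow.set_fields)
        # table-miss: ordinary forwarding, nothing rewritten
        return self.default_port_by_ip[pkt.dst_ip], pkt


def redirect_flows(victim: dict, real: dict, twin: dict) -> List[Flow]:
    """Two flows that move victim<->real traffic onto the twin, invisibly to the victim."""
    forward = Flow(priority=200,
                   match={"src_ip": victim["ip"], "dst_ip": real["ip"]},
                   set_fields={"dst_ip": twin["ip"], "dst_mac": twin["mac"]},
                   out_port=twin["port"])
    reverse = Flow(priority=200,
                   match={"src_ip": twin["ip"], "dst_ip": victim["ip"]},
                   set_fields={"src_ip": real["ip"], "src_mac": real["mac"]},
                   out_port=victim["port"])
    return [forward, reverse]


# Open vSwitch field/action names (assumed ovs-ofctl syntax, shown for illustration)
_OVS_FIELD = {"src_ip": "nw_src", "dst_ip": "nw_dst", "src_mac": "dl_src", "dst_mac": "dl_dst"}
_OVS_MOD = {"src_ip": "mod_nw_src", "dst_ip": "mod_nw_dst",
            "src_mac": "mod_dl_src", "dst_mac": "mod_dl_dst"}


def to_ovs_ofctl(flow: Flow, bridge: str = "br0") -> str:
    """Render a Flow as an `ovs-ofctl add-flow` command string."""
    match = ",".join(f"{_OVS_FIELD[k]}={v}" for k, v in flow.match.items())
    actions = ",".join(f"{_OVS_MOD[k]}:{v}" for k, v in flow.set_fields.items())
    return (f'ovs-ofctl add-flow {bridge} '
            f'"priority={flow.priority},ip,{match},actions={actions},output:{flow.out_port}"')


def demo():
    """Push the redirect and run three constructed packets through the switch."""
    sw = DeceptionSwitch(NORMAL_PORT_BY_IP)
    for f in redirect_flows(COMPROMISED, ONET_SERVER, DNET_TWIN):
        sw.add_flow(f)
    # victim -> O-Net server: must land on the twin with twin addresses
    req = Packet("10.0.0.5", "10.0.0.10", COMPROMISED["mac"], ONET_SERVER["mac"], 1)
    # twin's reply -> victim: must appear to come from the real server
    rep = Packet(DNET_TWIN["ip"], "10.0.0.5", DNET_TWIN["mac"], COMPROMISED["mac"], 3)
    # unrelated clean host -> O-Net server: must be untouched
    clean = Packet("10.0.0.7", "10.0.0.10", "02:00:00:00:00:07", ONET_SERVER["mac"], 4)
    return sw.process(req), sw.process(rep), sw.process(clean)


if __name__ == "__main__":
    for port, pkt in demo():
        print(port, pkt)
    for f in redirect_flows(COMPROMISED, ONET_SERVER, DNET_TWIN):
        print(to_ovs_ofctl(f))
```

Two practical caveats follow from the model. First, only the L2/L3 addresses are rewritten here; a real switch must also recompute IP and TCP checksums after a set-field action (Open vSwitch does), and the twin must present the same TTL, TCP options, banners and data as the original host or a careful adversary will notice the swap. Second, the twin has no state for sessions that were already established to the O-Net host, so a redirect installed mid-connection breaks those sessions; in practice the cut-over targets new connections, which is why the D-Net must already be running and identically configured before detection.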

TORU SHIMANAKA

Toru Shimanaka is a Security Researcher at Fujitsu System Integration Laboratories. Toru has over 20 years of experience developing workstations, routers and network switches as a software engineer. His interests over the past five years have been cyber ranges and cyber deception. Toru has previously presented at HICSS-52 and BSides Sendai.
