Categorization of cyber security deception events for measuring the severity level of advanced targeted breaches

Teemu Väisänen

    Research output: Chapter in Book/Report/Conference proceeding > Conference article in proceedings > Scientific > peer-review

    Abstract

    Advanced attackers have become more sophisticated in their target selection, evasion of detection and monetization of breached data. Cyber deception is used for gathering information about botnets and spreading worms, and for detecting persistent external attackers hidden in the systems as well as insider threats. Decoys are resources that should not normally be accessed. They raise alerts and provide information when systems have been compromised. Decoys can be used for learning about automated malicious tools and the behavior of adversaries, as well as for slowing down attacks. This paper tries to solve the following challenges. First, deception tools usually raise alerts of only certain severity levels, which have been selected manually or hard-coded into implementations. This means that telling the difference in severity between two alerts coming from different decoys may be difficult. Second, on the other hand, alerts coming from decoys may reveal too much information to malicious administrators (insider threats). In fact, it is often not necessary to reveal the type or actual location of decoys at all. The third challenge is the difficulty of monitoring the attack phases over time. To address all three challenges, this paper proposes an automated categorization for the severity of information coming from decoys. The proposed categorization can be used together with existing cyber security deception tools (such as honeypots, honeynets or honeytokens) to provide additional information for alerts. The categorization uses a decoy severity level, which is calculated from the criticality of the locations of the actual decoy, of a bait leading to it, and of a key enabling access to the bait or the decoy. External attacks usually start against the easiest targets, but an insider threat may in fact access the most critical information right away.
    In addition, the presented categorization aims to improve situational awareness by giving more information for measuring the level of the adversaries in advanced targeted attacks, and thus helps with the third challenge. The proposed approach and categorization have been tested with a prototype including a combination of webpage-type honeytokens, URL-type baits leading to them, and encryption keys and user credentials enabling access to the baits. Two different implementation approaches have been demonstrated. The results show that combining additional severity measurement information with security alerts indeed improves situational awareness. The results of the research can be used to improve existing deception tools and ways of logging events, to create new deception tools, and to improve the information shown in various visualization tools.

    Original language: English
    Title of host publication: ECSA 2017 Proceedings of the 11th European Conference on Software Architecture
    Subtitle of host publication: Companion Proceedings
    Publisher: Association for Computing Machinery ACM
    Pages: 125-131
    Number of pages: 7
    ISBN (Electronic): 978-1-4503-5217-8
    Publication status: Published - 11 Sept 2017
    MoE publication type: A4 Article in a conference publication
    Event: 11th European Conference on Software Architecture, ECSA 2017 - Canterbury, United Kingdom
    Duration: 11 Sept 2017 to 15 Sept 2017

    Conference

    Conference: 11th European Conference on Software Architecture, ECSA 2017
    Abbreviated title: ECSA 2017
    Country/Territory: United Kingdom
    City: Canterbury
    Period: 11/09/17 to 15/09/17

    Keywords

    • Advanced targeted attacks
    • Categorization
    • Cyber deception
    • Cyber security
    • Decoys
    • Insider threat
