Categorization of cyber security deception events for measuring the severity level of advanced targeted breaches

Teemu Väisänen

Research output: Chapter in Book/Report/Conference proceeding > Conference article in proceedings > Scientific > peer-review

Abstract

Advanced attackers have become more sophisticated in their target selection, evasion of detection and monetization of breached data. Cyber deception is used for gathering information about botnets and spreading worms, and for detecting persistent external attackers hidden in systems as well as insider threats. Decoys are resources that should not normally be accessed; they raise alerts and provide information when systems have been compromised. Decoys can be used to learn about automated malicious tools and the behavior of adversaries, as well as to slow down attacks. This paper addresses the following three challenges. First, deception tools usually raise alerts of only certain severity levels, which have been selected manually or hard-coded into the implementations, so telling the difference in severity between two alerts coming from different decoys may be difficult. Second, alerts coming from decoys may reveal too much information to malicious administrators (insider threats); in many cases it is not necessary to reveal the type or actual location of the decoys at all. Third, monitoring the attack phases over time is difficult. To address all three challenges, this paper proposes an automated categorization of the severity of information coming from decoys. The proposed categorization can be used together with existing cyber security deception tools (such as honeypots, honeynets or honeytokens) to provide additional information for alerts. The categorization uses a decoy severity level, which is calculated from the criticality of the locations of the actual decoy, of a bait leading to it, and of a key enabling access to the bait or the decoy. External attacks usually start against the easiest targets, but an insider threat may access the most critical information right away.
In addition, the presented categorization aims to improve situational awareness by giving more information for measuring the level of the adversaries in advanced targeted attacks, thus helping with the third challenge. The proposed approach and categorization have been tested with a prototype combining webpage-type honeytokens, URL-type baits leading to them, and encryption keys and user credentials enabling access to the baits. Two different implementation approaches have been demonstrated. The results show that combining additional severity measurement information with security alerts indeed improves situational awareness. The results of the research can be used to improve existing deception tools and the logging of events, to create new deception tools, and to improve the information shown in various visualization tools.

Original language: English
Title of host publication: ECSA 2017 Proceedings of the 11th European Conference on Software Architecture
Subtitle of host publication: Companion Proceedings
Publisher: Association for Computing Machinery ACM
Pages: 125-131
Number of pages: 7
ISBN (Electronic): 978-1-4503-5217-8
DOIs: 10.1145/3129790.3129805
Publication status: Published - 11 Sep 2017
MoE publication type: A4 Article in a conference publication
Event: 11th European Conference on Software Architecture, ECSA 2017 - Canterbury, United Kingdom
Duration: 11 Sep 2017 - 15 Sep 2017

Conference

Conference: 11th European Conference on Software Architecture, ECSA 2017
Abbreviated title: ECSA 2017
Country: United Kingdom
City: Canterbury
Period: 11/09/17 - 15/09/17

Fingerprint

Cryptography
Websites
Information systems
Visualization
Monitoring
Botnet

Keywords

  • Advanced targeted attacks
  • Categorization
  • Cyber deception
  • Cyber security
  • Decoys
  • Insider threat

Cite this

Väisänen, T. (2017). Categorization of cyber security deception events for measuring the severity level of advanced targeted breaches. In ECSA 2017 Proceedings of the 11th European Conference on Software Architecture: Companion Proceedings (pp. 125-131). Association for Computing Machinery ACM. https://doi.org/10.1145/3129790.3129805