HOW COULD DECEIVING TECHNIQUES BE USED AGAINST CYBER ATTACKS
FADI ABU ZUHRI
INTRODUCTION
Deception refers to actions deliberately performed by a sender to give the receiver a belief different from what the sender considers to be true, to the disadvantage of the receiver. It involves planned actions that present false information to the attacker so that the attacker's own actions advance the defense of the computer system (Spafford, 2016). Deceiving techniques are techniques that falsify the perception of reality. They may be deliberate, accidental, or self-induced. Deliberate deception has been used as a defense of a system, especially when the deception is intended to disadvantage the attacker. In most situations deception includes both hiding the real (dissimulation) and showing the false (simulation). Deceiving techniques used against cyber attacks include masking, repackaging, dazzling, mimicking, inventing, and decoying (Almeshekah, 2015; Spafford, 2016). This article explores how these techniques may be used against cyber attacks.
MASKING
In masking, the real is hidden by ensuring that the relevant object goes undetected and, in some cases, blends into an irrelevant background. A private message sent to a group email could be written in a white font on a white background. There are also cases where malicious JavaScript is embedded as white space inside benign-looking JavaScript (Almeshekah & Spafford, 2014).
Attackers have used masking to hide damaging scripts by giving the text the same colour as its background. Defensively, hiding software and services makes it possible for the user to conceal which services are running, especially once suspicious activity is noticed.
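The white-on-white trick described above can be checked for mechanically on the receiving side. The following finder is an added example written for this article, not code from the article or from the cited authors: it parses HTML, tracks the effective text and background colours down the element tree, and reports any text whose colour equals its background. The sample HTML and the small colour table are constructed for the example.

```python
"""Finder for masked (same-colour) text in HTML e-mail (added example; not
from the article). Flags text whose effective colour equals its effective
background colour. The sample HTML under __main__ is constructed.
"""
import re
from html.parser import HTMLParser

# Small constructed table; a production checker would carry the full CSS list.
NAMED_COLOURS = {"white": "#ffffff", "black": "#000000", "red": "#ff0000"}
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}


def normalise_colour(value):
    """Map 'white', '#fff', '#FFFFFF' and 'rgb(255,255,255)' to '#ffffff'."""
    v = value.strip().lower()
    v = NAMED_COLOURS.get(v, v)
    short = re.fullmatch(r"#([0-9a-f]{3})", v)
    if short:
        return "#" + "".join(c * 2 for c in short.group(1))
    rgb = re.fullmatch(r"rgb\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)", v)
    if rgb:
        return "#%02x%02x%02x" % tuple(min(255, int(x)) for x in rgb.groups())
    return v


def parse_style(style):
    """'color: white; background-color:#fff' -> {'color': 'white', ...}"""
    decls = {}
    for decl in style.split(";"):
        prop, sep, val = decl.partition(":")
        if sep:
            decls[prop.strip().lower()] = val.strip()
    return decls


class MaskedTextFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self._stack = []   # (tag, fg, bg) per open element; colours inherit downward
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        fg, bg = self._stack[-1][1:] if self._stack else (None, None)
        style = parse_style(attrs.get("style") or "")
        # Inline style wins over the legacy color= / bgcolor= attributes.
        colour = style.get("color") or attrs.get("color")
        background = (style.get("background-color") or style.get("background")
                      or attrs.get("bgcolor"))
        if colour:
            fg = normalise_colour(colour)
        if background:
            bg = normalise_colour(background)
        if tag not in VOID_TAGS:
            self._stack.append((tag, fg, bg))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy nesting.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        text = data.strip()
        if text and self._stack:
            _, fg, bg = self._stack[-1]
            if fg is not None and fg == bg:
                self.hits.append(text)


def find_masked_text(html):
    """Return the list of text runs whose colour matches their background."""
    finder = MaskedTextFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    sample = ('<html><body style="background-color:#FFFFFF"><p>Hello</p>'
              '<p style="color:white">hidden text</p>'
              '<span style="color:#000">visible</span></body></html>')
    print(find_masked_text(sample))   # constructed sample: ['hidden text']
```

Only exact colour equality is flagged; near-matches (#fefefe on #ffffff) and colours set by external stylesheets are deliberately out of scope for this toy.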
REPACKAGING
Repackaging hides the real by making an object appear different from what it actually is. An example is a cyber-attack message given a bold, friendly and official-looking headline to lure the receiver into opening it. In other cases, an anonymous remailer may be used to replace the real identity of the sender of an email message.
Repackaging techniques may be used as a defense mechanism, but attackers also use them to deceive users. For example, Cross-Site Scripting (XSS) uses repackaging when a dangerous post is presented as harmless so as to steal the cookies of users who view it. Repackaging is also used in Cross-Site Request Forgery (XSRF), where the attacker lures the user to an attractive web page that silently makes the user's browser take part in unwanted actions. Further, some attackers pose as anti-virus software so as to deceive users into installing it and thereby take control of their machines (Almeshekah & Spafford, 2014).
As a defense mechanism, repackaging may create "Honey-files": files presented as normal files that raise an alarm to the system administrators when an attacker accesses them. Honey-files may also be used by attackers, who plant files with enticing names on computer systems; these beacon back when a user accesses them.
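The defensive use of Honey-files comes down to two parts: planting decoys, and raising an alarm when anything other than an approved process touches them. The monitor below is an added example written for this article (not code from the article or its sources). The "key=value" access-record format, the allow-listed process names and the decoy contents are all constructed for the example; a real deployment would feed it records from its own file-audit source.

```python
"""Honey-file access alarm (added example; not code from the article).

A honey-file is a decoy that no legitimate user or process should ever
open. This example plants decoys, keeps a registry of their paths, and
turns file-access records into alerts. The record format ("key=value"
tokens) is constructed for this example, not the output of a real audit
tool; adapt parse_access_record() to your own audit source.
"""
import os
import tempfile
from dataclasses import dataclass

# Processes allowed to touch every file (backup, AV scans). Hypothetical
# names; anything else opening a honey-file is treated as an intrusion signal.
ALLOWED_PROCESSES = {"backup-agent", "av-scanner"}

# Constructed decoys: enticing names, obviously fake contents.
DECOYS = {
    "passwords.txt": "admin: Summer2017!   (decoy file, not a real credential)\n",
    "payroll_2017.xlsx": "DECOY SPREADSHEET\n",
}


@dataclass(frozen=True)
class Alert:
    path: str
    user: str
    process: str
    timestamp: str


def plant_honeyfiles(directory, decoys=DECOYS):
    """Write the decoy files into `directory`; return their absolute paths."""
    planted = set()
    for name, body in decoys.items():
        path = os.path.join(directory, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        planted.add(os.path.abspath(path))
    return planted


def plant_in_tempdir():
    """Plant the decoys in a fresh temporary directory (handy for a dry run)."""
    return plant_honeyfiles(tempfile.mkdtemp(prefix="honeyfiles-"))


def parse_access_record(line):
    """Parse 'ts=... user=... proc=... op=... path=...' into a dict.
    Returns None for malformed lines. Paths containing spaces are not
    supported by this toy format."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            return None
        fields[key] = value
    required = {"ts", "user", "proc", "op", "path"}
    return fields if required.issubset(fields) else None


def alerts_from_records(lines, honeyfiles, allowed=ALLOWED_PROCESSES):
    """One Alert for every open/read of a registered honey-file by a process
    that is not on the allow list."""
    alerts = []
    for line in lines:
        rec = parse_access_record(line)
        if rec is None:
            continue                      # never let a bad line stop the monitor
        if rec["op"] not in ("open", "read"):
            continue
        if os.path.abspath(rec["path"]) not in honeyfiles:
            continue
        if rec["proc"] in allowed:
            continue
        alerts.append(Alert(rec["path"], rec["user"], rec["proc"], rec["ts"]))
    return alerts


if __name__ == "__main__":
    # Constructed sample records checked against a constructed registry.
    registry = {"/srv/share/passwords.txt", "/srv/share/payroll_2017.xlsx"}
    sample = [
        "ts=2017-06-11T10:00:01Z user=alice proc=explorer op=open path=/srv/share/report.docx",
        "ts=2017-06-11T10:05:00Z user=svc proc=backup-agent op=read path=/srv/share/passwords.txt",
        "ts=2017-06-11T10:07:12Z user=bob proc=cmd.exe op=read path=/srv/share/passwords.txt",
    ]
    for alert in alerts_from_records(sample, registry):
        print("ALERT honey-file accessed:", alert)
```

The allow list is what keeps the alarm quiet in normal operation: backup and anti-virus jobs read every file, so without it the decoy would fire on every scheduled scan and the alert would soon be ignored.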
DAZZLING
Dazzling is a technique that induces confusion, for example through obfuscation and randomization of the identified elements. It hides the real by making identification of the object less certain through confusion about its true nature. An example is an encrypted channel, which uses obfuscation to hide the message even though the message is sent in the clear view of an observer. The Honeywords proposal is a dazzling scheme that hides the real password in a list of several fake passwords, giving the attacker many passwords to choose from, only one of which is the true one. If an attacker uses any of the stolen fake passwords on the system, an alarm is generated to alert the administrators that the passwords have been stolen (Juels & Rivest, 2013).
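The Honeywords mechanism is small enough to show end to end. The code below is an added example modelled on the Juels & Rivest (2013) scheme; it is not the authors' code and not code from this article. Each account stores the real password plus several decoy "honeywords", all salted and hashed; a separate honeychecker holds only the index of the real one, so a stolen password file does not reveal which entry is genuine. The decoy generator is a simplified version of the paper's "chaffing by tweaking digits". User names and passwords are constructed sample values.

```python
"""Honeywords login check (added example modelled on Juels & Rivest 2013;
not code from the article).

Each account stores k sweetwords: the real password plus k-1 decoy
honeywords, all salted and hashed. A separate honeychecker holds only the
index of the real one. A login matching a decoy means the password file
was stolen and cracked offline, so it raises an alarm.
"""
import hashlib
import hmac
import secrets
import string

PBKDF2_ROUNDS = 50_000   # lowered from production values to keep the demo fast


def hash_sweetword(word, salt):
    return hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, PBKDF2_ROUNDS)


def tweak_digits(password, n, max_tries=1000):
    """Simplified 'chaffing by tweaking digits': re-randomise every digit of
    the password to make n distinct decoys that look like the original. If the
    password has no digits, two random digits are appended instead."""
    decoys = set()
    tries = 0
    while len(decoys) < n and tries < max_tries:
        tries += 1
        if any(c.isdigit() for c in password):
            cand = "".join(secrets.choice(string.digits) if c.isdigit() else c
                           for c in password)
        else:
            cand = password + "%02d" % secrets.randbelow(100)
        if cand != password:
            decoys.add(cand)
    return sorted(decoys)


class HoneyChecker:
    """Knows only user -> index of the real sweetword. In the real scheme this
    runs on a separate, hardened host, so the password file alone is useless."""

    def __init__(self):
        self._real_index = {}
        self.alarms = []

    def register(self, user, index):
        self._real_index[user] = index

    def check(self, user, index):
        if self._real_index.get(user) == index:
            return True
        self.alarms.append(user)        # decoy hit: password file compromised
        return False


class PasswordStore:
    def __init__(self, checker, decoys_per_user=4):
        self.checker = checker
        self.k = decoys_per_user
        self._rows = {}                 # user -> (salt, [hash_0, ..., hash_k])

    def enroll(self, user, password, decoys=None):
        decoys = list(decoys) if decoys is not None else tweak_digits(password, self.k)
        real_index = secrets.randbelow(len(decoys) + 1)
        sweetwords = decoys[:real_index] + [password] + decoys[real_index:]
        salt = secrets.token_bytes(16)
        self._rows[user] = (salt, [hash_sweetword(w, salt) for w in sweetwords])
        self.checker.register(user, real_index)

    def login(self, user, password):
        """Return 'ok', 'fail', or 'alarm' (a honeyword was presented)."""
        row = self._rows.get(user)
        if row is None:
            hash_sweetword(password, b"\x00" * 16)   # same cost for unknown users
            return "fail"
        salt, hashes = row
        presented = hash_sweetword(password, salt)
        for index, stored in enumerate(hashes):
            if hmac.compare_digest(presented, stored):
                return "ok" if self.checker.check(user, index) else "alarm"
        return "fail"


if __name__ == "__main__":
    checker = HoneyChecker()
    store = PasswordStore(checker)
    store.enroll("alice", "Summer2017")            # constructed sample account
    print(store.login("alice", "Summer2017"))      # ok
    print(store.login("alice", "Summer9999"))      # alarm if 9999 is a decoy, else fail
    print("alarms:", checker.alarms)
```

Two details matter for the scheme to hold up: the decoys must be indistinguishable from the real password (which is why they are derived from it rather than drawn at random), and the real index must never sit next to the hashes, otherwise whoever steals the file also learns which entry to crack.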
MIMICKING
Mimicking is a simulation technique that shows the false by imitating the relevant traits of a real object. For instance, an attack could use a web page that appears valid and similar to that of a reputable firm, yet is a malicious web page set up by an attacker.
To offer defense against attackers, mimicking software and services may be applied to a system so that it mimics the responses of another system. For example, the system would respond as though it were Windows XP, yet it is Windows 7. The attackers' resources are then wasted exploiting Windows XP instead of Windows 7 (Murphy, McDonald, & Mills, 2010).
INVENTING
The inventing simulation technique shows the false by creating the perception that relevant objects exist when in reality they do not. Inventing has been used in Honeypots, where a Honeypot presents the appearance of a subnet of machines with specific addresses when in fact there is no real system at those IP addresses.
Honeypots have been used widely in several security applications, such as the detection of spam and the inhibiting of spamming activity. They have also been used in the analysis of malware and in securing databases. Today, Honeypots are also applied in mobile environments. The two major types are client and server Honeypots. Client Honeypots are vulnerable-looking user agents that actively interact with many servers so as to detect compromised systems; when one is detected, the client Honeypot sends information about the infected users to the server. Server Honeypots, on the other hand, hold no vital information and may be built to appear vulnerable so as to entice attackers into attacking them. In security systems, Honeypots have been applied to the detection of attacks, the prevention of attacks, research, and the provision of the required response (Almeshekah & Spafford, 2014).
In the detection of attacks, Honeypots are used in mechanisms such as intrusion detection systems, where they detect more accurately than traditional mechanisms (Almeshekah & Spafford, 2014). Honeypots generate little logging data, since they are not used for daily operations, so their interactions tend to be illicit. Shadow Honeypots, for example, have yielded positive results when used in a detection architecture: anomaly-detection sensors are placed next to the system and decide where a given request is sent. Several security systems have attempted to integrate Honeypots with the real system by diverting suspicious traffic to the shadow system for further investigation. Honeypots have also been used to detect wide-scale attacks on a system.
Studies on the prevention of cyber-attacks indicate that Honeypots are useful because they slow attackers down and in some cases hinder their activities. Dormant IP is an example of a Honeypot that slows the attacker down by interacting with them. A study by Chen et al. (2008) reported that deception toolkits may confuse attackers, hinder them from reaching the server, and even push some risk back onto the attacker's side. Honeypots use traps and enticements to protect the system. Other studies in the field report the use of Honeypots for deterrence: Honeypots protect the system by hindering the attacker's access. The success of Honeypots has led to the creation of anti-Honeypot mechanisms, which in turn use methods that offer deterrence.
Honeypots are effective in providing a response. Because a Honeypot is independent of the production system, it can be analyzed and disconnected easily after a continuous attack on it without hindering the production system. In forensic analysis, Honeypots are useful because they preserve the state the attacker left on the system, giving room to analyze what happened (Almeshekah & Spafford, 2014).
In research, Honeypots are used to look for new types of malware and analyze them. Depending on the type of attack, it is then possible to develop a security tool that improves security. For example, Honeypots have been used to derive security signatures. Tools designed to capture malware include Dionaea, which stores the identity of the captured malware. Honeypots also offer a deep understanding of the most common types of attack.
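The shadow Honeypot arrangement just described, as an added example written for this article (not the article's or the cited authors' code): an anomaly sensor scores each request, normal requests go straight to the production handler, and suspicious ones are diverted to a shadow instance that runs the same handler on a copy of the application state under extra checks, committing the copy only if the request turned out to be harmless. The request objects, the scoring heuristics, the threshold and the invariant the shadow enforces (a hypothetical maximum path length and a no-NUL-byte rule) are all constructed for the example.

```python
"""Shadow-Honeypot request router (added example; not from the article).

Anomaly sensors sit in front of the application. Requests that look normal
go straight to production; suspicious ones are diverted to a shadow
instance: the same handler run on a copy of the state under extra checks,
whose writes are committed only when nothing bad happened.
"""
import copy
import re
from dataclasses import dataclass
from urllib.parse import unquote

MAX_PATH = 256                                   # hypothetical invariant for the shadow
ATTACK_PATTERNS = re.compile(r"%00|\.\./|<script", re.IGNORECASE)


@dataclass
class Request:
    method: str
    path: str
    body: str = ""


@dataclass
class Response:
    status: int
    body: str = ""


def anomaly_score(req):
    """Cheap sensor: 0.0 (normal) .. 1.0 (very suspicious). Heuristics only."""
    score = 0.0
    if req.method not in ("GET", "POST"):
        score += 0.4
    if len(req.path) > 128:
        score += 0.3
    odd = sum(1 for c in req.path if not (c.isalnum() or c in "/-_.?=&"))
    score += min(0.4, 0.05 * odd)
    if ATTACK_PATTERNS.search(req.path + req.body):
        score += 0.5
    return min(score, 1.0)


class App:
    """Toy application with mutable state: a view counter and a note list."""

    def __init__(self):
        self.state = {"views": 0, "notes": []}

    def handle(self, req, state):
        # The handler mutates whichever state dict it is given, so the shadow
        # can run it on a copy without touching production.
        if req.method == "POST" and req.path == "/note":
            state["notes"].append(req.body)
            return Response(201)
        state["views"] += 1
        return Response(200, "page " + req.path)


class Shadow:
    """Instrumented twin: extra checks, then the real handler on a state copy."""

    def __init__(self, app):
        self.app = app
        self.detected = []

    def handle(self, req, state):
        decoded = unquote(req.path) + req.body
        if len(req.path) > MAX_PATH or "\x00" in decoded:
            self.detected.append(req)            # attack caught: discard it
            return None, state
        trial = copy.deepcopy(state)
        return self.app.handle(req, trial), trial


class Router:
    def __init__(self, app, threshold=0.5):
        self.app = app
        self.shadow = Shadow(app)
        self.threshold = threshold
        self.diverted = 0

    def route(self, req):
        if anomaly_score(req) < self.threshold:
            return self.app.handle(req, self.app.state)
        self.diverted += 1
        resp, new_state = self.shadow.handle(req, self.app.state)
        if resp is None:
            return Response(400, "rejected")
        self.app.state = new_state                # commit only a clean run
        return resp


if __name__ == "__main__":
    router = Router(App())
    print(router.route(Request("GET", "/index")))                 # production path
    print(router.route(Request("GET", "/a" * 200 + "%00")))       # diverted, rejected
    print(router.state if hasattr(router, "state") else router.app.state)
```

The split keeps the expensive checks and the state rollback off the hot path: only the small fraction of traffic the sensor flags pays for them, which is the point of putting the shadow beside, rather than in front of, the production system.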
DECOYING
Decoying is a simulation technique that draws attention away from the relevant objects. It has been used where a web page is given false yet believable information about some basic systems so as to draw the user's attention away from the source of the real data. In some cases, Honeypots make the attacker believe that one system of an organization is vulnerable, thus capturing the attacker's attention (Carroll & Grosu, 2011).
CONCLUSION
Deceiving techniques have been used widely to protect against cyber attacks. A single deception may combine dissimulation and simulation techniques, hiding the real while making sure the false is seen by the attacker. The attacker's pattern of behaviour needs to be analyzed to settle on the specific deceiving technique to use. Applying the deceiving techniques discussed in this article will offer a system defense against attackers.
While finding evidence is key, doing so legally is equally important. The use of deceiving techniques to catch a criminal may be considered illegal in certain jurisdictions; for example, an intruder could claim that a Honeytrap amounted to entrapment. Privacy issues also need to be considered (Yasinsac & Manzano, 2002).
1. Al Kawasmi, E., Arnautovic, E., & Svetinovic, D. (2015). Bitcoin-Based Decentralized Carbon Emissions Trading Infrastructure Model. Systems Engineering, 18(2), 115-130.
2. Almeshekah, J. (2015). Using Deception to Enhance Security: A Taxonomy, Model and Novel Uses. PhD thesis, Purdue University.
3. Almeshekah, M., & Spafford, E. (2014). Using Deceptive Information in Computer Security Defenses. International Journal of Cyber Warfare and Terrorism, 4(3), 46-58.
4. Baur, A. W., Bühler, J., Bick, M., & Bonorden, C. S. (2015). Cryptocurrencies as a Disruption? Empirical Findings on User Adoption and Future Potential of Bitcoin and Co. In Conference on e-Business, e-Services and e-Society (pp. 63-80). Springer International Publishing.
5. Burniske, C., & White, A. (2017, January). Bitcoin: Ringing the Bell for a New Asset Class. Retrieved 2017, from Ark Invest: http://research.ark-invest.com/bitcoin-asset-class
6. Carroll, T., & Grosu, D. (2011). A Game Theoretic Investigation of Deception in Network Security. Security and Communication Networks, 4(10), 1162-1172.
7. Chen, X., Andersen, J., Mao, Z., & Bailey, M. (2008). Towards an Understanding of Anti-Virtualization and Anti-Debugging Behavior in Modern Malware. IEEE International Conference on Dependable Systems and Networks (pp. 177-186).
8. Clinton, P. (2014, March). Driving a Drug Dealer's Car. Retrieved 2017, from http://www.government-fleet.com/channel/procurement/article/story/2014/03/driving-a-drug-dealer-s-car.aspx
9. Gao, X., Clark, G. D., & Lindqvist, J. (2016). Of Two Minds, Multiple Addresses, and One Ledger: Characterizing Opinions, Knowledge, and Perceptions of Bitcoin Across Users and Non-Users. Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems (pp. 1656-1668). Santa Clara, California.
10. Juels, A., & Rivest, R. (2013). Honeywords: Making Password-Cracking Detectable. SIGSAC Conference on Computer & Communications Security (pp. 145-160). ACM.
11. Kostakis, V., & Giotitsas, C. (2014). The (A)political Economy of Bitcoin. Communication, Capitalism & Critique. Open Access Journal for a Global Sustainable Information Society, 12(2), 431-440.
12. Lopez, G. (2016, September 24). You Are Way More Likely to Be Killed by Deer Than by Sharks, Bears, and Gators Combined. Retrieved 2017, from https://www.vox.com/2016/9/24/13032272/killer-animals-deer-sharks-bears
13. Muncaster, P. (2017, June 15). World's Largest Bitcoin Exchange Bitfinex Crippled by DDoS. Retrieved 2017, from https://www.infosecurity-magazine.com/news/worlds-largest-bitcoin-exchange/
14. Murphy, S., McDonald, J., & Mills, R. F. (2010). An Application of Deception in Cyberspace: Operating System Obfuscation. 5th International Conference on Information Warfare and Security (pp. 241-249).
15. Rogojanu, A., & Badea, L. (2014). The Issue of Competing Currencies. Case Study: Bitcoin. Theoretical and Applied Economics, 21(1), 103-114.
16. Spafford, E. (2016). Some Musings on Cyber Security by a Cyber-Iconoclast. UNH Alvine Lecture. Retrieved June 11, 2017, from https://m.youtube.com/watch?v=LPBlCJ0zEJc
17. Yasinsac, A., & Manzano, Y. (2002). Honeytraps, a Network Forensic Tool. Sixth Multi-Conference on Systemics, Cybernetics and Informatics. Orlando, Florida, USA.