decoy documents

Upload: nullhyd-null0x00

Post on 26-Jun-2015


DESCRIPTION

Null HYD July 2014 meet

TRANSCRIPT

Page 1: Decoy documents


By: Dastagiri, Software Engineer. @dast999 | [email protected]

Decoy Documents

Page 2: Decoy documents

Contents


- Introduction to decoy documents
- Threat Model
- Generating and Distributing bait
- Questions

Page 3: Decoy documents

Introduction to decoy documents

Decoy Document: "An on-demand, machine-generated document. It contains content that entices the attacker into stealing bogus information."

Contains:

- Different types of bogus credentials (honeytokens)
- Stealthy beacons
- Embedded markers

Development: Intrusion Detection Systems Lab, Columbia University


Page 4: Decoy documents


Introduction to decoy documents

Basic Idea: the insider attack.

- Detect insider actions against the enterprise system as well as against individual hosts and laptops
- Report back to a control server, or alert administrators directly
- Configure the system and set policies through a management platform

Page 5: Decoy documents

Introduction to decoy documents

Existing solutions:

- Blocking exfiltration
- Prevention techniques
  - User modeling and profiling techniques, e.g. anomaly detection, honeypots, etc.
  - Policy and access enforcement techniques, e.g. limiting the scope of access, misuse detection

Proposed solutions:

- Monitoring and detection techniques, which come into play when prevention techniques fail
- Trap-based defense mechanisms
- Preventive disinformation attack


Page 6: Decoy documents


Threat Model

1. Insider threats
   - Malicious insiders: traitors, masqueraders, attacks (e.g., viruses and worms)
   - Non-malicious insiders
2. Outsider threats
   - Outsiders with internal network access
   - Attacks (e.g., spyware and rootkits)

Page 7: Decoy documents

Threat Model

Level of sophistication of the attacker:

1. Low - Direct observation
2. Medium - Thorough investigation, decisions based on other, possibly outside, evidence
3. High - Super computers and other informed people who have organizational information
4. Highly privileged - Being aware of baiting and using tools to analyze, avoid and disable decoys entirely


Page 8: Decoy documents

Generating and Distributing bait

Properties of decoy documents:

Used to guide decoy design and maximize the deception (achieved by hiding). Deception techniques: masking, repacking, dazzling, mimicking, inventing and decoying.

1. Believable - Appearing true. Use realistic names, addresses and logins.

2. Enticing - Highly attractive. Create decoys based on attacker interest (passwords, credit card numbers).


Page 9: Decoy documents

Properties of decoy documents (contd.):

3. Conspicuous - Easily visible or obvious to the eye or mind

4. Detectable - Access to the decoy can be discovered and caught in the act

5. Variability - Decoys vary, so that one detected decoy does not reveal the others

6. Non-interference - Decoys do not get in the way of the legitimate user's normal work

7. Differentiable - The legitimate user can easily tell a decoy apart from a real document



Page 10: Decoy documents

Generating and Distributing bait

The Decoy Document Distributor (D3) System:

Generates and places decoy documents within a file system. D3 is integrated with a variety of services to enable monitoring of these decoy documents. http://sneakers.cs.columbia.edu:8080/fog/index.jsp http://www.alluresecurity.com

Types of bait information:

- Online banking logins provided by a collaborating financial institution
- Login accounts on online servers
- Web-based email accounts


Page 11: Decoy documents

Generating and Distributing bait

Design of a decoy document:

1. A watermark is embedded in the binary format of the document file to detect when the decoy is loaded into memory, or egressed in the clear over a network.

2. A beacon is embedded in the decoy document that signals a remote web site when the document is opened, indicating the malfeasance of an insider illicitly reading bait information.

3. If 1 and 2 fail, the content of the document itself contains bait (honeytokens) and decoy information that is monitored as well. Bogus logins at multiple organizations, as well as bogus but realistic bank information, are monitored by external means: any use of them is an alert, because no legitimate user knows those credentials.
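A worked example of the honeytoken leg of this design (item 3), added here and not code from D3 or the presenter: it generates a believable bogus login bound to one decoy document, checks that the username does not collide with a real account (the non-interference property), and flags any attempt, successful or not, to use that login in sshd-style authentication log lines. The name lists, log lines and registry layout are constructed for this example.

```python
"""Honeytoken credentials: generate, register, and detect their use.

Added example, not the D3 system's code. Name fragments, the auth-log
format and the registry layout are assumptions made for the example.
"""
import random
import re
import secrets
import string
from dataclasses import dataclass

# Name fragments for believable-looking usernames (constructed for this example).
FIRST = ["maria", "james", "priya", "daniel", "aisha", "rahul", "sofia", "kevin"]
LAST = ["hartley", "okafor", "nair", "bergstrom", "castillo", "mehta", "lindqvist", "osei"]


@dataclass(frozen=True)
class Honeytoken:
    username: str
    password: str
    decoy_id: str  # the decoy document this credential was planted in


def make_honeytoken(decoy_id, rng=None):
    """Believable but bogus login bound to one decoy document.

    rng: a random.Random for reproducible demos; defaults to a CSPRNG so
    that deployed honeytokens are not guessable from the seed.
    """
    if rng is None:
        rng = secrets.SystemRandom()
    username = rng.choice(FIRST)[0] + rng.choice(LAST)      # e.g. "mhartley"
    alphabet = string.ascii_letters + string.digits
    password = "".join(rng.choice(alphabet) for _ in range(14))
    return Honeytoken(username, password, decoy_id)


def register(tokens, real_users):
    """Build the username -> honeytoken registry used by the monitor.

    Non-interference check: a honeytoken must never name a real account,
    otherwise legitimate logins would raise alerts.
    """
    registry = {}
    for tok in tokens:
        if tok.username in real_users:
            raise ValueError(f"honeytoken {tok.username} collides with a real account")
        registry[tok.username] = tok
    return registry


# sshd-style auth messages; "invalid user" covers accounts that do not exist locally.
AUTH_RE = re.compile(
    r"(?P<result>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def scan_auth_log(lines, registry):
    """Any attempt to use a honeytoken, successful or not, is an alert:
    nobody legitimately knows these credentials, so even a failed login
    means the decoy content has been read."""
    alerts = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        tok = registry.get(m.group("user"))
        if tok is not None:
            alerts.append({
                "decoy_id": tok.decoy_id,
                "user": tok.username,
                "src": m.group("src"),
                "result": m.group("result"),
            })
    return alerts


def demo():
    """Plant one honeytoken and run the monitor over constructed log lines."""
    rng = random.Random(2014)  # fixed seed only so the demo is reproducible
    tok = make_honeytoken("decoy-0042", rng)
    registry = register([tok], real_users={"alice", "bob"})
    # Constructed sshd log lines: two uses of the bait account from one host,
    # one legitimate login that must not alert.
    lines = [
        f"Jul 26 03:14:07 fs01 sshd[2231]: Failed password for {tok.username} "
        "from 203.0.113.7 port 51422 ssh2",
        "Jul 26 03:14:09 fs01 sshd[2240]: Accepted publickey for alice "
        "from 10.0.0.5 port 51000 ssh2",
        f"Jul 26 03:15:02 fs01 sshd[2251]: Failed password for invalid user "
        f"{tok.username} from 203.0.113.7 port 51430 ssh2",
    ]
    return tok, scan_auth_log(lines, registry)


if __name__ == "__main__":
    token, found = demo()
    print(token)
    for alert in found:
        print(alert)
```

The monitor alerts on failed attempts as well as successes: the value of a honeytoken lies in the fact that nobody legitimate ever types it, so the first use of the username alone already attributes the leak to a specific decoy document. The collision check in `register` is the practical form of the non-interference property from slide 9; run it against the real user directory before planting anything.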


Page 12: Decoy documents

Generating and Distributing bait

Implementation:

1. Honeytokens - e.g., login credentials, banking credentials, etc.

2. Beacon
   - Uses an obfuscation technique called spectrum shaping
   - A unique token is used per document
   - Document type and rendering environment influence what data can be collected
   - The signaling mechanism relies on the document type, or on a stealthily embedded remote image


Page 13: Decoy documents

Generating and Distributing bait

Implementation (contd.):

3. Embedded markers
   - Constructed as a unique pattern of word tokens, uniquely tied to the document creator
   - The sequence of word tokens is embedded within the beacon document's metadata area, or reformatted as comments within the document format structure
   - The embedded markers can be used in Snort signatures for detecting exfiltration
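A worked example of the beacon (slide 12) and embedded-marker (slide 13) mechanisms together, added here and not code from D3 or the presenter. It derives a word-token marker tied to a creator and document with an HMAC, hides it in an HTML comment, embeds a 1x1 remote-image beacon carrying a per-document token, emits a Snort content rule for the marker, and then runs two detections over constructed data: a byte-level scan of an outbound payload (what the Snort rule would do on the wire) and a beacon-server access-log check. The word list, key, beacon host `beacon.example.net`, URL layout and log lines are assumptions made for the example; D3 itself targets formats such as PDF and Word, HTML is used here because its comment and image syntax keep the example short.

```python
"""Embedded markers and beacons for a decoy document, with detection.

Added example, not D3's code. The marker derivation, beacon URL scheme,
Snort rule template and all sample data are assumptions for the example.
"""
import hashlib
import hmac
import re

# Innocuous words for marker phrases; any dictionary works as long as the
# combination is unlikely to occur in real traffic (constructed list).
WORDS = ["amber", "basin", "cedar", "delta", "ember", "fjord", "grove", "harbor",
         "ivory", "juniper", "kestrel", "lagoon", "meadow", "nectar", "orchid", "pebble",
         "quartz", "ripple", "saffron", "timber", "umber", "velvet", "willow", "xenon",
         "yarrow", "zephyr", "anchor", "copper", "dune", "falcon", "gable", "heron"]


def marker_phrase(key: bytes, creator: str, doc_id: str, n: int = 6) -> str:
    """n word tokens derived from an HMAC over (creator, doc_id).

    Deterministic for the owner of `key`, so the same document always gets the
    same phrase, but nobody without the key can forge a phrase that points at
    a chosen creator.
    """
    digest = hmac.new(key, f"{creator}|{doc_id}".encode(), hashlib.sha256).digest()
    return " ".join(WORDS[b % len(WORDS)] for b in digest[:n])


def beacon_token(key: bytes, doc_id: str) -> str:
    """Per-document token carried by the beacon URL (16 hex chars)."""
    return hmac.new(key, b"beacon|" + doc_id.encode(), hashlib.sha256).hexdigest()[:16]


def build_decoy_html(title, body_html, phrase, beacon_url):
    """Decoy as HTML: marker hidden in a comment in the head, beacon as a
    1x1 remote image fetched when the document is rendered."""
    return (
        "<!DOCTYPE html><html><head>"
        f"<title>{title}</title><!-- {phrase} --></head>"
        f"<body>{body_html}"
        f'<img src="{beacon_url}" width="1" height="1" alt=""></body></html>'
    )


def snort_rule(phrase: str, sid: int) -> str:
    """Snort rule that fires when the marker phrase leaves the network in the clear."""
    return (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
        '(msg:"Decoy document marker seen leaving the network"; '
        f'flow:to_server,established; content:"{phrase}"; nocase; sid:{sid}; rev:1;)'
    )


def scan_payload(payload: bytes, registry: dict) -> list:
    """Offline version of the Snort check: report every registered marker
    present in a byte stream (file copy, HTTP body, mail attachment)."""
    return [{"phrase": p, **owner} for p, owner in registry.items() if p.encode() in payload]


# Combined-log-format request of the form: GET /b/<16 hex>.gif ...
BEACON_RE = re.compile(r'"GET /b/(?P<token>[0-9a-f]{16})\.gif[^"]*" ')


def beacon_hits(log_lines, beacons: dict) -> list:
    """Map beacon-server access-log lines back to the decoy that was opened."""
    hits = []
    for line in log_lines:
        m = BEACON_RE.search(line)
        if m and m.group("token") in beacons:
            hits.append({"src": line.split(" ", 1)[0], **beacons[m.group("token")]})
    return hits


def demo():
    """Build one decoy and run both detections over constructed evidence."""
    key = b"example-marker-key"  # assumption: a per-deployment secret in practice
    owner = {"creator": "dast999", "doc_id": "Q3-budget.html"}
    phrase = marker_phrase(key, owner["creator"], owner["doc_id"])
    token = beacon_token(key, owner["doc_id"])
    registry = {phrase: owner}   # marker -> who planted it and where
    beacons = {token: owner}     # beacon token -> same

    doc = build_decoy_html("Q3 budget (draft)", "<p>Draft figures, do not circulate.</p>",
                           phrase, f"https://beacon.example.net/b/{token}.gif")
    # Constructed outbound capture: the decoy pasted into an e-mail body.
    payload = b"Content-Type: text/html\r\n\r\n" + doc.encode()
    # Constructed beacon-server log line: someone rendered the decoy.
    log = [f'198.51.100.23 - - [12/Jul/2014:22:41:05 +0530] '
           f'"GET /b/{token}.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"']
    return {
        "phrase": phrase,
        "token": token,
        "rule": snort_rule(phrase, 1000001),
        "payload_hits": scan_payload(payload, registry),
        "beacon_hits": beacon_hits(log, beacons),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Two caveats a deployment has to plan for: a Snort content match only sees the marker if the document crosses the wire uncompressed and unencrypted, so the beacon and honeytoken layers are what catch a zipped or TLS-wrapped copy; and a beacon is only as reliable as the viewer's willingness to fetch remote resources, which is why the slide ties the collected data to the document type and rendering environment.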


Page 14: Decoy documents

Questions?
