using deception to enhance security: a taxonomy, model, and novel uses -- thesis defense

Using Deception to Enhance Security: A Taxonomy, Model and Novel Uses Mohammed H. Almeshekah Thesis Defense

Upload: mohammed-almeshekah

Post on 18-Jan-2017


TRANSCRIPT

Using Deception to Enhance Security: A Taxonomy, Model and Novel Uses

Mohammed H. Almeshekah

Thesis Defense

Special Thanks!

• To my advisors:

• Prof. Eugene Spafford

• Prof. Mike Atallah

• To my committee members:

• Prof. Sam Wagstaff

• Prof. Matt Bishop

Introduction

A Holistic Overview of Security Defenses

Computer System Defenses

• Denial and Isolation: (1) Prevent unauthorized access. (2) Hide the existence and/or the nature of systems and/or data.

• Degradation and Obfuscation: (1) Slow down the attackers. (2) Prevent and reduce the recovery. (3) Obfuscate the value/nature of systems and/or data. (4) Create noise around valuable data.

• Deception and Negative Information: (1) Lead the attackers astray. (2) Add decoys. (3) Add doubt to the data obtained by the adversary. (4) Increase the risk of attacking computer systems.

• Attribution and Counter Operation: (1) Attributing adversaries. (2) Cause damage to attackers. (3) Increase overall risk in attacking our systems.


Status Quo

• Breaches:

• 84% of these attacks took hours or less to infiltrate.

• 66% of breaches took months or years to discover.

• Defenses:

• Only 5% of these breaches were detected using traditional tools.

Using Deception as a Defensive Mechanism

Traditional Security Defenses

Narrowing down the attack path!

[Figure: “Whack Your Attacker” — attacker, security tools, computer system]


Deception-Based Defenses

• Traditional security (negative clues) and deception (positive clues) work in tandem.

• Humans are not good at detecting deception:

• Detecting deception by college students → 57%

• Detecting deception by law enforcement → 54%

Unique Advantages of Using Deception

Previous Uses of Deception

• Used as ad-hoc attempts:

• Deception has been mainly used as “trapping” or “deterrence” tools.

• Trojan Horses, Phishing, XSS, XSRF and others have long been effective.

• Deception is Effectively Used in Many Areas of Computing.

Dissertation Overview

Framework for Using Deception in Security

Defenses

A Framework

Deception Framework (3) Exploit Attacker’s Biases

What are the plausible responses to the attack, and which ones should you use?

Deception Framework (4) Apply Deception

Make your system lie

Deception Framework (4) Apply Deception

Deception Framework (8) Monitoring and Dynamic Adjusting

Continuous monitoring and dynamic adjustment based on the attacker’s response.

Deceptive Covert Channel

A Password’s Dangerous Trip

[Figure: the path a password travels, with the man-in-the-browser (MitB) and man-in-the-middle (MitM) positions marked]

Information Asymmetry — Context-less Authentication

User wants to access.

Bank wants me to access.

Information Asymmetry — Contextual Authentication

• Public network?

• Email link?

• ….

• Dynamic decision based on context.

Goals of Using Such Channel

• Limit passwords exposure.

• Communicate the user’s authentication context.

• Incorporate covert messages in the protocol that are completely opaque to any party observing the exchange.

A Deceptive Covert Communication

• We will use an accumulation function A() that can be realized using modular exponentiation.

• A(x1, x2) = A(x2, x1).

• Computing A(A(x1), x2) does not require knowledge of x1, and it equals A(x1, x2).

• Current systems store h = H(passwd || salt).

A Deceptive Covert Communication — Check whether the username exists (server side)

    if usernameExists():
        R = randomNonce()
        key = A(h, R)
        x = HMAC_key(A(R), s, id)        # id = Serverid
        Send QR(A(R), x, s, id)

A Deceptive Covert Communication — Check the integrity of the QR (client side)

    h = Hash(passwd || salt)
    key = A(A(R), h)
    x' = HMAC_key(A(R), s, id)
    if x == x': route (b)
    else:       route (a)

A Deceptive Covert Communication — Covert message (client side)

    code = A(A(R), h, msgs)

A Deceptive Covert Communication — Verifying the code (server side)

    code' = A(A(R), h, possible msgs)
    check code =? code'
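The four protocol slides above, carried through end to end as an added Python example (not code from the dissertation or its authors). It realises A() by modular exponentiation as the slides describe, and assumes a demo-sized group (P = 2^127 - 1, G = 3), SHA-256 for the password hash and for mapping messages to exponents, HMAC-SHA256 for HMAC_key, a constructed server id, and a constructed set of three possible context messages; all of these are choices of this example, not of the slides.

```python
import hashlib
import hmac
import secrets

# Assumption: a demo-sized group so the numbers stay readable. A deployment would use a
# standard large prime-order group; the protocol logic does not change.
P = 2**127 - 1          # Mersenne prime
G = 3

SERVER_ID = b"bank.example"                                       # constructed server id
CONTEXTS = [b"trusted device", b"public network", b"email link"]  # assumed message set
PASSWORD_DB = {}        # username -> (h, salt) with h derived from H(passwd || salt)


def A(base: int, *exponents: int) -> int:
    """Accumulation function realised by modular exponentiation.
    A(x) is G^x mod P; A(x1, x2) is G^(x1*x2) mod P; and A(A(x1), x2) = (G^x1)^x2 equals
    A(x1, x2) without knowing x1. Pass G as the base to start a fresh accumulation, or an
    already accumulated value to extend it."""
    acc = base
    for e in exponents:
        acc = pow(acc, e, P)
    return acc


def to_exponent(data: bytes) -> int:
    """Map bytes (a salted password hash or a message) to an exponent in [1, P-2]."""
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 2)


def int_bytes(n: int) -> bytes:
    return n.to_bytes(16, "big")


def register(username: str, passwd: bytes) -> None:
    """Server stores h = H(passwd || salt) and the salt, as current systems do."""
    salt = secrets.token_bytes(8)
    PASSWORD_DB[username] = (to_exponent(passwd + salt), salt)


def server_challenge(username: str):
    """Server: if the username exists, R = randomNonce(), key = A(h, R),
    x = HMAC_key(A(R), s, id). The returned tuple is what the QR code carries."""
    if username not in PASSWORD_DB:
        return None
    h, salt = PASSWORD_DB[username]
    R = 1 + secrets.randbelow(P - 2)
    key = A(G, h, R)                   # A(h, R)
    a_r = A(G, R)                      # A(R), safe to publish: R stays on the server
    x = hmac.new(int_bytes(key), int_bytes(a_r) + salt + SERVER_ID, hashlib.sha256).digest()
    return {"A_R": a_r, "x": x, "salt": salt, "id": SERVER_ID}


def client_respond(challenge: dict, passwd: bytes, context: bytes):
    """Client: h = H(passwd || salt), key = A(A(R), h), x' = HMAC_key(A(R), s, id).
    x == x' means the server knew h, i.e. route (b); otherwise route (a).
    The covert message is then code = A(A(R), h, msg)."""
    h = to_exponent(passwd + challenge["salt"])
    key = A(challenge["A_R"], h)       # equals A(h, R) without ever learning R
    msg = int_bytes(challenge["A_R"]) + challenge["salt"] + challenge["id"]
    x_prime = hmac.new(int_bytes(key), msg, hashlib.sha256).digest()
    server_authentic = hmac.compare_digest(challenge["x"], x_prime)
    code = A(challenge["A_R"], h, to_exponent(context))
    return server_authentic, code


def server_recover(username: str, challenge: dict, code: int):
    """Server: compute code' = A(A(R), h, possible msg) for every candidate message and
    return the one that matches. None means a wrong password or an unknown message."""
    h, _ = PASSWORD_DB[username]
    for msg in CONTEXTS:
        if A(challenge["A_R"], h, to_exponent(msg)) == code:
            return msg
    return None


if __name__ == "__main__":
    register("alice", b"hunter2")                      # constructed sample user
    ch = server_challenge("alice")
    ok, code = client_respond(ch, b"hunter2", b"public network")
    print(ok, server_recover("alice", ch, code))     # True b'public network'
```

A party watching the exchange sees A(R), x, s, id and code; without h (and without the password that produces it) none of these values reveals which of the possible messages the user chose, which is the property the "oblivious to any party observing" bullet asks for. A wrong password fails the x check on the client and leaves the server unable to match any code', so the two failure modes are distinguishable on each side without the password ever being sent.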

Comparison

Ersatzpassword

A Password Lifecycle

Insider Threat/Compromise

Password Files are an Attractive Target

• Evernote reported the leakage of the hashed passwords for more than 50 million users.

• Other attacks against Yahoo, RockYou, LinkedIn and eHarmony have been reported.

• Password cracking is often a precursor to more significant attacks.

Ersatzpasswords Goals

• Eliminate the possibility of offline password cracking.

• Detect the leakage of users’ passwords.

• Proactively detect account impersonation attempts.

Technical Specification — One-Time Initialization

• Instantaneously store all passwords in a machine-dependent format.

    Existing record:   [ ui , αi , si ]      where αi = H(pi || si)
    Compute:           HDF(αi)
    Compute:           βi = H(HDF(αi) || si)
    New record:        [ ui , βi , si ]

Technical Specification — Injecting Ersatzpasswords

• When the user is logging in (with ui, pi):

    Choose an ersatzpassword:   pi*
    Compute a new salt:         si’ = HDF(pi || ui) ⊕ pi*      (equivalently, pi* = HDF(pi || ui) ⊕ si’)
    Compute:                    βi’ = H[ pi* || si’ ]
    New record:                 [ ui , βi’ , si’ ]

Technical Specification — Login

• The user enters her username (ui) and password (pi).

• The system checks:

• If H[ (HDF(pi || ui) ⊕ si’) || si’] equals βi’ → correct login.

• If H(pi || si’) equals βi’ → ersatzpassword login.

• else → incorrect username/password.
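The three specification steps (one-time initialization, injecting an ersatzpassword, login) as one runnable Python example added here; this is not the dissertation's pam_unix code. It assumes SHA-256 for H (the slides do not fix it), a constant standing in for the YubiHSM key behind HDF(p) := HMAC-SHA1_k(p), that the HDF output is truncated to the ersatzpassword's length so the XOR is defined (the slides do not say how the lengths are matched), and a check for an initialized-but-not-yet-injected record derived from the initialization formula, which the slides do not show. Usernames, passwords and the ersatzpassword are constructed sample values. The last function shows what an offline dictionary run over the leaked entry yields, which is the alarm property described under "Three Main Properties".

```python
import hashlib
import hmac
import secrets

# Assumption: this constant stands in for the key kept inside the YubiHSM. In the real
# system HDF can only be evaluated on the authentication server with the token present,
# which is what makes an offline run over a leaked file pointless.
HSM_KEY = b"example-hsm-key-not-a-real-key"


def H(data: bytes) -> bytes:
    """Password hash H. The slides do not fix the algorithm; SHA-256 is used here."""
    return hashlib.sha256(data).digest()


def HDF(data: bytes) -> bytes:
    """Hardware-dependent function HDF(p) := HMAC-SHA1_k(p), as on the Implementation slide."""
    return hmac.new(HSM_KEY, data, hashlib.sha1).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def legacy_record(u: bytes, p: bytes, s: bytes) -> tuple:
    """A pre-existing entry [u, alpha, s] with alpha = H(p || s)."""
    return (u, H(p + s), s)


def initialize(record: tuple) -> tuple:
    """One-time initialization: [u, alpha, s] -> [u, beta, s] with beta = H(HDF(alpha) || s).
    The file keeps its [user, hash, salt] shape, so nothing looks different to a reader."""
    u, alpha, s = record
    return (u, H(HDF(alpha) + s), s)


def verify_initialized(record: tuple, u: bytes, p: bytes) -> bool:
    """Check a record that was initialized but not yet injected. Assumption: the slides do
    not show this step; it follows directly from the initialization formula."""
    ru, beta, s = record
    return ru == u and hmac.compare_digest(H(HDF(H(p + s)) + s), beta)


def inject(u: bytes, p: bytes, ersatz: bytes) -> tuple:
    """Inject an ersatzpassword at login: s' = HDF(p || u) XOR p*, beta' = H(p* || s').
    Assumption: HDF output truncated to len(p*) so the XOR is defined."""
    mask = HDF(p + u)[: len(ersatz)]
    s_new = xor(mask, ersatz)
    return (u, H(ersatz + s_new), s_new)


def login(record: tuple, u: bytes, p: bytes) -> str:
    """Login check from the slides: 'correct', 'ersatz' (raise an alarm) or 'incorrect'."""
    ru, beta, s = record
    if ru != u:
        return "incorrect"
    # Only the real password recovers p* through HDF; without the HSM nobody can do this.
    candidate = xor(HDF(p + u)[: len(s)], s)
    if hmac.compare_digest(H(candidate + s), beta):
        return "correct"
    # The entry is a plain H(p* || s') hash, so a cracked value is p*; using it is the alarm.
    if hmac.compare_digest(H(p + s), beta):
        return "ersatz"
    return "incorrect"


def offline_guess(record: tuple, guesses: list) -> list:
    """What a dictionary run over the leaked [u, beta', s'] entry produces when the file is
    treated as ordinary salted hashes H(p || s): only the ersatzpassword ever matches, and
    the real password does not, even when it is in the list."""
    _, beta, s = record
    return [g for g in guesses if hmac.compare_digest(H(g + s), beta)]


if __name__ == "__main__":
    salt = secrets.token_bytes(8)                                  # constructed sample data
    rec = initialize(legacy_record(b"alice", b"correct horse", salt))
    assert verify_initialized(rec, b"alice", b"correct horse")
    rec = inject(b"alice", b"correct horse", b"sunshine1")          # first login after init
    print(login(rec, b"alice", b"correct horse"))                   # correct
    print(login(rec, b"alice", b"sunshine1"))                       # ersatz
    print(offline_guess(rec, [b"password", b"correct horse", b"sunshine1"]))
```

Running the script shows the three outcomes side by side: the real password is accepted only because the server can evaluate HDF, the ersatzpassword is recognised as the alarm condition, and a dictionary pass over the leaked entry returns nothing but the ersatzpassword.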

Three Main Properties

• Checking a password requires access to HDF → thwarting offline cracking.

• Cracking returns an ersatzpassword for every account → triggering an alarm at the server when used.

• Maintain the same format of the password file → deceiving the attacker.

Ersatzpasswords Properties

• Plausibility

• Non-Deducibility

• Typo-Resilience

• Crackable

• Policy Adherence

Implementation

• We used YubiHSM.

• HDF(p) := HMAC-SHA1_k(p)

• Implemented as a modified pam_unix in an OpenBSD OS.

Performance Analysis

[Table: timings for password update and authentication, normal OpenBSD vs. modified OpenBSD; the values were not captured in the transcript]

Deceptiver

Web Applications

• Verizon DBIR identified web application attacks as the most common incident in 2013 accounting for 35% of all incidents.

• Gartner states that more than 70% of threats are at the web application layer.

Deceptiver

Deceptiver vs. Honeypots

• Instantaneously reflects the current production state.

• Honeypots are yet another set of systems that need to be administered and updated.

• Honeypots need to keep copies of different individual resources where deceit is injected.

Deceptiver Responses

1. Traps

• Administrative resources (e.g. .htaccess).

• Isolated resource.

• Meta/Hidden data.

• Known Vulnerabilities.

2. Active deceptive responses

• Performance.

• Public data.

• Software and services.

Implementation

Performance Analysis

Performance Analysis — 2

• Further investigating performance showed that 9 lines of code take 99.2% of execution time.

• All of those are querying the MySQL database.

Future Work

[Figure: mind map with the nodes “The role of biases”, “This Dissertation”, “Modeling the use of deception”, “The creation of deceit”, “Deception Metrics”, “Advanced tools” and “Economical and ethical issues”; the bullets for each node follow]

• This Dissertation: the role of deception; a framework to plan and integrate deception; three practical tools.

• The role of biases: in defending computer systems; in protecting users; further investigating cultural and organizational biases.

• Modeling the use of deception: using game-theoretical models (e.g. hypergames); where to apply deception within the kill-chain.

• The creation of deceit: how to create believable fake information?

• Deception Metrics: measuring plausibility, deducibility, confusion and other characteristics.

• Advanced tools: deceptive file system; deceptive patches; deceptive system calls.

• Economical and ethical issues: cost/benefit analysis; externality effects; lying to regular users.

Publications

• M. Almeshekah, C. Gutierrez, M. Atallah and E. Spafford, “ErsatzPasswords – Ending Passwords Cracking” (under review).

• M. Almeshekah, M. Atallah and E. Spafford, “Enhancing Passwords Security using Deceptive Covert Communication,” International Conference on ICT Systems Security and Privacy Protection, IFIP SEC’15, May 26-28, 2015, Hamburg, Germany.

• M. Almeshekah and E. Spafford, “Using Deceptive Information in Computer Security Defenses,” International Journal of Cyber Warfare and Terrorism (IJCWT), 4 (3), 46-58, July-September 2014, IGI Global.

• M. Almeshekah and E. Spafford, “Planning and Integrating Deception into Computer Security Defenses,” New Security Paradigms Workshop (NSPW’14), 15-18 September 2014, Victoria, BC, Canada.

• M. Almeshekah and E. Spafford, “The Case of Using Negative (Deceiving) Information in Data Protection,” in Proceedings of the 9th International Conference on Cyber Warfare and Security ICCWS-2014, ISSN: 2048-9870, Academic Conferences and Publishing International Limited, March 2014.

• M. Almeshekah, M. Atallah, and E. Spafford, “Back channels can be useful! – layering authentication channels to provide covert communication,” SPW’13, in Security Protocols XXI (B. Christianson, J. Malcolm, F. Stajano, and J. Anderson, eds.), vol. 8263 of Lecture Notes in Computer Science, Springer Berlin Heidelberg, 2013.

Thanks! Questions?