Interesting People mailing list archives

Air Force goes after cyber deception technology


From: "Dave Farber" <dave () farber net>
Date: Sat, 21 Jan 2017 03:40:06 +0000

---------- Forwarded message ---------
From: Dewayne Hendricks <dewayne () warpspeed com>
Date: Fri, Jan 20, 2017 at 9:42 AM
Subject: [Dewayne-Net] Air Force goes after cyber deception technology
To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>


Air Force goes after cyber deception technology

Air Force Research Lab (AFRL) enlists security vendor Galois to develop a
cyber deception system

By Michael Cooney

Jan 19 2017

<http://www.networkworld.com/article/3159704/security/air-force-goes-after-cyber-deception-technology.html>



A little cyber-trickery is a good thing when it comes to battling network
adversaries.



The Air Force Research Lab (AFRL) tapped into that notion today as it
awarded a $750,000 grant to security systems developer Galois to develop a
cyber deception system that will “dramatically reduce the capabilities of
an attacker that has gained a foothold on a network.”



Specifically, Galois will develop its Prattle system for the Air Force.
Galois describes Prattle as a system that generates traffic that misleads
an attacker that has penetrated a network: making them doubt what they have
learned, or causing them to make mistakes that increase their likelihood
of being detected sooner.



“To generate this traffic, Prattle starts with observations of local
traffic, and then generates traffic indistinguishable from existing
traffic, but subtly modified to meet the administrator’s goals. This
additional information can be used to direct adversaries toward fake
workstations or servers, for example, and/or to distract them from real
search terms or operational priorities,” Galois says.



From Galois: “We thus refer to the traffic generated by Prattle as false
signal, to stress the difference between it and the more easily
distinguished noise. Further, we seek to generate realistic traffic that is
intentionally designed to cause the adversary to take some action that is
to our advantage.”



For example, Galois says it might use false signal to:



        • Improve the utility of honeypots, IDS, SIEM, DLP or other
solutions by pushing adversaries to act in a way that makes them easier to
detect.

        • Watermark documents or other data in such a way that the
introduced data can tie an adversary to a location or time.

        • Obfuscate the details of high-value information such as designs,
plans, source code, or financial data by introducing small variations upon
real documents transiting the network.

        • Misdirect an adversary from the real interests and efforts of an
organization.
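As an added illustration of the watermarking idea in the second bullet (example code written for this page, not Galois's code and not how Prattle or CyberChaff implement it): a decoy file-server name that carries an HMAC-bound site id and time stamp, so that if the name later turns up in data an intruder has collected, a defender can verify it is a genuine plant and trace it back to where and when it was served. The key, site ids, hostnames and the "leaked" text are constructed for the demo.

```python
import hashlib
import hmac
import re
import struct

# Constructed demo key (assumption): a real deployment would keep this in a key store.
WATERMARK_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = 6  # bytes of HMAC kept; 48 bits is plenty for a low-volume watermark

def make_watermark(key: bytes, site_id: int, epoch_minutes: int) -> str:
    """Pack (site, time) plus an HMAC tag into 24 hex characters."""
    payload = struct.pack(">HI", site_id, epoch_minutes)
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return (payload + tag).hex()

def read_watermark(key: bytes, token: str):
    """Return (site_id, epoch_minutes) for an authentic token, else None."""
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return None
    if len(raw) != 6 + TAG_LEN:
        return None
    payload, tag = raw[:6], raw[6:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # forged, corrupted, or made with another key
    return struct.unpack(">HI", payload)

def decoy_hostname(key: bytes, site_id: int, epoch_minutes: int) -> str:
    """Plant the watermark where an intruder is likely to copy it: a fake file server name."""
    return f"fs-{make_watermark(key, site_id, epoch_minutes)}.corp.example"

HOST_RE = re.compile(r"fs-([0-9a-f]{24})\.corp\.example", re.IGNORECASE)

def attribute_leak(key: bytes, text: str):
    """Scan recovered data for planted names and map each back to (site, time)."""
    hits = []
    for m in HOST_RE.finditer(text):
        found = read_watermark(key, m.group(1).lower())
        if found is not None:  # look-alike names without a valid tag are ignored
            hits.append(found)
    return hits

if __name__ == "__main__":
    # Constructed sample: decoy served at site 7 around 2017-01-20 (epoch minute 24747840),
    # followed by a look-alike name that carries no valid tag.
    planted = decoy_hostname(WATERMARK_KEY, 7, 24747840)
    leaked = f"smb://{planted}/finance/q4.xlsx\nsmb://fs-deadbeefdeadbeefdeadbeef.corp.example/x"
    print(attribute_leak(WATERMARK_KEY, leaked))  # [(7, 24747840)]
```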



With the grant Galois and Tufts University will lead the research efforts
into high fidelity network protocol emulation, while Galois’ subsidiary
Formaltech, Inc. will serve as a subcontractor on the grant. Formaltech’s
CyberChaff cyber deception system – which creates decoy devices on networks
that appear as valid, active devices to attackers – will be one
commercialization strategy and implementation target for the Prattle
project.



The grant is actually Phase 2 of the AFRL’s program. In Phase I of the
project, the project team showed how the Prattle prototype generates highly
realistic traffic based on observations of local traffic. Phase II will
focus on expanding the generation capability across a wider variety of
protocols, and using “honey data” – data tailor-made to misdirect the
attacker – to cause them to take some action that is to our advantage,
Galois stated.



The AFRL work is not the only security deception work going on. Last year
the advanced technology developers from the Intelligence Advanced Research
Projects Activity (IARPA) office put out a Request For Information about
how to best develop better denial and deception technologies – such as
honeypots or deception servers, for example – that would bolster cyber
security.



“Adapting deception to support the engagement of cyber adversaries is a
concept that has been gaining momentum, although the current state of
research and practice is still immature: many techniques lack rigorous
experimental measures of effectiveness, information is insufficient to
determine how defensive deception changes attacker behavior or how
deception increases the likeliness of early detection of a cyber attack,”
IARPA said in a statement.



[snip]



Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>


