Testing Deception Tactics in Response to Cyberattacks

Abstract

Deception can be a useful tool in defending computer systems against cyberattacks because it is unexpected and offers much variety of tactics. It is particularly useful for sites of critical infrastructure for which multiple defenses are desirable. We have developed an experimental approach to finding deceptive tactics for system defense by trying a variety of tactics against live Internet traffic and seeing what responses we get. These experiments are easiest to do on a honeypot, a computer system designed solely as an attack target. We report on three kinds of experiments with deceptive honeypots: one with modifying attack packets using Snort Inline, one with scripted responses to attacks using Honeyd, and one with a fake Web site. We found evidence of responses to our deceptions, sometimes in the form of increased session lengths and sometimes by disappearance of attackers. Some benefit was obtained by varying the deceptions over time. These results are encouraging for developing more comprehensive automated deception strategies for defending computer systems, and provide a new experimentation methodology for systematically developing deception plans.