Using Football Formations in a Honeypot Environment

Transcription

1 Int'l Conf. Security and Management SAM' Using Football Formations in a Honeypot Environment Sebastian Kollmannsperger and Tyrone S. Toland Department of Informatics University of South Carolina Upstate 800 University Way, Spartanburg, SC Kollmans@ .uscupstate.edu, ttoland@uscupstate.edu Abstract Unauthorized access to information continues to be a challenging problem, especially in a time where cyber attacks are on the rise. Current security measures (e.g., access control systems, firewalls, intrusion detection systems) may not be sufficient to protect the information technology (IT) infrastructure from a resourceful malicious attacker. This paper presents a novel approach to embed a football formation into a Honeypot environment. We show how executing football plays in a Honeypot environment can be used to gather information about a malicious attacker. This reconnaissance information can be used to prevent future unauthorized access to sensitive information. We also discuss of our implementation and provide some results from a proof of concept experiment. Keywords Honeypots, Intrusion Detection System, Information Security I. INTRODUCTION Information security has been challenging since humans began exchanging information. For example, cipher has always been discussed in information security. In fact, ciphers were used to encrypt important messages as far back as 50 BC [5]. The advent of the computer required stronger measures to enforce security, which became an even bigger challenge with the rise of the Internet. As companies become inter-connected more and more via the Internet, the challenge of protecting the infrastructure and information becomes an even bigger challenge. Nowadays many different defense mechanisms work together to form a secure system. Firewalls, encryption tools, access control systems, intrusion detection systems as well as other security software contribute to information security in a slightly different way. Schneier [3] identifies three tasks of information security which are prevention, detection and response. All security tools can be assigned to either one of these tasks. Prevention is the attempt to protect resources from danger and harm. Preparations have to be done, to set up mechanisms that protect the IT. The goal is to make it as hard as possible, for intruders and hackers to access resources. Well known prevention tools are firewalls, password protections, encryption tools and digital signatures. When prevention is not effective, detection becomes an important process. With detection, we want to find out if our system was compromised and from where. Detection is therefore like a monitoring tool. However, it does not contribute to the protection of systems, because detection tools act rather passive. An intrusion detection system is an example for a detection system. After an intruder has been detected, we have to react. Every action in a system gets recorded and stored by one of the detection tools. Therefore, also the intruder leaves behind evidences. By analyzing these evidences, we can find out how the attacker got in, what the attacker accessed and what the intruder manipulated. With this information we can take steps to react adequately. Backup and recovery tools are an example of response tools. We now discuss a tool that can be used to assist in securing a computer system. A. Honeypots Compared to other approaches to information security, honeypots are a more aggressive and active form of defense against malicious attacks [2]. Honeypots are defined in different ways. Schneier [3] defines a Honeypot as a security resource whose value lies in being probed, attacked or compromised. This paper defines a Honeypot as an IT resource with the goal to attract potential malicious attackers. That is, any access of the Honeypots is examined and recorded to be used to deter similar attacks from occurring in the future. Contrary to other components of an IT system, it is desired that the Honeypot gets attacked and probed. Since Honeypots are masquerading as sensitive resource, they do not provide any functionality for an organization. Therefore, if a malicious user accesses the Honeypot, then this access can be seen as unauthorized access and therefore as an intrusion [2]. Honeypots can be categorized as either a production honeypot or a research honeypot as follows [3][4]: Production Honeypot: According to the name, these kind of Honeypots are especially used in a production environment. Their main purpose is to gather information for a specific organization about intrusions. They add value to an organizations information security. Research Honeypot: These Honeypots are used principally in a research environment to gather information about potential attackers. They do not add value to a specific organization. Information from Research Honeypots can be used to find out about techniques and resources from attackers

2 300 Int'l Conf. Security and Management SAM'16 which can help to prepare the production system for attacks. B. Value of Honeypots Honeypots are flexible tools and contribute to each one of the three security aspect as follows [4][3]: Prevention: Contrary to the belief of the majority, Honeypots can help to prevent attacks because of deception and deterrence. Deception means, that potential attackers may waste time and resources on honeypots. Without knowing, attackers interact with a honeypot that imitates a valuable resource. During this interaction, organizations have the time to react. After all, attacks can be stopped before even leaking information. Deterrence on the other hand is the effect of scaring off attackers because of the warning effect of Honeypots. When attackers know that an organization uses Honeypots, they may not even try to attack. As we can see, honeypots contribute to the prevention of attacks in a certain degree. Nonetheless, traditional prevention tools like firewalls are more efficient. Detection: Honeypots have the biggest impact in detection. For many organizations, detection is a difficult topic. Schneier [3] identifies three challenges when it comes to detection: false positives, false negatives and data aggregation. False positives are mistakenly reported alerts. This happens, when the system interprets normal network traffic as an attack. The opposite false negatives are attacks, that the system does not notice. Finally, data aggregation is the struggle to collect the data and transform it into valuable information. Common intrusion detection systems struggle in these three aspects. Intrusion detection systems act like a watchdog over a company s IT infrastructure. They monitor the traffic and identify whether an access is authorized or not. Therefore, intrusion detection systems generate a lot of data, resulting in an overload of information. Honeypots however, help us to eliminate these negative aspects. Because every interaction with a honeypot can be seen as unauthorized, honeypots only register these interactions. The problem with data aggregation and false positives can be eliminated. False negatives can still occur, for example if an intrusion does not affect the Honeypot, but this risk can be mitigated by placing the Honeypot in an attracting position. Consequently, Honeypots help us to detect intrusions more effectively. information collected by a Honeypot, we can construct countermeasures to prevent similar attacks from occurring in the future. It should be noted, that the goal of a Honeypot is not to prevent attacks, but to detect them. Therefore, a Honeypot should be combined with other security tools (e.g., firewalls, encryption, password protection). In this paper we discuss how American football plays can be used to gather information about malicious attackers in a honeypot research environment. In particular, we propose using various offensive plays to provide valuable reconnaissance information to defend sensitive information in an infrastructure. This reconnaissance information can be analyzed and used to defend sensitive information in an infrastructure. Our novel approach to mapping football formations into a honeypot research environment can be extended to a networked infrastructure. This paper is organized as follows. In Section II, we discuss a research Honeypot environment. In Section III, we briefly describe a simplified football formation. In Section IV, we show how to map a football formation into a research Honeypot environment. Section V discusses our implementation and results from proof concept experiment. Section VI concludes the paper. II. RESEARCH HONEYPOT ENVIRONMENT Honeypots allow a wide range of application areas. Because of their goal to distract and attract attackers, the best way to use Honeypots is within an IT infrastructure. The probability that an attacker interacts with Honeypots are increased by masquerading as sensitive data. In Fig. 1, we illustrate a Honeypot integrated with other important and possible sensitive IT resources. Fig. 1 is a variation of a model in [4]. Response: After an intrusion is detected, response is the next step to take. Honeypots help us to identify evidences via log files. That is, the user can analyze log files that are generated by Honeypots to find out how the attacker gain access to the system. With the Fig. 1 Honeypot in IT Infrastructure

3 Int'l Conf. Security and Management SAM' The Honeypot is part of the infrastructure similar to other important resources (e.g., mail server, web server). Therefore, the Honeypot distracts and attracts malicious attackers. Assuming that the attacker scans either our web or mail server, the likelihood that the attacker will access the Honeypot is high. III. FOOTBALL OVERVIEW We now provide a brief overview of American Football (football). In American football there are two teams of eleven players. Each team takes turns defending their goal. That is, the defending team wants to prevent the opposing team from taking the football into their end zone to score (e.g., touchdown, field goal, touch back). A. Football Offensive Formation Although in real football there are eleven players per team, we will only consider seven players in this paper. Our offensive formation consists of five players that form the offensive line (OL + ROL). The offensive line has the task of keeping the ball away from the defending team. Behind the offensive line we have the Quarterback (QB) and Running Backs (RB). The job of the QB is to control the play. The Running Back on the other hand tries to outrun the defense. Fig. 2 shows the offense represented a circles. one player of the OL, called the right offensive lineman (ROL). For the purpose of this play, the ROL positions on a different position to be able to perform the play. Fig. 2 shows the starting position. The dashed lines show the running paths of the players. The continuous line shows the path of the ball. So in the first move, the ball travels from the center of the offensive line to the QB. The ROL and RB run their paths. In Fig. 3 we can see the subsequent moves. When the RB crosses the QB, the ball travels from the QB to the RB (1). The next move happens, when the RB crosses the ROL. The ball travels from the RB to the ROL (2). The final move happens, when the ROL crosses the QB. Hereby, the ball goes from the ROL to the QB (3). During the play, the QB does not switch the place. However, the RB and the ROL cross and switch their sides. The ball travels from the center to the QB to the RB to the ROL and back to the QB. The goal of that play is to distract the defenders and create room for the QB to pass the ball. The opponent cannot recognize where the ball is and tackle the wrong player. This distraction has a huge similarity with the way Honeypots work. This is the reason why we chose to map this play onto a Honeypot research environment. Fig. 3 Double Reverse Flea Flicker Moves IV. COMBINING FOOTBALL FORMATIONS and HONEYPOTS Fig. 2 Offensive & Defensive Formation B. Football Defensive Formation The defensive formation consists of five defensive linemen and two Linebacker (LB). The defensive linemen try to attack either the QB or the ball carrier. The LB are there to provide additional support for the defense. Sometimes the LB also try to sack the opposing QB. Ultimately, the goal of the defense is to get the ball and stop the attack. Fig. 2 shows the defense represented as X. C. Double Reverse Flea Flicker The double reverse flea flicker is one of many different football plays. It involves three players, the QB, the RB and Fig. 4 shows how a football formation can be implemented into a research Honeypot environment. As explained in Section 3, Defenders are represented as X s and Attackers are represented as O s. We now map the football formation onto an IT infrastructure whereby the roles change. Now, the Attackers are X s (i.e., they retrieve something) and the Defenders are O s (they protect something). Therefore, in this model the football attackers are playing the role of the defense, while the football defenders play the role of the attackers. The goal now is to protect the ball instead of carrying the ball into the end zone. In our model the ball represents the sensitive data. The Honeypots are masquerading the sensitive data to attract attackers. The defense are protection tools like Firewalls, encryption tools and password protection. The defense protects our infrastructure. This infrastructure consists of three Honeypots (HP1, HP2, and

4 302 Int'l Conf. Security and Management SAM'16 HP3). Since we are working with a research environment, we do not have any production entity. The arrows illustrate unauthorized access. Since every defense mechanism is not completely safe, there may be some traffic coming through the firewall that will access the Honeypots. When this happens, the Honeypots will work together to execute the play in Section 2.3. A. Running the Play in a Honeypot Environment In Fig. 4, HP1 acts like the RB, HP2 acts like the QB and HP3 acts like the ROL. This means, that in the beginning HP2 (i.e., QB) masquerades as a sensitive resource (i.e., ball). So, the attackers try to access HP2. When this happens, we want HP1 to masquerade as a sensitive resource. So, we pass the ball to HP1. This again means that attackers now try to access HP1. Then, we want HP3 to masquerade as a sensitive resource, meaning HP3 becomes the new goal for attackers. Finally, HP2 again masquerades as a sensitive resource. To pass the data between the Honeypots, we will simulate data being active and inactive, which in essence we are not really passing data between the Honeypots. HoneypotManager (HPTM) is a program that sends a message to either activate or deactivate access to sensitive data on HPTS. When data access has been deactivated on a HPTS, then the data access is activated on another HPTS, i.e., data access has moved. HoneypotAttacker (HPTA) is a program that the attacker uses to attempt to access sensitive data on a HPTS. The attacker sends an access message request (i.e., a malicious attack message) to the HPTS. If HPTS has access capability to the sensitive data (i.e., activedata is true), then an active message is generated that contains: A (i.e., access to sensitive data is active), HPTA IP address, the attack message arrival time on HPTS, and the attack message departure time from HPTS. Otherwise, an inactive message is generated that contains: N (i.e., access to sensitive data is not active), HPTA IP address, the attack message arrival time on HPTS, and the attack message departure time from HPTS. B. Experiment We ran our experiment in a test networking lab. To simulate the example in Section IV, we ran HPTS on three computers (i.e., HP1, HP2, and HP3). We ran HPTA on a separate computer to simulate the attacks. On another separate computer, we ran HPTM to activate and deactivate data access on HP1, HP2 and HP3, respectively. For our experiments, HPTS only listens on port Fig. 4 Football Formation mapped in Honeypot Environment V. IMPLEMENTATION and EXPERIMENT We ran an experiment using a framework we implemented in Java 8. A. Implementation To show a proof of concept, we developed the following three programs: HoneypotServer (HPTS) is a program that simulates the honeypot. The program uses a Boolean variable (e.g., activedata) to simulate access to the sensitive data (i.e., the honey). If activedata is true, then the access to sensitive data is available via HPTS; otherwise, if activedata is false, then the sensitive data is currently not available via access of this machine. That is, the sensitive data access has moved to a different machine. This experiment implements Fig. 4. That is, HP2 is initially activated, while HP1 and HP3 are deactivated. The attacker can now search for the active honeypot using HPTA. To accomplish this, the attacker successively tries to connect to the honeypots. Once the attacker finds the active honeypot (i.e., activedata is true), the manager deactivates that honeypot (i.e., activedata is set to false) and then activates the next honeypot in the sequence. Then, the attacker searches for the next active honeypot and the process continues per Fig. 4. Table 1 shows the result from this experiment. The attacker does follow the sequence of the play in Fig. 4 when accessing active data items. As we proposed, we could gather information from the malicious user in Msg 2 at HP2, in Msg 4 at HP1, in Msg 7 at HP3 and in Msg 8 again at HP2. That is, we can gather reconnaissance information from a malicious user at a given machine at a specified time. C. Discussion The experiment shows that our approach is feasible. Our approach provides a guaranteed time interval for which we can evaluate malicious activity. In particular, we can evaluate malicious activity when accessing an active

5 Int'l Conf. Security and Management SAM' honeypot and/or when searching for an active honeypot. Based on Table I, we have extracted a set of active Honeypot access times (1) and a set of time intervals to search for an active Honeypot (2). TABLE I EXPERIMENTAL RESULTS WITH TIMES IN MILLISECONDS Msg# HP# Active IP Address ArrivalTime DepartureTime 1 1 N A N A N N A A We define T FoundHoneypot as a set of access arrival times for which a message arrives at an active Honeypot. We define T SearchingForHoneypot as a set of time intervals in which the attacker is searching for the active Honeypot. 1) T FoundHoneypot = {Msg2.ArrivalTime, Msg4.ArrivalTime, Msg7.ArrivalTime, Msg8.ArrivalTime} 2) T SearchingForHoneypot = {[Msg1.ArrivalTime, Msg2.ArrivalTime], [Msg3.ArrivalTime, Msg4.ArrivalTime], [Msg5.ArrivalTime, Msg7.ArrivalTime]} We defined sets of times which potentially provide more reconnaissance information than conventional Honeypot solutions VI. CONCLUSION We have shown how a football formation can be used to configure a Honeypot environment to gather information about cyber-attacks. We have also provided a proof of concept experiment to show that our approach is feasible. Our novel approach can be used to gather valuable reconnaissance information about single and ultimately coordinated attacks using well established football plays. REFERENCES [1] Cosmell, H. (2011). 9 Football Formations Every Man Should Know. Retrieved February 18, 2016, from [2] Mokube, I., & Adams, M. (2007). Honeypots: Concepts, Approaches, and Challenges. North Carolina: Winston- Salem. [3] Schneier, B. (2000). Secrets and Lies: Digital security in a networked world. New York: John Wiley & Sons. [4] Spitzner, L. (2002). Honeypots: Tracking Hackers. Addison-Wesley Professional. [5] Whitman, M. E., & Mattord, H. J. (2011). Principles of Information Security. Cengage Learning. Future research will show, how organizations may use these sets of times to either prevent attacks and/or catch attackers. We further propose that we can use plays from other sports in a Honeypot environment. ACKNOWLEDGEMENT The authors would like to thank Lt. J. Bernard Brewton for his invaluable help in this paper. The authors would also like to thank Dr. Frank Li, Dr. Jerome Lewis, and the Division of Mathematics and Computer Science for the use of their Networking Lab.