Attackers always had the higher ground in the cyber space. To infiltrate systems, they can use a variety of social engineering tricks, combined with low cost automated attacks. It is time for defenders to make a stand, with something that will give the attackers a hard time: to complement the traditional preventive, detective and corrective security controls, they can now use the deceptive security technology!
Inspired by the use of deception in the military domain, this technology aims to mislead attackers: engineers embed some carefully crafted deceptive elements in their networks, databases, or applications. The purpose is to introduce misleading functionalities that will only be activated in the event of a cyber-attack. If well designed, the deceptive elements will attract the attention of individuals who are maliciously probing the system for vulnerabilities.
Once an attack is detected, a set of actions can be taken, for instance the attacker’s session can be routed into a “honeypot”. This means to route attackers to a separate fictitious application instance, whose database is pre-filled with fake, but realistic data. In this way if the attacker is able to find a vulnerability, a data breach would have no consequence. This would also enable security engineers to monitor the attacker’s behavior, and developers to fix vulnerable code as soon as flaws are found.
Although the security community has increased considerably its interest in deception, there are several fundamental questions left open. For instance, what are the most promising deceptive elements to add to a web application? How to make really sure the deceptive elements are ‘invisible’ to normal users, so you don’t have false positive, while still effective? How would attackers perceive deceptive elements? How would they react, if they believe deception is enabled?
The SunDEW project
Aiming at answering the above questions, SAP security researchers Merve Sahin, Cedric Hebert and Anderson Santana de Oliveira conducted a study during the SAP Cyber security month last year (October 2019), and the results are discussed in a paper that has been presented at the MADWeb 2020 workshop, February 2020, San Diego, California.
Leveraging the Capture the Flag platform developed by the SAP Global Security Education team (read this post about it), they deployed a specific set of challenges to test certain hypotheses. In particular, a vulnerable web application was created and deployed in the CTF platform, containing certain deceptive elements that re-route the participant to a clone instance of the web app. If the participant managed to hack the application, being in the real or in the clone instance would reveal a different flag. In addition, another vulnerable application was deployed as a control group, to see how the participants’ behavior changes when they are aware of the deceptive elements.
These two challenges were part of a 1-month CTF competition, which includes overall 50 challenges in various categories (e.g., web, binary analysis, forensics, cryptography) and more than 400 players participating globally. 98 participants attempted to solve the SunDEW challenge, which allowed the test to be conducted.
A threat modeling exercise was performed to decide which kind of deceptive elements to use, and how and when to monitor them. Different possible attacks have been considered, such as directory bruteforcing, weak account passwords, insecure direct object reference, and attempts at privilege escalation.
As part of the study, a survey was proposed only to participants who were able to find a flag (either the real, or the flag in the application clone). From the survey, the researchers found that the effectiveness of the deceptive elements decreases when the participants are aware of them (that is, attackers try to guess and avoid the traps), but despite (or because of) this, among the participants who were able to solve the challenge, 85% have changed their attack strategy due to being aware of deception and 60% of participants had difficulty to work around it. The most common reaction was to avoid scripted attacks as well as avoiding using known attack automation tools – meaning they refrained themselves and lost in efficiency – yet this did not prevent a large part of them from being trapped anyway!
This work allowed to identify the most effective and most frequently triggered deceptive elements – in other words, how to use the application deception technology to push the attackers towards manual work rather than using automation tools, and to be more careful in their interactions with the application.
Another lesson learned is that, for a more robust defense system, one needs to design the deceptive elements well intertwined with the application, as well as to design response actions that are realistic and that makes the deceptive elements look functional. These are directions that the SAP Security Research team now started working on
Today, the adoption of deceptive technology by industries is very low. This score can be explained by the fact that deploying such solutions into productive environments has a non-negligible cost, while their efficiency is yet to be demonstrated. SAP Security Research believes that deception has the potential to become an effective defense layer and is working on lowering the adoption barrier. They plan to address the performance overhead of the framework and to conduct more experiments in real-world deployments. You are invited to read the full paper to get more details on the solution as well as on the research challenges yet to overcome to make deception a reality.
Based on the work of:
Merve Sahin, Cedric Hebert, Anderson Santana de Oliveira.
Discover how SAP Security Research serves as a security thought leader at SAP, continuously transforming SAP by improving security.