Biblio
In recent years, persistent cyber adversaries have developed increasingly sophisticated techniques to evade detection. Once adversaries have established a foothold within the target network, using seemingly-limited passive reconnaissance techniques, they can develop significant network reconnaissance capabilities. Cyber deception has been recognized as a critical capability to defend against such adversaries, but, without an accurate model of the adversary's reconnaissance behavior, current approaches are ineffective against advanced adversaries. To address this gap, we propose a novel model to capture how advanced, stealthy adversaries acquire knowledge about the target network and establish and expand their foothold within the system. This model quantifies the cost and reward, from the adversary's perspective, of compromising and maintaining control over target nodes. We evaluate our model through simulations in the CyberVAN testbed, and indicate how it can guide the development and deployment of future defensive capabilities, including high-interaction honeypots, so as to influence the behavior of adversaries and steer them away from critical resources.
Distributed Denial of Service attacks against high-profile targets have become more frequent in recent years. In response to such massive attacks, several architectures have adopted proxies to introduce layers of indirection between end users and target services and reduce the impact of a DDoS attack by migrating users to new proxies and shuffling clients across proxies so as to isolate malicious clients. However, the reactive nature of these solutions presents weaknesses that we leveraged to develop a new attack - the proxy harvesting attack - which enables malicious clients to collect information about a large number of proxies before launching a DDoS attack. We show that current solutions are vulnerable to this attack, and propose a moving target defense technique consisting in periodically and proactively replacing one or more proxies and remapping clients to proxies. Our primary goal is to disrupt the attacker's reconnaissance effort. Additionally, to mitigate ongoing attacks, we propose a new client-to-proxy assignment strategy to isolate compromised clients, thereby reducing the impact of attacks. We validate our approach both theoretically and through simulation, and show that the proposed solution can effectively limit the number of proxies an attacker can discover and isolate malicious clients.