The paper illustrates how using deception can combat the two key forms of cyberattacks — those built for data exfiltration (advanced persistent threats) and those for resource exfiltration (advanced persistent mining). APTs focus on curtailing availability, integrity and confidentiality of data. APMs (also called cryptojacking attacks), meanwhile, are attacks that use another system’s resources to accomplish a cost-heavy task — for instance, bitcoin mining, which has massive associated energy and computing power costs.
“What we came up with is this new paradigm of looking at cyber defense using pretense,” Calyam said. “We are unique in this aspect in coming up with the paradigm of pretense in cyber defense; in addition, we are using machine learning techniques (that require minimal to none human intervention) to effectively detect and defend against data and resource exfiltration attacks within small-to-large scale enterprise networks.”
This study utilizes child psychology methods and research to develop methods of misdirection and subterfuge that can confuse an attacker just long enough to allow for a more effective defense.
The goal of pretense is to focus an attacker’s resources on a quarantined area of the system that isn’t valuable and keeping legitimate users in a safe area of the system. The pretense thus helps in buying time to shore up an intelligent defense of valuable data and resources to deter the attacker to launch more vigorous attacks on valuable data and resource assets. For APTs, this can involve giving attackers a dummy target, allowing resources to shift to where the actual valuable information is stored. The goal is to keep the attacker assuming that the attack is still succeeding while a scheme is devised to stop the attack as close to the source as possible.
“The more deeply they are in, the more they have the ability to go many directions. It becomes like a Whack-A-Mole game. But if you get to their hand, they cant whack,” Calyam explained.
For APMs, attackers are typically already in the system and can lay dormant for years until they need a system’s resources. They usually attack nodes on several systems, creating a pool of resources to use for their cryptojacking deeds. These attacks have grown in frequency in the last few years and are more long-term in nature.
“We cleverly make the computational resource slow,” Calyam said of APM defense. “We add artificial traffic or load to that node that’s been attacked. The attacker doesn’t know we found them. But we make the resource so unappealing that they will unload it from their cryptojacking pool.”
The use of pretense is the latest tool in an ongoing sophisticated battle between cyberattackers and companies of all sizes who depend on computing resources and want to protect their valuable data assets.
“The reality is that even big companies have been vulnerable, everybody we can imagine has fallen” Calyam said. “In this attacker-defender game, what we try to do to win is use our defense [resource budget] more wisely and try to mitigate the impact of the attacker’s attack [resource budget].”