Air Force goes after cyber deception technology
Air Force Research Lab (AFRL) enlists security vendor Galios to develop a cyber deception system
By Michael Cooney
Jan 19 2017
A little cyber-trickery is a good thing when it comes to battling network adversaries.
The Air Force Research Lab (AFRL) tapped into that notion today as it awarded a $750,000 grant to security systems developer Galios to develop a cyber deception system that will “dramatically reduce the capabilities of an attacker that has gained a foothold on a network.”
Specifically, Galios will develop its Prattle system for the Air Force. Galios describes Prattle as a system that generates traffic that misleads an attacker that has penetrated a network: making them doubt what they have learned, or to cause them to make mistakes that increase their likelihood of being detected sooner.
“To generate this traffic, Prattle starts with observations of local traffic, and then generates traffic indistinguishable from existing traffic, but subtly modified to meet the administrator’s goals. This additional information can be used to direct adversaries toward fake workstations or servers, for example, and/or to distract them from real search terms or operational priorities” Galios says.
From Galios: “We thus refer to the traffic generated by Prattle as false signal, to stress the difference between it and the more easily distinguished noise. Further, we seek to generate realistic traffic that is intentionally designed to cause the adversary to take some action that is to our advantage.
For example, Galios says it might use false signal to:
• Improve the utility of honeypots, IDS, SIEM, DLP or other solutions by pushing adversaries to act in a way that makes them easier to detect.
• Watermark documents or other data in such a way that the introduced data can tie an adversary to a location or time.
• Obfuscate the details of high-value information such as designs, plans, source code, or financial data by introducing small variations upon real documents transiting the network.
• Misdirect an adversary from the real interests and efforts of an organization.
With the grant Galois and Tufts University will lead the research efforts into high fidelity network protocol emulation, while Galois’ subsidiary Formaltech, Inc. will serve as a subcontractor on the grant. Formaltech’s CyberChaff cyber deception system – which creates decoy devices on networks that appear as valid, active devices to attackers – will be one commercialization strategy and implementation target for the Prattle project.
The grant is actually Phase 2 of the AFRL’s program. In Phase I of the project, the project team showed how the Prattle prototype generates highly realistic traffic based on observations of local traffic. Phase II will focus on expanding the generation capability across a wider variety of protocols, and using “honey data” – data tailor-made to misdirect the attacker – to cause them to take some action that is to our advantage, Galois stated.
The AFRL work is not the only security deception work going on. Last year the advanced technology developers from the Intelligence Advance Research Projects Activity (IARPA) office put out a Request For Information about how to best develop better denial and deception technologies – such as honeypots or deception servers for example — that would bolster cyber security.
“Adapting deception to support the engagement of cyber adversaries is a concept that has been gaining momentum, although, the current state of research and practice is still immature: many techniques lack rigorous experimental measures of effectiveness, information is insufficient to determine how defensive deception changes attacker behavior or how deception increases the likeliness of early detection of a cyber attack,” IARPA said in a statement.