Dates
Wednesday, July 29, 2020 - 01:30pm to Wednesday, July 29, 2020 - 02:30pm
Location
Zoom
Event Description

Timothy Barron PhD Thesis Defense
Addressing the Imbalance Between Attackers and Defenders Using Cyber Deception
Abstract: Cyber security researchers and professionals struggle with an uneven playing field when defending against threats. Ideally, defenses aim to cover all possible attacks, but an attacker may only need one vulnerability to do damage. Adding to this challenge is the fact that defenses used in practice are often known to attackers, while the full range of techniques and exploits used by attackers remains a mystery to analysts. This thesis explores cyber deception, the role it plays in this imbalance, and how we can leverage it to demystify attackers' methods and improve defenses.

The first part of this thesis entails a large-scale study of attacker behavior on SSH honeypots where we varied system properties to create different levels of believability. This work demonstrates one way deception can be used to learn about attack patterns, but we also show that the level of deception is important and may influence the behavior of human attackers. The second part of this thesis demonstrates methods that use deception as a real-time defense. Prior work using decoy files demonstrates that an attacker lacking intimate knowledge of the files present would need to distinguish between deceptive and real files in order to exfiltrate information. We extend this idea to the Web, with a system capable of adding a layer of security to existing Web applications. Users can transform existing parts of the application that they use infrequently into tripwires, or inject new deceptive tripwire elements. These methods force hackers to expend more time and effort in order for their attacks to succeed.

Finally, we present deceptive methods carried out by malicious actors with Internet domain names. Prior work has shown that attackers often re-register expired domains to deceive old clients that are still sending residual traffic to them. Our contributions have shown specific cases where misplaced trust in domain names can be used to hijack DNS nameservers and bypass otherwise secure Content Security Policies. We also show that by prematurely deleting domain names, malicious registrants can hide evidence of short-term malicious use, and deceive forensic investigators. As a result, other domains involved in large-scale malicious campaigns are more difficult to discover and take down.

Event Title
PhD Thesis Defense: Addressing the Imbalance Between Attackers and Defenders Using Cyber Deception - Timothy Barron