Managing Network Security
The Unpredictability Defense
by Fred Cohen
Over the last several years, computing has changed to an almost purely
networked environment, but the technical aspects of information protection
have not kept up. As a result, the success of information security programs
has increasingly become a function of our ability to make prudent management
decisions about organizational activities. Managing Network Security takes
a management view of protection and seeks to reconcile the need for security
with the limitations of technology.
I was talking with Donn Parker, one of the brilliant career
information protection professionals of our age, and he brought up a very
interesting subject. He said, and I hope I don't misquote him, that in
interviewing hundreds of computer criminals who had been caught, a few
things stood out in common. One was that they all act in hard-to-predict
ways. Another was that they depend on predictability of defenses as a
cornerstone of their attacks. Many of them stated that unless they were
certain of how and when things would happen, they would not commit their
crimes. Furthermore, the way many of them were detected and caught was by
unanticipated changes in the way the defenses worked. If Donn is right, as
he almost always is about such things, a cornerstone of protection
management may be to keep changing the way you do defense.
Most successful technologists spend much of their time understanding
rational and predictable behavior of relatively simple systems (such as
computers, phone systems, networks, and so forth). Most successful managers
spend much of their time understanding the irrational and harder-to-predict
behavior of people. It is this irrational (read unpredictable) behavior of
people that makes technical defenses so difficult to perfect. Like the
Turing machine's inability to reliably predict whether a program will halt,
the technical defense's inability to anticipate all possibilities limits
its ultimate success.
While unpredictability of attackers makes defense far more difficult
than it would otherwise be, unpredictability is a sword that cuts both ways.
Most attackers depend on the predictability of the systems they attack for
their success. For example, one of the reasons that "social engineering"
(read lying to get what you want) works so well is that the responses of
most honest people are predictable. If you present a situation where the
wrong thing seems like the right thing, most people will do the wrong thing.
Similarly, most confidence games depend on the predictability of the victim.
The perfect mark is someone who wants to get rich and who will take risks to
do so. Greedy people behave in similar ways, and that is how attackers
take advantage of them.
In order to make unpredictability work for the defender, the defense has
to be unpredictable enough to deter and detect attacks. For example, one of
the most effective auditing techniques is the unannounced audit. Announced
or periodic audits give the bad guys time to cook the books, remove their
Trojan horses, erase their tracks from the audit trails, and so forth. This
is particularly effective against the insider threat.
The same unpredictability principle can be used to make all sorts of
attacks more difficult and more likely to be detected. While this technique
has been applied in many areas, one of the areas it has only rarely been
used in is the area of technical network protection.
The History of Technical Network Security Deception
Deception has had a long and prestigious history in technical defenses
of networks, but despite its great successes, it is not as widespread as
other sorts of defenses.
Why Deception Defense Has Not Been Widely Used
Maybe the reason is that we have taught defenders to try to build
perfect defenses, or perhaps it's because any hole is considered a major
hole because it introduces the potential for such rapid and widespread
expansion. But I think there are a few other reasons...
- Many consider it uncouth to use deception in defense. They assert, in
essence, that if you can't build a perfect defense, you need to learn to be
better at your job.
- Many defenders consider it a badge of honor to face all attackers head-on so
to speak. In other words, if you can't take the direct attack, you are somehow
not as good.
- Some people feel that deception is dishonest in some way and that this is
the thing we are trying to fight against. The notion of using lies to defeat
lies seems somehow to make the defenders no better than the attackers.
- Some defenders feel it is a form of entrapment - or an attractive
nuisance. In other words, they maintain that the attackers wouldn't attack
these systems if they didn't appear to be vulnerable.
- Many people have seen that real experts carry off such defenses in
special cases but feel that it's too hard for them to do well. They believe
that if they are not careful, it can introduce more problems than it solves.
- When you create things that appear to be vulnerabilities, you have to
watch it all the time to see people trying to attack. Some people think that
this means a lot of extra work.
- Many defenders feel that this sort of defense is no good against insiders
because the insiders presumably know the difference between the deceptions
and the real things they are trying to attack.
Before I address these particular concerns, I want to introduce you to
the Deception ToolKit (DTK). DTK is a free toolkit for creating deceptive
defenses against Internet-based attacks. It is available for free from over
the Internet (details follow) and I offer it up for your consideration.
The Deception ToolKit
The Deception ToolKit (DTK) is a toolkit designed to give defenders a
couple of orders of magnitude advantage over attackers. It can be found at
the / Web site where you can
download the DTK Version 0.0 software for free.
The basic idea is not new. We use deception to counter attacks. In the
case of DTK, the deception is intended to make it appear to attackers as if
the system running DTK has a large number of widely known vulnerabilities.
DTK's deception is programmable, but it is typically limited to producing
output in response to attacker input in such a way as to simulate the
behavior of a system which is vulnerable to the attacker's method. This has
a few interesting side effects:
- It increases the attacker's workload because they can't easily tell
which of their attack attempts works and which fail. For example, if an
attack produces what appears to be a Unix password file, the attacker would
normally run "Crack" to try to break into the system. But if the password
file is a fake, it consumes the attacker's time and effort to no result.
- It allows us to track attacker attempts at entry and respond before
they come across a vulnerability we are susceptible to. For example, when
the attacker tries to use a known Sendmail attack against our site, we record
all of their entries to track their techniques. With this deception in
place, we have no problem picking up port scans, password guessing, and all
manner of other attack attempts as they happen.
- It sours the milk - so to speak. If one person uses DTK, they can see
attacks coming well ahead of time. If a few others start using it, we will
probably exhaust the attackers and they will go somewhere else to run their
attacks. If a lot of people use DTK, the attackers will find that they need
to spend 100 times the effort to break into systems and that they have a
high risk of detection well before their attempts succeed.
- If enough people adopt DTK and work together to keep its deceptions up
to date, we will eliminate all but the most sophisticated attackers, and
all the copy-cat attacks will be detected soon after they are released to the
wide hacking community. This will not only sour the milk, it will also up the
ante for would-be copy-cat attackers and, as a side effect, reduce the "noise"
level of attacks to allow us to more clearly see the more serious attackers and
track them down.
- If DTK becomes very widespread, one of DTK's key deceptions will become
very effective. This deception is port 365 - which we have staked a claim
for as the deception port. Port 365 indicates whether the machine you are
attempting to connect to is running a deception defense. Naturally, attackers
who wish to avoid deceptive defenses will check there first, and eventually,
simply running the deceptive defense notifier will be adequate to eliminate
many of the attackers. Of course some of us defenders will not turn on the
deception announcement message so we can track new attack attempts by those who
avoid deceptive defenses, so... the attacker's level of uncertainty rises, and
the information world becomes a safer place to work.
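As an added illustration of the mechanism the column describes (scripted replies that imitate a vulnerable service, every attacker input logged, and a port 365 notice that can be turned on or off), here is a small deception service. It is example code written for this page, not DTK's own code, and the fake FTP commands, the decoy password file, the decoy port number and the log format are all constructed here.

```python
# Added example, not code from DTK or from Fred Cohen. A minimal scripted-response
# deception service: each attacker input line is matched against a per-state rule
# table, the matching rule yields a canned reply and the next state, and every input
# is logged so the attempt is detected before any real vulnerability is reached.
import re
import socketserver
import threading
from datetime import datetime, timezone

DECEPTION_PORT = 365   # announcement port the column says DTK stakes out
DECOY_PORT = 2121      # where the fake service listens (constructed choice)
DECEPTION_NOTICE = "This host runs a deception defense; all connections are logged.\r\n"

# Decoy "password file": shaped like the real thing so an attacker's script accepts
# it, but every entry is constructed and no account or hash is usable.
DECOY_PASSWD = ("root:x:0:0:root:/root:/bin/sh\n"
                "ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\n")

# Rule table: state -> [(pattern or None for the default, reply template, next state)].
# This is the "programmable" part: each rule imitates the reply a vulnerable service
# would give, with no real service behind it.
RULES = {
    "start": [
        (re.compile(r"^USER\s+(\S+)", re.I), "331 Password required for {0}\r\n", "want_pass"),
        (re.compile(r"^RETR\s+\S*passwd", re.I),
         "150 Opening data connection\r\n" + DECOY_PASSWD + "226 Transfer complete\r\n", "start"),
        (re.compile(r"^QUIT", re.I), "221 Goodbye\r\n", "closed"),
        (None, "500 Unknown command\r\n", "start"),
    ],
    "want_pass": [
        (re.compile(r"^PASS\s+\S*", re.I), "530 Login incorrect\r\n", "start"),
        (None, "503 Login with USER first\r\n", "want_pass"),
    ],
}

LOG = []  # in-memory log for the example; a deployment would write to syslog


class DeceptionSession:
    """Drives one attacker conversation through RULES and logs every input."""

    def __init__(self, peer, log=LOG):
        self.peer, self.state, self.log = peer, "start", log

    def respond(self, line):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        # Log before replying: the detection value is in the attempt itself.
        self.log.append(f"{stamp} deception peer={self.peer} state={self.state} input={line!r}")
        for pattern, reply, next_state in RULES[self.state]:
            match = pattern.match(line) if pattern else None
            if pattern is None or match:
                self.state = next_state
                return reply.format(*match.groups()) if match else reply
        raise RuntimeError("every state needs a default rule")


def run_script(peer, lines, log=None):
    """Feed constructed attacker input offline; returns (replies, log, final state)."""
    log = [] if log is None else log
    session = DeceptionSession(peer, log)
    replies = [session.respond(line) for line in lines]
    return replies, log, session.state


def deception_notice(announce):
    """Reply for port 365: the notice if we choose to announce, otherwise silence,
    since the column notes some defenders leave the announcement off."""
    return DECEPTION_NOTICE if announce else ""


class DecoyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        session = DeceptionSession(self.client_address[0])
        self.wfile.write(b"220 FTP server ready\r\n")
        while session.state != "closed":
            raw = self.rfile.readline()
            if not raw:
                break
            reply = session.respond(raw.decode(errors="replace").rstrip("\r\n"))
            self.wfile.write(reply.encode())


class NoticeHandler(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(deception_notice(announce=True).encode())


if __name__ == "__main__":
    # Serve the decoy and the announcement port (binding port 365 needs privileges).
    for port, handler in ((DECOY_PORT, DecoyHandler), (DECEPTION_PORT, NoticeHandler)):
        server = socketserver.ThreadingTCPServer(("0.0.0.0", port), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
    threading.Event().wait()
```

run_script lets you exercise the rule table without opening a socket, which is also how you would unit-test a new deception script before deploying it; the log lines it produces are the detection signal the column talks about, available the moment a scan or password guess hits the decoy.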
What The DTK Gets You
Remember the objections to deceptive defense? I thought it might be worth
going over them again with some counterpoints.
- If you can't build a perfect defense... All defenses today in common
operating environments are imperfect. Deception offers the potential to do a
better job without paying a lot of money or reducing functionality.
- If you can't take the direct attack, you are somehow not as good... But
if you can avoid a direct attack or detect it before it becomes serious, you
are even better! Deception offers the potential to avoid direct attack and
makes the enemy more visible from further away from their goal.
- Deception is dishonest. In fact, deception doesn't have to be dishonest.
In DTK, we provide the "deception port" to tell people who want to know whether
you are running deceptive defenses. On the other hand, when people are lying,
cheating, and stealing, is it really so bad to catch them before they succeed?
- The attackers wouldn't attack these systems if they didn't appear to be
vulnerable... On the other hand, until they try to attack, they can't tell
whether the systems are vulnerable, so it is the attackers who fire first.
Defending a system is no more an invitation to attacks than wearing nice
clothing is an invitation to throw mud on you.
- It's too hard for them to do well... With DTK, it's not hard to provide
a moderate level of deceptive defense. Even if it only reduces the attackers
by a small amount, it might well be worth the effort to make the attackers
that much less certain.
- When you create things that appear to be vulnerabilities, you have to
watch it all the time to see people trying to attack. DTK provides you with
notification so you don't have to watch all the time, but in fact, if people
are attacking your systems on a regular basis, the only successful defense
available today involves watching the systems very carefully. Deception makes
this easier to do because it provides a margin of safety and the potential
for warning before damage is done.
- No good against insiders... In fact, except for the insiders that know
specifically what you have chosen for deception and those who go very
carefully, deception works as well against insiders as it does against
outsiders. Even more importantly,
if they know you are using deception to catch people, it increases their
uncertainty level and makes it more risky for them to attack. This will
eliminate many of the insiders who only do things because they feel
comfortable that they can get away with it.
Summary and Conclusions
DTK is only one example of a deceptive defense. There are many deception
techniques in widespread use today, ranging from "sting" operations to fake
cameras. They act as a deterrent to crime by making the criminal less certain
and detecting crimes and criminals before they cause serious harm.
While deception is not the end all to network protection, it appears that
deception is a viable technique and one worth exploring. It can be simple,
inexpensive, and effective, and it benefits the good guys while making it
harder on the bad guys.
About The Author:
Fred Cohen is a Principal Member of Technical Staff at Sandia National
Laboratories and a Managing Director of Fred Cohen and Associates in
Livermore, California, an executive consulting and education group
specializing in information protection. He can be reached by sending email to
fred at all.net or visiting /