Categorization Of Cyber Security Deception Events For Measuring The Severity Level Of Advanced Targeted Breaches

11th European Conference on Software Architecture (ECSA 2017), Companion Volume, 2017

Abstract
Advanced attackers have become more sophisticated in their target selection, in evading detection and in monetizing breached data. Cyber deception is used to gather information about botnets and spreading worms, and to detect persistent external attackers hidden inside systems as well as insider threats. Decoys are resources that should never be accessed in normal operation; they raise alerts and provide information when systems have been compromised. Decoys can be used to learn about automated malicious tools and adversary behaviour, and to slow down attacks. This paper addresses three challenges. First, deception tools usually raise alerts at only certain severity levels, selected manually or hard-coded into the implementation, so it may be difficult to tell the difference in severity between two alerts coming from different decoys. Second, alerts coming from decoys may reveal too much to malicious administrators (insider threats); in many cases it is not necessary to reveal the type or actual location of a decoy at all. Third, monitoring the phases of an attack over time is difficult. To address all three challenges, this paper proposes an automated severity categorization for information coming from decoys. The categorization can be used together with existing cyber deception tools (such as honeypots, honeynets or honeytokens) to provide additional information for alerts. It uses a decoy severity level calculated from the criticality of the locations of the actual decoy, of the bait leading to it, and of the key enabling access to the bait or the decoy. External attacks usually start against the easiest targets, whereas an insider threat may access the most critical information right away.
In addition, the presented categorization aims to improve situational awareness by providing more information for measuring the level of the adversaries in advanced targeted attacks, which also helps with the third challenge. The proposed approach and categorization have been tested with a prototype combining web-page honeytokens, URL baits leading to them, and encryption keys and user credentials enabling access to the baits. Two different implementation approaches have been demonstrated. The results show that combining additional severity measurement information with security alerts indeed improves situational awareness. The results can be used to improve existing deception tools and ways of logging events, to create new deception tools, and to improve the information shown in various visualization tools.
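The abstract describes three things an enriched decoy alert should carry: a severity derived from where the decoy, its bait and its key were planted; no hint of the decoy's type or real location (so a malicious administrator learns nothing from the alert); and the attack phase reached, so that an actor who skips the bait and goes straight to the decoy stands out. The following is an added example, not the paper's prototype or its formula: the aggregation rule (severity of an event equals the criticality of the location of the component touched in that phase), the phase names, the `DecoyChain` structure and the sample events are all assumptions made for illustration.

```python
"""Added example: enrich decoy alerts with a severity level, redact decoy details and
track attack phases. Assumed model for illustration, not the paper's implementation."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class Criticality(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class DecoyChain:
    # Assumed structure: one decoy, the bait that leads to it, the key that opens it,
    # each tagged with the criticality of the location where it was planted.
    decoy_id: str        # opaque id; the only decoy reference that reaches the alert
    bait: Criticality    # where the bait (e.g. a URL) was planted
    key: Criticality     # where the key or credential enabling access was stored
    decoy: Criticality   # where the decoy (e.g. a honeytoken page) itself lives
    internal_note: str   # real type and location; must never leak into an alert


# Expected order of an external attack: bait first, then key, then decoy.
PHASES = ("bait_accessed", "key_used", "decoy_accessed")


def severity_level(chain: DecoyChain, phase: str) -> int:
    """Assumed rule: the severity of an event is the criticality of the location of
    the chain component touched in this phase."""
    return int({"bait_accessed": chain.bait,
                "key_used": chain.key,
                "decoy_accessed": chain.decoy}[phase])


def enrich(raw_event: dict, chains: Dict[str, DecoyChain]) -> dict:
    """Build the alert an administrator sees: severity and phase, but no decoy type
    or location (addresses the insider-threat concern)."""
    chain = chains[raw_event["decoy_id"]]
    phase = raw_event["phase"]
    if phase not in PHASES:
        raise ValueError(f"unknown phase {phase!r}")
    return {
        "actor": raw_event["actor"],
        "decoy_id": chain.decoy_id,
        "phase": phase,
        "severity": severity_level(chain, phase),
    }


def track_phases(alerts: List[dict]) -> Dict[str, dict]:
    """Per actor: highest phase reached, peak severity, and which earlier phases were
    skipped. Jumping straight to the decoy is the insider pattern the abstract notes."""
    out: Dict[str, dict] = {}
    for a in alerts:
        rec = out.setdefault(a["actor"], {"phases": set(), "peak_severity": 0})
        rec["phases"].add(a["phase"])
        rec["peak_severity"] = max(rec["peak_severity"], a["severity"])
    for rec in out.values():
        reached = [p for p in PHASES if p in rec["phases"]]
        top = PHASES.index(reached[-1])
        rec["highest_phase"] = reached[-1]
        rec["skipped_phases"] = [p for p in PHASES[:top] if p not in rec["phases"]]
    return out


# Constructed sample data: one chain, an external actor walking it in order, and an
# internal account that goes straight to the decoy.
CHAINS = {
    "d-7f3a": DecoyChain("d-7f3a", Criticality.LOW, Criticality.MEDIUM, Criticality.CRITICAL,
                         internal_note="honeytoken page under a board-reports share; bait in wiki"),
}
RAW_EVENTS = [
    {"actor": "203.0.113.7", "decoy_id": "d-7f3a", "phase": "bait_accessed"},
    {"actor": "203.0.113.7", "decoy_id": "d-7f3a", "phase": "key_used"},
    {"actor": "203.0.113.7", "decoy_id": "d-7f3a", "phase": "decoy_accessed"},
    {"actor": "jdoe", "decoy_id": "d-7f3a", "phase": "decoy_accessed"},
]


def run() -> Dict[str, dict]:
    alerts = [enrich(e, CHAINS) for e in RAW_EVENTS]
    # The redaction check: nothing from internal_note may reach the alert stream.
    assert all("internal_note" not in a for a in alerts)
    return track_phases(alerts)


if __name__ == "__main__":
    for actor, rec in run().items():
        print(actor, rec["highest_phase"], rec["peak_severity"], rec["skipped_phases"])
```

With the constructed data the external actor's three alerts climb from severity 1 to 4 in the expected order, while the internal account produces a single severity-4 alert with both earlier phases skipped; that difference is visible to an analyst without the alert ever naming the decoy's type or path.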
Keywords
Cyber security, cyber deception, advanced targeted attacks, decoys, categorization, insider threat