-
Act as a Honeytoken Generator! An Investigation into Honeytoken Generation with Large Language Models
Authors:
Daniel Reti,
Norman Becker,
Tillmann Angeli,
Anasuya Chattopadhyay,
Daniel Schneider,
Sebastian Vollmer,
Hans D. Schotten
Abstract:
With the increasing prevalence of security incidents, the adoption of deception-based defense strategies has become pivotal in cyber security. This work addresses the challenge of scalability in designing honeytokens, a key component of such defense mechanisms. The manual creation of honeytokens is a tedious task. Although automated generators exist, they often lack versatility, being specialized for specific types of honeytokens, and heavily rely on suitable training datasets. To overcome these limitations, this work systematically investigates the approach of utilizing Large Language Models (LLMs) to create a variety of honeytokens. Out of the seven different honeytoken types created in this work, such as configuration files, databases, and log files, two were used to evaluate the optimal prompt. The generation of robots.txt files and honeywords was used to systematically test 210 different prompt structures, based on 16 prompt building blocks. Furthermore, all honeytokens were tested across different state-of-the-art LLMs to assess the varying performance of different models. Prompts performing optimally on one LLM do not necessarily generalize well to another. Honeywords generated by GPT-3.5 were found to be less distinguishable from real passwords compared to previous methods of automated honeyword generation. Overall, the findings of this work demonstrate that generic LLMs are capable of creating a wide array of honeytokens using the presented prompt structures.
Submitted 24 April, 2024;
originally announced April 2024.
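Added here as an illustration, not code from the paper above: a minimal implementation of the classic automated honeyword baseline that LLM-generated honeywords are measured against, Juels and Rivest's chaffing-by-tweaking, together with the honeychecker that turns a login with a honeyword into an alert. The sample password, user name and parameter choices (k=10 sweetwords, t=3 tweaked tail characters) are assumptions for the example; a real deployment stores salted hashes of the sweetwords rather than plaintext and keeps the honeychecker on a separate, hardened host.

```python
"""Honeyword generation by chaffing-by-tweaking and a minimal honeychecker.

Added example, not code from the paper. A password file stores k sweetwords
per user (one real password plus k-1 honeywords); a separate honeychecker
stores only the index of the real one, so a stolen password file does not
reveal which sweetword is genuine, and a login with any honeyword raises an
alert. Sweetwords are kept in plaintext here only to keep the example short.
"""
import random
import string


def _tweak_char(c, rng):
    """Replace c with a different random character of the same class."""
    if c.isdigit():
        pool = string.digits
    elif c.isalpha():
        pool = string.ascii_lowercase if c.islower() else string.ascii_uppercase
    else:
        pool = string.punctuation
    choice = rng.choice(pool)
    while choice == c:
        choice = rng.choice(pool)
    return choice


def tweak_tail(password, t, rng):
    """Chaffing-by-tweaking: re-draw the last t characters, keeping their classes."""
    head, tail = password[:-t], password[-t:]
    return head + "".join(_tweak_char(c, rng) for c in tail)


def generate_sweetwords(password, k=20, t=3, seed=None):
    """Return (sweetwords, real_index); the real password sits at a random slot."""
    rng = random.Random(seed)
    honeywords = set()
    while len(honeywords) < k - 1:
        honeywords.add(tweak_tail(password, t, rng))  # every tail char differs
    sweetwords = list(honeywords)
    real_index = rng.randrange(k)
    sweetwords.insert(real_index, password)
    return sweetwords, real_index


class Honeychecker:
    """Separate component that only knows which slot holds the real password."""

    def __init__(self):
        self._index = {}
        self.alerts = []

    def set(self, user, index):
        self._index[user] = index

    def check(self, user, index):
        if index == self._index[user]:
            return True
        self.alerts.append(f"honeyword submitted for {user} (slot {index})")
        return False


def login(password_file, checker, user, attempt):
    """Find which sweetword matched, then ask the honeychecker whether it is real.

    Returns 'ok', 'honeyword' (alert raised) or 'fail' (no sweetword matched).
    """
    sweetwords = password_file[user]
    if attempt not in sweetwords:
        return "fail"
    return "ok" if checker.check(user, sweetwords.index(attempt)) else "honeyword"


if __name__ == "__main__":
    # Constructed demo user; the password is an example value, not real data.
    words, idx = generate_sweetwords("Summer2023!", k=10, t=3, seed=7)
    print(words)
    hc = Honeychecker()
    hc.set("alice", idx)
    print(login({"alice": words}, hc, "alice", words[(idx + 1) % 10]), hc.alerts)
```

The tail-tweaking keeps the prefix intact, which is exactly why such honeywords are easy to tell apart from the real password once an attacker sees all ten side by side; the paper's comparison is against this kind of baseline.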
-
Evaluating Deception and Moving Target Defense with Network Attack Simulation
Authors:
Daniel Reti,
Karina Elzer,
Daniel Fraunholz,
Daniel Schneider,
Hans-Dieter Schotten
Abstract:
In the field of network security, with the ongoing arms race between attackers seeking new vulnerabilities to bypass defense mechanisms and defenders reinforcing their prevention, detection and response strategies, the novel concept of cyber deception has emerged. Starting from the well-known example of honeypots, many other deception strategies have been developed, such as honeytokens and moving target defense, all sharing the objective of creating uncertainty for attackers and increasing the chance of the attacker making mistakes. In this paper a methodology to evaluate the effectiveness of honeypots and moving target defense in a network is presented. This methodology allows the effectiveness to be measured quantitatively in a simulation environment, making it possible to recommend how many honeypots to deploy and how quickly network addresses have to be mutated to effectively disrupt an attack in multiple network and attacker configurations. With this optimum, attacks can be detected and slowed down with minimal resource and configuration overhead. With the provided methodology, the optimal number of honeypots to be deployed and the optimal network address mutation interval can be determined. Furthermore, this work provides guidance on how to optimally deploy and configure them with respect to the attacker model and several network parameters.
Submitted 25 January, 2023;
originally announced January 2023.
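To make the two knobs the abstract talks about concrete, here is an added toy simulation (not the authors' simulation environment or attacker model): a scanning attacker in a small network with a configurable number of honeypots and a configurable address-mutation interval. The network size (64 addresses), the attacker behaviour (random sweep without repeats, restarting if a sweep finishes) and the mutation model (all hosts re-addressed at once after a fixed number of probes) are assumptions of the example. The sweep at the bottom produces the kind of table from which an operator would pick the honeypot count and mutation interval.

```python
"""Monte Carlo evaluation of honeypot count and address-mutation interval.

Added example, not the authors' simulation. Toy model: a network of n
addresses holds one real target, k honeypots and otherwise empty addresses.
The attacker probes addresses in random order without repeats, restarting a
fresh sweep if one finishes without a hit. Every `mutation_interval` probes
the defender re-assigns all host addresses at random (moving target
defense), which silently invalidates the attacker's "already scanned" list.
A probe hitting a honeypot counts as detection; a probe hitting the target
counts as attacker success.
"""
import random
import statistics


def place_hosts(addresses, k, rng):
    """Assign the target and k honeypots to k+1 distinct random addresses."""
    hosts = rng.sample(addresses, k + 1)
    return hosts[0], set(hosts[1:])


def simulate_once(n, k, mutation_interval, rng):
    """Run one attack; return ('detected' | 'compromised', probes_used)."""
    addresses = list(range(n))
    target, honeypots = place_hosts(addresses, k, rng)
    probes = 0
    while True:
        order = addresses[:]
        rng.shuffle(order)
        for addr in order:
            probes += 1
            if addr == target:
                return "compromised", probes
            if addr in honeypots:
                return "detected", probes
            # Moving target defense: mutate all host addresses after every interval.
            if mutation_interval and probes % mutation_interval == 0:
                target, honeypots = place_hosts(addresses, k, rng)


def evaluate(n, k, mutation_interval, trials=2000, seed=1):
    """Estimate detection rate and mean number of probes until the attack ends."""
    rng = random.Random(seed)
    outcomes = [simulate_once(n, k, mutation_interval, rng) for _ in range(trials)]
    detection_rate = sum(1 for o, _ in outcomes if o == "detected") / trials
    mean_probes = statistics.fmean([p for _, p in outcomes])
    return {"detection_rate": detection_rate, "mean_probes": mean_probes}


def sweep(n, honeypot_counts, intervals, trials=2000):
    """Table of (k, interval) -> metrics, the raw material for choosing an optimum."""
    return {(k, t): evaluate(n, k, t, trials) for k in honeypot_counts for t in intervals}


if __name__ == "__main__":
    for (k, t), m in sweep(64, [0, 1, 5], [0, 4]).items():
        label = "never" if t == 0 else str(t)
        print(f"honeypots={k:2d} mutation_every={label:>5}  "
              f"detection={m['detection_rate']:.2f}  mean_probes={m['mean_probes']:5.1f}")
```

Without mutation, a random sweep hits one of the k honeypots before the target with probability k/(k+1), which the simulation reproduces; mutation does not change that ratio in this model but roughly doubles the probes an undetected attacker needs, because every re-addressing puts the target back into address space the attacker believes it has already cleared.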
-
SCANTRAP: Protecting Content Management Systems from Vulnerability Scanners with Cyber Deception and Obfuscation
Authors:
Daniel Reti,
Karina Elzer,
Hans Dieter Schotten
Abstract:
Every attack begins with gathering information about the target. The entry points for network breaches are often vulnerabilities in internet-facing websites, which frequently rely on an off-the-shelf Content Management System (CMS). Bot networks and human attackers alike rely on automated scanners to gather information about the installed CMS software and potential vulnerabilities. To increase the security of websites using a CMS, it is desirable to make the use of CMS scanners less reliable. The aim of this work is to extend the current knowledge about cyber deception in regard to CMS. To demonstrate this, a WordPress plugin called 'SCANTRAP' was created, which uses simulation and dissimulation in regard to plugins, themes, versions, and users. We found that the resulting plugin is capable of obfuscating real information and, to a certain extent, of injecting false information into the output of one of the most popular WordPress scanners, WPScan, without limiting the legitimate functionality of the WordPress installation.
Submitted 25 January, 2023;
originally announced January 2023.
-
The Global State of Security in Industrial Control Systems: An Empirical Analysis of Vulnerabilities around the World
Authors:
Simon Daniel Duque Anton,
Daniel Fraunholz,
Daniel Krohmer,
Daniel Reti,
Daniel Schneider,
Hans Dieter Schotten
Abstract:
Operational Technology (OT) networks and devices, i.e. all components used in industrial environments, were not designed with security in mind. Efficiency and ease of use were the most important design characteristics. However, due to the digitisation of industry, an increasing number of devices and industrial networks are opened up to public networks. This is beneficial for the administration and organisation of industrial environments. However, it also increases the attack surface, providing possible points of entry for an attacker. Originally, breaking into production networks meant breaking through an Information Technology (IT) perimeter first, such as a public website, and then moving laterally to Industrial Control Systems (ICSs) to influence the production environment. However, many OT devices are connected directly to the Internet, which drastically increases the threat of compromise, especially since OT devices contain several vulnerabilities. In this work, the presence of OT devices on the Internet is analysed from an attacker's perspective. Publicly available tools, such as the search engine Shodan and vulnerability databases, are employed to find commonly used OT devices and map vulnerabilities to them. These findings are grouped according to country of origin, manufacturer, and number as well as severity of vulnerabilities. More than 13000 devices were found, almost all of which contained at least one vulnerability. European and North American countries are by far the most affected.
Submitted 27 November, 2021;
originally announced November 2021.
-
Secure (S)Hell: Introducing an SSH Deception Proxy Framework
Authors:
Daniel Reti,
David Klaaßen,
Simon Duque Anton,
Hans Dieter Schotten
Abstract:
Deceiving an attacker in the network security domain is a well-established approach, mainly achieved through the deployment of honeypots consisting of open network ports with the sole purpose of raising an alert on a connection. With attackers becoming more careful to avoid honeypots, other decoy elements on real host systems continue to create uncertainty for attackers. This uncertainty makes an attack more difficult, as an attacker cannot be sure whether the system contains deceptive elements or not. Consequently, each action of an attacker could lead to discovery. In this paper a framework is proposed for placing decoy elements through an SSH proxy, allowing decoy elements to be deployed on the fly without the need to modify the protected host system.
Submitted 8 April, 2021;
originally announced April 2021.
-
Escape the Fake: Introducing Simulated Container-Escapes for Honeypots
Authors:
Daniel Reti,
Norman Becker
Abstract:
In the field of network security, the concept of honeypots is well established in research as well as in production. Honeypots are used to imitate a legitimate target on the network and to raise an alert on any interaction. This not only helps in learning about a breach, but also allows researchers to study the techniques of an attacker. With the rise of cloud computing, container-based virtualization has gained popularity for application deployment. This paper investigates the possibilities of container-based honeypots and introduces the concept of simulating container escapes as a deception technique.
Submitted 8 April, 2021;
originally announced April 2021.
-
Deep Down the Rabbit Hole: On References in Networks of Decoy Elements
Authors:
Daniel Reti,
Daniel Fraunholz,
Janis Zemitis,
Daniel Schneider,
Hans Dieter Schotten
Abstract:
Deception technology has proven to be a sound approach against threats to information systems. Aside from well-established honeypots, decoy elements, also known as honeytokens, are an excellent method to address various types of threats. Decoy elements cause distraction and uncertainty for an attacker and help detect malicious activity. Deception is meant to complement firewalls and intrusion detection systems. Insider threats in particular may be mitigated with deception methods. While current approaches consider the use of multiple decoy elements as well as context sensitivity, they do not sufficiently describe a relationship between individual elements. In this work, inter-referencing decoy elements are introduced as a plausible extension to existing deception frameworks, leading attackers along a path of decoy elements. A theoretical foundation is introduced, as well as a stochastic model and a reference implementation. It was found that the proposed system is suitable to enhance current decoy frameworks by adding a further dimension of inter-connectivity and therefore improves intrusion detection and prevention.
Submitted 8 April, 2021;
originally announced April 2021.
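The abstract's central idea, decoys that reference one another so that an attacker is led along a path, is illustrated below with an added example that is not the authors' reference implementation or their stochastic model. The chain (a decoy config file naming a decoy credential, which belongs to a decoy host, which offers a decoy share), the token identifiers and the JSON access events are all constructed for the example. The point it adds over the prose is the detection side: because the decoys are linked, a correlator can tell an attacker who follows the breadcrumbs in order (high confidence of a human walking the path) from a stray hit on a single decoy, and from someone who arrived at a deep decoy without passing through the earlier ones.

```python
"""Inter-referencing decoy elements: a linear chain of honeytokens and a
correlator that measures how far along the chain an attacker has walked.

Added example; not the authors' implementation. Chain, token identifiers and
access events are constructed. Each decoy carries a unique token and
references the next decoy on the path. The correlator reads JSON access
events (e.g. from file-access auditing, the decoy host's auth log and the
decoy share's service log), maps each token to its chain position and
scores each source by how deep and how orderly its walk was.
"""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Decoy:
    token: str          # unique identifier embedded in the decoy
    kind: str           # what the decoy pretends to be
    location: str       # where it is planted / what it references
    next_token: Optional[str] = None


def build_chain(specs):
    """specs: (token, kind, location) tuples in path order; link each to the next."""
    decoys = [Decoy(t, k, loc) for t, k, loc in specs]
    for cur, nxt in zip(decoys, decoys[1:]):
        cur.next_token = nxt.token
    return {d.token: d for d in decoys}


def chain_depth(chain):
    """Map token -> 0-based position along the path (assumes one linear chain)."""
    referenced = {d.next_token for d in chain.values() if d.next_token}
    heads = [t for t in chain if t not in referenced]
    if len(heads) != 1:
        raise ValueError("example assumes exactly one linear chain")
    depth, tok, i = {}, heads[0], 0
    while tok is not None:
        depth[tok] = i
        tok, i = chain[tok].next_token, i + 1
    return depth


def severity(max_depth, ordered):
    """Escalate once a referenced decoy is reached; more so if reached in order."""
    if max_depth >= 1 and ordered:
        return "high"
    if max_depth >= 1:
        return "medium"
    return "low"


def correlate(chain, event_lines):
    """Return per-source progress along the decoy path.

    A source is 'ordered' if its first decoy is the chain head and every new
    decoy it touches is the immediate successor of the deepest one seen so
    far. Touching an already-seen decoy again does not break the order.
    """
    depth = chain_depth(chain)
    sessions = {}
    for line in event_lines:
        ev = json.loads(line)
        tok = ev.get("token")
        if tok not in depth:
            continue  # not one of our decoys
        s = sessions.setdefault(ev["src"], {"seen": [], "path": [], "max_depth": -1, "ordered": True})
        d = depth[tok]
        if d not in s["seen"]:
            if d != s["max_depth"] + 1:
                s["ordered"] = False
            s["seen"].append(d)
            s["path"].append(chain[tok].kind)
            s["max_depth"] = max(s["max_depth"], d)
    return {src: {"max_depth": s["max_depth"], "ordered": s["ordered"], "path": s["path"],
                  "severity": severity(s["max_depth"], s["ordered"])}
            for src, s in sessions.items()}


# Constructed chain: each decoy points at the next one an attacker would chase.
CHAIN = build_chain([
    ("ht-cfg-4f1a", "config file", "/srv/app/backup.conf"),
    ("ht-cred-9c2e", "credential", "svc_backup password inside backup.conf"),
    ("ht-host-77b0", "decoy host", "10.0.9.40, the host the credential is for"),
    ("ht-share-d3e1", "decoy share", "smb://10.0.9.40/archive"),
])

# Constructed access events (JSON lines); sources and timestamps are made up.
EVENTS = [
    '{"ts": "2021-04-08T10:00:01Z", "src": "10.0.0.5", "token": "ht-cfg-4f1a"}',
    '{"ts": "2021-04-08T10:00:03Z", "src": "10.0.0.9", "token": "ht-cfg-4f1a"}',
    '{"ts": "2021-04-08T10:02:10Z", "src": "10.0.0.5", "token": "ht-cred-9c2e"}',
    '{"ts": "2021-04-08T10:02:11Z", "src": "10.0.0.5", "token": "ht-cfg-4f1a"}',
    '{"ts": "2021-04-08T10:05:40Z", "src": "10.0.0.7", "token": "ht-host-77b0"}',
    '{"ts": "2021-04-08T10:06:02Z", "src": "10.0.0.5", "token": "ht-host-77b0"}',
    '{"ts": "2021-04-08T10:06:30Z", "src": "10.0.0.5", "token": "not-a-decoy"}',
    '{"ts": "2021-04-08T10:09:15Z", "src": "10.0.0.5", "token": "ht-share-d3e1"}',
]

if __name__ == "__main__":
    for src, info in correlate(CHAIN, EVENTS).items():
        print(src, info)
```

In the constructed events, 10.0.0.5 walks the whole chain in order and is scored high; 10.0.0.9 only read the config file, which a backup job or a curious admin might also do, so it stays low; 10.0.0.7 connected to the decoy host without ever touching the file or credential that point to it, which is worth a medium alert because it suggests the host's existence leaked some other way.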
-
Application of Virtualization Technologies in Novel Industrial Automation: Catalyst or Show-Stopper?
Authors:
Michael Gundall,
Daniel Reti,
Hans D. Schotten
Abstract:
Industry 4.0 describes an adaptive and changeable production, where factory cells have to be reconfigured at very short intervals, e.g. after each workpiece. Furthermore, this scenario cannot be realized with traditional devices, such as programmable logic controllers. Here, well-proven technologies from information technology are conquering the production hall (IT-OT convergence). Therefore, both virtualization and novel communication technologies are being introduced in the field of industrial automation. In addition, these technologies are seen as the key to facilitating various emerging use cases. However, it is not yet clear whether each of the dedicated hardware and software components, which have been developed for specific control tasks and have performed well over decades, can be upgraded without major adjustments. In this paper, we examine the opportunities and challenges of hardware and operating-system-level virtualization based on the stringent requirements imposed by industrial applications. For that purpose, benchmarks for different virtualization technologies are set by determining their computational and networking overhead, configuration effort, accessibility, scalability, and security.
Submitted 16 November, 2020;
originally announced November 2020.
-
Creating it from SCRATCh: A Practical Approach for Enhancing the Security of IoT-Systems in a DevOps-enabled Software Development Environment
Authors:
Simon D Duque Anton,
Daniel Fraunholz,
Daniel Krohmer,
Daniel Reti,
Hans D Schotten,
Franklin Selgert,
Marcell Marosvölgyi,
Morten Larsen,
Krishna Sudhakar,
Tobias Koch,
Till Witt,
Cédric Bassem
Abstract:
DevOps describes a method to reorganize the way different disciplines in software engineering work together to speed up software delivery. However, the introduction of DevOps methods to organisations is a complex task. A successful introduction results in a set of structured process descriptions. Despite the structure, this process leaves margin for error: in particular, security issues are addressed in individual stages, without consideration of their interdependence. Furthermore, applying DevOps methods to distributed entities, such as the Internet of Things (IoT), is difficult as the architecture is tailor-made for desktop and cloud resources. In this work, an overview of tooling employed in the stages of DevOps processes is introduced. Gaps in terms of security or applicability to the IoT are derived. Based on these gaps, solutions that are being developed in the course of the research project SCRATCh are presented and discussed in terms of their benefit to DevOps environments.
Submitted 28 October, 2020;
originally announced October 2020.
-
Demystifying Deception Technology: A Survey
Authors:
Daniel Fraunholz,
Simon Duque Anton,
Christoph Lipps,
Daniel Reti,
Daniel Krohmer,
Frederic Pohl,
Matthias Tammen,
Hans Dieter Schotten
Abstract:
Deception boosts security for systems and components by denial, deceit, misinformation, camouflage and obfuscation. In this work an extensive overview of the deception technology environment is presented. Taxonomies, theoretical backgrounds, psychological aspects as well as concepts, implementations, legal aspects and ethics are discussed and compared.
Submitted 17 April, 2018;
originally announced April 2018.