search menu icon-carat-right cmu-wordmark

Network Monitoring and Deceptive Defenses

January 2016 Presentation
Michael Collins (RedJack), Brian Satira (Noblis)

In this FloCon 2016 presentation, the authors discuss the use of network monitoring to support deceptive defenses.

Abstract

In this FloCon 2016 presentation, we discuss the use of network monitoring to support deceptive defenses. In the context of this presentation, a deceptive defense is any defensive mechanism that is intended to frustrate or delay attackers by feeding them false information about a network's structure.  The classic example of such a defense is a honeypot, but recent research has resulted in multiple other defenses, including honeywords and honeyfiles.

We discuss the integration of deceptive defenses with network monitoring by focusing on the problem of file exfiltration—copying files from a network. A potential deceptive defense against exfiltration is to artificially inflate the size of critical files (e.g., proprietary information, password files). Such a defense is most effective when combined with situational awareness—an understanding of how large these files have to be to impose a risk on an attacker.