
University of Central Florida
STARS: Electronic Theses and Dissertations, 2004-2019

A FRAMEWORK FOR MODELING ATTACKER CAPABILITIES WITH DECEPTION

by
SHARIF HASSAN
B.S. University of Central Florida, 2000
M.S. Florida Institute of Technology, 2008

A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in the Department of Computer Science in the College of Engineering and Computer Science at the University of Central Florida, Orlando, Florida. Spring Term 2019. Major Professor: Ratan Kumar Guha.

Part of the Computer Sciences Commons. This Doctoral Dissertation (Open Access) is available from STARS (https://stars.library.ucf.edu/etd), the University of Central Florida Libraries repository (http://library.ucf.edu), and was accepted for inclusion in Electronic Theses and Dissertations, 2004-2019 by an authorized administrator of STARS.

STARS Citation: Hassan, Sharif, "Framework For Modeling Attacker Capabilities with Deception" (2019). Electronic Theses and Dissertations, 2004-2019. 6293. https://stars.library.ucf.edu/etd/6293

© 2019 Sharif Hassan

ABSTRACT

In this research we built a custom experimental range using open-source emulated honeypots and custom pure honeypots designed to detect or capture attacker activity. The focus is to test the effectiveness of a deception, that is, its ability to evade detection, against attackers of varying skill levels. The range consists of three zones reachable over a virtual private network. The first zone houses varying configurations of open-source emulated honeypots, custom-built pure honeypots, and real SSH servers. The second zone acts as a point of presence for attackers. The third zone is for administration and monitoring. Using the range, both a control experiment and a participant-based experiment were conducted.
We conducted control experiments to baseline and empirically explore honeypot detectability among other systems through adversarial testing. We executed a series of tests: a network service sweep, enumeration scanning, and finally manual execution. We also selected participants of varying skill, each with their own tactics, techniques and procedures, to serve as cyber attackers against the experiment range and attempt to detect the honeypots. We have concluded the experiments and performed data analysis. We measure the anticipated threat by presenting the Attacker Bias Perception Profile model. Using this model, each participant is ranked based on their overall threat classification and impact. Applying the model to the participants' results aligns the threat with the likelihood and impact of a honeypot being detected. The results indicate that the pure honeypots are significantly more difficult to detect. The emulated honeypots are grouped into different categories based on whether they were detected and on the skills of the attackers who detected them. We developed a framework abstracting the deceptive process, the interaction with system elements, the use of intelligence, and the relationship with attackers. The framework is illustrated by our experiment case studies: the attacker actions, the effects on the system, and the impact on success.

I dedicate this dissertation, my research, and all the efforts involved first to my loving wife Kimmy, without whom I would not have been able to complete this work. I would also like to dedicate this to my daughters Kinsley and Layla, for it was you both who gave me the motivation. Finally, I dedicate this work to Clover for always being by my side.

ACKNOWLEDGMENTS

I would first like to express my gratitude to my advisor Dr. Ratan Guha for everything you have done. I want to thank my committee for taking their time to support my research. I would like to acknowledge the support and help of each participant in my research experimentation.
I want to thank everyone who supported me at Lockheed Martin. I would like to thank my family and friends for their support and dedication. I want to especially thank my wife Kimmy for everything she has done to help and support me. Finally, and certainly not least, I want to thank God for giving me the ability to complete this work.

Committee Members:
Dr. Ratan K. Guha
Dr. Mostafa Bassiouni
Dr. Mainak Chatterjee
Dr. Ronald DeMara

TABLE OF CONTENTS

LIST OF FIGURES ... xii
LIST OF TABLES ... xviii
LIST OF ACRONYMS ... xx
CHAPTER ONE: INTRODUCTION ... 1
CHAPTER TWO: BACKGROUND ... 5
    Secure Shell Technologies ... 5
        OpenSSH ... 6
        Dropbear ... 6
    Defining Attackers Profiles ... 7
        Annoyance Threats ... 8
        Cyber Crime ... 9
        Cyber Terrorism ... 10
        Hacktivism ... 11
        Insider Threat ... 12
        Nation Sponsored ... 13
    Basics on Cyber Intelligence and Indicators ... 15
    Existing research in Cyber Deception ... 19
        Basic Model ... 20
        The Incorporated Model ... 22
        Cyber D&D Model ... 25
    Common Tools and Utilities ... 26
        Nmap ... 27
        Metasploit ... 27
CHAPTER THREE: DECEPTION AS A SOFTWARE ... 29
    Honeypot Fundamentals ... 29
    Opensource Honeypots Used in This Research ... 33
        Kippo ... 34
        Cowrie ... 35
        Kojoney2 ... 35
        Xsweet ... 36
    SSH Honeypot Detection ... 36
    Past Research on Testing Honeypots ... 40
        Red Teaming Experiments with Deceptive Technologies ... 41
        Testing Deceptive Honeypots ... 43
        Measuring the Effectiveness of Honeypot Counter-Counter deception ... 45
CHAPTER FOUR: CUSTOM PURE HONEYPOT AND EXPERIMENT RANGE BUILD ... 47
    Custom Pure Honeypot Buildout ... 47
    Environment Build Overview ... 52
        Attacker-NET ... 56
        Services-NET ...