Enabling defensive deception in distributed system environments

2016 Resilience Week (RWS)(2016)

Abstract
While attackers have used deception to hide their identities, cause surprise, or mislead victims, defensive use of deception has been limited to honeypots and moving target defenses (MTDs). This has left unexplored a powerful defensive strategy, namely active manipulation of the adversary's decision loop. In contrast to the passive approach of honeypots and MTDs, this active approach deliberately interacts with the adversary to cause him to think he is succeeding and expend effort in an alternate reality. The work described in this paper took initial steps to realize active defensive deception in the context of distributed systems and built a prototype that creates an alternate reality in which to trap, learn about, and manipulate adversarial actors without affecting normal and legitimate operations. This prototype, called KAGE, employs Software Defined Networking (SDN) and virtualization to create a malleable substrate in which deception can occur. Deception is necessarily context dependent. In the case of KAGE, deception is tied to the mission purpose served by the distributed system being defended, specifically the services running, and the configuration, scale, and complexity of the environment. Consequently, there is no single deception strategy that will fit all system and mission contexts. KAGE therefore presents a framework through which a wide array of deceptions can be composed from component building blocks. This work-in-progress paper introduces the concept of active defensive cyber deception, discusses the early-stage KAGE prototype, and introduces some of the challenges intrinsic to enabling defensive deception in distributed environments.
Keywords
deception, distributed systems, security