Cyber Deception Reactive: TCP Stealth Redirection to On-Demand Honeypots
Pedro Beltran Lopez, Pantaleone Nespoli, Manuel Gil Perez

TL;DR
This paper introduces a stealthy TCP redirection mechanism for cyber deception that effectively diverts attackers to honeypots without detection, enabling threat intelligence collection and protecting real assets.
Contribution
It presents a novel TCP redirection method for cyber deception that is undetectable and on-demand, enhancing attacker diversion and threat data collection.
Findings
Redirection is effective in various scenarios.
Latency times are low enough to be undetectable.
Attackers focus on honeypots, not real assets.
Abstract
Cybersecurity is developing rapidly, and new methods of defence against attackers are appearing, such as Cyber Deception (CYDEC). CYDEC consists of deceiving the enemy who performs actions without realising that he/she is being deceived. This article proposes designing, implementing, and evaluating a deception mechanism based on the stealthy redirection of TCP communications to an on-demand honey server with the same characteristics as the victim asset, i.e., it is a clone. Such a mechanism ensures that the defender fools the attacker, thanks to stealth redirection. In this situation, the attacker will focus on attacking the honey server while enabling the recollection of relevant information to generate threat intelligence. The experiments in different scenarios show how the proposed solution can effectively redirect an attacker to a copied asset on demand, thus protecting the real…
Taxonomy
Topics: Network Security and Intrusion Detection · Smart Grid Security and Resilience · Advanced Malware Detection Techniques
