An Attack-Driven Incident Response and Defense System (ADIRDS)

TL;DR

This paper introduces ADIRDS, an online attack-driven incident response system that uses graph modeling and realistic honeypots to detect and trap attackers in scenarios with limited log data, demonstrated on a real case.

Contribution

The paper presents a novel incident response system that employs attack technique-based evidence collection and realistic honeypots, addressing challenges in zero-downtime online systems.

Findings

Captured 38 unique attacker IPs in a real case

Realistic honeypots outperform traditional low/high interactive honeypots

Effective in environments with limited log information

Abstract

One of the major goals of incident response is to help an organization or a system owner to quickly identify and halt the attacks to minimize the damages (and financial loss) to the system being attacked. Typical incident responses rely very much on the log information captured by the system during the attacks and if needed, may need to isolate the victim from the network to avoid further destructive attacks. However, there are real cases that there are insufficient log records/information for the incident response team to identify the attacks and their origins while the attacked system cannot be stopped due to service requirements (zero downtime online systems) such as online gaming sites. Typical incident response procedures and industrial standards do not provide an adequate solution to address this scenario. In this paper, being motivated by a real case, we propose a solution, called "Attack-Driven Incident Response and Defense System (ADIRDS)" to tackle this problem. ADIRDS is an online monitoring system to run with the real system. By modeling the real system as a graph, critical nodes/assets of the system are closely monitored. Instead of relying on the original logging system, evidence will be collected from the attack technique perspectives. To migrate the risks, realistic honeypots with very similar business context as the real system are deployed to trap the attackers. We successfully apply this system to a real case. Based on our experiments, we verify that our new approach of designing the realistic honeypots is effective, 38 unique attacker's IP addresses were captured. We also compare the performance of our realistic honey with both low and high interactive honeypots proposed in the literature, the results found that our proposed honeypot can successfully cheat the attackers to attack our honeypot, which verifies that our honeypot is more effective.