CyberChaff™: Confounding and Detecting Adversaries

In military use, chaff is a cloud of material released near a target to confuse either detection or attack. With the DARPA-funded CyberChaff™ project, we apply the same basic concept to network intrusions.

The average data breach goes undetected by the information owner for 229 days, and 67% of the time the owner learns of the breach only when informed by an outside party. With CyberChaff™, Galois has developed a technology that provides a highly reliable early-warning system by interfering with a critical phase of an attack plan: the pivot. The pivot is the point at which an external or internal adversary moves from their original beachhead on a network to another computer, one that is better positioned on the network, holds greater privileges, or runs a critical service.

CyberChaff™ interferes with this step by introducing hundreds (or thousands) of fake, lightweight nodes on the network that, on an initial scan, are indistinguishable from real target nodes. When the adversary attempts to pivot to their next target, they therefore run a high risk of attacking a CyberChaff™ node rather than a real one. This not only slows the attack but also raises an alert to network administrators that an attack is in progress.

When scanning a network, an adversary uses a tool like nmap to answer two questions: what operating system is this host running, and what services is it running? The first matters because the attacker can tune the attack to the exact operating system in use. The list of services on a host provides both an inventory of applications to attack and a hint about what data the machine might hold. CyberChaff™ provides emulation at both levels: it can present itself as any operating system and appear to run any service the administrator chooses. For the decoys to be convincing, the emulated OS and service mix should mirror the real hosts on the same segment; a decoy that looks unlike anything else on the network is easier for a careful attacker to discount.

CyberChaff™ is implemented as a lightweight virtual machine, which gives us two main means of distribution: a network appliance that is physically installed on a network, or a virtual appliance that can be replicated across an existing VM-based installation. In either case, the CyberChaff™ virtual machines can be integrated into a larger virtual machine management solution (such as OpenStack or CloudStack) where desired. Because the nodes are lightweight, they can also be deployed in many locations throughout the network, matching the network segments and VLANs that exist there.

Galois’ architecture for CyberChaff™ addresses and supplements weaknesses in current cyber security technologies by:

  • Hiding the real network infrastructure among decoys, making it harder to target. Unlike honeypots, CyberChaff™ presents a very large attack surface without requiring the organization to place genuinely vulnerable systems on the network
  • Instrumenting the network with a vast array of sensors while limiting false positives, since no legitimate traffic should ever reach a CyberChaff™ node. In practice, authorized vulnerability scanners and asset-inventory tools will touch the decoys, so their source addresses must be allow-listed or their sweeps will show up as alerts
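The alerting rule implied by the two bullets above, and by the earlier description of decoys that emulate an OS and a set of services, is simple: any flow whose destination is a decoy is suspicious, and one source touching several decoy endpoints looks like a scan rather than a single mistaken pivot. The following is an added example written for this page, not Galois' code or the CyberChaff™ product's own detection logic. It assumes a hypothetical decoy inventory (a dict of decoy IP to emulated OS and ports), a hypothetical whitespace-separated flow-record format, a constructed sample log, and an optional allow-list for authorized scanners.

```python
"""Decoy-touch detector for a CyberChaff-style deployment.

Added example (not Galois' code). Hypothetical assumptions:
  * the decoy inventory is a dict  ip -> {"os": str, "ports": {port: service}}
  * flow records arrive as lines  "<ts> <src_ip> <src_port> <dst_ip> <dst_port> <proto>"
  * an optional allow-list of authorized scanners suppresses their touches
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Hypothetical decoy inventory: two lightweight fake nodes and what they emulate.
DECOYS: Dict[str, dict] = {
    "10.0.5.21": {"os": "Windows Server 2012", "ports": {445: "smb", 3389: "rdp"}},
    "10.0.5.22": {"os": "Linux 3.x", "ports": {22: "ssh", 80: "http"}},
}


@dataclass
class Alert:
    src: str
    # (decoy_ip, dst_port, emulated service or "unemulated")
    touches: List[Tuple[str, int, str]] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Several distinct decoy endpoints from one source looks like a scan;
        # a single touch looks like a targeted pivot. Both are alert-worthy.
        return "scan" if len(set(self.touches)) >= 3 else "pivot"


def parse_flow(line: str) -> Optional[Tuple[str, str, int, str]]:
    """Return (src_ip, dst_ip, dst_port, proto), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _, src, _, dst, dport, proto = parts
    try:
        return src, dst, int(dport), proto
    except ValueError:
        return None


def detect(lines: Iterable[str], decoys: Dict[str, dict] = DECOYS,
           allowlist: Set[str] = frozenset()) -> Dict[str, Alert]:
    """Any flow whose destination is a decoy becomes an alert keyed by source.

    No legitimate traffic should reach a decoy, so no signature is needed:
    a port the decoy does not even emulate still counts as a hit.
    """
    alerts: Dict[str, Alert] = {}
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed records rather than crash the sensor
        src, dst, dport, _ = rec
        if dst not in decoys or src in allowlist:
            continue
        service = decoys[dst]["ports"].get(dport, "unemulated")
        alerts.setdefault(src, Alert(src)).touches.append((dst, dport, service))
    return alerts


def p_first_pivot_hits_decoy(real_hosts: int, decoy_hosts: int) -> float:
    """Chance that a pivot chosen uniformly from scan results lands on a decoy."""
    return decoy_hosts / (real_hosts + decoy_hosts)


# Constructed sample flow log (not real traffic): 10.0.1.15 sweeps two decoys and
# one real host, 10.0.1.99 only talks to a real host, 10.0.9.9 is a scanner.
SAMPLE_LOG = """\
1700000000.1 10.0.1.15 51234 10.0.5.21 445 tcp
1700000000.2 10.0.1.15 51235 10.0.5.22 22 tcp
1700000000.3 10.0.1.15 51236 10.0.5.40 80 tcp
1700000000.4 10.0.1.99 44000 10.0.5.40 443 tcp
1700000000.5 10.0.1.15 51237 10.0.5.22 8080 tcp
garbage line
1700000000.6 10.0.9.9 40000 10.0.5.21 3389 tcp
""".splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, allowlist={"10.0.9.9"}).values():
        print(a.src, a.severity, a.touches)
    print(f"p(first pivot hits a decoy, 200 real + 1000 decoys) = "
          f"{p_first_pivot_hits_decoy(200, 1000):.2f}")
```

Run as a script it flags only 10.0.1.15, classified as a scan because it touched three distinct decoy endpoints, including a port the decoy does not emulate; the real-host traffic from 10.0.1.99 produces nothing, and the allow-listed scanner at 10.0.9.9 is suppressed. Remove the allow-list and the scanner is reported as a single pivot, which is exactly the false positive the allow-list exists to prevent.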

CyberChaff™ uses industry-standard protocols for management, reporting and alerting, and can be integrated into existing network management, IDS/IPS and SIEM solutions, or operated standalone. It may be deployed as a hardware appliance, as a VM, or as a managed service, strengthening the security posture of any organization with critical network infrastructure and data protection requirements.