prattle, v: : to talk for very long about something
that is not important or interesting

The Prattle project generates traffic that misleads an attacker that has penetrated a network: making them doubt what they have learned, or to cause them to make mistakes that increase their likelihood of being detected sooner. To generate this traffic, the Prattle project starts with observations of local traffic, and then generates traffic indistinguishable from existing traffic, but subtly modified to meet the administrator’s goals. This additional information can be used to direct adversaries toward fake workstations or servers, for example, and/or to distract them from real search terms or operational priorities.

The Sad Truth of Compromise and Honesty

One of the unfortunate truths of modern cybersecurity is that, given enough time, an attacker will make their way onto your network. Further, a determined adversary is seldom found immediately after they penetrate a network; in 2015, FireEye Security estimated that the average adversary spent 4½ months on a network before they were detected. During this period, the adversary has an astonishing view into an institution’s operations. They can easily determine the configuration of computers on the local network, determine when people work and what they work on, determine what information users are seeking and when, and likely discover all sorts of authorization information in the form of unencrypted names, dates, HTTP cookies, and more. Based on this learning, they can then use their foothold on the network to attack more and more interesting nodes.

The adversary has this level of access and power not only because they gained a foothold on the network, but because everything they observe from that foothold is good data. If they see an HTTP stream, they can be extremely confident that this was a real HTTP request, caused by a real user or server for a real purpose. From that, they can learn a little bit about the network and the operations running over it.

But what if they could not make that assumption? What if, instead, we introduced doubt? This is the goal of the Prattle project.

Prattle Project Objectives

At the simplest level, the goal is to introduce false signal. Classically, when analyzing data flowing across a network or other transmission medium, we attempt to distinguish signal — the actual data we wish to observe — from noise — the unwanted, background data. In the case of network security, the difficulty we face is that it is very easy for an adversary to distinguish the signal on a network from the noise. All they need to do is tell their observation tools what kind of traffic they want to observe — DNS, HTTP, etc. — and the tool removes all the other background protocols from observation. Further, these search tools can be extended to accept or reject data streams that match regular expressions, making it easy for them to drill down to specific streams or ignore obviously manufactured streams.

Thus, for our purposes, it is insufficient for us to simply add more noise to the network in order to hinder an adversary, because the adversary will simply ignore it. Furthermore, adding lots of noise to the network will obviously stress network infrastructure, and is thus likely to be very unpopular with IT personnel.

We thus refer to the traffic generated by the Prattle project as false signal, in order to stress the difference between it and the more easily distinguished noise. Further, we seek to generate realistic traffic that is intentionally designed to cause the adversary to take some action that is to our advantage. For example, we might use false signal to:

  • Improve the utility of honeypots, IDS, SIEM, DLP or other solutions by pushing adversaries to act in a way that makes them easier to detect.
  • Watermark documents or other data in such a way that the introduced data can tie an adversary to a particular location or time.
  • Obfuscate the details of high-value information such as designs, plans, source code, or financial data by introducing small variations upon real documents transiting the network.
  • Misdirect an adversary from the real interests and efforts of an organization.

Honey data

Key to all of these capabilities is the concept of honey data. Much as a honeypot is a false node designed to look like a real node, honey data is false data designed to look like real data. Depending on the use case, honey data may be usernames for users that do not exist, hostnames for fake services, fake digital certificates, fake hashes or kerberos tickets, or documents (including fake encrypted documents) stamped with detectable watermarks. When the Prattle project executes, it will combine its knowledge of organizational work patterns with its knowledge of the protocols in use, and then seed the traffic it generates with honey data specific to the site. A combination of honey data and other services on the network can create a trap for adversaries on the network that attempt to exfiltrate data from observed traffic and guide them to honeypots or more easily detectable actions.

Approved for Public Release; Distribution Unlimited : 88ABW-2016-6334  & 20161208