Abstract

Advanced and persistent multi-staged intrusion attacks are usually conducted by elite, well-resourced cyber threat actors with the goal of bypassing the defense-in-depth and zoning policies of enterprise networks and accessing critical internal assets which are embedded deep in the target network (Hutchins et al., 2011; Wilkens et al., 2021). Starting from an externally reachable host, these attacks compromise a chain of network hosts until they reach their targets. Each compromised host could provide attackers access to new systems and network zones, thus enabling them to intrude deeper into the network. While conventional detection-based mechanisms are necessary to defeat such attacks, they are not enough, as they can be evaded by stealthy or zero-day attack techniques. To complement these conventional approaches, in our previous works (Jafarian et al., 2015b; 2016; 2014a), we have proposed several proactive defense techniques based on the paradigms of cyber agility and cyber deception to defeat various types of cyber intrusions by disrupting their reconnaissance. While each of these techniques can individually defeat a specific type of reconnaissance, none is individually enough to defeat the different types of reconnaissance on which multi-staged intrusions rely. In this paper, we first show that defeating multi-staged intrusion attacks requires a synergistic fusion of a group of coordinated strategies for (1) disrupting both external and internal reconnaissance, (2) defeating both active (e.g., port-scanning) and passive (e.g., sniffing) reconnaissance, as well as (3) disrupting collaborative reconnaissance and information reuse as attackers laterally move inside the internal network.
Then, building on our previous approaches, we present a novel proactive technique, called MultiRHM, that anonymizes different identifying attributes of network hosts (IP address, MAC address, domain name responses to rDNS queries, and fingerprints) over different dimensions (time and space) to obfuscate identities of network hosts against all aforementioned types of reconnaissance. We present the necessary architectures, protocols, and algorithms for the deployment of MultiRHM in an enterprise network. Through both theoretical analysis and simulation, we show that MultiRHM is highly effective in defeating multi-staged intrusion attacks.
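The abstract describes mutating several identifying attributes of a host (IP address, MAC address, rDNS name, fingerprint) along both a time dimension and a space dimension, so that reconnaissance results collected in one epoch or one network zone cannot be reused in another. The following toy simulation, added here as an illustration and not the paper's MultiRHM algorithm or code, derives keyed virtual identities per (host, epoch, zone) and measures how much of an attacker's earlier scan still maps to the same hosts after a time step or a lateral move into another zone. The host inventory, zone names, secret key and decoy fingerprint list are all constructed for the example.

```python
import hmac
import ipaddress

# Constructed inventory of real hosts (host id -> real attributes). Not from the paper.
REAL_HOSTS = {
    "db-01": {"ip": "192.168.10.5", "os": "Linux 5.x"},
    "ad-01": {"ip": "192.168.10.6", "os": "Windows Server"},
    "web-01": {"ip": "192.168.20.7", "os": "FreeBSD"},
    "fw-01": {"ip": "192.168.20.1", "os": "Cisco IOS"},
    "print-01": {"ip": "192.168.30.9", "os": "Printer"},
    "file-01": {"ip": "192.168.30.10", "os": "Windows Server"},
}

# Constructed pool of decoy OS fingerprints that a host may present instead of its own.
DECOY_FINGERPRINTS = ["Linux 5.x", "Windows Server", "FreeBSD", "Cisco IOS", "Printer"]


class MutationEngine:
    """Derives a virtual identity for each host per epoch (time) and per zone (space).

    Identities are a keyed function of (host, epoch, zone), so every zone gateway
    holding the secret can compute the same mapping without sharing state, and a
    host's identity changes whenever the epoch or the observing zone changes.
    This is an assumption of the example, not the paper's protocol.
    """

    def __init__(self, secret: bytes, virtual_net: str = "10.0.0.0/16"):
        self.secret = secret
        self.net = ipaddress.ip_network(virtual_net)
        self.usable = self.net.num_addresses - 2  # exclude network and broadcast

    def _digest(self, host_id: str, epoch: int, zone: str) -> bytes:
        msg = f"{host_id}|{epoch}|{zone}".encode()
        return hmac.new(self.secret, msg, "sha256").digest()

    def identity(self, host_id: str, epoch: int, zone: str) -> dict:
        d = self._digest(host_id, epoch, zone)
        offset = 1 + int.from_bytes(d[:4], "big") % self.usable
        return {
            "ip": str(self.net.network_address + offset),
            # locally administered unicast MAC (0x02 prefix) from digest bytes
            "mac": "02:" + ":".join(f"{b:02x}" for b in d[4:9]),
            # anonymized name returned to rDNS queries
            "name": f"host-{d[9:13].hex()}.example.internal",
            # decoy fingerprint presented to active/passive fingerprinting
            "fingerprint": DECOY_FINGERPRINTS[d[13] % len(DECOY_FINGERPRINTS)],
        }

    def address_table(self, epoch: int, zone: str) -> dict:
        """Virtual IP -> real host id, as seen from one zone in one epoch."""
        return {self.identity(h, epoch, zone)["ip"]: h for h in REAL_HOSTS}


def recon_reuse_rate(engine: MutationEngine, scan_epoch: int, scan_zone: str,
                     reuse_epoch: int, reuse_zone: str) -> float:
    """Fraction of addresses learned in an earlier scan that still reach the same host.

    1.0 means the old notes are fully reusable; values near 0 mean the earlier
    reconnaissance is stale from the new (epoch, zone) vantage point.
    """
    learned = engine.address_table(scan_epoch, scan_zone)    # attacker's notes
    current = engine.address_table(reuse_epoch, reuse_zone)  # what the network now maps
    hits = sum(1 for ip, host in learned.items() if current.get(ip) == host)
    return hits / len(learned)


if __name__ == "__main__":
    engine = MutationEngine(b"constructed-example-secret")
    print("same epoch, same zone :", recon_reuse_rate(engine, 1, "dmz", 1, "dmz"))
    print("next epoch, same zone :", recon_reuse_rate(engine, 1, "dmz", 2, "dmz"))
    print("same epoch, other zone:", recon_reuse_rate(engine, 1, "dmz", 1, "lan"))
    print("db-01 as seen from dmz:", engine.identity("db-01", 1, "dmz"))
```

The keyed derivation is what makes the space dimension practical: each zone gateway can translate between real and virtual identities on its own, while an observer in one zone learns nothing that resolves in another. A deployment would additionally need to keep long-lived flows alive across epoch boundaries, which this simulation does not model.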
