Many cybersecurity textbooks dictate that we disconnect from the network when a compromised PC is detected. In the case of sophisticated attacks like an APT, however, we can benefit significantly if we can observe how the adversary performed their attack and understand their TTPs and eventually their purposes and intentions. To realize these benefits, the observation needs to be conducted safely and covertly so that the adversary continues the attack.
We propose a new technique that transfers the attack to a safe observation environment without alerting the adversary so that we can keep observing their activity in real time. We propose first to prepare the Deception Network (D-Net) configured identically to the Operational Network (O-Net).
After a compromise is detected, the relevant network packets are modified so that communications between the compromised PC and the O-Net are seamlessly redirected into the D-Net, minimizing any further compromise of operational data and assets. In order not to let the adversary know that their attack has been transferred from the O-Net to the D-Net, we employ a sophisticated and unique packet rewriting technique based on Software Defined Networking (SDN) technology.
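The redirection described above can be modelled as a stateless rewrite rule applied at the switch: traffic from the compromised host toward an O-Net asset has its destination rewritten to the asset's D-Net twin, and the twin's replies have their source rewritten back so the host still appears to be talking to the O-Net. The following is an added illustration, not code from the paper; it assumes the D-Net mirrors the O-Net one-to-one (so an address maps to its twin by swapping the network prefix), models the SDN data plane as a function over packet records, and uses constructed sample addresses.

```python
"""Toy model of the O-Net -> D-Net redirection sketched in the abstract.

Added example, not the authors' implementation. Assumptions: the D-Net is
configured identically to the O-Net and is the same size, so an O-Net address
maps to its D-Net twin by keeping the host offset and swapping the prefix; the
switch is modelled as a per-packet function; all addresses are constructed.
"""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


class DeceptionRedirector:
    """Rewrites addresses so a compromised host's O-Net traffic lands in the D-Net."""

    def __init__(self, compromised_hosts, o_net: str, d_net: str):
        self.compromised = set(compromised_hosts)
        self.o_net = ipaddress.ip_network(o_net)
        self.d_net = ipaddress.ip_network(d_net)
        if self.o_net.prefixlen != self.d_net.prefixlen:
            raise ValueError("O-Net and D-Net must be the same size to mirror 1:1")
        self.rewrites = 0  # count of packets touched, useful for monitoring

    @staticmethod
    def _mirror(addr: str, from_net, to_net) -> str:
        # Keep the host offset, swap the network prefix (assumed 1:1 mirroring).
        offset = int(ipaddress.ip_address(addr)) - int(from_net.network_address)
        return str(to_net.network_address + offset)

    def process(self, pkt: Packet) -> Packet:
        # Outbound: compromised host -> O-Net asset is steered to the D-Net twin.
        if pkt.src in self.compromised and ipaddress.ip_address(pkt.dst) in self.o_net:
            self.rewrites += 1
            return replace(pkt, dst=self._mirror(pkt.dst, self.o_net, self.d_net))
        # Return path: D-Net twin -> compromised host is presented as the O-Net asset,
        # so the host (and the adversary behind it) sees the original address.
        if pkt.dst in self.compromised and ipaddress.ip_address(pkt.src) in self.d_net:
            self.rewrites += 1
            return replace(pkt, src=self._mirror(pkt.src, self.d_net, self.o_net))
        # Everything else, including traffic from uncompromised hosts, is untouched.
        return pkt


def demo():
    """Constructed scenario: host .50 in 10.1.0.0/24 is compromised; D-Net is 10.9.0.0/24."""
    r = DeceptionRedirector(["10.1.0.50"], "10.1.0.0/24", "10.9.0.0/24")
    out = r.process(Packet("10.1.0.50", "10.1.0.10", "tcp", 51000, 445))
    back = r.process(Packet("10.9.0.10", "10.1.0.50", "tcp", 445, 51000))
    clean = r.process(Packet("10.1.0.77", "10.1.0.10", "tcp", 52000, 445))
    return out, back, clean, r.rewrites


if __name__ == "__main__":
    for p in demo()[:3]:
        print(p)
```

Because only the compromised host's flows match the rule, the rest of the O-Net keeps operating normally, and the rewrite counter gives the observer a simple signal that the redirected session is still alive.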