Keywords:  Security Engineering and Design,

2022

Kohana

Sujith Dhati, MICS Student, School of Information, UC Berkeley
Laura Haddad, MICS Student, School of Information, UC Berkeley
Ismail Kably, MICS Student, School of Information, UC Berkeley
Emma Rochon, MICS Student, School of Information, UC Berkeley
Nathaniel Singer, MICS Student, School of Information, UC Berkeley

Challenges: Traditional layers of cybersecurity are an indispensable part of a multi-layered defense-in-depth strategy. These layers are amazingly effective at detecting and blocking known threats. However, we regularly find that adversaries still manage to bypass traditional layers of defense and live off the land undetected long enough to complete their mission. How can we detect the adversary early and reduce the Mean Time to Detect (MTTD)? Is there value to reducing MTTD? When traditional defense layers fail, can we help customers learn about the tactics, techniques, and procedures (TTPs) the adversary is using against them? Can we burn down the ROI on new zero-days? Can our solution ultimately help drive up operational costs for the adversary?

Research: Our capstone research product, Kohana, attempts to address these challenges. Kohana is a distributed deception technology focused on protecting cloud assets through adversary engagement. Our research product helps customers operationalize their MITRE Engage™ based playbooks. MITRE Engage, released in February 2022, will help drive the standardization and wider adoption of Adversary Engagement (AE). Unlike in traditional defense where the adversary only needs to be right once to break-in undetected, with adversary engagement the adversary only needs to be wrong once for us to detect and deny. To draw the adversary away from real assets, we help the customer layout deceptive information, trip wired decoys, pocket-litter among other deceptive artifacts. We set these up along MITRE ATT&CK paths an adversary is likely to take. Tripping just one of our tripwires is sufficient for us to alert the Security Operations Center (SOC) and provide visibility into adversary activities against our decoys.  Kohana can also help gather forensic and log information about adversary TTPs, that may potentially reveal yet unknown zero-days. The data we gather will help enrich threat intelligence about the APTs that are directly and actively targeting our customers. With Kohana, the customer is able to deny success and ultimately drive-up the adversary's operational costs.