Deceiving Adversary Network Scanning Efforts Using Host-Based Deception

In this research we demonstrate the usefulness of manipulating system traffic to deceive an attacker's operating system (OS) fingerprinting as part of their network scanning efforts. Specifically, we address whether host-based OS obfuscation has merit and application as an integral part of Air Force network defense and whether the technique warrants, further research and application development. We accomplish this objective was accomplished through a literature review and a proof of concept evaluation of a selected OS obfuscation tool against selected OS fingerprinting tools under current Air Force network configuration. Our focus areas in the literature review include: how to characterize the scanning phase of an adversary attack, a survey of current OS fingerprinting and obfuscation tools, and description of current AF network concepts. To evaluate effectiveness of a candidate OS tool, we setup an experimental network environment that simulates adversarial network scanning. The results of our study are: a) that current OS obfuscation tools designed for Windows OS are capable of providing some OS obfuscation on AF networks; b) that the current tools need to be evaluated for impacts on network maintenance tools and processes, to include future initiatives like IPv6; and c) that the current tools need to improve OS fingerprints and add options to force inconclusive results from fingerprinting tools.