Hidden in Plain Sight: File System Protection With Cyber Deception

This article is the first in a three-part series that will provide a technical overview of Decoy File System (DcyFS). This original research was recently showcased in a paper titled “Hidden in Plain Sight: Filesystem View for Data Integrity and Deception,” which appeared at the 15th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) in Paris in June 2018.

Data has become so valuable, it is often considered the oil of the digital age. Cyberattackers — and, increasingly, artificial intelligence (AI)-powered malware bots — gain great advantage in finding new ways to steal, monetize and even destroy confidential data, hurting companies, destroying consumer trust and impeding business operations in ways that could be life-threatening.

The magnitude of attacks and the number of people they affect are also growing. Nearly 3 billion records were leaked in 2017, according to IBM X-Force’s Interactive Security Incidents data. Sensitive information from numerous publicly disclosed incidents has been subsequently discovered when it was offered for sale in dark web markets. Moreover, our teams have witnessed dozens of high-profile ransomware campaigns that crippled the day-to-day operations of essential services providers, including shipping companies and hospitals. The attacks affected organizations across the globe.

One striking commonality shared by data-centric attacks is the adversarial ability to gain privileged access to internal systems, oftentimes abusing user-grade or even administrator-level privileges. Once in, adversaries often manage to gain read and write file system access on sensitive or mission-critical computer systems, and with a foothold in a targeted system, they may be able to gain virtually unlimited visibility on that file system.

Another instance where privilege can become an issue is when legitimately installed software benefits from access privileges concurrent with those of the user running it. This can get problematic when the software is inadvertently a piece of malware or a benign-looking file harboring an exploit that can affect legitimate software (e.g., productivity programs, a web browser, etc.). In such instances, the adversary can gain the user’s inherent privilege level and execute operations reserved only for authorized users.

In face of these challenges, we question whether designated permission-based access control models for file systems are indeed fit to protect data assets in today’s threat landscape. Are there better ways to protect data while pivoting an asymmetrical advantage toward the defender?

We believe that the short answer is yes. In this blog, we describe our research and thinking into what we consider to be a radically new file system approach, dubbed Decoy File Systems (DcyFS), that complements access control schemes and can help overcome many of the fundamental limitations of traditional access control lists (ACLs). We researched this subject to help protect and conceal data from malware and attackers — and fool them with cyber deceptive tactics, designed to protect against attacks and prevent their detrimental results.

The Basics of DcyFS

The concept of DcyFS introduces a new technique to data protection that can help protect data integrity and confidentiality by exposing completely different views of the real host file system, depending on the subject (e.g., user, process) and their security context.

This means that DcyFS can create custom file system views for subjects depending on the trust level by:

  1. Removing sensitive documents;
  2. Dynamically replacing sensitive data with fake files; and
  3. Injecting new decoy files.

Relying on these core tactics, DcyFS can hide high-value assets and expose enticing breadcrumbs to help detect adversarial searches and deliberate data tampering, as well as misdirect and lure malware into interacting with decoy files, causing it to make wrong decisions or expose itself.

Since a DcyFS can intercept every file system access, it’s able to modify the outcomes on the fly and record a full audit trail while preserving consistency for a given subject. That is, all (assumed) changes to the file system made by a subject will be visible to the subject in the future in a way that would expose any irrelevant use events and scenarios.

The image below shows the schematic architecture of DcyFS.

DcyFS Decoy Filesystem

Figure 1: Overview of DcyFS

The file system is comprised of two main components:

  1. A stackable, copy-on-write file system; and
  2. A controller generating subject-specific file system views.

The stackable file system contains a base file system layer and an overlay, and the resulting view is the union of these two layers. All file writes are done on the overlay, protecting the base files from being overwritten. Furthermore, the overlay can hide or replace files in the host file system, or add new files.

Potential Benefits of Using DcyFS

Computer systems equipped with DcyFS can benefit from low-overhead data protection. Our research indicates that these benefits can go far beyond what traditional access control lists (ACLs) or file system permissions (e.g., users, groups) are able to accomplish, as the protections are enforced based on the context of a given subject (subject being a user, a process, etc.).

Let’s explore some of the ways we believe DcyFS can provide an advantage over other popular access controls.

  • Integrity: The write-controls added by the overlay enable DcyFS to protect the integrity of the host file system, since any creation, alteration or removal will be occurring on the overlay as opposed to the host file system. Based on an analysis of the security context (user/subject, process and modifications to the overlay), DcyFS can automatically make a determination as to whether the changes should be persisted to the host file system, left in the overlay or whether the overlay should be reset to revert any changes.
  • Confidentiality: The read-controls provided by the overlay enable DcyFS to decide which files are exposed to a given subject. Hence, based on context and need, DcyFS determines whether a file is shown or hidden from the file system view (deniability) to prevent data theft by obstructing unauthorized users from accessing data.
  • Deception: A specific case of data integrity protection and confidentiality is the DcyFS capability to deceive adversaries by making them believe that:
    • They were able to make changes to the file system while no actual change to the host file system was made (integrity protection);
    • They have access to particular, potentially sensitive files, all while DcyFS replaces the files with decoy files that are devoid of business value (confidentiality protection); and
    • Moreover, DcyFS can project additional files of apparent value — so-called breadcrumbs or lures — to the file system view that will lay a false trail for the adversaries and misdirect them, designed to further expose their trail.
  • Forensics: The overlay gives DcyFS a view of the intended or allowable changes performed by a given subject to the file system. Consequently, when a process has terminated, DcyFS can analyze the change set in the overlay and provide evidence to security teams to characterize the type, impact and intent of the process. The forensics can thus give particular insights into malevolent alterations to the file system, allowing defenders to undo them and learn about the adversary’s modus operandi.

Case Study: Fooling the Erebus Ransomware

To run an experiment on actual malware, our team implemented the DcyFS on a Linux operating system and used crypto-ransomware as the attack scenario. In a detailed paper we published about this experiment, we described how DcyFS can overcome crypto-ransomware attacks — in particular, the Erebus ransomware, which hit the South Korea-based web hosting company Nayana. That attack affected the websites of over 3,400 of Nayana’s clients, deleting original data files on their hard disk after encrypting them under a different name.

An attack of that type could have had a lesser impact with DcyFS in place. After initial infection, the Erebus ransomware works its way through all the files to execute its nefarious activity, encrypting a large variety of files on the affected endpoint. However, with DcyFS, the encryption and deletion of the original files would only be registered on the protective overlay, and the base files therefore remain untouched and are not deleted from the actual host file system. We tested this in our labs to prove that the protective advantage works with live malware.

Since malware of this type simply runs an automated sequence after its infection routine, the Erebus sample we ran in the lab performed the usual routine and proceeded to present its ransom note, as it does when it completes its mission. The ransom demand is a textual message in a file with instructions detailing how to pay the ransom and recover the stolen data.

In a real-life scenario, defenders can detect the malware’s activity and simply scrape the DcyFS’s overlay to restore the original file system view, providing complete recovery from the attack within a very short amount of time and at no additional expense to security operations. It is also worth mentioning that other processes and subjects on the system would not be affected by the modifications Erebus makes to the customized view of the file system created for it. The result is zero disruption to other users, systems and processes in the company.

Having applied deception tactics to subvert an Erebus ransomware attack and protected the rest of the system, DcyFS provides additional insights: a copy of the malware collected upon its installation routine, even if the malware self-destructed and deleted itself from the file system. The sample was captured along with important indicators of compromise (IoCs), such as the ransom message left on the system, which could lead investigators to those operating the criminals’ cryptocurrency wallet in some cases.

DcyFS: Outlook

As part of our team’s ongoing research into DcyFS, we have deployed DcyFS on several test systems at IBM internally for several months. As this research matures, we will continue to explore deployment at a much larger scale in the coming months to gain more experience with protection levels and the scenarios where DcyFS can offer significant advantages to network defenders.

To diversify research into the capabilities of decoy systems, we are further focusing on researching several extensions, including AI-powered data deception, on-the-spot decision-making and automated forensics.

In our next posts, we will detail DcyFS’ architecture and shine a light on how it can be used to perform precise forensics on malware and determine an attacker’s motivations.

Marc Ph. Stoecklin

Principal Research Staff Member and Manager, Cognitive Cybersecurity Intelligence (CCSI)

Marc Ph. Stoecklin is a Principal Research Scientist and Manager of the Cognitive Cybersecurity Intelligence (CCSI)...