Security Applications of Non-Attribution and Obfuscation for Enterprise
EDWARD AMOROSO, TAG CYBER
Two strategies have emerged for avoiding the risks of monitored communications. Each of the strategies (discussed below) has emerged in the context of complementary attempts by governments to use diplomacy to develop agreements on what can and cannot be monitored. As should be obvious to readers, such negotiations have not been successful at stopping governments and malicious actors from performing traffic and activity monitoring.
In response, government teams and related groups such as defense contractors and security vendors have identified non-attribution and obfuscation as being especially useful for avoiding monitoring risks. While these methods have not yet found their way into conventional industrial deployments, they are being implemented in commercial platforms that will offer companies the opportunity to benefit from these controls.
In this article, we explain non-attribution and obfuscation, and how they can be implemented in practice to significantly reduce the risks of monitored communications. The goal is to highlight how these methods work, not because practitioners will have to implement them directly, but rather to assist them in the review and selection of new commercial platforms that include these methods as components of their enterprise protection functionality.
3.1 WHAT IS NON-ATTRIBUTION?
The purpose of non-attribution is to ensure that access by users to some resource cannot be determined from network data. This includes assurance that source IP addresses cannot be linked to the originating device. Users such as businesses, government agencies, and even individuals might require this property.
• Accessed Resource – Non-attribution prevents determination of the source device by an accessed resource (e.g., the device with the destination IP address).
• Unauthorized Third-Party – Non-attribution prevents external observation by a third party seeking either to perform unauthorized traffic analysis or to accomplish a hacking goal.
• Authorized Third-Party – Non-attribution does, however, also prevent the determination of sources by authorized third parties such as law enforcement.
Hackers achieve non-attribution (to avoid being caught) through a technique known as spoofing, where they simply set their source IP address to that of some presumably unsuspecting dupe. This has the effect of stamping their packets with that dupe’s IP address. Certainly, this provides strong non-attribution, but it also blinds the actual originating hacker to the response data, such as the SYN-ACK packets in a TCP/IP connection (see Figure 3.1-1).
Figure 3.1-1. Concept of Non-Attribution via Address Spoofing Using IP
A preferred non-attribution approach would include this spoofing-type property but would also find some means for directing (or redirecting) the response data to the originator. This creates the technical challenge of determining how to hide the actual source while also exposing the actual source sufficiently to ensure that the originator can see the responses from the destination resource.
3.2 WHAT IS OBFUSCATION?
The purpose of obfuscation is to achieve the objective cited above; namely, to hide the details of an origination point, but to also preserve the capability for destination entities to respond to the source. This should also be done using a reliable mechanism versus hacking techniques such as guessing the details of a response (e.g., TCP sequence number prediction, as used by Kevin Mitnick in the 1990s).
Figure 3.2-1. Illustrating the Goal of Non-Attributed Sessions Using IP
What is generally needed to achieve this objective is a scheme whereby the origination address is stored and remembered by some neutral intermediary which then hides this information from a destination point. This could be done by a centralized component, but that creates the possibility of the source data being coerced, leaked, or hacked. Instead, a scheme is required that provides both obfuscation and trust.
3.3 HOW ARE NON-ATTRIBUTION AND OBFUSCATION IMPLEMENTED?
The most common method for both non-attribution and obfuscation on the internet is the technique known as onion routing. Developed to allow anonymous internet browsing, the method creates a network that sits between a sender and receiver. The sender enters the onion network through an entry point, and the receiver sees requests arriving from exit points.
Inside the onion-routed network is a series of intermediary nodes that collectively maintain sufficient information to pass requests from the entry to exit points, but that hide the details of the originator. Once the request leaves the onion network, the recipient only sees the exit point. This provides the type of capability exemplified by the popular Tor browser, which is used around the world for anonymous internet browsing.
The routing scheme in an onion network involves a stepwise unraveling. The source of the request first sends the “onion” to a router, which removes a layer of encryption to determine where it came from and where it should go next. It then sends the onion to the next router, which decrypts another layer to determine the next destination. This process continues until the last layer of encryption is removed and the data is sent to the destination.
Figure 3.3-1. Onion Routing Scheme
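The stepwise unraveling just described, together with the return-path problem raised in sections 3.1 and 3.2, as an added example that is not from the article or from any SecureCo product: a minimal three-hop onion circuit in Python. The relay names, the hop keys and the SHA-256 counter-mode layer cipher are constructed for the demo; a real onion router such as Tor negotiates per-hop AES keys with a handshake. Each relay learns only its previous and next hop, and the reply travels back by re-wrapping in reverse, so the destination never needs the client's address.

```python
import hashlib, os

# Constructed demo circuit; per-hop keys are assumed already negotiated (Tor does this with a telescoping handshake).
CIRCUIT = [(name, os.urandom(16)) for name in ("relay1", "relay2", "relay3")]

def layer_cipher(key, nonce, data):
    # SHA-256 counter-mode XOR: a stdlib stand-in for the per-hop AES-CTR a real onion router uses.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(key, data):            # add one layer under a fresh 8-byte nonce
    nonce = os.urandom(8)
    return nonce + layer_cipher(key, nonce, data)

def unwrap(key, data):          # remove one layer
    return layer_cipher(key, data[:8], data[8:])

def build_onion(circuit, destination, payload):
    # Client side, innermost layer first; each layer names only the NEXT hop (16-byte field).
    next_hops = [name for name, _ in circuit[1:]] + [destination]
    onion = payload
    for (_, key), nxt in reversed(list(zip(circuit, next_hops))):
        onion = wrap(key, nxt.encode().ljust(16, b"\0") + onion)
    return onion

def forward(circuit, onion, source="client"):
    # Relay side: peel one layer, record what this relay can see (previous and
    # next hop only), hand the rest on. Returns (dest, exit relay, payload, views).
    views, prev, data = {}, source, onion
    for name, key in circuit:
        body = unwrap(key, data)
        nxt, data = body[:16].rstrip(b"\0").decode(), body[16:]
        views[name] = {"from": prev, "to": nxt}
        prev = name
    return nxt, prev, data, views

def send_reply(circuit, response):
    # Return path: exit relay wraps first, entry relay last, so the destination
    # never needs the client's address to get a response back to it.
    for _, key in reversed(circuit):
        response = wrap(key, response)
    return response

def client_receive(circuit, data):
    for _, key in circuit:      # peel the entry relay's layer first
        data = unwrap(key, data)
    return data
```

The `views` returned by `forward` are the whole point: relay2 sees relay1 and relay3, never the client or the destination.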
This type of routing scheme results in an infrastructure-based solution for non-attribution and obfuscation. Specifically, a special network is placed between the client and destination to support the security objectives. Companies such as SecureCo are working to develop this type of capability to support business and government teams hoping to achieve this level of anonymity and security in their business communications.
Commercial development in onion routing, as with SecureCo, is spurred by the fact that while tools such as Tor have useful qualities, they are poor commercial solutions, generally with no QoS targets, an uncomfortable association with criminal activity, and often possessing many known vulnerabilities.
As a final note, it is worth mentioning that additional diverse tactics for obfuscation can be used to complement routing techniques. For example, engineers have long used dummy packets known as chaff which masquerade as encrypted data to defeat typical traffic analysis methods. This helps exemplify the types of engineering and design decisions that can be made to optimize non-attribution and obfuscation goals.
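The chaff idea in the note above, as an added example that is not from the article or from any SecureCo product, following Rivest's chaffing-and-winnowing construction: real frames carry a valid HMAC tag, chaff frames carry random bytes of identical size, and only the receiver holding the key can separate them. The MAC key, frame size and chaff ratio are constructed for the demo.

```python
import hashlib, hmac, os

MAC_KEY = os.urandom(32)   # constructed: known only to sender and receiver
BODY_LEN = 48              # every frame carries a fixed-size body

def real_frame(seq, body, key):
    # Real frame: 4-byte seq, body padded to BODY_LEN, HMAC-SHA256 tag over both.
    payload = seq.to_bytes(4, "big") + body.ljust(BODY_LEN, b"\0")
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def chaff_frame(seq):
    # Chaff: same seq, random body, random "tag". Byte-for-byte the same shape
    # as a real frame, so a passive observer cannot sort the two without the key.
    return seq.to_bytes(4, "big") + os.urandom(BODY_LEN) + os.urandom(32)

def chaffed_stream(messages, key, chaff_per_real=2):
    # Sender: interleave each real frame with chaff_per_real decoys.
    stream = []
    for seq, msg in enumerate(messages):
        stream.append(real_frame(seq, msg, key))
        stream.extend(chaff_frame(seq) for _ in range(chaff_per_real))
    return stream

def winnow(stream, key):
    # Receiver: keep only frames whose tag verifies, ordered by seq.
    kept = {}
    for f in stream:
        payload, tag = f[:-32], f[-32:]
        if hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
            kept[int.from_bytes(payload[:4], "big")] = payload[4:].rstrip(b"\0")
    return [kept[s] for s in sorted(kept)]

def observer_summary(stream):
    # What the wire shows an observer: frame count and the set of distinct sizes.
    return len(stream), {len(f) for f in stream}
```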
ABOUT TAG CYBER
TAG Cyber is a trusted cyber security research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises. Founded in 2016 by Dr. Edward Amoroso, former SVP/CSO of AT&T, the company bucks the trend of pay-for-play research by offering in-depth Research as a Service (RaaS), market analysis, consulting, and personalized content based on hundreds of engagements with clients and non-clients alike—all from a former practitioner’s perspective.
SecureCo creates the most secure internet connections possible, addressing a critical gap in existing cyber security solutions. Our patented stealth technology protects networks and transmissions from interference and disruption, powering resilient data links, secure applications, and end user privacy. SecureCo offers a next generation replacement or augmentation for legacy VPNs while extending zero trust principles to data transport, cloaking data exchange, services, and assets to reduce network attack surface and targetability. Trusted by some of the most demanding cyber security customers in the world, we deliver high performance, exceptionally secure data transit for military, intelligence, industrial and commercial applications.
IMPORTANT INFORMATION ABOUT THIS DOCUMENT
Contributor: Edward Amoroso
Publisher: TAG Cyber LLC (“TAG Cyber”), 45 Broadway, Suite 1250, New York, NY 10006.
Inquiries: Please contact Lester Goodman, (firstname.lastname@example.org), if you’d like to discuss this report. We will respond promptly.
Citations: This paper can be cited by accredited press and analysts but must be cited in context, displaying the author’s name, author’s title, and “TAG Cyber”. Non-press and non-analysts must receive prior written permission from TAG Cyber for any citations.
Disclosures: This paper was commissioned by SecureCo Inc. TAG Cyber provides research, analysis, and advisory services to many cybersecurity firms mentioned in this paper. No employees at the firm hold any equity positions with any companies cited in this document.
Disclaimer: The information presented in this document is for informational purposes only and may contain technical inaccuracies, omissions, and typographical errors.
TAG Cyber disclaims all warranties as to the accuracy, completeness, or adequacy of such information and shall have no liability for errors, omissions, or inadequacies in such information. This document consists of the opinions of TAG Cyber’s analysts and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. TAG Cyber may provide forecasts and forward-looking statements as directional indicators and not as precise predictions of future events. While our forecasts and forward-looking statements represent our current judgment and opinion on what the future holds, they are subject to risks and uncertainties that could cause actual results to differ materially. You are cautioned not to place undue reliance on these forecasts and forward-looking statements, which reflect our opinions only as of the date of publication for this document. Please keep in mind that we are not obligating ourselves to revise or publicly release the results of any revision to these forecasts and forward-looking statements considering new information or future events.
Copyright © 2022 TAG Cyber LLC. This report may not be reproduced, distributed or shared without TAG Cyber’s written permission. The material in this report is composed of the opinions of the TAG Cyber analysts and is not to be interpreted as consisting of factual assertions. All warranties regarding the correctness, usefulness, accuracy or completeness of this report are disclaimed herein.
This is one article of a five part research paper from TAG Cyber on advanced stealth and obfuscation solutions designed to defend commercial networks and internet data communications against the world’s toughest adversaries. The eBook is free with registration.