Abstract
The DARPA Information Assurance Program did initial
research in the area of dynamic network defense, trying to
prove that dynamic network reconfiguration would inhibit
an adversary’s ability to gather intelligence, and thus
degrade the ability to successfully launch an attack. A
technique that enabled dynamic network address
translation of the IP address and TCP port number
combinations in packet headers was implemented in an
experimental network. Two tests were conducted: one to
demonstrate that it is possible to disrupt an adversary’s
ability to sniff network traffic effectively, and another to
show that the ability of intrusion detection tools to detect an
adversary can be improved. The tests were successful.
1. Introduction
The Defense Advanced Research Projects Agency
(DARPA) Information Assurance (IA) Program has been
focusing on researching and developing concepts of
strategic cyber defense for the past three years. One of the
program’s grand hypotheses states the following: Dynamic
modification of defensive structure improves system
assurance. It is hypothesized that if the components of a
network remain unchanged over time, adversaries will have
high confidence that the intelligence they gather prior to an
attack will remain valid throughout the execution of the
attack. On the other hand, if the network has dynamic
characteristics, the intelligence gathered by the adversary
prior to an attack would be time-limited, thus inhibiting the
attack.
A technique was developed under the Information
Assurance Program to dynamically reassign Internet
protocol (IP) address space feeding into a predesignated
enclave for the purpose of confusing any would-be
adversaries sniffing the network. This technique is called
dynamic network address translation (DYNAT). Two
experiments were run on the IA program to test this
dynamic mechanism. The first experiment explored the
effect of the technique on the adversary’s ability to map a
network, and the second experiment focused on the
technique’s ability to be implemented as an intrusion
detection device in addition to a network address translation
device. This paper presents an overview of the DYNAT
technology along with the results of the two experiments.
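A small model of the DYNAT header rewriting described above, added here as an illustration and not code from the paper or the IA program: the per-epoch keyed mapping, the 60-second re-keying interval, the outside address pool, the shared key and the stale-mapping check that turns the translator into a detector are all assumptions of this example.

```python
import hashlib
import hmac
import random

# Constructed enclave: inside addresses of the protected hosts.
INSIDE_HOSTS = ["10.1.0.5", "10.1.0.6", "10.1.0.7"]
# Assumed pool of outside-visible addresses the DYNAT gateway draws from.
OUTSIDE_POOL = [f"192.0.2.{i}" for i in range(1, 255)]
EPOCH_SECONDS = 60                    # assumed re-keying interval
SECRET = b"constructed-gateway-key"   # assumed key shared by both DYNAT endpoints
HISTORY = 3                           # past epochs still recognised as "stale"

def epoch(ts: int) -> int:
    return ts // EPOCH_SECONDS

def epoch_table(e: int) -> dict:
    """Outside (ip, port) -> inside ip for epoch e. A keyed shuffle of the
    pool gives a bijection within the epoch that an outsider cannot predict."""
    seed = hmac.new(SECRET, str(e).encode(), hashlib.sha256).digest()
    rng = random.Random(seed)
    pool = OUTSIDE_POOL[:]
    rng.shuffle(pool)                 # distinct outside address per inside host
    table = {}
    for inside, outside in zip(INSIDE_HOSTS, pool):
        table[(outside, rng.randrange(1024, 65536))] = inside
    return table

def outbound(inside_ip: str, ts: int) -> tuple:
    """Header rewrite applied to a packet leaving the enclave at time ts."""
    for pair, inside in epoch_table(epoch(ts)).items():
        if inside == inside_ip:
            return pair
    raise KeyError(inside_ip)

def inbound(out_ip: str, out_port: int, ts: int) -> tuple:
    """Rewrite for a packet entering at time ts. A pair valid now is delivered;
    one valid only in a past epoch is expired sniffed intelligence: alert."""
    now = epoch(ts)
    inside = epoch_table(now).get((out_ip, out_port))
    if inside:
        return ("deliver", inside)
    for age in range(1, HISTORY + 1):
        inside = epoch_table(now - age).get((out_ip, out_port))
        if inside:
            return ("stale", inside, age)   # alert: mapping is `age` epochs old
    return ("unknown",)

if __name__ == "__main__":
    captured = outbound("10.1.0.5", ts=10)       # what a sniffer sees in epoch 0
    print(inbound(*captured, ts=10), inbound(*captured, ts=130))
```

The second call shows the intrusion-detection use from the second experiment: a pair captured in epoch 0 and reused two epochs later is no longer forwarded but reported with the inside host it once belonged to.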
2. Background
A series of brainstorming sessions were conducted to
explore the idea of dynamic defense from a broad
perspective. All strategies for dynamic defense can be
characterized as configuration and posture changes that are:
• conducted continuously as a normal course of action;
• conducted as a result of an internal event-based condition; or
• conducted as a result of an external event-based condition.
During the brainstorming sessions, it was realized that
adversaries follow a process. The IA program primarily
focuses on the well-resourced, risk-averse sophisticated
adversary, such as a nation state, that attacks a network in a
stealthy manner to either capture sensitive information or
disrupt normal operations. Adversaries in this class do not
attack a network for sport or to demonstrate prowess such
as amateur hackers do. These professional adversaries have
a well-defined attack process with specific goals, time
constraints, and budgets. Figure 1 shows the process for a
well-resourced adversary, as hypothesized during one of the
brainstorming sessions. Other adversaries with different
motivations and goals would have different processes and
are outside the scope of this experiment.
One observation was that the adversary process has
internal loops that circle through various planning stages
without leading to the goal. The loop that looked most
fruitful to exploit was Live Network Discovery; we speculated
that keeping the adversary stuck in that loop would cause them
to consume all their resources, leading them either to give up
or to continue under conditions of very high risk and
likelihood of failure.
Figure 2 shows an adversary work distribution, which
was hypothesized during the initial dynamic defense
brainstorming session. As shown, 95% of the adversary’s
time is spent preparing for the attack, while only 5% is
spent actually executing the attack. These numbers were
later validated in several laboratory experiments on the IA
program.
Our job as defenders is to disrupt the adversaries’ processes
so that they do not achieve their goals. One interesting
defensive idea we stumbled upon concerns network
visualization. As network defenders, we try to improve our
view of the network and what is happening in it. We work
on improving intrusion detection systems that will catch the
adversary, visualization tools that allow us to watch the
network in real time, and instantaneous alerting systems.
An adversary also needs to visualize the network. Wouldn’t
Dorene Kewley, Russ Fink, John Lowry, Mike Dean
BBN Technologies, A Verizon Company
Dynamic Approaches to Thwart Adversary Intelligence Gathering
Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEXII’01)
0-7695-1212-7/01 $10.00 © 2001 IEEE