Achieving zero false positives with intelligent deception
Cyber attacks are not single events. When attackers compromise an asset, they do not initially know what that asset is or where it sits. They must work out where they are in the network, how the network is structured and where valuable information can be found. That means attackers carefully try to learn as much as possible about the organization. This is precisely the behavior that intelligent deception technology can exploit in order to thwart attackers and protect organizations.
Breadcrumbs are clues for a potential attacker that an intelligent deception platform intentionally leaves behind on organizational systems. These clues create a false trail that leads attackers to decoys and traps that catch them while protecting real assets. However, for breadcrumbs to be effective, they must look and feel to an attacker like real information and credentials, and they must create a persuasive false trail back to the deception decoys and traps.
There are four kinds of breadcrumbs that can be combined to thwart an attacker as they seek the credentials and connections they require to complete their mission of theft and destruction. These are:
- Credential and Active Directory breadcrumbs
- File and data breadcrumbs
- Network breadcrumbs
- Application breadcrumbs
Credential and Active Directory breadcrumbs
As part of their reconnaissance, attackers try to find credentials that will give them access to high value systems in your organization. This presents a key opportunity to create and store fake user credentials and permissions in your Active Directory system.
When a decoy associated with a certain faked user appears in AD as a regular user of the organization, it presents a tempting target for an attacker who is trying to locate the right account, for example one that could be used to reset a user's password. The AD deception model uses faked users in Active Directory. Those users run on the decoys spread throughout the organization and periodically access AD as regular users with different permission levels would. This creates the impression of legitimacy and furthers the persuasiveness of the deception. When an attacker accesses a decoy based on the breadcrumbs in AD, a validated decoy alert is automatically triggered, prompting immediate response by the administrator and security operations teams.
While querying AD, attackers will spot the decoy systems that are accessing AD and be led to the decoys. Meanwhile, sensitive and protected systems remain safe.
Beyond fake Active Directory credentials and false information, these kinds of breadcrumbs can also include elements like passwords in registry keys for decoy services and SPN (service principal name) entries. If an attacker uses a decoy credential, validated detections are enabled even for Man-In-The-Middle style attacks, prompting rapid escalation and response.
File and data breadcrumbs
File-based breadcrumbs are some of the simplest and most versatile deception elements available. File and data breadcrumbs can include deception elements such as documents, emails, database entries and links in recent-file lists that point to shared folders on the decoy systems. Documents that are created and placed on real machines include information about decoy systems that look interesting to attackers.
They can also contain passwords and credentials – such as servers and accounts in the organization – that create tempting reconnaissance targets for would-be attackers. Since each organization is different, it is ideal when these file and data breadcrumbs appear as real as any other organizational content. Documents, naming conventions and templates should be customized with the customer's actual logos and usernames while simultaneously pointing to decoys. Common examples include:
- A text file of some application configuration that contains a username and password
- A technical document common to every organization, such as instructions of how to connect to the corporate VPN
- IT/corporate documents (txt, doc, xls, pdf, etc.)
When an attacker accesses documents, emails or other data contained in these kinds of breadcrumbs, they are directed toward decoys and away from protected systems.
This has the effect of both increasing the attacker’s activity footprint and thwarting them in their attempts to locate sensitive information.
A word about emails
Email messages have an important role as breadcrumbs in a deception system. Despite the ease with which emails can be read, they are still used extensively to transmit sensitive data from one person to another. In other words, emails are often high on an attacker’s reconnaissance list because of the sensitive data they all-too-often contain.
Furthermore, emails are more often accessed by the attackers themselves rather than automatic malware they have deployed. This affords emails a high degree of credibility (with attackers) and makes them excellent deception breadcrumbs.
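The two sections above (credential/AD breadcrumbs and file/data breadcrumbs) share one detection property: a decoy credential has no legitimate user, so any use of it, successful or not, is a high-fidelity alert, and when every planted credential is unique the alert also says which breadcrumb the intruder followed. The following monitor is an added example written for this page, not code from any deception product. The breadcrumb registry, host names, log format and event lines are all constructed here; the event IDs only borrow Windows numbering (4624 logon, 4625 failed logon, 4769 Kerberos service ticket request) for readability.

```python
import re
from dataclasses import dataclass
from collections import OrderedDict

# Constructed registry of breadcrumbs (hypothetical names). Every decoy credential
# is unique to the place it was planted, so one use tells the defender which
# breadcrumb the intruder read. None of these accounts exist as real users.
BREADCRUMBS = {
    "svc_backup_adm": {"kind": "ad_account", "placed_in": "Active Directory decoy service account"},
    "vpn_helpdesk": {"kind": "file", "placed_in": r"\\fs01\it\vpn_howto.txt"},
    "MSSQLSvc/db-decoy01.corp.example:1433": {"kind": "spn", "placed_in": "AD SPN pointing at decoy DB"},
}

# Hosts that are decoys: any authentication to them is suspect by construction.
DECOY_HOSTS = {"db-decoy01.corp.example", "fs-decoy02.corp.example"}

# Constructed authentication events in a simplified key=value shape (not any
# vendor's real log format).
SAMPLE_EVENTS = """\
ts=2024-05-01T08:01:12Z event=4624 user=jsmith src=10.0.4.21 dst=fs01.corp.example logon_type=3
ts=2024-05-01T08:02:40Z event=4625 user=svc_backup_adm src=10.0.4.21 dst=dc01.corp.example logon_type=3
ts=2024-05-01T08:03:05Z event=4769 user=jsmith src=10.0.4.21 spn=MSSQLSvc/db-decoy01.corp.example:1433
ts=2024-05-01T08:04:19Z event=4624 user=vpn_helpdesk src=10.0.4.21 dst=fs-decoy02.corp.example logon_type=10
ts=2024-05-01T08:05:00Z event=4624 user=mjones src=10.0.7.3 dst=fs01.corp.example logon_type=3
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    ts: str
    src: str
    breadcrumb: str   # the credential, SPN or host that was touched
    kind: str         # ad_account | file | spn | decoy_host
    placed_in: str
    event: str


def parse_event(line):
    """Turn one key=value line into a dict (empty dict for non-matching lines)."""
    return dict(KV_RE.findall(line))


def detect(events_text):
    """Return one Alert per event that touches a breadcrumb or a decoy host.

    A failed logon (4625) with a decoy account still alerts: nobody legitimate
    knows that password, so even a wrong guess means the breadcrumb was read.
    """
    alerts = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        user, spn, dst = ev.get("user", ""), ev.get("spn", ""), ev.get("dst", "")
        hit = None
        if user in BREADCRUMBS:
            hit = (user, BREADCRUMBS[user])
        elif spn in BREADCRUMBS:
            hit = (spn, BREADCRUMBS[spn])
        elif dst in DECOY_HOSTS:
            hit = (dst, {"kind": "decoy_host", "placed_in": "decoy system"})
        if hit:
            alerts.append(Alert(ev["ts"], ev["src"], hit[0], hit[1]["kind"],
                                hit[1]["placed_in"], ev["event"]))
    return alerts


def trail(alerts):
    """Group alerts by source address, preserving order, so the sequence of
    breadcrumbs one intruder followed (its pattern of advance) is visible."""
    by_src = OrderedDict()
    for a in alerts:
        by_src.setdefault(a.src, []).append(a.breadcrumb)
    return dict(by_src)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.ts} VALIDATED ALERT src={a.src} kind={a.kind} "
              f"breadcrumb={a.breadcrumb!r} planted at {a.placed_in}")
    print(trail(found))
```

Run as written, the monitor raises three alerts, all from 10.0.4.21: the decoy AD account (even though that logon failed), the SPN of the decoy database, and the credential planted in the VPN how-to file. The two logons by real users to the real file server produce nothing, which is the zero-false-positive property the page describes: the rule fires only on data that has no legitimate consumer.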
Network breadcrumbs
Decoys are designed to create network noise in a number of ways in order to lure attackers. The decoys communicate with assets in the organization. They communicate with the DNS server. They announce themselves using the various protocols that inform the environment of their existence, just like other assets in the organization. This deception behavior is an effective lure for attackers to attempt MITM (man-in-the-middle) attacks. It adds entries to the ARP (address resolution protocol) caches of other hosts and shows open connections to the decoys.
Attackers investigating the ARP cache for interesting IP and MAC addresses spot the decoy information and either pursue that false trail or interfere with the protocols that lure them into attempting MITM interception, which in turn triggers automated and validated alerts to the security team.
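The paragraph above describes the decoy as a MITM lure, and the decoy's own view of the network is where that attempt becomes visible: a poisoned ARP cache shows an existing IP whose MAC has changed, and one MAC claiming several IPs. The check below is an added example written for this page, not a vendor's implementation; the neighbour-table lines imitate the shape of `ip neigh show` output but every address and MAC in them is constructed.

```python
import re
from collections import defaultdict

# Constructed neighbour-table text (hypothetical addresses). BASELINE is what the
# decoy learned when it first joined the segment; SNAPSHOT is a later poll in
# which 10.0.4.1 (the gateway) suddenly resolves to the MAC of 10.0.4.21.
BASELINE = """\
10.0.4.1 dev eth0 lladdr 02:00:00:00:04:01 REACHABLE
10.0.4.10 dev eth0 lladdr 02:00:00:00:04:10 STALE
10.0.4.21 dev eth0 lladdr 02:00:00:00:04:21 REACHABLE
"""

SNAPSHOT = """\
10.0.4.1 dev eth0 lladdr 02:00:00:00:04:21 REACHABLE
10.0.4.10 dev eth0 lladdr 02:00:00:00:04:10 STALE
10.0.4.21 dev eth0 lladdr 02:00:00:00:04:21 REACHABLE
10.0.4.30 dev eth0 lladdr 02:00:00:00:04:30 REACHABLE
"""

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-f:]{17})\s+(\S+)$", re.I)


def parse_neigh(text):
    """Map IP -> MAC; entries without an lladdr (FAILED, INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def arp_anomalies(baseline, snapshot):
    """Compare two IP->MAC tables and report the two classic poisoning signs.

    A brand-new neighbour (10.0.4.30 above) is not flagged on its own: hosts
    join segments all the time, and flagging them would reintroduce noise.
    """
    findings = []
    for ip, mac in snapshot.items():
        known = baseline.get(ip)
        if known is not None and known != mac:
            findings.append({"type": "mac_changed", "ip": ip, "was": known, "now": mac})
    owners = defaultdict(set)
    for ip, mac in snapshot.items():
        owners[mac].add(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append({"type": "one_mac_many_ips", "mac": mac, "ips": sorted(ips)})
    return findings


def check_decoy_view():
    """Run the comparison on the embedded sample tables."""
    return arp_anomalies(parse_neigh(BASELINE), parse_neigh(SNAPSHOT))


if __name__ == "__main__":
    for finding in check_decoy_view():
        print("VALIDATED ALERT from decoy ARP view:", finding)
```

Because the decoy serves no real users, a changed MAC for a peer it was talking to has no benign explanation short of a hardware swap, so the finding can be escalated as-is rather than correlated against other signals first.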
Application breadcrumbs
Application breadcrumbs should ideally be broad and varied. Session application breadcrumbs drop tempting SSH, FTP and RDP credentials for would-be attackers. Web browser breadcrumbs create a trail that leads to decoys through history, cookies, stored passwords and bookmarks. The deceptive illusion comes alive when attackers see the data they expect to find.
Conclusion
Deception solutions are a very good source of threat intelligence and a very good way to detect infected assets inside the organization. Because they interact with attackers – unlike perimeter or endpoint solutions that attempt to block them – they can monitor attacker activity and track the patterns of their advance.
To attract attackers, decoys are made to resemble the target systems as closely as possible. They have the look and feel of systems that an attacker seeks. Intelligent deception solutions actively lure attackers to the decoys once they have penetrated the perimeter. These lures, or breadcrumbs, exploit the fact that when an attacker initially exploits an asset, they are essentially blind. The attacker cannot tell where in the network he has landed, so he starts looking for other assets that have been accessed from the infected asset.
The attacker looks for tools that the infected asset is currently using, credentials that the exploited system may be using and other systems to which the affected asset is connected. This evidence of credential and connection is a necessity if the attacker is to continue his exploit and successfully navigate to sensitive and protected systems in the organization.
Intelligent deception takes advantage of the attacker's initial hunt for credentials and connections by creating deceptive breadcrumbs that lead to decoys. Breadcrumbs can take many forms, from cookies to registry values, emails, files, ARP table entries and beyond – all carrying fake credentials and fake data that attackers find irresistible.
Breadcrumbs should be strategically placed in order to be effective. An intelligent deception solution passively scans network traffic and analyzes the applications used on each asset, the communication graphs in the organization, the behavior of assets including their internet communication habits, and much more. Using all of this data, an intelligent deception solution can deliver better, automated detection and response with fewer false positives.