Recently, my team conducted an in-depth investigation of how our deception technology would stand up to formidable targeted attacks and what lessons we could learn so as to strengthen our technology’s responsiveness and ability to frustrate attacks. Wanting to be put to the test by very significant and innovative threats, we invited elite hackers and security experts to use their best knowledge, experience and skills to try to defeat our deception layer in a simulated enterprise network. More than 50 of them answered the challenge.
Rules of the Game
We gave our gang of renowned attackers access to a machine in a simulated enterprise network using a remote access tool (RAT). We challenged them to locate and extract at least five pieces of data hidden somewhere, anywhere, within the network.
How clever these people are! Through this exercise, we were able to witness a very wide variety of methods by some of the greatest hackers in the world. We were astounded at the ingenuity and cunning of many of the network intrusions and attempts to access our information assets. We were also quite proud about how our deception technology coped with such challenging encounters.
In this blog, I would like to concentrate on one particular attack that certainly tested our mettle.
Deception-based security – terminology
Decoys (also referred to as “next generation honeypots”) are fake assets that resemble workstations, servers, services, laptops, routers, switches, mobile devices or other computer components. Because decoys appear to be legitimate assets, attackers probe them looking for valuable information. An attempt to access a decoy can be easily identified and monitored unbeknownst to the attacker.
Traps are fake resources resembling items of information that point to or facilitate access to another asset within or even outside of the network. Traps can take the form of email messages containing URL and login information, registry entries containing pointers to data folders, or almost any other type of data. Like the genuine items they resemble, traps point to assets; the difference is that they point to decoys rather than to real assets.
The email trap lures an attack
Now, let’s look at one attempt to defeat our deception defenses.
One attacker took measure of the machine he landed on and “stumbled” upon one of our file traps – an email trap that we planted for attackers to find. The message contained an IP address to an RDP service, complete with an access password.
Upon discovering the trap and mistaking it for a genuine email, the attacker proudly employed this treasure trove of information to access the service. Little did he know that this was a well-disguised decoy!
Right away, the access of our decoy triggered a detection alert and summoned our system to stealthily monitor the attacker just as he made his first probe outside of the host workstation.
Continuing his advance across the network and still believing he was interacting with real assets, the attacker discovered another asset – but this was, in reality, our FileZilla FTP configuration trap. Here we planted three additional IP addresses along with the credentials to access them. The attacker thought he had struck gold and logged onto two of the addresses using the credentials he picked up in the trap. Interestingly, even though he had one password for each FTP service, he still tried some of the other passwords on the same service. This proved to be a recurring phenomenon, and one that reveals something about attacker methodology. In fact, during our postmortem, we noticed that attackers who found passwords attempted to use them over and over. In one case, a single password was used 11 times in 11 different locations!
Lastly, our attacker uncovered yet another RDP decoy through a .RDP file trap that had been left “lying around”. He also found, from another email trap, the HTTP service on 50.4.
In total, our very clever attacker entered into a high-level interaction with four decoy IPs. He accessed them over a range of services, including RDP, FTP and HTTP, logging in to each. He then happily roamed around and downloaded files, thinking he was winning the challenge. In fact, he was dealing with decoys that proved quite attractive and kept him busy for hours.
Setting His Own Trap
Now we come to one of the most interesting findings: how attackers find themselves entangled in the deception layer to a point in which they themselves are unknowingly creating their own traps.
As we’ve seen in the sections above, the attacker interacted with ten decoys. However, only five of those decoys had traps leading to them. How did the attacker find the other decoys – and what caused him to interact with them so intensively?
Upon subsequent analysis, we saw that the decoys that this attacker had triggered during his engagement provided clues as to how and why he accessed some of the services.
Remembering the RDP services he had encountered on two machines, he tried the same approach on a third one. He quickly figured out that the machine was running MS Windows, so he accessed it using SMB – a service never mentioned in any of the traps we laid – and roamed there quite a bit, excitedly downloading files.
How did this happen? The decoys and traps we laid gave the attacker enough information to discover other decoys. They allowed him to form a picture of a fully functioning workstation with interesting services to explore and data that looked valuable. The attacker started to ‘fill in the gaps’ of missing information by himself, making assumptions based on the false information he had already acquired in order to look for services and for ways to access the data.
We call this phenomenon “widening the information gap”, which is our way of essentially increasing the difference between reality and what the attacker thinks he or she “knows” is “real”. Deception mechanisms, such as the one we used, serve to widen the information gap and throw attackers off course. You can read more about it in our research paper “Applying Deception Mechanisms for Detecting Sophisticated Cyber Attacks”.
The attacker spent over four hours of his valuable hacking time chasing our traps to no avail. Instead of pursuing actual information for possible exfiltration, he wasted all of his time on decoys. All the while, he was triggering alerts from the decoys enabling us to watch him and later trace all of his activities. This attacker failed in his attempt to extract real assets. The deception layer thwarted the attack.
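The postmortem analysis described above – separating decoy accesses that a planted trap led to from those the attacker extrapolated on his own, and counting how many locations each planted password was tried on – can be automated over a decoy access log. The following is an added illustration written for this post, not TopSpin Security’s code; the trap table, decoy IPs, passwords and the key=value log format are all constructed for the example.

```python
import re
from collections import defaultdict

# Planted traps as (decoy_ip, service, password) tuples: constructed stand-ins for the
# post's email trap, FileZilla config trap and .RDP file trap (not real network values).
PLANTED_TRAPS = {
    ("10.0.0.21", "rdp", "Winter2019!"),   # email trap pointing at an RDP decoy
    ("10.0.0.31", "ftp", "ftp-backup-7"),  # FileZilla config trap, three FTP decoys
    ("10.0.0.32", "ftp", "ftp-archive-3"),
    ("10.0.0.33", "ftp", "ftp-media-9"),
    ("10.0.0.41", "rdp", "Winter2019!"),   # .RDP file trap
}

# Constructed decoy access log in a hypothetical key=value format, one event per line.
DECOY_LOG = """\
2019-03-04T10:02:11 decoy=10.0.0.21 svc=rdp src=10.0.0.5 password=Winter2019! result=success
2019-03-04T10:40:53 decoy=10.0.0.31 svc=ftp src=10.0.0.5 password=ftp-backup-7 result=success
2019-03-04T10:41:07 decoy=10.0.0.31 svc=ftp src=10.0.0.5 password=ftp-archive-3 result=fail
2019-03-04T10:45:22 decoy=10.0.0.32 svc=ftp src=10.0.0.5 password=ftp-archive-3 result=success
2019-03-04T11:30:09 decoy=10.0.0.41 svc=rdp src=10.0.0.5 password=Winter2019! result=success
2019-03-04T12:15:44 decoy=10.0.0.52 svc=rdp src=10.0.0.5 password=Winter2019! result=fail
2019-03-04T12:16:30 decoy=10.0.0.52 svc=smb src=10.0.0.5 password=Winter2019! result=success
"""

LINE_RE = re.compile(r"decoy=(\S+) svc=(\S+) src=(\S+) password=(\S+) result=(\S+)")
FIELDS = ("decoy", "svc", "src", "password", "result")

def parse_log(text):
    """Turn each decoy access line into a dict; any touch of a decoy is an alert."""
    return [dict(zip(FIELDS, m.groups()))
            for m in (LINE_RE.search(line) for line in text.splitlines()) if m]

def classify(events):
    """Split accesses into trap-led (decoy/service advertised by a planted trap)
    and self-discovered (the attacker extrapolated from what the traps revealed)."""
    advertised = {(ip, svc) for ip, svc, _ in PLANTED_TRAPS}
    trap_led, self_discovered = [], []
    for e in events:
        (trap_led if (e["decoy"], e["svc"]) in advertised else self_discovered).append(e)
    return trap_led, self_discovered

def password_reuse(events):
    """Count the distinct decoy locations (ip, service) each planted password was tried on."""
    seen = defaultdict(set)
    for e in events:
        seen[e["password"]].add((e["decoy"], e["svc"]))
    return {pw: len(locs) for pw, locs in seen.items()}
```

The self-discovered bucket is the “widening the information gap” signal: the SMB access to 10.0.0.52 was never advertised by any trap, so the attacker must have inferred it from the false picture the decoys gave him.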
* * *
Deception-based security – terminology
Assets – Resources in the network such as workstations, servers, laptops, routers, switches and mobile devices.
Decoy – A fake asset resembling a workstation, server, service, laptop, router, switch, mobile device or other computer component. Because decoys appear to be legitimate assets, attackers probe around the decoy looking for valuable information, and this is activity that can be easily identified by the defender. Decoys are sometimes referred to as Next-Generation Honeypots.
Detection – The act of identifying an attacker or malware program that has infected an asset or resource.
Honeypot – A computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.
Infection – The act of an attacker gaining a foothold on a computer in the network. Once one asset is infected, it provides a platform for the attacker to infect another.
Knowledge gap – The difference between the true picture of the network and the picture currently perceived by the attacker.
Mini-trap – Another term for trap (see below). Does not mean a small trap.
Trap – A fake resource resembling an item of information that points to or facilitates access to another location on an asset, on the network or even outside of the network. Examples: an email message containing URL and login information, registry entries containing pointers to data folders. Like the components they resemble, traps point to assets, the difference being that they point to decoys, which are fake assets. Also termed mini-trap.
Omer Zohar is TopSpin Security’s Head of Research