4 Kinds of Breadcrumbs In Intelligent Deception

Friday, January 26, 2018
4 Kinds of Breadcrumbs In Intelligent Deception

Cyber attacks are processes that compromise, spread and exploit multiple systems across an organization. They’re not single events. When attackers compromise an asset, they don’t know which asset is infected; they must determine where they are in the network, the network structure and where they can find valuable information. That means attackers carefully try to find out as much as possible about the organization. This is precisely the behavior that intelligent deception technology can exploit in order to thwart attackers and protect organizations.

In this blog series we will investigate each of the classes of breadcrumbs and lures used by Intelligent Deception in general and Fidelis Deception in particular. So check back often!

Breadcrumbs are clues for a potential attacker that an intelligent deception platform intentionally leaves behind on organizational systems. These clues create a false trail that lead attackers to decoys and traps that catch them while protecting real assets. However, in order for breadcrumbs to be effective, they must look and feel like real information and credentials to an attacker and create a persuasive false trail back to deception decoys and traps.  

There are 4 kinds of breadcrumbs that can combine to thwart an attacker as they seek evidence of credential and connection that they require to complete their mission of theft and destruction. These are:

  • Credential & Active Directory breadcrumbs
  • File & Data breadcrumbs
  • Network breadcrumbs
  • Application breadcrumbs

Credential & Active Directory Breadcrumbs

As part of their reconnaissance, attackers try to find credentials that will give them access to high value systems in your organization. This presents a key opportunity to create and store fake user credentials and permissions in your Active Directory system. When a decoy associated with a certain faked user appears in the AD as a regular user of the organization, it presents a tempting target for an attacker who is trying to allocate the right account which might be used, for example, to reset a user’s password. The AD Deception model uses faked users in Active Directory. Those users run on the decoys spread throughout the organization and periodically access the AD as would regular users with different permission levels in the organization. This creates the impression of legitimacy and furthers the persuasiveness of the deception. When an attacker accesses a decoy based on the breadcrumbs in AD, a validated decoy alert is automatically triggered and prompting immediate response by the administrator and security operations teams.

While querying AD, attackers will spot the decoy systems that are accessing AD and be lead to the decoys. Meanwhile, sensitive and protected systems remain safe. 

Beyond fake Active Directory credentials and false information, these kinds of breadcrumbs can also include elements like passwords in registry keys for decoy services and SPN (service principal name) entries. If an attacker uses a decoy credential, validated detections are enabled even for Man-In-The-Middle style attacks prompting rapid escalation and response.

In the next post we’ll investigate the other kinds of breadcrumbs used by intelligent deception.

- Doron Kolton
Chief Strategy Officer – Emerging Technologies