SKIDDIEs and PROs vs. Advanced Deception

Wednesday, July 18, 2018
Hacker

There are different types of hackers, each with their own characteristics, methods and goals. We can divide them into white hat and black hat categories, or group them by their skills or by their goals. There are pentesters, hackers for hire, hacktivists and espionage groups. Some hackers attack organizations to steal money or data they can sell; some are in it for fame or just to prove that they can; some do it because they want to change the world; and some simply get paid for the attack and don't spare a thought for who the target is or why they are attacking it.

In this blog we'll examine the profiles of two types of hackers: Script Kiddies (SKIDDIEs) and professional hackers (PROs). We'll focus on how each operates and how each can be caught, both with traditional security tools and with Deception.

When discussing their methods of operation, we'll dig into the details by referencing a specific published attack (the 2015 Hacking Team breach). We'll also include details on advanced attacks drawn from our capture-the-flag based research on Deception (full whitepaper here).

Profile: The SKIDDIEs 

The Wikipedia definition of SKIDDIEs is as follows: “In programming and hacking culture, a script kiddie or skiddie is an unskilled individual who uses scripts or programs developed by others to attack computer systems and networks and deface websites.” 

Script kiddies are not advanced attackers. Despite the potentially high damage of their attacks, they are usually unaware of the security tools and defense techniques deployed in the environment they attack. They are eager for quick results, so almost no intelligence is gathered on the target beforehand; as a result, the actual attack is both the first step and the last.

SKIDDIEs are typically not fully aware of the capabilities of the tools they use and mostly rely on ready-made tools and do not have the skills to alter them. They also often lack awareness of the traces that they leave behind.

The SKIDDIEs usually work solo and do not have a specific goal for their attack. This narrows the potential damage scope of their attacks but increases the noise they make on the network while attacking. Finally, these hackers usually run tools in a 'noisy' mode, fetching as much information as possible in a short period of time without giving a moment's thought to who can detect them.

USA Network – Mr. Robot, season 1

Profile: The PROs

In the other corner of the ring we have the professional hackers. The PROs work on a specific attack, either as individuals or as an organized group in which each member has their own specialty.

The attack process of these hackers includes a lot of research before the actual attack. The pre-attack reconnaissance phase is usually the most important one: collecting preliminary information, constructing attack scenarios, using social engineering, studying the target's network topology as much as possible and defining the attack goals. The full attack looks like an extensively planned military operation, and executing the actual attack is usually one of the last links in the chain.

The PROs adopt a low-and-slow approach to their attacks and techniques, which means they will try to fly under the radar for as long as they can. They are also careful not to leave traces behind on the network. In some cases they plan their exit strategy ahead of time and use it if they suspect they have been noticed.

Deception vs. SKIDDIEs and PROs

Deception technology is an emerging category of cyber security defense designed to detect an attacker who has already breached the network and stop the damage before it is done.

There are four main types of deception that can be deployed in an organization – Decoys, Breadcrumbs, Network Deception & Active Directory Deception:

  • Decoys are fake assets in your network that behave like workstations, servers and various IoT devices.
  • Breadcrumbs are pieces of information placed on the real assets that act as lures to push the attacker to the Decoys. These can be credentials to services, real files, database links, digital wallets and more.
  • Network Deception is the creation of different types of network traffic to make Decoys more authentic and more attractive. This type of deception uses various broadcast messages and publishing protocols as well as the emulation of realistic traffic to corporate servers.
  • Active Directory Deception adds a layer of deception to your AD. This includes adding fake users that are monitored, registering fake computers and SPNs and more.

The main goal of deception is to detect the attacker. The footprint of deception should be almost invisible to the innocent user, but very appealing to the attacker.

The Attack Anatomy

Let’s consider how these two groups would typically interact with hidden deception technology during the lifecycle of an attack.

For the purpose of this discussion, we will base the play-by-play on the Hacking Team breach. Hacking Team, a hacker-for-hire company that sold offensive tools and services to governments, was breached in 2015 by the hacker known as Phineas Fisher (definitely a PRO attacker), who publicly released 400 GB of internal documents, emails and exploit source code. Fisher claimed the motive was ideological and that the aim was to show that even a corporate hacking monster is not immune to cyber-attack. The story was later published in detail and can be read as a guide for wannabe hackers (SKIDDIEs).

Enumeration

Let's start by assuming the attacker is already inside the organization. From this point on, reconnaissance is required in every cycle of lateral movement between computers, and enumeration is what the attacker uses to plan the next step.

One of the most popular tools for this is Responder.py, which can be used to enumerate and gather data on the surrounding computers in the network. Responder listens for broadcast and multicast name-resolution requests (LLMNR, NBT-NS and mDNS) and can answer them, pretending to be the host the victim was looking for; the victim then authenticates to the attacker and reveals its NTLMv2 challenge-response hashes.

SKIDDIEs will fire up Responder in its default (poisoning) mode, which can collect many hashes that then need cracking. Cracking NTLMv2 is not trivial; it requires many resources and only succeeds against weak passwords. Most likely the SKIDDIEs lack these resources, leaving them with useless hashes.

PROs are more likely to use Responder in analyze mode (the -A flag). This mode only collects information passively; since it never answers a request, it sends nothing on the wire and generates no network noise.
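To make the Responder mechanics concrete, here is an added example written for this post (it is not Responder's own code) that works the LLMNR exchange from both sides. build_llmnr_query() is what a victim multicasts, build_poisoned_reply() is the kind of spoofed answer a poisoner sends back, and probe() reuses the same packets as a defender's canary: it queries a made-up name that no host owns and reports any address that answers. The canary name fileserver-xq7, the addresses and the timeout are assumptions, not values from the original.

```python
"""LLMNR canary: detect a Responder-style poisoner on the local segment.

Responder answers name queries that nobody legitimately owns.  A defender can
use exactly that: multicast an LLMNR query for a name that does not exist
anywhere (the canary) and treat *any* answer as proof that a host is spoofing
replies.  Only probe() touches the network; packet building and parsing are
pure functions so they can be exercised offline.
"""
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # RFC 4795 multicast group
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS-style label encoding, e.g. 'a.b' -> b'\\x01a\\x01b\\x00'."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Victim side: header (id, flags=0, QDCOUNT=1) followed by one A/IN question."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_poisoned_reply(query: bytes, claimed_ip: str, ttl: int = 30) -> bytes:
    """Poisoner side: echo id and question with the QR bit set, add an A record
    (0xC00C = compression pointer to the question name at offset 12) claiming the name."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:]
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(claimed_ip)
    return struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0) + question + answer


def parse_name(data: bytes, offset: int):
    """Decode a label sequence, following 0xC0 compression pointers; returns (name, next_offset)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            offset = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length


def parse_llmnr_answers(data: bytes, expected_txid: int):
    """Return [(name, ipv4), ...] from a reply to our query, or None if it is not one."""
    if len(data) < 12:
        return None
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    if txid != expected_txid or not flags & 0x8000:   # wrong id, or QR bit clear (a query)
        return None
    offset = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, offset = parse_name(data, offset)
        offset += 4                                    # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = parse_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return answers


def is_poisoned(canary: str, response: bytes, txid: int) -> bool:
    """True if somebody claimed the canary name.  Nobody owns it, so any claim is a spoof."""
    answers = parse_llmnr_answers(response, txid)
    return bool(answers) and any(n.lower() == canary.lower() for n, _ in answers)


def probe(canary: str = "fileserver-xq7", timeout: float = 2.0):
    """Defender side: send one canary query, return the IPs that answered it (empty = clean)."""
    txid = random.randrange(1, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
    poisoners = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(4096)
            if is_poisoned(canary, data, txid):
                poisoners.append(src)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return poisoners


if __name__ == "__main__":
    print("poisoner(s) answering the canary:", probe() or "none")
```

Run it periodically from a decoy: a segment with no poisoner never answers, because the canary name is resolvable nowhere, so the first reply is the alert. Pick a canary that looks like a plausible file server or share so a poisoner in default mode has no reason to ignore it.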

Another popular tool is BloodHound. It is used to enumerate accounts, computers and the relationships between them in the Active Directory environment. It works by querying the domain controller over LDAP and then the other computers in the network over SMB/RPC, using the same calls a legitimate administrator would.

SKIDDIEs will use the full capabilities of BloodHound and collect all the possible information about the Active Directory tree. When enumerating sessions, they will allow BloodHound to attempt to log in to every computer registered in AD.

PROs will first learn the network topology and use BloodHound only for account and computer enumeration. They will not use its more aggressive features before evaluating the environment and the security tools deployed there.

Detection

Detecting these activities is not straightforward, as they can look like legitimate actions by legitimate users. Traditional signature-based tools generally cannot tell Responder or BloodHound traffic apart from normal name resolution, LDAP and SMB activity. An advanced network monitoring solution may be able to detect the more aggressive modes of Responder and BloodHound, which helps catch SKIDDIEs.

Deception elements can catch these attackers in the early phases and plant false information that will later lure them to access the decoys in the lateral movement phase.

PROs working in stealth and only collecting data would have their intelligence poisoned by the deployed deception: the Responder data would include broadcasts from the decoys, making them look legitimate, and the BloodHound data would point them to interesting-looking decoy users and computers. Other network deception techniques that help here are poisoning the ARP table (see the image below, from our CTF report, on ARP poisoning and decoy access) and NBNS publishing. The PROs would often cross-check the various sources of data (AD, DNS, DHCP, etc.) and not attempt to access a computer before verifying the value they will get from it.

SKIDDIEs would get caught much sooner by network deception tactics, when they attempt to poison the broadcast requests sent by the decoys: a decoy asks for a name that no real host owns, so any answer exposes the poisoner. Active Directory deception will catch the SKIDDIEs when they try to log in to a decoy during BloodHound's session enumeration phase. Of course, the SKIDDIEs will also be misled by the deceptive information.
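The two detections described above for the enumeration phase, as an added example that is not part of the original post or of any product: decoy_hits() fires on any Windows Security event that touches a decoy user or decoy computer (Active Directory deception, which catches the quiet PRO who merely requests a ticket for an interesting-looking account), and enumeration_bursts() finds one source producing network logons against many hosts in a short window, the footprint of a noisy BloodHound session collection. The event lines, decoy names and thresholds are constructed for the example and are not taken from the page.

```python
"""Active Directory deception hits and BloodHound-style logon bursts, run over
constructed Windows Security event lines (4624 = logon, 4768 = Kerberos TGT
request).  Field names mirror the event fields; values are invented."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Decoy objects registered in AD solely to be touched (hypothetical names).
DECOY_USERS = {"svc_backup_adm", "sqladmin-legacy"}
DECOY_COMPUTERS = {"FS-ARCHIVE01", "SQL-LEGACY02"}

# Constructed sample: one noisy session sweep by jdoe, one quiet TGT request
# for a decoy account, one ordinary interactive logon.
SAMPLE_EVENTS = """\
time,event_id,logon_type,target_user,source_ip,computer
2018-07-18T09:00:00,4624,3,jdoe,10.0.5.21,WS-0042
2018-07-18T09:00:01,4624,3,jdoe,10.0.5.21,WS-0043
2018-07-18T09:00:02,4624,3,jdoe,10.0.5.21,WS-0044
2018-07-18T09:00:03,4624,3,jdoe,10.0.5.21,WS-0045
2018-07-18T09:00:04,4624,3,jdoe,10.0.5.21,WS-0046
2018-07-18T09:00:05,4624,3,jdoe,10.0.5.21,WS-0047
2018-07-18T09:00:06,4624,3,jdoe,10.0.5.21,WS-0048
2018-07-18T09:00:07,4624,3,jdoe,10.0.5.21,WS-0049
2018-07-18T09:00:08,4624,3,jdoe,10.0.5.21,WS-0050
2018-07-18T09:00:09,4624,3,jdoe,10.0.5.21,WS-0051
2018-07-18T09:00:10,4624,3,jdoe,10.0.5.21,FS-ARCHIVE01
2018-07-18T09:00:11,4624,3,jdoe,10.0.5.21,WS-0053
2018-07-18T11:30:00,4768,-,svc_backup_adm,10.0.7.9,DC01
2018-07-18T12:00:00,4624,2,asmith,10.0.5.33,WS-0100
"""


def parse_events(text: str):
    """CSV lines -> list of dicts with a real datetime and integer ids."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "ts": datetime.fromisoformat(row["time"]),
            "event_id": int(row["event_id"]),
            "logon_type": int(row["logon_type"]) if row["logon_type"].isdigit() else None,
            "target_user": row["target_user"],
            "source_ip": row["source_ip"],
            "computer": row["computer"],
        })
    return events


def decoy_hits(events):
    """AD deception: any event naming a decoy principal or decoy host is an alert.
    No rate threshold is needed, because nothing legitimate ever touches a decoy."""
    hits = []
    for e in events:
        if e["target_user"].lower() in DECOY_USERS:
            hits.append((e["ts"], e["source_ip"], f"decoy user {e['target_user']}"))
        elif e["computer"].upper() in DECOY_COMPUTERS:
            hits.append((e["ts"], e["source_ip"], f"decoy computer {e['computer']}"))
    return hits


def enumeration_bursts(events, window=timedelta(seconds=60), min_hosts=10):
    """Noisy session enumeration: one (user, source IP) logging on over the network
    (type 3) to at least `min_hosts` distinct computers within `window`.
    Returns {(user, ip): max distinct hosts seen in any window}."""
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_source[(e["target_user"], e["source_ip"])].append(e)
    flagged = {}
    for key, evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)          # host -> events inside the sliding window
        left, best = 0, 0
        for e in evs:
            in_window[e["computer"]] += 1
            while e["ts"] - evs[left]["ts"] > window:   # slide the left edge forward
                host = evs[left]["computer"]
                in_window[host] -= 1
                if in_window[host] == 0:
                    del in_window[host]
                left += 1
            best = max(best, len(in_window))
        if best >= min_hosts:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ts, src, why in decoy_hits(evs):
        print(f"{ts} DECOY  {src:12} {why}")
    for (user, ip), n in enumeration_bursts(evs).items():
        print(f"BURST  {user}@{ip} touched {n} hosts inside one window")
```

In the sample the sweep by jdoe trips both rules, while the single 4768 for svc_backup_adm is caught only by the decoy rule: a burst threshold would never see it, which is the PRO case the post describes.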

Network Mapping

The goal of this phase is to map the network assets, their open ports and the services they run. Although there are many network scanners, Nmap is the most popular option, and with its NSE scripts it can also be used to scan for vulnerabilities.

SKIDDIEs will use Nmap to discover computers and search for vulnerabilities. Often they do not want to spend time on this step, and they do not care about, or do not know how to, avoid detection.

PROs will typically use Nmap on the network too, even though they are capable of developing their own tools for the task. Some do this to avoid leaving a unique footprint that could lead to their identification. Their scan will be very slow, often with large gaps between actions, and they sometimes alter Nmap's default signatures to further reduce the risk of triggering an alert. The PROs will probably focus the scan on specific assets or ports, unlike the SKIDDIEs, who generally scan everything.

Detection

SKIDDIEs will be detected quickly during their network scans, as almost any IDS or other network monitoring tool can identify this activity. As part of the scan, decoys would be touched too, and a good deception technology would also alert on this.

PRO network scans, whether slow or targeted or both, are far more difficult to detect. Decoys, however, can detect slow scans: a decoy has no legitimate clients, so even a single connection to it is an alert, regardless of how slowly the scan runs. The power of advanced deception comes into play with targeted scans: following the poisoned data that Deception places, the PROs would be led to investigate decoys that look valuable, and would trigger an alarm when doing so.
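The contrast above, as an added example that is not from the original post or any product: DecoyListener is a minimal decoy that logs every TCP connection it receives, rate_based_alerts() is the classic IDS port-scan rule, and decoy_alerts() fires on any touch of a decoy. make_scan() fabricates the connection records of one fast scan and one slow scan so the comparison runs offline; every address, port list and threshold here is invented for the example.

```python
"""Why a decoy catches the low-and-slow scan that a rate-based rule misses.

rate_based_alerts() implements "more than N distinct targets from one source
inside W seconds", the rule most IDS port-scan detectors reduce to.
decoy_alerts() needs no threshold: decoys have no legitimate clients, so one
probe is already an alert.  DecoyListener shows the decoy side for real
traffic; the analysis functions accept its records or fabricated ones.
"""
import socket
import threading
from collections import defaultdict
from datetime import datetime, timedelta

DECOY_ADDRS = {"10.0.9.50", "10.0.9.51"}   # hypothetical decoy IPs


class DecoyListener:
    """Accept on the given ports, record (ts, src, dst, port), close immediately."""

    def __init__(self, bind_ip: str, ports):
        self.bind_ip, self.ports, self.records = bind_ip, list(ports), []

    def _serve(self, port: int):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((self.bind_ip, port))
        srv.listen(5)
        while True:
            conn, (src, _) = srv.accept()
            dst = conn.getsockname()[0]
            self.records.append({"ts": datetime.now(), "src": src, "dst": dst, "port": port})
            conn.close()                      # no banner, no service: only the touch matters

    def start(self):
        for port in self.ports:
            threading.Thread(target=self._serve, args=(port,), daemon=True).start()


def rate_based_alerts(records, window_s: int = 60, threshold: int = 20):
    """Sources that probed more than `threshold` distinct (dst, port) pairs inside one window."""
    buckets = defaultdict(set)
    for r in records:
        bucket = int(r["ts"].timestamp()) // window_s
        buckets[(r["src"], bucket)].add((r["dst"], r["port"]))
    return sorted({src for (src, _), probes in buckets.items() if len(probes) > threshold})


def decoy_alerts(records):
    """Sources that touched any decoy address, however slowly."""
    return sorted({r["src"] for r in records if r["dst"] in DECOY_ADDRS})


def make_scan(src, targets, ports, gap_s, start=None):
    """Fabricate connection records for a scan of targets x ports, `gap_s` seconds apart."""
    t = start or datetime(2018, 7, 18, 9, 0, 0)
    records = []
    for port in ports:
        for dst in targets:
            records.append({"ts": t, "src": src, "dst": dst, "port": port})
            t += timedelta(seconds=gap_s)
    return records


if __name__ == "__main__":
    targets = ["10.0.9.10", "10.0.9.50"]          # one real host, one decoy
    skiddie = make_scan("10.0.5.77", targets, range(1, 101), gap_s=0.05)   # 200 probes in 10 s
    pro = make_scan("10.0.5.88", targets, [22, 80, 445], gap_s=900)        # 6 probes over 75 min
    both = skiddie + pro
    print("rate-based rule flags:", rate_based_alerts(both))   # only the noisy scanner
    print("decoy flags:          ", decoy_alerts(both))        # both scanners
```

The slow scan never puts more than one probe into any 60-second bucket, so no threshold short of 1 would catch it without also firing on ordinary traffic; the decoy rule catches it on the first connection because the decoy address has no reason to receive any.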

Summary

Most attacks led by SKIDDIEs can be detected by traditional security tools such as firewalls, WAFs and IDS. In order to catch the advanced attackers, the PROs, organizations need a different approach. By deploying decoys together with the other elements of Deception (breadcrumbs, network deception and Active Directory deception), organizations can prepare their environment for an attacker of any skill level.


- Yishai Gerstle
Security Researcher

- Guy Gilat
Head of Security Research