As we saw in our previous blogpost, creating a knowledge gap for your attackers allows you to divert them and slow them down in their quest for information. At the same time, knowing what attackers desire creates the opportunity for an active, intelligent defense to lure, detect, and defend. This can be done with the help of popular decoys and breadcrumbs/ lures which allow us to engage attackers and capture their attention. The information and results below came from a capture the flag exercise using deception defenses with over 50 white-hat attackers and a dozen malware types challenged to find five pieces of information for increasingly technical challenges.
The knowledge gap concept taught us that attackers quickly reduce their noise level and exposure to evade detection. While the first challenge required 600 commands on average, the fifth challenge only required 14 commands on average as attackers reduced their knowledge gap for the environment and became more effective in achieving their objectives.
The exercise also included deception defenses with a variety of breadcrumbs as lures to decoys, plus traps, and beacons. These breadcrumbs make deception defenses deterministic versus legacy honeypots waiting to be found statistically. Decoys also run services to engage attackers thus consuming their time to slow attacks and diverting them from real assets, resources, and data. For the exercise the following services were made available: TCP, UDP, SMB, HTTP, ICMP, RDP, FTP, MYSQL, SMTP, and SSH.
So what are the most popular breadcrumbs (or traps) and decoys for deception defenses?
For the capture the flag exercise, 10 decoys in a mix of desktops and servers with 95 decoy services were a part of the deception layer embedded in a real network environment. Some decoy services were open ports while others were full-blown services appearing to run real applications for interaction with attackers. The deception layer also comprised of 177 breadcrumbs and traps including: files, beacon/canary traps, email, credentials, applications, IoT devices, and network traps. The chart below shows the consumption of these traps and breadcrumbs.
In the graph above, the number below each trap type indicates the total number within the deception layer – for example there were 27 email breadcrumbs while only two network traps. All traps and breadcrumbs were touched within the exercise with the most popular being files, email, and applications (App) for total touch count. The orange dots represent the percentage of unique traps or breadcrumbs touched in the exercise. For example, 64 percent of the 61 file breadcrumbs had unique touches. On average each attacker interacted with nearly 10 decoy services. Variety is also important as no decoy had more than 47 percent of activity in the exercise.
As a general observation attackers desire access credentials, even more so at administration levels to then move laterally within a network environment. In the exercise two methods surfaced observing interaction with decoys and breadcrumbs. The first method was characterized as sloppy attacks using scanners with pings and SYNs creating non-interactive noise that was fairly easy for decoys to detect. The second method was more sophisticated focusing on specific decoys with high interaction often for hours. The lesson from the second method is that breadcrumb and decoy variety is important with live interactive services on decoys to engage attackers. The more realistic the deception layer, the more value it provides as a detective defense.
For the next blog in this series we will address the differences in human versus malware attacks, or man versus machine.