Cyber attacks are not single events; they’re processes. When attackers first access a network or endpoint, they don’t know where they are, so they carefully try to find out as much as possible about the organization. This is precisely the behavior that intelligent deception technology can exploit in order to thwart attackers and protect organizations.
We covered Active Directory and credential breadcrumbs in the previous posts (post 1 and post 2). Now we look at file and data breadcrumbs and how they can be important elements in your intelligent deception program.
File & Data Breadcrumbs
File-based breadcrumbs are some of the simplest and most versatile deception elements available. File and data breadcrumbs can include deception elements such as documents, emails, database entries and recent-file-list links that point to shared folders on the decoy systems. Documents that are created and placed on real machines include information about decoy systems that look interesting to attackers. They can also contain passwords and credentials, for example for servers and accounts in the organization, that make tempting targets and reconnaissance finds for would-be attackers.
Since each organization is different, it is ideal when these file and data breadcrumbs appear as real as any other organizational content. Documents, naming conventions, and templates should be customized with the actual logos and usernames from the customer while simultaneously pointing to decoys. Common examples include:
- A text file of some application configuration that contains a username and password
- A technical document common to every organization, such as instructions of how to connect to the corporate VPN
- IT/Corporate documents (txt, doc, xls, pdf, etc.)
When an attacker accesses documents, emails or other data contained in these kinds of breadcrumbs, they are directed toward decoys and away from protected systems.
This has the effect of both increasing the attacker’s activity footprint and thwarting them in their attempts to locate sensitive information.
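The following added example (not from the original post or any vendor product) generates the application-config breadcrumb from the list above with a username unique to each endpoint, then matches decoy login attempts back to the machine the file was read from. The decoy host name, account naming scheme, per-endpoint registry and log format are assumptions made for illustration.

```python
import secrets

# Assumed decoy host name (constructed, not from the original post).
DECOY_HOST = "fin-db02.corp.example"

def make_breadcrumb(endpoint, registry):
    """Build a config-file breadcrumb for one real endpoint.

    The username is unique per endpoint, so any later use of it against
    the decoy identifies the machine the file was read from.
    """
    user = f"svc_backup_{secrets.token_hex(3)}"   # hypothetical naming scheme
    password = secrets.token_urlsafe(12)          # decoy-only secret
    registry[user] = endpoint
    return (
        "[database]\n"
        f"host = {DECOY_HOST}\n"
        "port = 5432\n"
        f"username = {user}\n"
        f"password = {password}\n"
    )

def triage(decoy_log_lines, registry):
    """Return one alert per decoy login attempt that used a planted username."""
    alerts = []
    for line in decoy_log_lines:
        # Assumed key=value log format emitted by the decoy.
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        endpoint = registry.get(fields.get("user"))
        if endpoint:
            alerts.append({"breadcrumb_on": endpoint,
                           "source_ip": fields.get("src"),
                           "user": fields["user"]})
    return alerts

if __name__ == "__main__":
    registry = {}
    for ep in ("WS-ACCT-014", "WS-HR-007"):       # constructed endpoint names
        print(make_breadcrumb(ep, registry))
    planted = next(u for u, e in registry.items() if e == "WS-HR-007")
    # Constructed decoy authentication log lines.
    log = [
        "ts=2024-05-01T10:00:00Z event=login_failed user=postgres src=10.0.5.23",
        f"ts=2024-05-01T10:00:04Z event=login_failed user={planted} src=10.0.5.23",
    ]
    print(triage(log, registry))
```

Because the planted account exists nowhere else, a single hit in `triage` is a high-confidence signal and names both the source address and the endpoint whose files were read.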
A Word About Emails
Email messages have an important role as breadcrumbs in a deception system. Despite the ease with which emails can be read, they are still used extensively to transmit sensitive data from one person to another. In other words, emails are often high on an attacker’s reconnaissance list because of the sensitive data they all too often contain. Furthermore, emails are more often accessed by the attackers themselves than by automated malware they have deployed. This affords emails a high degree of credibility with attackers and makes them excellent deception breadcrumbs.