SANS Institute InfoSec Reading Room

This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

Deception Matters: Slowing Down the Adversary with illusive networks®

Deception is an effective defense against targeted attacks: it uses a false map of cyber assets to boost the odds of finding an adversary early and to limit overall damage. The adversary is tricked into a cyber rabbit hole of fake systems with fake libraries and DNS servers, counteracting the attacker's every move. In this review, SANS Fellow Eric Cole recounts his hands-on review of illusive networks' deception and protection capabilities to show cyber deception in action.

Copyright SANS Institute. Author Retains Full Rights.

A SANS Product Review
Written by Eric Cole, PhD
May 2017
Sponsored by illusive networks®
©2017 SANS™ Institute
Introduction

Based on the number of system breaches, the frequency of compromises and the amount of damage being caused, it’s clear adversaries have the advantage over organizations today. It is also evident that what organizations are doing to prevent breaches is not working, and that the amount of money being spent on security has little to no impact on slowing down attackers. One reason they have an advantage is they can easily create an accurate map of their targets and use it to traverse through sensitive systems, all while hiding under routine procedures and familiar traffic patterns. In addition, most defensive approaches are passive, meaning they wait for the adversary to make the first move.

To go on the offensive, organizations need to use the same stealth and deception their adversaries do. Instead of making it easy to find rich targets, what if attackers were provided a very realistic but false view of reality, starting with an incorrect road map of the network, applications and vulnerabilities? What if there were traps and pitfalls on every network and every system along that road map? This is the heart of deception: Provide the adversary a false sense of reality and take back the advantage.

TAKEAWAY: Deception is a game changer. The fundamental benefit of deception technology is that it creates an illusion of reality in which the adversary cannot differentiate between the two.

In this paper, instead of just extolling the benefits and advantages of deception, we explore how to put deception into action with a hands-on review of illusive networks’ deception technology. Using simulated scenarios, we detail how deception works in the real world to give defenders the advantage. In testing this product, we knew deception had been deployed and we actively looked for it. Instead, illusive networks’ technology found us (posing as malicious actors) first and monitored our every move.

No matter what adversaries do or try to do, they will inadvertently access and trigger an illusive deception and be monitored from the moment they begin their attack.
Benefits of Using Deception

If you think you have not been attacked in the past year, you are fooling yourself. Attacks are happening, as multiple SANS surveys point out,1 but you just aren’t looking in the right place. This is why organizations can be compromised for two to three years without detection—adversaries are stealthy, targeted, data-focused and programmed to sneak past most of the current security technology deployed today. Deception offers a twofold advantage:

• It provides so many additional targets that it greatly slows down adversaries, making it harder for them to compromise critical resources.
• It not only gives the defense more time to respond but allows for detailed monitoring of adversaries to see exactly what they are doing, how they are doing it and how to stop them.

These two advantages lead to the ultimate goals of security: detecting threats in a timely manner and minimizing the damage.

TAKEAWAY: With the threat vectors that exist today, organizations need to recognize that they are going to be compromised and be prepared to quickly detect threats and prevent damage.

Anatomy of a Typical Attack

Although attacks come in many variations and styles, the majority of them start through endpoints—particularly user endpoints—and then spread laterally through systems, looking to exploit richer and richer targets. Attackers also routinely attempt remote attacks directly against discovered devices such as DNS servers, web servers and other critical systems. They then steal data and credentials from the devices directly and also use them as launch points to spread laterally inside the network.
Phishing and email-based social engineering are the top means by which attacks penetrate organizations, according to the SANS 2017 Threat Landscape Survey.2 In the survey, 75 percent of respondents identified their most impactful threats as initially entering through an email attachment, while 46 percent also witnessed attacks that started with users clicking email links. To compromise the user’s system, the adversary must get the user’s password or exploit a vulnerability or exposure, such as a lack of error checking, an outdated service or an application vulnerability. After the system is compromised, the adversary usually performs further lateral movement, targeting other critical assets similarly across the network to map the network and locate the richest targets, such as Microsoft Exchange or database servers.

1 “Incident Response Capabilities in 2016: The 2016 SANS Incident Response Survey,” www.sans.org/reading-room/whitepapers/incident/incident-response-capabilities-2016-2016-incident-response-survey-37047
2 “Exploits at the Endpoint: SANS 2016 Threat Landscape Survey,” www.sans.org/reading-room/whitepapers/firewalls/exploits-endpoint-2016-threat-landscape-survey-37157
Beating Them at Their Game

Deception systems anticipate these movements and follow, log and interrupt them by turning real endpoints and servers on the network into deception machines when an attacker, attempting any of the aforementioned actions or others, trips the alarm. Meanwhile, the attacker cannot see the real machine, and all of the attacker’s activity is monitored in real time. For example, the bait might be exposing some connection history, credential data, adjacent systems and services in the data that is on the machine the attacker is on. When attackers try to validate the data or connect using the bait, detection turns on, and more and more deceptions—100 times more machines and accounts than actually present, for example—cause the attackers to waste cycles while never knowing they’ve been had.

The deployed deception comprehensively and strategically integrated with our review environment (a virtual host and server architecture), greatly increasing the attack surface for the attacker to fumble around in, as diagrammed in Figure 1.

Whatever adversaries try, they will unwittingly access a deception—and be monitored from the moment an attack begins.

Figure 1. Deceptive Attack Surface from the Attacker’s Perspective

At any time, security personnel monitoring the actions can lock out the attacker; some can be handled automatically through policy, while activities are logged and saved for future detection and response.
The illusive Deceptions Everywhere® Solution

Today, deception techniques are quite different from the honeypots of the past, in that deceptions are now more widely distributed, much more interactive with the attacker’s actions, and more difficult for attackers to detect. With illusive’s Deceptions Everywhere solution, deception is fully integrated across the entire network at multiple levels, with deception so realistic that it fooled us and is almost impossible to bypass.

Intelligent Policy

Deceptions Everywhere is an intuitive, easy-to-use management solution that allows deception techniques to be deployed in a scalable manner with minimal overhead. With a few point-and-clicks, we were able to deploy and configure deceptions across the simulated test environment. The solution also learns about and understands the environment, and then autonomously creates and deploys deception techniques that fit within the environment and are adaptive and updatable.

It then automatically deploys deceptive policy on each endpoint and server on the network, leveraging artificial intelligence (AI) to determine if a certain type of deception is appropriate or not on a per-endpoint basis.

TAKEAWAY: While the power of deception has always been recognized, the problem with wide-scale deployment stems from three main areas: scalability, manageability and believability. With illusive networks’ solution, these challenges have been solved.

The result is a deception deployment that is customized to every endpoint and server on the network to look even more realistic to the attacker. The environment is then monitored for any changes, new deception suggestions are automatically generated, and with just one click, the new deceptions are applied to the policy. See Figure 2.

Figure 2. User Names Generated for Deception Servers
Architecture

The Deception Management System™ (DMS) is responsible for deploying realistic deceptions across the network that adapt to the current environment, and the illusive Trap Server is the server attackers are sent to once alarms are triggered. Because the solution is agentless, it requires no modification to existing systems or installation of software for the trap servers to operate.

When we (acting as our mock attacker) attempted to use and access a server by trying to log in and access a share, we were sent to the Trap Server. From there, our mock attacker looked at connection history from the registry by dumping the browser database or employing search techniques on disk while using commands built into the operating system. All this activity, which is not usually detected by other security tools, triggered more deceptions and so on. See Figure 3.

In setting up the environment, it was obvious that Deceptions Everywhere is not a tool but rather a solution. In using the product, it was evident that it is a preconfigured plug-and-play solution. Network discovery is automatic, network analysis is built in, and it all deploys via a single mouse click.

Figure 3. Attacker in Action: illusive networks Adapting to the Adversary

The general environment we tested was a virtual machine environment that simulated a real-world environment. Also, we ran through several real-world case studies and capture-the-flag exercises to verify and validate the authenticity of illusive networks’ approach to deception.
Review and Use Case Scenarios for Deceptions Everywhere

The two areas that cause the biggest issues for CIOs are agent solutions and in-line devices. The illusive networks agentless solution is not in-line and requires no changes to an existing infrastructure.

Key Components of Deception

In testing the DMS, we took a four-part approach to deploying deception within our mock environment:

1. Analysis. For deception to be effective, it must be realistic and comprehensive, and cover all key areas of a network. If a deception technique is deployed on only the DMS or on open ports that are not being used by the organization, it is not believable and therefore not effective. When we worked with the solution, the product adapted to and understood the environment with minimal interaction.
2. Deployment. Deceptions are non-impactful on legitimate users and network and system operations, but impactful on the adversary. To slow down the adversary (us), illusive forced us to access multiple deception techniques.
3. Monitoring. From initial compromise to setting up a pivot point to lateral movement, all malicious activities were automatically monitored so proper action could be taken to control the overall damage. The illusive interface was easy to use and allowed us to quickly see the before-and-after analysis of what was deployed.
4. Adaptation. IT environments are always changing and adversaries are constantly learning, so deception must constantly be changing and adapting. As new servers are added to an environment, old servers are removed and the network is redesigned. As we made changes to the environment and deployed new legitimate systems in our review, the solution automatically adapted and changed the deception policy that was deployed.

TAKEAWAY: If attackers can avoid and bypass deceptions, such measures offer little value to the organization because they don’t slow down or catch the adversary.
Policy Management

The key to this solution is the policy deployment and management, which began with the DMS deployment, as stated earlier. First, it used artificial intelligence and various machine learning techniques to understand the environment, and automatically deployed deception techniques that mirrored and aligned with our review network infrastructure. See Figure 4.

Figure 4. Overview of Deception Techniques Deployed in the Test Environment
Then, it automatically monitored and adjusted the deception techniques for each device and server so we could focus on monitoring and tracking the adversary, as shown in Figure 5, and not on installing and maintaining deception patterns.

Figure 5. Deceptions Everywhere’s Adaptive Techniques, Tailored to Our Review Environment

The screenshot in Figure 5 shows the deception that was deployed and the activity of the adversary.

Machine Learning

DMS uses machine learning to engage each server or workstation and learn the unique activities of each system on the network. This information was used to generate deceptive policy reflecting the unique characteristics of the review environment. While the solution allows an organization to tune and adjust, it can also be implemented automatically with minimal administrator oversight. Initially we asked illusive’s interface to make all of the decisions, and it effectively deployed realistic deception measures across our mock environment.
For example, in our review, illusive’s DMS learned the conventions and standards of the virtual business and generated unique system names and usernames (targets for attackers) for use with deceptive services and credentials, as shown in Figure 6.

Figure 6. Deceptive Server Names that Were Automatically Created

We could choose to be involved in setup and customization as much or as little as we wanted. This indicated advancements in the maturity of deception technologies and their uses. The policy was then intelligently deployed and managed across the environments so that every endpoint and server had deceptive data that was unique and indistinguishable from the organic data on each machine (so it could not be guessed or detected).
Attacker View

To get a better view of the environment through the eyes of the adversary, illusive networks created Attacker View™. The following gives an overview of the “virtual” environment that is created by the DMS for attackers to fall into (see Figures 7 and 8).

Figure 7. Pre-deception Attacker View

Figure 8. Post-deception Attacker View
When we switched from our view to the Attacker View, we could see the fake network from an attacker’s perspective, and the relationships between systems and resources the attacker would map to. In security, one of the rules of success is that offense must inform the defense. We saw the attack vectors, represented by the blue circles. These represent the various deception techniques from extraneous servers, fake credentials and deception shares. The Attacker View shows the deceptive entities deployed in the environment that the attacker will try to take advantage of. By combining any mix of deceptive connection information with real or deceptive credential data, the attacker (us) is attempting to target real servers, but instead we are covertly sent to the deception that is deployed without our knowing it. Figure 9 shows the fake vectors used to attract our attacker.

Figure 9. Attacker View Revealing Attack Vectors

Attacker View allowed us to understand the real attack vectors by focusing on the risks that actually matter to our environment.
In Figure 10, Attacker View showed us the threat intelligence to make the right decisions around our attacker’s changing tactics.

Figure 10. Attacker View Displaying Deceptions While Tracking an Attack

Attacker View also allowed us to make on-the-fly changes to the environment and see the impact it had on the adversary in real time.

The illusive solution acted automatically, adapting with artificial intelligence to changes we added to the environment.

User View

In User View, we also explored how Administrative, Domain and Local User credentials naturally interact with the real environment. This impact analysis enabled us, acting as administrators rather than as attackers, to understand where concentrations of activity take place and how credentials are used in order to determine how deceptive and traditional security controls can be applied to the organization. See Figure 11.

Figure 11. User View Showing Administrator Privilege Abuse
Attack Scenarios

We started with Deceptions Everywhere turned off for our initial testing, and began exploiting the review environment and moving laterally across systems without being stopped. Within a short period, we were able to compromise several systems; had it been a real attack, we could have caused damage—for example, captured additional administrative credentials, accessed critical systems or exfiltrated sensitive data. We then performed similar exploitations and movements with illusive turned on and were easily detected by the system. As the attackers, however, we were unable to detect illusive—we became completely lost in the deceptive data without being able to differentiate between what was real and what was deceptive.

Deceptions Reviewed

While there are many variations, the three main deception methods utilized for this review were:

• Share deceptions. Attackers look for shares as an easy way into a system and sensitive information. Additional legitimate-looking shares were created by illusive to slow down our adversary (us), but also provided valuable insight into what the adversary was doing and attack methods.
• Credential deceptions. In this part of the review, we launched an elevation-of-privileges attack, to elevate access from a normal user to a privileged account such as root or admin. When attempting to do this in deceptive accounts, we felt frustration from the perspective of the attacker because it kept sending us down rabbit holes to research further. For the deception administrator it provided an early warning system to show what the adversary (us) was doing.
• File deceptions. We wanted to access critical data, which is in files. With deception deployed, this became almost an impossible task because it was difficult to distinguish between legitimate data and fake data, leading us to spend significant time harvesting fake information of little to no value.
Lost in the Deception

With deceptions now deployed, it was time to repeat our exploitation of the environment using the fundamental steps to gain access. Along the way, we were met with various deceptions, as described in Table 1:

Table 1. Malicious Actions and Deceptions

Malicious Actions Taken        Deceptions Deployed
Reconnaissance                 All deceptions
Scanning                       Share deceptions
Exploitation
  • Pivot points               Credential deceptions
  • Internal reconnaissance    Share deceptions
  • Internal scanning          File deceptions
  • Data exploitation          File deceptions
Creating back doors            All deceptions
Covering our tracks            All deceptions

Being a little skeptical, we were overly confident launching our attacks in the new environment. Convinced we had identified a path to bypass the deception, we spent time continuing our attack on what we thought were the legitimate systems. However, when we switched and checked the Attacker View, we were embarrassed: Not only was our analysis wrong, but we were caught red-handed by the illusive system. See Figures 12 and 13 to view illusive detecting our port scanning activities.
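The share, credential and file deceptions reviewed above, and the mapping in Table 1, rest on one property: no legitimate workflow ever uses a planted artefact, so any touch is a high-fidelity alert. The following is an added example of that defender-side logic, not illusive networks’ code; it checks constructed host events against an inventory of planted shares, credentials and files, groups touches per source host so an analyst sees the attacker’s path, and maps the touched types onto Table 1’s stages. All host names, user names, shares and paths are constructed sample values.

```python
"""Deception-touch detector (added illustration, not illusive networks' code).
Every planted share, credential and file shares one property: no legitimate
workflow uses it, so a single access is a high-fidelity alert. The script
checks constructed host events against an inventory of planted artefacts,
groups touches per source host, and maps the touched types onto the stages
of Table 1. All host names, users, shares and paths are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Planted artefacts (constructed). A real deployment would load these from
# the deception management system rather than hard-code them.
DECEPTIVE_SHARES = {r"\\fs-finance-02\budget$", r"\\hr-archive\payroll"}
DECEPTIVE_CREDENTIALS = {"svc_backup_ro", "adm_jmoore"}
DECEPTIVE_FILES = {r"C:\Users\Public\vpn_credentials.txt",
                   r"D:\Finance\Q4_forecast_internal.xlsx"}

# Case-insensitive lookup sets: Windows shares, paths and account names are
# not case-sensitive, and an attacker may type them in any case.
_INVENTORY = {
    "share_connect": ("share", {s.lower() for s in DECEPTIVE_SHARES}),
    "logon": ("credential", {c.lower() for c in DECEPTIVE_CREDENTIALS}),
    "file_open": ("file", {f.lower() for f in DECEPTIVE_FILES}),
}

# The Table 1 stage a touch of each deception type most often marks. This is
# a simplification: the table lists more than one stage for some types.
STAGE_OF = {"share": "scanning", "credential": "pivot point",
            "file": "data exploitation"}
STAGE_ORDER = ["scanning", "pivot point", "data exploitation"]


@dataclass(frozen=True)
class Event:
    ts: str      # ISO timestamp (constructed)
    src: str     # host the action originated from
    kind: str    # "share_connect", "logon" or "file_open"
    target: str  # UNC share, account name or file path


def classify(ev: Event) -> Optional[str]:
    """Return the deception type this event touched, or None if it used a
    real asset. Unknown event kinds are ignored rather than alerted on."""
    entry = _INVENTORY.get(ev.kind)
    if entry is None:
        return None
    dtype, planted = entry
    return dtype if ev.target.lower() in planted else None


def detect(events: List[Event]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group deception touches by source host, in time order.
    Returns {host: [(ts, deception_type, target), ...]}; an empty dict
    means nothing planted was touched."""
    hits: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        dtype = classify(ev)
        if dtype is not None:
            hits[ev.src].append((ev.ts, dtype, ev.target))
    return dict(hits)


def furthest_stage(host_hits: List[Tuple[str, str, str]]) -> str:
    """Triage a host by the furthest Table 1 stage its touches imply."""
    stages = {STAGE_OF[dtype] for _, dtype, _ in host_hits}
    return max(stages, key=STAGE_ORDER.index)


# Constructed sample events: WS-03 is a normal user, WS-17 is the attacker.
SAMPLE_EVENTS = [
    Event("2017-05-02T09:01:10", "WS-03", "share_connect", r"\\fs-finance-01\shared"),
    Event("2017-05-02T09:02:44", "WS-03", "file_open", r"D:\Finance\Q4_forecast.xlsx"),
    Event("2017-05-02T09:15:02", "WS-17", "share_connect", r"\\FS-FINANCE-02\budget$"),
    Event("2017-05-02T09:15:30", "WS-17", "logon", "svc_backup_ro"),
    Event("2017-05-02T09:16:05", "WS-17", "file_open", r"C:\Users\Public\vpn_credentials.txt"),
    Event("2017-05-02T09:20:00", "WS-03", "logon", "jdoe"),
]

if __name__ == "__main__":
    for host, touches in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: furthest stage = {furthest_stage(touches)}")
        for ts, dtype, target in touches:
            print(f"  {ts}  {dtype:10}  {target}")
```

Only WS-17 is reported, because WS-03 touched real assets only; the same logic applied to real telemetry gives the early-warning signal the credential deception bullet describes.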
Figure 12. Illusive User View Detecting Our Port Scan

Even though we knew the system was deployed and knew how the system worked, this advantage proved no match for illusive networks.

Figure 13. Illusive Forensic Analysis of Port Scan Attempt
Tracking and Metrics

A common shortcoming of many security solutions is that they promise great things but lack a way to track overall effectiveness. A valuable component of illusive’s solution is provision of a variety of metrics to track the benefit of the deployed deceptive measures. See Figure 14.

Taking deception to the next level of maturity, metrics enable large-scale management of deception measures.

The metrics revealed weaknesses and needed improvements, and informed us where to tune the deception measures to maximize the benefit of the illusive solution.

Figure 14. Overall Dashboard Showing the Metrics for the Deception

The illusive DMS platform revealed that our ability to detect an advanced attacker improved over time during our review. Attack surface information from the perspective of the adversary—such as number of lateral movement targets per endpoint or number of lateral movements to reach domain admin credential—was also provided.
Conclusion: Future of Deception

With many persistent, targeted attacks, prevention is in many cases postponing the inevitable, because the adversary will eventually get in. Therefore, security is going to be all about timely detection and damage control. Setting up a virtual world of confusion clearly slows down attackers and makes their job more difficult, but it is often forgotten that deceptions serve no legitimate purpose, meaning no one should be connecting to these deceptions. Because any connection to a deception is therefore suspect, the probability of an adversary touching at least one of the deceptive measures is very high, which allows for early detection capability.

TAKEAWAY: While deception was originally about slowing down the adversary, in the future it will move toward functioning as an early detection tool.

The illusive solution provides a comprehensive way to deploy deception across an environment with minimal to no human interaction. The deception is highly effective and covert, making it virtually undetectable when deployed within an existing environment. Even the most skilled adversary would access a deception technique, allowing for early detection of an attack.

Expect deception technology to gain wider use and become more tailored to and focused on an organization’s critical assets. If the database servers, the applications themselves and even the tables in the databases all have deception, it raises the difficulty of attacks to a whole new level of complexity.
About the Author

Eric Cole, PhD, is a SANS faculty fellow, course author and instructor who has served as CTO of McAfee and chief scientist at Lockheed Martin. He is credited on more than 20 patents, sits on several executive advisory boards and is a member of the Center for Strategic and International Studies’ Commission on Cybersecurity for the 44th Presidency. Eric’s books include Advanced Persistent Threat, Hackers Beware, Hiding in Plain Sight, Network Security Bible and Insider Threat. As founder of Secure Anchor Consulting, Eric puts his 20-plus years of hands-on security experience to work helping customers build dynamic defenses against advanced threats.

Sponsor

SANS would like to thank this paper’s sponsor: illusive networks®
Last Updated: October 15th, 2018