Modern Cyber Defense — Part 4 — Active Defense and Cyber Deception
Before you start here, it will be a good idea to read the first three parts because I tend to build up upon the content. However, it is not mandatory and I will be happy even if you read this one and hopefully, take something back with you.
I wrote a little about this in Part 3 of this Article series. However, this topic deserves its own detailed article.
Cyber Defense is a technological challenge, but more than that, it is a psychological challenge. It’s about motivations. What motivates an attacker to target you? What motivates you to defend yourself? There are many possible answers and in those answers, lie the right solution when deciding where to invest your limited funds so as to extract the maximum returns on those investment. For example, you would perhaps deploy some standard tools with default settings if the only threat was routine automated scanners or spammers. But the same will not suffice if the threat is from targeted attacks. You will need some advanced cyber defense capabilities to defend against targeted attacks.
Guess what? The same applies to the attackers. They want to be lazy. Unless you are strictly in their crosshair, they are looking to make an easy buck through easy exploitation and post exploitation. They do not want to duel with mature cyber organizations. They would rather have a quick win than a difficult one. And that’s their weakness that we can take advantage of.
So, think about it. Do you have to be the most secure organization in the world (and spend top dollars to achieve it)? Or you have to have just sufficient controls that make the job of the attackers difficult enough for them to look for other easier targets. Okay, so now the challenge is to define the “sufficient”. How much is “sufficient” for your organization?
By now, most organizations have (hopefully) deployed enough technologies and solutions to be able to defend against routine standard non-personalized attacks. These would include tools and techniques such as AV/EPP, perimeter devices such as firewall, IPS/ IDS, Proxy etc., WAF, OS hardening, minimum baseline configuration, email security etc. This approach would defend against many standard routine attacks and should provide sufficient resiliency against these.
However, as discussed in Part 3, attackers are changing the game. Even routine attacks have some degree of customization on a per target basis, enough to bypass signature based detections. These attacks also will succeed against IoC based cyber threat intelligence implementations.
So what more can we do beyond the standard tools and techniques listed above?
First things first. Almost all the tools deployed in modern enterprises are extremely capable with multitude of features. However, they typically tend to be extremely underutilized. We typically utilize only the most basic of those features. Also, the configurations provide enough flexibility. But we do not usually get into advanced configurations. We can start by exploring existing tools and techniques and discovering their capabilities against advanced attacks. Thereafter, we can implement these configurations and capabilities as per our business risk.
Secondly, whilst filling the discovered gaps in your defensive network architecture, look to leverage extensibility features of existing solutions. Many a times we invest in completely new product or technology to solve a problem. The new tool provides many features, many of which are duplicated in existing products. That’s not optimal investment. We should first explore how the identified risk can be solved using existing solutions, even if it requires some additional licensing or additional modules. This will reduce both Capex and Opex.
Finally, coming to the main point of this article; identify and implement strategic solutions that can frustrate attackers enough for them to go search for some other potential target. These can be cyber deception technologies. Some of these like honeypots have been widely used for long as a passive tool within limited research organizations or AV vendors or large enterprises. These are also good source for detection and response as well as in detecting attacker behavior and their TTPs (tactics, techniques and procedures). But cyber deception, as a technology has not seen widespread use. There are some, including the highly respected Brian Krebs (see below), who consider cyber deception technologies only for those who are already at their most mature.
That 99% thing? That’s not happening anytime soon. Does that mean cyber deception is a bad idea? Not at all. Krebs may have a point here, but like everything else, reality is not binary, black or white; do or don’t; one or zero. No, reality is always grey. There are always things that can be done to improve the cyber defense posture.
Some of these are extremely simple. Consider canary tokens. These are unique identifiers that can be embedded in different places in your environment. If they are touched, an alert is triggered which provides extremely targeted and specific intelligence about YOUR attacker who is operating as of this very moment. Consider this example using the freely available tool at https://canarytokens.org/generate;
- Generate any token of your choice which can range from web bug, email address, DNS token, word or PDF document, binaries, QR codes, AWS keys and many more. Check them out.
- In this example, I created an AWS token to reflect the recent surge of AWS key scraping attacks wherein attackers look for exposed AWS tokens in code repositories or elsewhere. What’s better! This does not have to be an actual bucket.
- Paste this token somewhere where potential attackers will trip such as code repository or in a document somewhere. When an attacker trips, an alert is generated.
- I simulated an attacker by using a random online AWS S3 Bucket browser (https://www.filestash.app/aws-s3-explorer.html) and supplied the key id and secret from the token. The browser told me this was a non existent bucket. That’s what an attacker will see and will possibly wonder why does a key exist without a bucket.
- Which triggered the token and sent an alert to the provided email address.
- Now consider this. When this token gets triggered, it tells you that someone who has no business looking for your AWS buckets, has been snooping around. The reason is that this bucket does not exist and these are not valid credentials. So legitimate users have no use for these credentials. That alert provides absolute assurance that YOU are the target and the attacker IP is revealed, which can be further contextualized. Compare this with some random threat intelligence feed which will provide a list of IP addresses. You can read more about that in my Part 3 article.
- Now imagine, placing many of these tripwires such as a word document titled passwords or admin_creds on critical servers within obscure directories. When they get triggered, you have probably caught a pen tester or a potential attacker.
Or, consider this yet another example. Phishing has become a great threat for enterprises and the favored initial access method for attackers. Typical phishing campaigns start with cloning a legitimate website, weaponizing it and using it to fool unsuspecting users. A cloned website token fires an alert moment someone visits that cloned website, giving you advanced knowledge of potential attack before the attacker launches the attack. You could possibly take defensive actions against the potential attacker before the attack.
Or, imagine this. You create some fake users in your Active Directory. Not fake really but these have no legitimate use. Name them something enticing such as ***admin or any other admin naming convention for your environment. To entice even hardened criminals, add these users to the Domain Admin group but ensure their ‘Logon Hours’ are set to never. You do not want anyone ever logging in with these accounts. Then create a SIEM alert for any failed login for these accounts. Also monitor any change to the account to look for sabotage attempts. When attackers try many of the credential attacks like TA0006 (https://attack.mitre.org/tactics/TA0006/), they trip on it and get caught. Some additional techniques can also be implemented using CredDefense Toolkit, available at https://github.com/CredDefense/CredDefense. I highly recommend looking at that.
Let us take that concept a little further. The techniques discussed so far were passive and relied on detecting attacker actions. What if we could actively engage with the attacker and annoy or deceive them? I like how John Strand explains this in the slide below. The Blue circles are classic cyber kill chain and the red arrows are actions we can take at various stages in the kill chain to disrupt the attacker. Remember, modern cyber defense suggests that we still win if we can prevent the attacker from achieving the final objective.
Annoyance
The goal of annoyance is to slow down the attacker and increase their work effort in realizing their objectives.
Consider honeyports (https://github.com/gchetrick/honeyports). Create a non-legitimate listening port on an external facing legitimate non-important server that are favorite for remote attacks; say telnet or ssh or anything else. We do not have to have these services installed. Just a fake service that listens on that port using tools like honeyports. When an attacker runs recon scan against this server, observes this open port and tries to communicate, automatically block that IP at your perimeter so that all further actions are blocked. Why can we automatically block it with so much confidence? Because this is a potential malicious action targeted against YOUR enterprise as of this moment. Threat intelligence does not get better than this. Remember, most pentesters and malicious attackers would typically start with reconnaissance scans and that is when we block them; before they can cause real damage. Some of the modern commercial firewalls have some of the deception capabilities. Keep this in mind while purchasing your next firewall or check if your NGFW already has this capability and configure it.
Let us take this further. Instead of simply frustrating the attacker by blocking their IP address, which they can possibly identify after a few frustrating hours and change their tactics, let us interact with them and feed them white noise. Confuse them. Mix fake data with real data so that they no longer know what to attack.
A tool that does that beautifully is PortSpoof. The Portspoof program primary goal is to enhance your systems security through a set of new camouflage techniques. As a result of applying them your attackers’ port scan result will become entirely mangled and to very significant extent meaningless. Imagine scanning a system and every port responds that it is up and running some service. All scanning tools will try to enumerate those services by running additional checks and that takes time. Do this over 65536 ports and suddenly scanning one server takes days instead of seconds.
Imagine the frustration of the attacker who just setup a 1000 server automated scan, expecting it to finish in a few hours, and then having to wait forever for it to finish. You do not have to run PortSpoof on any production system. It can just be a dedicated non production system within the IP subnet of the production systems. There are videos in the link above that demonstrate the awesome power of this tool.
This can go on and on. There are so many tools out there that can be innovatively used in an enterprise to really frustrate pen testers and potential malicious attackers. And sorry Brian Krebs, but this does not have to wait until achieving 99% maturity.
BHIS have a great distribution called Active Defense Harbinger Distribution (ADHD), a great collection of active defense tools neatly categorized as credentials, annoyance, attribution and attack. Be extremely careful on the legal aspects of using these tools, especially in the attribution and attack categories. It is never a good idea to attack back, unless you are backed by a nation state and have full legal authority to do so. More information is available at https://adhdproject.github.io/#!index.md.
As usual, the tools mentioned in this article are freely available and can be used for testing these concepts in your network. If you need more features or support, there are many commercial tools offering similar capabilities. As always, the real deal is in implementing them properly rather than just buying the right tool.
This article has already turned out longer than I expected. However, in conclusion, I would like to mention the MITRE SHIELD framework. As much as ATT&CK is a dynamic repository of adversary TTPs, Shield is a repository of active defense tactics and techniques to organize and navigate what we know about adversary engagement and counter defense measures. While ATT&CK tactics categorizes by stage of hack, Shield tactics categorizes defender options viz. collect, contain, disrupt, etc. Each tactic contains multiple techniques which is further expanded upon to display tactic opportunity (DO), use case (DU), procedure (DP) and associated ATT&CK technique (T####). The best part I like about Shield framework is the mapping of Shield and ATT&CK frameworks at https://shield.mitre.org/attack_mapping/mapping_all.html.
For the first time, defenders have a roadmap to follow and understand the attacker TTPs that they can be effective against. I expect that the Shield framework will mature to an extent within the next few years where it will start appearing in RFPs and procurement decisions. If you need to know more, this is a good article https://blog.fuelusergroup.org/introducing-mitre-shield.
Many of the ideas here was acquired by me during my occasional readings, but mostly from the fantastic 4 hour course on this topic by BHIS that I attended a few months back. That entire recording is available on YouTube at the following links.
You can also check out this concise view on Getting Started with Cyber Deception at:
