2 Proprietary and confidential

Lure. Deceive. Defeat. Benchmarking Offensive Deception Traps and Lures

John Cebulski Director of Sales Engineering, TopSpin Security


Welcome, No Ones.

As you know, GRRM Corp has been withholding the manuscript of the final book of the series from release in order to maximize profits from media outlets!

We believe the public deserves to get the original ending to the series in their lifetime and not to be tortured by alternate story lines. Therefore, we have decided to take action in the name of humanity and set the information free to the public!

After months of preparation, we have successfully infiltrated GRRM Corp and maintained persistence on a low-level employee's machine inside the GRRM corporate network.

It is your job to find and exfiltrate all 5 parts of the manuscript, then assemble and decrypt them so we can release it to the public! The information needs to be free!!!

Valar Morghulis!


Take your pick


Agenda

Deception in Post Breach Scenario?!

Putting Deception to the test

How to create deception

Research Results

Wrap up


Why are we talking about post breach detection?

Patchy perimeters + chaotic internal networks = fertile ground for attackers


There is no 100% prevention

(Diagram labels: Third-party tools; Hackers / Hacktivists; Employees; Partners / Customers; Shadow IT)


Attackers have the advantage - Or do they?

The defender’s main advantage is the fundamental control of information

Which leads to the ability to apply Deception


How Deception Works – Traps and Decoys

(Diagram, built up over two slides: Assets; then Decoys added alongside them; then Traps.)


Now wait a minute…

It seems nobody has checked whether it really works.

So we did…


Defining the research questions

Do attackers really take the bait?

What is the ideal deployment strategy?

Are decoys and traps effective in real-life scenarios?


Let the Games Begin

1. Build the environment (a workstation VLAN, a server VLAN, and one "infected" machine as the foothold)
2. Add data
3. Deception overlay
4. Build the challenge
5. Bring 'em on!


CTF – Stats & Scores

• Ran over a month
• Over 50 security professionals from all over the world
• 6-7 hours on average per player
• 34 malware samples
• ~1.9M log lines collected

Decorations (the environment's dressing): 1491 documents; 5532 emails; 29 users; 31 applications installed; 3 full browser profiles (Chrome, IE, FF); 2 corporate web applications; 2 databases; 1 DC; 1 DNS server; 1 private cloud service.

Hope I didn't forget anything…


Exploiting the Knowledge Gap

(Chart: average number of shell commands needed to solve the CTF, per phase. Bar values as extracted, Phase 1 through Phase 5: 600, 370, 120, 132, 14.)


The Knowledge Gap = the difference between the attacker's perception and reality

• The knowledge gap quickly decreases over time (but it always exists!)
• A knowledgeable attacker = a sophisticated attack
• Widen the gap -> increase the probability of detection


Trap Construction


Traps

Credentials
• Password and hash injections
• Windows Credential Manager
• Password managers

Applications
• Session apps (SSH, FTP, RDP clients…)
• Browsers (history, passwords, bookmarks)
• App uninstall information

Network
• Network table cache poisoning (ARP, DNS, NetBIOS)
• Mounted devices (network printers, cameras)
• (Half-)open connections to decoys

File based
• IT/corporate documents (txt, doc, xls, pdf…)
• Canaries
• Emails (as file or inside PST)
• Logs
• Databases
• Recent files
• Hosts and LMHOSTS files


File Based Traps

• Simplest trap, yet most versatile
• Understanding the organization is crucial

Examples shown: a plaintext configuration file; a guide on how to use the corporate VPN.


Who Opened My Files?

• Canary tokens, open sourced by the Canarytokens project


Emails

Most triggered trap! Triggered by 27% of contestants.


Wait… Can our users get in the way?


Permissions and System

• Hidden + System directory
• Locked to the Domain Admin user
• Files inside are unique traps
• Access to the folder is monitored by a canary
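Putting the file-trap, canary-token and hidden-folder slides together, here is an added example (written for this page; it is not TopSpin's or the Canarytokens project's code) of a folder canary and the log matcher that attributes a hit back to the trap it came from. It uses the same trick as a Canarytokens Windows folder token: a desktop.ini whose icon lives on a unique per-trap hostname, so merely opening the folder in Explorer makes the victim resolve that name. The canary zone, the BIND-style log format and the sample log lines are assumptions constructed for the demo.

```python
"""Folder canary: a hidden+system trap directory whose desktop.ini points
Explorer at an icon on a unique, per-trap hostname. Opening the folder makes
Windows resolve that name (DNS) and try SMB to it, which the defender logs.
Added example for this deck, not TopSpin's or Canarytokens' code; the token
domain and the log format are assumptions."""
import os
import re
import secrets
import tempfile

CANARY_DOMAIN = "canary.example.internal"   # assumption: a zone you control and log


def new_token() -> str:
    """Random 16-hex-char token, unique per trap so hits can be attributed."""
    return secrets.token_hex(8)


def desktop_ini(token: str) -> str:
    """desktop.ini body. IconResource on a UNC path makes Explorer fetch the
    icon over SMB; the name lookup alone is enough to fire the canary."""
    host = f"{token}.{CANARY_DOMAIN}"
    return (
        "[.ShellClassInfo]\r\n"
        f"IconResource=\\\\{host}\\share\\trap.ico,0\r\n"
        "[ViewState]\r\nMode=\r\nVid=\r\nFolderType=Generic\r\n"
    )


def plant_folder_trap(path: str, registry: dict) -> str:
    """Create the trap folder, write desktop.ini, record token -> path.
    The caller sets the attributes afterwards: on Windows,
    `attrib +s +h <path>` and `attrib +s +h <path>\\desktop.ini`
    (Explorer only honours desktop.ini in System or Read-only folders)."""
    token = new_token()
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, "desktop.ini"), "w", newline="") as fh:
        fh.write(desktop_ini(token))
    registry[token] = path
    return token


# Constructed sample DNS query log (BIND query-log style); not real data.
SAMPLE_DNS_LOG = """\
12-Mar-2017 09:14:02.110 queries: info: client 172.20.40.23#51234: query: 3f9a1c0d7e2b44aa.canary.example.internal IN A + (172.20.10.2)
12-Mar-2017 09:14:02.111 queries: info: client 172.20.40.23#51234: query: wpad.corp.local IN A + (172.20.10.2)
12-Mar-2017 09:16:40.003 queries: info: client 172.20.50.9#60001: query: 3f9a1c0d7e2b44aa.canary.example.internal IN AAAA + (172.20.10.2)
"""

QUERY_RE = re.compile(
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: "
    r"(?P<token>[0-9a-f]{16})\." + re.escape(CANARY_DOMAIN) + r" IN"
)


def canary_hits(log_text: str, registry: dict) -> list:
    """Return (source_ip, trap_path) for each query naming a planted token.
    Unknown tokens are ignored so a scanner guessing names cannot spam alerts."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("token") in registry:
            hits.append((m.group("src"), registry[m.group("token")]))
    return hits


def demo() -> dict:
    """Plant one trap in a scratch directory, then replay a constructed
    DNS log line naming its token through the matcher."""
    registry = {}
    path = os.path.join(tempfile.mkdtemp(), "vpn_configs")
    token = plant_folder_trap(path, registry)
    line = (f"12-Mar-2017 09:20:00.000 queries: info: client 172.20.40.23#50000: "
            f"query: {token}.{CANARY_DOMAIN} IN A + (172.20.10.2)")
    return {"token": token, "path": path,
            "ini_exists": os.path.exists(os.path.join(path, "desktop.ini")),
            "hits": canary_hits(line, registry)}
```

The registry is what turns a canary from "someone touched a trap" into "host 172.20.40.23 opened the fake VPN config folder"; keep it off the trapped hosts, since an attacker who finds the token-to-path map learns which files are bait.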


Arp Cache

• Static entries :-( (they show up as "static" in `arp -a`, so a careful attacker reads them as planted)
• SYN spoofing :-) (send traffic that appears to come from the decoy; the host then resolves the decoy's address itself and the entry appears as an ordinary dynamic one)
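An added example of the SYN-spoofing approach the slide hints at, written for this page rather than taken from TopSpin's tooling: it builds a raw TCP SYN frame that claims to come from a decoy's IP and MAC, verifies both checksums the way the target's stack will, and (on Linux, with CAP_NET_RAW) sends it over an AF_PACKET socket. The addresses, ports and interface name are constructed assumptions.

```python
"""ARP-cache seeding without static entries: send a TCP SYN that claims to
come from the decoy. To answer it (SYN-ACK or RST) the target must ARP for
the decoy, and the decoy's reply lands in the cache as a normal dynamic
entry, unlike `arp -s`, which is visibly 'static'. Added example; sending
needs root and Linux AF_PACKET, addresses are constructed."""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 when verifying
    a header that already carries a correct checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def build_syn(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
              sport: int, dport: int, seq: int = 0x1234) -> bytes:
    """Ethernet + IPv4 + TCP SYN frame with both checksums filled in."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"   # EtherType IPv4
    # ver/IHL, TOS, total len, id, DF flag, TTL, proto TCP, csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    # sport, dport, seq, ack, data offset 5 words, flags SYN, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(tcp)))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    return eth + ip_hdr + tcp


def parse_frame(frame: bytes) -> dict:
    """Decode what the target's stack will see; used to verify the builder."""
    ip = frame[14:34]
    tcp = frame[34:54]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return {
        "dst_mac": ":".join("%02x" % b for b in frame[0:6]),
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "proto": ip[9],
        "ip_csum_ok": checksum(ip) == 0,
        "dport": struct.unpack("!H", tcp[2:4])[0],
        "flags": tcp[13],
        "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }


def send_frame(frame: bytes, iface: str) -> int:
    """Linux only, needs CAP_NET_RAW. Returns the number of bytes sent."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(3)) as s:
        s.bind((iface, 0))
        return s.send(frame)


if __name__ == "__main__":
    # Constructed: decoy 172.20.40.6 "knocks" on the trapped workstation's SMB port.
    frame = build_syn("00:0c:29:aa:bb:cc", "00:0c:29:11:22:33",
                      "172.20.40.6", "172.20.40.23", 40000, 445)
    print(parse_frame(frame))
    # send_frame(frame, "eth0")   # uncomment on the decoy host, as root
```

The decoy must actually own the spoofed IP and answer ARP for it, otherwise the target's ARP request goes unanswered and nothing is cached; that is also why the frame carries the decoy's MAC rather than a random one.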


Common Applications

• Any application that contains credentials, locations or useful info
• Can be file or registry based; the application may be installed or not…
• How to create them? Leaked malware source is your friend: infostealer code enumerates which applications store credentials and where
• 200+ potential applications…


Browsers – Chrome Browsing History
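As an added example for the browser-history trap (not code from the deck), the following seeds decoy visits into a Chrome History database so that an attacker, or an infostealer, that dumps browsing history finds internal decoy hosts that look recently and repeatedly visited. Chrome's timestamp format and the TYPED page transition value are real; the decoy URLs, titles and the minimal schema used when no real profile exists are constructed for the demo.

```python
"""Seed decoy entries into a Chrome History database (an SQLite file under the
profile directory). Added example, not code from the deck; decoy URLs and the
minimal schema used for a fresh file are constructed."""
import os
import sqlite3
import tempfile
import time

WEBKIT_EPOCH_OFFSET = 11644473600   # seconds from 1601-01-01 to 1970-01-01
TRANSITION_TYPED = 0x30000001        # PAGE_TRANSITION_TYPED | CHAIN_START | CHAIN_END


def to_chrome_time(unix_seconds) -> int:
    """Chrome stores times as microseconds since 1601-01-01 UTC."""
    return int((unix_seconds + WEBKIT_EPOCH_OFFSET) * 1_000_000)


def from_chrome_time(chrome_us: int) -> float:
    return chrome_us / 1_000_000 - WEBKIT_EPOCH_OFFSET


# Subset of Chrome's History schema, enough for the tools that read urls/visits.
# Only takes effect on a fresh file; on a real profile these tables already exist.
MINIMAL_SCHEMA = """
CREATE TABLE IF NOT EXISTS urls(id INTEGER PRIMARY KEY AUTOINCREMENT,
  url LONGVARCHAR, title LONGVARCHAR, visit_count INTEGER DEFAULT 0 NOT NULL,
  typed_count INTEGER DEFAULT 0 NOT NULL, last_visit_time INTEGER NOT NULL,
  hidden INTEGER DEFAULT 0 NOT NULL);
CREATE TABLE IF NOT EXISTS visits(id INTEGER PRIMARY KEY AUTOINCREMENT,
  url INTEGER NOT NULL, visit_time INTEGER NOT NULL, from_visit INTEGER,
  transition INTEGER DEFAULT 0 NOT NULL, segment_id INTEGER,
  visit_duration INTEGER DEFAULT 0 NOT NULL);
"""

# Constructed decoy pages: (url, title, number of visits to fake, days old)
DECOY_PAGES = [
    ("http://172.20.40.6/", "IT Portal - Login", 7, 3),
    ("http://172.20.50.4/admin/", "Backup Console", 3, 9),
]


def seed_history(db_path: str, pages=DECOY_PAGES, now=None) -> int:
    """Insert decoy urls + visits. Chrome must be closed (it locks the file).
    Returns the number of visit rows written."""
    now = time.time() if now is None else now
    con = sqlite3.connect(db_path)
    con.executescript(MINIMAL_SCHEMA)
    written = 0
    for url, title, n_visits, days_old in pages:
        first = now - days_old * 86400
        # Spread the visits between `days_old` days ago and now, latest last,
        # so the entry looks like a page the user keeps coming back to.
        times = [first + i * (now - first) / n_visits for i in range(n_visits)]
        cur = con.execute(
            "INSERT INTO urls(url,title,visit_count,typed_count,last_visit_time)"
            " VALUES (?,?,?,?,?)",
            (url, title, n_visits, 1, to_chrome_time(times[-1])))
        url_id = cur.lastrowid
        for t in times:
            con.execute(
                "INSERT INTO visits(url,visit_time,transition,visit_duration)"
                " VALUES (?,?,?,?)",
                (url_id, to_chrome_time(t), TRANSITION_TYPED, 42_000_000))
            written += 1
    con.commit()
    con.close()
    return written


def read_history(db_path: str) -> list:
    """What an attacker's history dumper sees: (url, title, visits, last visit)."""
    con = sqlite3.connect(db_path)
    rows = con.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls"
        " ORDER BY last_visit_time DESC").fetchall()
    con.close()
    return [(u, t, c, from_chrome_time(lv)) for u, t, c, lv in rows]


def demo():
    """Seed a scratch History file and dump it back (fixed 'now' for stability)."""
    path = os.path.join(tempfile.mkdtemp(), "History")
    written = seed_history(path, now=1489309200.0)
    return written, read_history(path)
```

Seed the trap while the browser is closed and keep the decoy hosts' titles consistent with what the decoy actually serves; an attacker who visits 172.20.40.6 and sees something other than an "IT Portal" login has just had the knowledge gap closed for free.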


Windows Credential Manager


Credential Injection (DCEPT)

Puts honeytoken credentials into memory by calling the CreateProcessWithLogonW Windows API to launch a suspended subprocess with the LOGON_NETCREDENTIALS_ONLY flag.
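An added example of both halves of that technique, written for this page rather than taken from DCEPT or TopSpin: the planting half calls CreateProcessWithLogonW through ctypes with the flags the slide names (Windows only; the credentials are never sent to a DC, they just sit in LSASS for a credential dumper to find), and the detection half, which the slide implies but does not show, flags any authentication event naming a planted account. The honeytoken accounts and the event records are constructed samples.

```python
"""Honeytoken credential injection (the DCEPT technique) plus the matching
detection rule. Added example, not DCEPT's or TopSpin's code. Planting is
Windows-only; the event records below are constructed samples in the shape
of parsed Windows Security events."""
import ctypes
import sys

LOGON_NETCREDENTIALS_ONLY = 0x00000002   # same as `runas /netonly`
CREATE_SUSPENDED = 0x00000004            # the process never executes
CREATE_NO_WINDOW = 0x08000000


class STARTUPINFOW(ctypes.Structure):
    _fields_ = [("cb", ctypes.c_uint32), ("lpReserved", ctypes.c_wchar_p),
                ("lpDesktop", ctypes.c_wchar_p), ("lpTitle", ctypes.c_wchar_p),
                ("dwX", ctypes.c_uint32), ("dwY", ctypes.c_uint32),
                ("dwXSize", ctypes.c_uint32), ("dwYSize", ctypes.c_uint32),
                ("dwXCountChars", ctypes.c_uint32), ("dwYCountChars", ctypes.c_uint32),
                ("dwFillAttribute", ctypes.c_uint32), ("dwFlags", ctypes.c_uint32),
                ("wShowWindow", ctypes.c_uint16), ("cbReserved2", ctypes.c_uint16),
                ("lpReserved2", ctypes.c_void_p), ("hStdInput", ctypes.c_void_p),
                ("hStdOutput", ctypes.c_void_p), ("hStdError", ctypes.c_void_p)]


class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", ctypes.c_void_p), ("hThread", ctypes.c_void_p),
                ("dwProcessId", ctypes.c_uint32), ("dwThreadId", ctypes.c_uint32)]


def inject_honeytoken(user: str, domain: str, password: str,
                      exe: str = r"C:\Windows\System32\cmd.exe") -> int:
    """Plant domain\\user:password in a new logon session; returns the PID of
    the suspended host process. Keep that process alive (never resume or kill
    it) for as long as the token should stay in memory. Must be called from a
    normal user context, not from LocalSystem."""
    if sys.platform != "win32":
        raise OSError("CreateProcessWithLogonW is a Windows API")
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    fn = advapi32.CreateProcessWithLogonW
    fn.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_wchar_p,
                   ctypes.c_uint32, ctypes.c_wchar_p, ctypes.c_wchar_p,
                   ctypes.c_uint32, ctypes.c_void_p, ctypes.c_wchar_p,
                   ctypes.POINTER(STARTUPINFOW), ctypes.POINTER(PROCESS_INFORMATION)]
    fn.restype = ctypes.c_int
    si = STARTUPINFOW()
    si.cb = ctypes.sizeof(si)
    pi = PROCESS_INFORMATION()
    cmdline = ctypes.create_unicode_buffer(f'"{exe}"')   # API needs a writable buffer
    ok = fn(user, domain, password, LOGON_NETCREDENTIALS_ONLY, exe, cmdline,
            CREATE_SUSPENDED | CREATE_NO_WINDOW, None, None,
            ctypes.byref(si), ctypes.byref(pi))
    if not ok:
        raise ctypes.WinError(ctypes.get_last_error())
    return pi.dwProcessId


# --- detection half: any authentication naming a honeytoken account is an alert
HONEYTOKENS = {("GRRM", "svc_backup"), ("GRRM", "it.admin")}   # constructed
AUTH_EVENTS = {4624, 4625, 4768, 4771, 4776}                  # logon / Kerberos / NTLM

# Constructed records in the shape of parsed Windows Security events.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetDomainName": "GRRM", "TargetUserName": "jsnow",
     "IpAddress": "172.20.40.23", "Computer": "WS-0042"},
    {"EventID": 4625, "TargetDomainName": "GRRM", "TargetUserName": "svc_backup",
     "IpAddress": "172.20.40.23", "Computer": "SRV-FILE01"},
    {"EventID": 4768, "TargetDomainName": "GRRM.LOCAL", "TargetUserName": "it.admin",
     "IpAddress": "::ffff:172.20.40.23", "Computer": "DC01"},
]


def honeytoken_alerts(events, tokens=HONEYTOKENS) -> list:
    """(source, DOMAIN\\user, event id) for each auth event naming a planted
    account. Domain is compared on its NetBIOS part so DNS names match too."""
    wanted = {(d.upper(), u.lower()) for d, u in tokens}
    alerts = []
    for ev in events:
        if ev.get("EventID") not in AUTH_EVENTS:
            continue
        dom = ev.get("TargetDomainName", "").split(".")[0].upper()
        usr = ev.get("TargetUserName", "").lower()
        if (dom, usr) in wanted:
            src = ev.get("IpAddress", "").replace("::ffff:", "")
            alerts.append((src, f"{dom}\\{usr}", ev["EventID"]))
    return alerts
```

The planted accounts should not exist in the directory at all, so every match above is a failed logon (4625 / 4771) that no legitimate process could have produced; that is what makes the alert high fidelity.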


Guidelines for making a good trap

• Non-intrusive
• Low attack surface
• Blends in


CTF – Stats & Scores

Deception numbers
• 177 traps: 61 files, 12 applications, 10 IoT, 27 emails, 2 network, 26 credentials, 39 canaries
• 11 decoys
• 95 decoy services

Only one clear winner emerged (and has the drone to prove it!)


Who Took My Bait?

• Traps consumed 340 times
• Overall 62% of traps laid were consumed
• Consumed-traps distribution (hits per consumed trap): average 3.09, max 21, min 1

(Chart: consumed-trap count and % of unique traps touched, per trap type. Trap types: App, Email, File, IOT, Credential, Canary, Network; percentages as extracted, in that order: 90%, 70%, 64%, 50%, 38%, 18%, 50%. Second panel: distribution of hits per consumed trap.)


Who Took My Bait?

• Malware and human attackers present different behavior patterns
• Each human attacker triggered ~10.5 traps
• No one trap type covers all attackers.

(Chart: percentage of attackers that consumed each trap type, App, Email, File, IOT, Credential, Canary, Network; human attackers vs. malware.)


One Man's Gap

Decoy IP / Service ("?" marks as on the final build of the slide):

172.20.40.4  RDP/3389
172.20.40.6  FTP/21
172.20.40.6  RDP/3389  ?
172.20.40.6  SMB/445   ?
172.20.40.6  HTTP/80   ?
172.20.50.4  RDP/3389
172.20.50.4  SMB/445   ?
172.20.50.4  HTTP/80
172.20.50.6  FTP/21
172.20.50.6  SMB/445   ?

• Attacker "expands his horizons"
• The information gap gets wider as the attacker gets tangled in the decoys
• Total time wasted > 4H


Passwords

• Attackers treat credentials as a holy grail.
• They act as an amplifier.
• Attackers found an average of 2 credentials each.
• Every password found was used in 2.5 places on average.
• Max: one password used in 11 different places.


ARP "Poisoning"

• Interaction with traps built into the ARP cache increased the likelihood of tapping a decoy by 14%.

(Chart: contestants who accessed the ARP table: 66% tapped a decoy, 34% did not. General population: 52% tapped a decoy, 48% did not.)


Decoy Access

• Contestants interacted with 9.7 different decoy services on average

(Chart: decoy access by popular service group, logarithmic scale.)


High Interaction Decoy Services

• 4 high-interactivity decoy accesses per attacker
• Attackers had a hard time differentiating between decoy and real machines.

(Chart: decoy access, high-interactivity events only, logarithmic scale.)


Detection by engine (labels and values as extracted): Decoys 38%; Data analysis 66%; Canaries 25%; multiple detection engines combined: 100% detection.


Wrap up

• Deception increases the attacker's knowledge gap; the bigger it is, the easier the attacker is to detect
• Diversity is key to getting coverage on all types of attacks; traps and decoys tailored to the organization
• The end goal is detection, not deception! Relying on multiple detection mechanisms will increase detection effectiveness


Thank You…

Questions??
