SANS Institute InfoSec Reading Room - SANS.org
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Interested in learning more
about cyber security training?
SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Deception Matters: Slowing Down the Adversary with
illusive networks®
Deception is an effective defense against targeted attacks that leverages a false map of cyber assets to boost
the odds of finding an adversary early and mitigate overall damage. The adversary is tricked into a cyber
rabbit hole of fake systems with fake libraries and DNS servers, counteracting the attacker's every move. In
this review, SANS Fellow Eric Cole recounts his review of illusive networks' deception and protection
capabilities to show cyber deception in action.
Copyright SANS Institute
Author Retains Full Rights
Deception Matters: Slowing Down the Adversary
with illusive networks®
A SANS Product Review
Written by Eric Cole, PhD
May 2017
Sponsored by
illusive networks®
©2017 SANS™ Institute
Introduction
Based on the number of system breaches, the frequency of compromises and the amount
of damage being caused, it’s clear adversaries have the advantage over organizations
today. It is also evident that what organizations are doing to prevent breaches is not
working, and that the amount of money being spent on security has little to no impact
on slowing down attackers. One reason they have an advantage is they can easily create
an accurate map of their targets and use it to traverse through sensitive systems, all while
hiding under routine procedures and familiar traffic patterns. In addition, most defensive
approaches are passive, meaning they wait for the adversary to make the first move.
TAKEAWAY: To go on the offensive, organizations need to use the same stealth and deception their
Deception is a game changer. adversaries do. Instead of making it easy to find rich targets, what if attackers were
The fundamental benefit of provided a very realistic but false view of reality, starting with an incorrect road map of
the network, applications and vulnerabilities? What if there were traps and pitfalls on
deception technology is that
every network and every system along that road map? This is the heart of deception:
it creates an illusion of reality
Provide the adversary a false sense of reality and take back the advantage.
in which the adversary cannot
In this paper, instead of just extolling the benefits and advantages of deception, we
differentiate between the two.
explore how to put deception into action with a hands-on review of illusive networks’
deception technology. Using simulated scenarios, we detail how deception works in the
real world to give defenders the advantage.
In testing this product, we knew deception had been deployed and we actively looked
for it. Instead, illusive networks’ technology found us (posing as malicious actors) first
and monitored our every move. No matter what adversaries do or try to do, they will
inadvertently access and trigger an illusive deception and be monitored from the
moment they begin their attack.
SANS ANALYST PROGRAM
1 Deception Matters: Slowing Down the Adversary with illusive networks®
Benefits of Using Deception
If you think you have not been attacked in the past year, you are fooling yourself. Attacks
are happening, as multiple SANS surveys point out,1 but you just aren’t looking in the
right place. This is why organizations can be compromised for two to three years without
detection—adversaries are stealthy, targeted, data-focused and programmed to sneak
past most of the current security technology deployed today.
Deception offers a twofold advantage:
• It provides so many additional targets that it greatly slows down adversaries,
making it harder for them to compromise critical resources.
• It not only gives the defense more time to respond but allows for detailed
monitoring of adversaries to see exactly what they are doing, how they are doing it
and how to stop them.
These two advantages lead to the ultimate goals of security: detecting threats in a timely
TAKEAWAY: manner and minimizing the damage.
With the threat vectors that
exist today, organizations need Anatomy of a Typical Attack
to recognize that they are Although attacks come in many variations and styles, the majority of them start through
going to be compromised and endpoints—particularly user endpoints—and then spread laterally through systems,
looking to exploit richer and richer targets. Attackers also routinely attempt remote
be prepared to quickly detect
attacks directly against discovered devices such as DNS servers, web servers and other
threats and prevent damage.
critical systems. They then steal data and credentials from the devices directly and also
use them as launch points to spread laterally inside the network.
Phishing and email-based social engineering are the top means by which attacks
penetrate organizations, according to the SANS 2017 Threat Landscape Survey.2 In the
survey, 75 percent of respondents identified their most impactful threats as initially
entering through an email attachment, while 46 percent also witnessed attacks that
started with users clicking email links.
To compromise the user’s system, the adversary must get the user’s password or exploit
a vulnerability or exposure, such as a lack of error checking, an outdated service or
an application vulnerability. After the system is compromised, the adversary usually
performs further lateral movement, targeting other critical assets similarly across the
network to map the network and locate the richest targets, such as Microsoft Exchange
or database servers.
1
“ Incident Response Capabilities in 2016: The 2016 SANS Incident Response Survey,”
www.sans.org/reading-room/whitepapers/incident/incident-response-capabilities-2016-2016-incident-response-survey-37047
2
“ Exploits at the Endpoint: SANS 2016 Threat Landscape Survey,”
www.sans.org/reading-room/whitepapers/firewalls/exploits-endpoint-2016-threat-landscape-survey-37157
SANS ANALYST PROGRAM
2 Deception Matters: Slowing Down the Adversary with illusive networks®
Benefits of Using Deception (CONTINUED)
Beating Them at Their Game
Deception systems anticipate these movements and follow, log and interrupt them
by turning real endpoints and servers on the network into deception machines when
an attacker, attempting any of the aforementioned actions or others, trips the alarm.
Meanwhile, the attacker cannot see the real machine, and all of the attacker’s activity is
monitored in real time.
For example, the bait might be exposing some connection history, credential data,
adjacent systems and services in the data that is on the machine the attacker is on.
When attackers try to validate the data or connect using the bait, detection turns on,
and more and more deceptions—100 times more machines and accounts than actually
present, for example—cause the attackers to waste cycles while never knowing they’ve
been had.
Whatever adversaries The deployed deception comprehensively and strategically integrated with our review
try, they will environment (a virtual host and server architecture), greatly increasing the attack surface
for the attacker to fumble around in, as diagramed in Figure 1.
unwittingly access a
deception—and be
monitored from the
moment an attack
begins.
Figure 1. Deceptive Attack Surface from the Attacker’s Perspective
At any time, security personnel monitoring the actions can lock out the attacker; some
can be handled automatically through policy, while activities are logged and saved for
future detection and response.
SANS ANALYST PROGRAM
3 Deception Matters: Slowing Down the Adversary with illusive networks®
Benefits of Using Deception (CONTINUED)
The illusive Deceptions Everywhere® Solution
Today, deception techniques are quite different than honey pots of the past, in that
deceptions are now more widely distributed, much more interactive with the attacker’s
actions, and more difficult for attackers to detect. With illusive’s Deceptions Everywhere
solution, deception is fully integrated across the entire network at multiple levels, with
deception so realistic that it fooled us and is almost impossible to bypass.
Intelligent Policy
Deceptions Everywhere is an intuitive, easy-to-use management solution that allows
deception techniques to be deployed in a scalable manner with minimal overhead.
With a few point-and-clicks, we were able to deploy and configure deceptions across
the simulated test environment. The solution also learns about and understands the
environment, and then autonomously creates and deploys deception techniques that fit
TAKEAWAY: within the environment and are adaptive and updatable.
While the power of deception
It then automatically deploys deceptive policy on each endpoint and server on the
has always been recognized, network, leveraging artificial intelligence (AI) to determine if a certain type of deception
the problem with wide- is appropriate or not on a per-endpoint basis.
scale deployment stems
The result is a deception deployment that is customized to every endpoint and server
from three main areas: on the network to look even more realistic to the attacker. The environment is then
scalability, manageability monitored for any changes, new deception suggestions are automatically generated,
and believability. With illusive and with just one click, the new deceptions are applied to the policy. See Figure 2.
networks’ solution, these
challenges have been solved.
Figure 2. User Names Generated for Deception Servers
SANS ANALYST PROGRAM
4 Deception Matters: Slowing Down the Adversary with illusive networks®
Benefits of Using Deception (CONTINUED)
Architecture
The Deception Management System™ (DMS) is responsible for deploying realistic
deceptions across the network that adapt to the current environment, and the illusive
Trap Server is the server attackers are sent to once alarms are triggered. Because the
solution is agentless, it requires no modification to existing systems or installation of
In setting up the software for the trap servers to operate.
environment, it When we (acting as our mock attacker) attempted to use and access a server by trying to
was obvious that log in and access a share, we were sent to the Trap Server. From there, our mock attacker
looked at connection history from the registry by dumping the browser database or
Deceptions Everywhere
employing search techniques on disk while using commands built into the operating
is not a tool but rather
system. All this activity, which is not usually detected by other security tools, triggered
a solution. In using more deceptions and so on. See Figure 3.
the product, it was
evident that it is a
preconfigured plug-
and-play solution.
Network discovery is
automatic, network
analysis is built in,
and it all deploys via a
single mouse click.
Figure 3. Attacker in Action: illusive networks Adapting to the Adversary
The general environment we tested was a virtual machine environment that simulated
a real-world environment. Also, we ran though several real-world case studies and
capture-the-flag exercises to verify and validate the authenticity of illusive networks’
approach to deception.
SANS ANALYST PROGRAM
5 Deception Matters: Slowing Down the Adversary with illusive networks®
Review and Use Case Scenarios for Deceptions Everywhere
The two areas that cause the biggest issues for CIOs are agent solutions and in-line
devices. The illusive networks agentless solution is not in-line and requires no changes to
an existing infrastructure.
Key Components of Deception
In testing the DMS, we took a four-part approach to deploying deception within our
mock environment:
1. Analysis. For deception to be effective, it must be realistic and comprehensive,
and cover all key areas of a network. If a deception technique is deployed on
only the DMS or open ports that are not being used by the organization, it is not
TAKEAWAY:
believable and therefore not effective. When we worked with the solution, the
If attackers can avoid and
product adapted to and understood the environment with minimal interaction.
bypass deceptions, such
2. Deployment. Deceptions are non-impactful on legitimate users and network
measures offer little value to
and system operations, but impactful on the adversary. To slow down the
the organization because they adversary (us), illusive forced us to access multiple deception techniques.
don’t slow down or catch the
3. Monitoring. From initial compromise to setting up a pivot point to lateral
adversary.
movement, all malicious activities were automatically monitored so proper
action could be taken to control the overall damage. The illusive interface was
easy to use and allowed us to quickly see the before-and-after analysis of what
was deployed.
4. Adaption. IT environments are always changing and adversaries are constantly
learning, so deception must constantly be changing and adapting. As new
servers are added to an environment, old servers are removed and the network
is redesigned. As we made changes to the environment and deployed new
legitimate systems in our review, the solution automatically adapted and
changed the deception policy that was deployed.
SANS ANALYST PROGRAM
6 Deception Matters: Slowing Down the Adversary with illusive networks®
Review and Use Case Scenarios for Deceptions Everywhere (CONTINUED)
Policy Management
The key to this solution is the policy deployment and management, which began with
the DMS deployment, as stated earlier.
First, it used artificial intelligence and various machine learning techniques to
understand the environment, and automatically deployed deception techniques that
mirrored and aligned with our review network infrastructure. See Figure 4.
Figure 4. Overview of Deception Techniques Deployed in the Test Environment
SANS ANALYST PROGRAM
7 Deception Matters: Slowing Down the Adversary with illusive networks®
Review and Use Case Scenarios for Deceptions Everywhere (CONTINUED)
Then, it automatically monitored and adjusted the deception techniques for each device
and server so we could focus on monitoring and tracking the adversary, as shown in
Figure 5, and not on installing and maintaining deception patterns.
Figure 5. Deceptions Everywhere’s Adaptive Techniques, Tailored to Our Review Environment
The screenshot in Figure 5 shows the deception that was deployed and the activity of
the adversary.
Machine Learning
DMS uses machine learning to engage each server or workstation and learn the unique
activities of each system on the network. This information was used to generate
deceptive policy reflecting the unique characteristics of the review environment.
While the solution allows an organization to tune and adjust, it can also be implemented
automatically with minimal administrator oversight. Initially we asked illusive’s interface
to make all of the decisions, and it effectively deployed realistic deception measures
across our mock environment.
SANS ANALYST PROGRAM
8 Deception Matters: Slowing Down the Adversary with illusive networks®Review and Use Case Scenarios for Deceptions Everywhere (CONTINUED)
For example, in our review, illusive’s DMS learned the conventions and standards of
the virtual business and generated unique system names and usernames (targets for
attackers) for use with deceptive services and credentials, as shown in Figure 6.
Figure 6. Deceptive Server Names that Were Automatically Created
We could choose to be involved in setup and customization as much or as little as
we wanted. This indicated advancements in maturity of deception technologies
and their uses. The policy was then intelligently deployed and managed across the
environments so that every endpoint and server had deceptive data that was unique
and indistinguishable from the organic data on each machine (so it could not be
guessed or detected).
SANS ANALYST PROGRAM
9 Deception Matters: Slowing Down the Adversary with illusive networks®Review and Use Case Scenarios for Deceptions Everywhere (CONTINUED)
Attacker View
To get a better view of the environment through the eyes of the adversary, illusive
networks created Attacker View™. The following gives an overview of the “virtual”
environment that is created by the DMS for attackers to fall into (see Figures 7 and 8).
Figure 7. Pre-deception Attacker View
Figure 8. Post-deception Attacker View
SANS ANALYST PROGRAM
10 Deception Matters: Slowing Down the Adversary with illusive networks®Review and Use Case Scenarios for Deceptions Everywhere (CONTINUED)
When we switched from our view to the Attacker View, we could see the fake network
from an attacker’s perspective, and the relationships between systems and resources the
attacker would map to. In security, one of the rules of success is offense must inform the
defense. We saw the attack vectors, represented by the blue circles. These represent the
various deception techniques from extraneous servers, fake credentials and deception
shares. The Attacker View shows the deceptive entities deployed in the environment that
the attacker will try to take advantage of.
By combining any mix of deceptive connection information with real or deceptive
credential data, the attacker (us) is attempting to target real servers, but instead we are
covertly sent to the deception that is deployed without our knowing it. Figure 9 shows
the fake vectors used to attract our attacker.
Figure 9. Attacker View Revealing Attack Vectors
Attacker View allowed us to understand the real attack vectors by focusing on the risks
that actually matter to our environment.
SANS ANALYST PROGRAM
11 Deception Matters: Slowing Down the Adversary with illusive networks®Review and Use Case Scenarios for Deceptions Everywhere (CONTINUED)
In Figure 10, Attacker View showed us the threat intelligence to make the right decisions
around our attacker’s changing tactics.
Figure 10. Attacker View Displaying Deceptions While Tracking an Attack
The illusive solution
Attacker View also allowed us to make on-the-fly changes to the environment and see
acted automatically, the impact it had on the adversary in real time.
adapting with artificial
User View
intelligence to changes
In User View, we also explored how Administrative, Domain and Local User credentials
we added to the
naturally interact with the real environment. This impact analysis enabled us, acting as
environment. administrators rather than as attackers, to understand where concentrations of activity
take place and how credentials are used in order to determine how deceptive and
traditional security controls can be applied to the organization. See Figure 11.
Figure 11. User View Showing Administrator Privilege Abuse
SANS ANALYST PROGRAM
12 Deception Matters: Slowing Down the Adversary with illusive networks®Attack Scenarios
We started with Deceptions Everywhere turned off for our initial testing, and began
exploiting the review environment and moving laterally across systems without being
stopped. Within a short period, we were able to compromise several systems; had it
been a real attack, we could have caused damage—for example, captured additional
administrative credentials, accessed critical systems or exfiltrated sensitive data.
We then performed similar exploitations and movements with illusive turned on and
were easily detected by the system. As the attackers, however, we were unable to
detect illusive—we became completely lost in the deceptive data without being able to
differentiate between what was real and what was deceptive.
Deceptions Reviewed
While there are many variations, the three main deception methods utilized for this
review were:
• Share deceptions. Attackers look for shares as an easy way into a system and
sensitive information. Additional legitimate-looking shares were created by illusive
to slow down our adversary (us), but also provided valuable insight into what the
adversary was doing and attack methods.
• Credential deceptions. In this part of the review, we launched an elevation-of-
privileges attack, to elevate access from a normal user to a privileged account
such as root or admin. When attempting to do this in deceptive accounts, we felt
frustration from the perspective of the attacker because it kept sending us down
rabbit holes to research further. For the deception administrator it provided an
early warning system to show what the adversary (us) was doing.
• File deceptions. We wanted to access critical data, which is in files. With deception
deployed, this became almost an impossible task because it was difficult to
distinguish between legitimate data and fake data, leading us to spend significant
time harvesting fake information of little to no value.
SANS ANALYST PROGRAM
13 Deception Matters: Slowing Down the Adversary with illusive networks®Attack Scenarios (CONTINUED)
Lost in the Deception
With deceptions now deployed, it was time to repeat our exploitation of the
environment using the fundamental steps to gain access. Along the way, we were met
with various deceptions, as described in Table 1:
Table 1. Malicious Actions and Deceptions
Malicious Actions Taken Deceptions Deployed
Reconnaissance All deceptions
Scanning Share deceptions
Exploitation
• Pivot points Credential deceptions
• Internal reconnaissance Share deceptions
• Internal scanning File deceptions
• Data exploitation File deceptions
Creating back doors All deceptions
Covering our tracks All deceptions
Being a little skeptical, we were overly confident launching our attacks in the new
environment. Convinced we had identified a path to bypass the deception, we spent
time continuing our attack on what we thought were the legitimate systems. However,
when we switched and checked the Attacker View, we were embarrassed: Not only was
our analysis wrong, but we were caught red-handed by the illusive system. See Figures
12 and 13 to view illusive detecting our port scanning activities.
SANS ANALYST PROGRAM
14 Deception Matters: Slowing Down the Adversary with illusive networks®Attack Scenarios (CONTINUED)
Even though we
knew the system
was deployed and
Figure 12. Illusive User View Detecting Our Port Scan
knew how the system
worked, this advantage
proved no match for
illusive networks.
Figure 13. Illusive Forensic Analysis of Port Scan Attempt
SANS ANALYST PROGRAM
15 Deception Matters: Slowing Down the Adversary with illusive networks®Attack Scenarios (CONTINUED)
Tracking and Metrics
A common shortcoming of many security solutions is that they promise great things but
lack a way to track overall effectiveness. A valuable component of illusive’s solution is
provision of a variety of metrics to track the benefit of the deployed deceptive measures.
Taking deception to the See Figure 14.
next level of maturity,
metrics enable large-
scale management of
deception measures.
The metrics revealed
weaknesses and
needed improvements,
and informed us where
to tune the deception
measures to maximize
the benefit of the
illusive solution. Figure 14. Overall Dashboard Showing the Metrics for the Deception
The illusive DMS platform revealed that our ability to detect an advanced attacker
improved over time during our review. Attack surface information from the perspective
of the adversary—such as number of lateral movement targets per endpoint or number
of lateral movements to reach domain admin credential—was also provided.
SANS ANALYST PROGRAM
16 Deception Matters: Slowing Down the Adversary with illusive networks®Conclusion: Future of Deception
With many persistent, targeted attacks, prevention is in many cases postponing the
inevitable, because the adversary will eventually get in. Therefore, security is going to be
all about timely detection and damage control.
Setting up a virtual world of confusion clearly slows down attackers and makes
their job more difficult, but it is often forgotten that deceptions serve no legitimate
purpose, meaning no one should be connecting to these deceptions. If that occurs, the
TAKEAWAY:
probability of an adversary touching at least one of the deceptive measures is very high,
While deception was originally
which allows for early detection capability.
about slowing down the
The illusive solution provides a comprehensive way to deploy deception across an
adversary, in the future it will
environment with minimal to no human interaction. The deception is highly effective
move toward functioning as and covert, making it virtually undetectable when deployed within an existing
an early detection tool. environment. Even the most skilled adversary would access a deception technique,
allowing for early detection of an attack.
Expect deception technology to gain wider use and become more tailored to and
focused on an organization’s critical assets. If the databases’ servers, the applications
themselves and even the tables in the databases all have deception, it raises the
difficulty of attacks to a whole new level of complexity.
SANS ANALYST PROGRAM
17 Deception Matters: Slowing Down the Adversary with illusive networks®About the Author
Eric Cole, PhD, is a SANS faculty fellow, course author and instructor who has served as CTO of
McAfee and chief scientist at Lockheed Martin. He is credited on more than 20 patents, sits on
several executive advisory boards and is a member of the Center for Strategic and International
Studies’ Commission on Cybersecurity for the 44th Presidency. Eric’s books include Advanced
Persistent Threat, Hackers Beware, Hiding in Plain Sight, Network Security Bible and Insider Threat. As
founder of Secure Anchor Consulting, Eric puts his 20-plus years of hands-on security experience to
work helping customers build dynamic defenses against advanced threats.
Sponsor
SANS would like to thank this paper’s sponsor:
SANS ANALYST PROGRAM
18 Deception Matters: Slowing Down the Adversary with illusive networks®Last Updated: October 15th, 2018
Upcoming SANS Training
Click here to view a list of all SANS Courses
SANS Houston 2018 Houston, TXUS Oct 29, 2018 - Nov 03, 2018 Live Event
SANS Gulf Region 2018 Dubai, AE Nov 03, 2018 - Nov 15, 2018 Live Event
SANS Sydney 2018 Sydney, AU Nov 05, 2018 - Nov 17, 2018 Live Event
SANS DFIRCON Miami 2018 Miami, FLUS Nov 05, 2018 - Nov 10, 2018 Live Event
SANS London November 2018 London, GB Nov 05, 2018 - Nov 10, 2018 Live Event
SANS Dallas Fall 2018 Dallas, TXUS Nov 05, 2018 - Nov 10, 2018 Live Event
Pen Test HackFest Summit & Training 2018 Bethesda, MDUS Nov 12, 2018 - Nov 19, 2018 Live Event
SANS Mumbai 2018 Mumbai, IN Nov 12, 2018 - Nov 17, 2018 Live Event
SANS Rome 2018 Rome, IT Nov 12, 2018 - Nov 17, 2018 Live Event
SANS Osaka 2018 Osaka, JP Nov 12, 2018 - Nov 17, 2018 Live Event
SANS San Diego Fall 2018 San Diego, CAUS Nov 12, 2018 - Nov 17, 2018 Live Event
SANS November Singapore 2018 Singapore, SG Nov 19, 2018 - Nov 24, 2018 Live Event
SANS ICS410 Perth 2018 Perth, AU Nov 19, 2018 - Nov 23, 2018 Live Event
SANS Paris November 2018 Paris, FR Nov 19, 2018 - Nov 24, 2018 Live Event
SANS Stockholm 2018 Stockholm, SE Nov 26, 2018 - Dec 01, 2018 Live Event
SANS Austin 2018 Austin, TXUS Nov 26, 2018 - Dec 01, 2018 Live Event
SANS San Francisco Fall 2018 San Francisco, CAUS Nov 26, 2018 - Dec 01, 2018 Live Event
European Security Awareness Summit 2018 London, GB Nov 26, 2018 - Nov 29, 2018 Live Event
SANS Khobar 2018 Khobar, SA Dec 01, 2018 - Dec 06, 2018 Live Event
SANS Dublin 2018 Dublin, IE Dec 03, 2018 - Dec 08, 2018 Live Event
SANS Santa Monica 2018 Santa Monica, CAUS Dec 03, 2018 - Dec 08, 2018 Live Event
SANS Nashville 2018 Nashville, TNUS Dec 03, 2018 - Dec 08, 2018 Live Event
Tactical Detection & Data Analytics Summit & Training 2018 Scottsdale, AZUS Dec 04, 2018 - Dec 11, 2018 Live Event
SANS Frankfurt 2018 Frankfurt, DE Dec 10, 2018 - Dec 15, 2018 Live Event
SANS Cyber Defense Initiative 2018 Washington, DCUS Dec 11, 2018 - Dec 18, 2018 Live Event
SANS Bangalore January 2019 Bangalore, IN Jan 07, 2019 - Jan 19, 2019 Live Event
SANS Sonoma 2019 Santa Rosa, CAUS Jan 14, 2019 - Jan 19, 2019 Live Event
SANS Amsterdam January 2019 Amsterdam, NL Jan 14, 2019 - Jan 19, 2019 Live Event
SANS Threat Hunting London 2019 London, GB Jan 14, 2019 - Jan 19, 2019 Live Event
Secure DevOps Summit & Training 2018 OnlineCOUS Oct 22, 2018 - Oct 29, 2018 Live Event
SANS OnDemand Books & MP3s OnlyUS Anytime Self PacedYou can also read
