Lure. Deceive. Defeat. Researching Deception for Accurate Post-Breach Detection
Omer Zohar, Head of Research, TopSpin Security
Source: microsoftrnd.co.il kit/bluehat il decks/omerzohar.pdf (BlueHat IL deck, 51 slides)
Posted on 06-Jul-2018

TRANSCRIPT

Slide 1 (Proprietary and confidential)

Lure. Deceive. Defeat.
Researching Deception for Accurate Post-Breach Detection

Omer Zohar, Head of Research, TopSpin Security

Slide 2

Take your pick

Slide 3

Agenda

Deception in Post Breach Scenario?!

Putting Deception to the test

How to Deceive

Research Results

Wrap up

Slide 4

Why are we talking about post breach detection?

Patchy perimeters + Chaotic internal networks = Fertile ground for attackers

Slide 5

Attackers have the advantage - Or do they?

The defender’s main advantage is the fundamental control of information

Which leads to the ability to apply

Deception

Slide 6

How Deception Works – Traps and Decoys

(Diagram labels: Assets, Decoys)

Slide 7

How Deception Works – Traps and Decoys

(Diagram labels: Assets, Decoys, Traps)

Slide 8

Multiple detection mechanisms

Slide 9

Now wait a minute…

Slide 10

Defining the research questions

Do attackers really take the bait?

What is the ideal deployment strategy?

Are decoys and traps effective in real-life scenarios?

Slide 11

Let the Games Begin

1. Build the Environment (diagram labels: Workstation VLAN, Server VLAN, Infected machine)
2. Add data
3. Deception overlay
4. Build the challenge
5. Bring’em on!

Slide 12

CTF – Stats & Scores

• Ran over a month

• Over 50 security professionals from all over the world

• 6-7 hours on average per player

• 34 Malware samples

• ~1.9M log lines collected

Decorations

• 1491 Documents

• 5532 Emails

• 29 Users

• 31 applications installed

• 3 Full Browser profiles (Chrome, IE, FF)

• 2 Corporate web applications

• 2 Databases

• 1 DC

• 1 DNS Server

• 1 Private cloud service

Hope I didn’t forget anything…

Slide 13

Exploiting the Knowledge Gap

(Chart: Average # of shell commands to solve CTF, by phase, Phase 1 to Phase 5; data labels read in order: 600, 370, 120, 132, 140)

Slide 14

It’s so easy when you know where to look…

RTFM!

Slide 15

The Knowledge Gap = The difference between the attacker’s perception and reality

Slide 16

The Knowledge Gap = The difference between the attacker’s perception and reality

The knowledge gap quickly decreases over time (but it always exists!)

Slide 17

The Knowledge Gap = The difference between the attacker’s perception and reality

The knowledge gap quickly decreases over time (but it always exists!)

A knowledgeable attacker = A sophisticated attack

Widen the Gap -> Increase Probability of Detection

Slide 18

Trap Construction

Slide 19

Traps

Applications
• Session Apps (SSH, FTP, RDP clients…)
• Browsers (History, Passwords, Bookmarks)
• App Uninstall information

File Based
• IT/Corporate Documents (txt, doc, xls, pdf …)
• Canaries
• Emails (as file or inside PST)
• Logs
• Databases
• Recent files
• hosts and lmhosts files

Network
• Network Table Caches Poisoning (ARP, DNS, Netbios)
• Mounted Devices (Network Printers, Cameras)
• (half) Open Connection to decoys

Credentials
• Passwords and Hash injections
• Windows Credential Manager
• Password Managers

Slide 20

File Based traps

• Simplest trap, yet most versatile

• Understanding the organization is crucial

(Examples shown: a plaintext configuration file; a guide on how to use the corporate VPN)

Slide 21

Who Opened my files?

• Open sourced by the Canarytokens project

Slide 22

Emails

Most triggered Trap! Triggered by 27% of Contestants

Slide 23

Email

Slide 24

Email

Slide 25

Traps (overview slide repeated; see slide 19)

Slide 26

ARP Cache

• Static entries :-(

• SYN Spoofing :-)

Attackers were 14% more likely to access a decoy if they had viewed the ARP table.

Slide 27

Traps (overview slide repeated; see slide 19)

Slide 28

Common Applications

• Any Application that contains credentials, locations or useful info

• Can be file or registry

• Installed or not…

• How to create?

Slide 29

Common Applications

• Leaked malware sources are your friends

• 200+ potential applications…

Slide 30

Traps (overview slide repeated; see slide 19)

Slide 31

Windows Credential Manager

Slide 32

Credential Injections

DCEPT: puts honeytoken credentials into memory by calling the CreateProcessWithLogonW Windows API to launch a suspended subprocess with the LOGON_NETCREDENTIALS_ONLY flag.
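An added example (not from the deck and not DCEPT's own code) of the injection this slide describes: a PowerShell P/Invoke wrapper that calls CreateProcessWithLogonW with LOGON_NETCREDENTIALS_ONLY and CREATE_SUSPENDED so that a fake domain credential stays resident on the endpoint. The domain, account name and password are placeholders; the detection side is the DC's authentication-failure events naming that account.

```powershell
# Added example (not from the deck or from DCEPT): keep a honeytoken credential resident in memory.
# With LOGON_NETCREDENTIALS_ONLY the credential is never validated locally; it is only presented
# to remote services, so a fake account works, and any later use of it shows up as an
# authentication failure carrying the account name on the domain controller.
$Src = @'
using System;
using System.Runtime.InteropServices;
public static class HoneyCred {
  [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
  public struct STARTUPINFO {
    public int cb; public string lpReserved, lpDesktop, lpTitle;
    public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
    public short wShowWindow, cbReserved2;
    public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
  }
  [StructLayout(LayoutKind.Sequential)]
  public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
  [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
  public static extern bool CreateProcessWithLogonW(
    string user, string domain, string password, uint logonFlags,
    string appName, string cmdLine, uint creationFlags, IntPtr env, string cwd,
    ref STARTUPINFO si, out PROCESS_INFORMATION pi);
}
'@
Add-Type -TypeDefinition $Src

function Install-HoneyCredential {
  param([string]$Domain, [string]$User, [string]$Password)
  $LOGON_NETCREDENTIALS_ONLY = 0x2   # same logon type "runas /netonly" uses (LogonType 9, NewCredentials)
  $CREATE_SUSPENDED          = 0x4   # the child never executes; it only anchors the logon session
  $si = New-Object HoneyCred+STARTUPINFO
  $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
  $pi = New-Object HoneyCred+PROCESS_INFORMATION
  # Caveat: CreateProcessWithLogonW cannot be called from a process running as LocalSystem.
  $ok = [HoneyCred]::CreateProcessWithLogonW($User, $Domain, $Password, $LOGON_NETCREDENTIALS_ONLY,
          $null, "$env:SystemRoot\System32\notepad.exe", $CREATE_SUSPENDED,
          [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
  if (-not $ok) { throw ('CreateProcessWithLogonW failed, Win32 error {0}' -f [Runtime.InteropServices.Marshal]::GetLastWin32Error()) }
  # Record the PID: the bait is gone once this suspended process is killed or the host reboots.
  return $pi.dwProcessId
}

# Hypothetical honeytoken account and placeholder password; alert on any DC logon event naming it.
Install-HoneyCredential -Domain 'CORP' -User 'svc_backup_adm' -Password 'PLACEHOLDER-random-value'
```

Pair the endpoint side with a DC-side rule on failed-logon events for the honeytoken name, since no legitimate process will ever present that credential.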

Slide 33

Guidelines to making a good trap

• Non-Intrusive

• Low attack surface

• Blend in

Slide 34

CTF – Stats & Scores

Deception numbers

• 177 Traps (by type: 61 files, 12 applications, 10 IOT, 27 emails, 2 network, 26 credentials, 39 Canaries)

• 11 Decoys

• 95 Decoy services

Only one clear winner emerged (and has the drone to prove it!)

Slide 35

Slide 36

Who Took My Bait?

• Traps consumed 340 times

• Overall 62% of traps laid were consumed

(Chart: Consumed Traps Count and % of Unique Traps Touched, by trap type: App, Email, File, IOT, Credential, Canary, Network; percentage labels read in order: 90%, 70%, 64%, 50%, 38%, 18%, 50%)

(Chart: Consumed Traps Distribution. Average: 3.09, Max: 21, Min: 1)

Slide 37

Man VS Machine

• Malware and Human Attackers present different behavior patterns

• Each Human Attacker triggered ~10.5 traps

• No one trap type covers all attackers.

(Chart: Attacker percentage that consumed each trap type, App, Email, File, IOT, Credential, Canary, Network; series: % of Human Attackers touched, % of Malware touched)

Slide 38

From Traps to Detection

The attackers’ knowledge gap widened with every trap taken

Attackers may not use traps the way we intend them to (but they still get caught!)

Slide 39

One Man’s Gap

Decoy IP      Service
172.20.40.4   RDP/3389
172.20.40.6   FTP/21
172.20.40.6   RDP/3389
172.20.40.6   SMB/445
172.20.40.6   HTTP/80
172.20.50.4   RDP/3389
172.20.50.4   SMB/445
172.20.50.4   HTTP/80
172.20.50.6   FTP/21
172.20.50.6   SMB/445

Slide 40

One Man’s Gap (decoy table repeated; see slide 39)

Slide 41

One Man’s Gap (decoy table repeated; see slide 39)

Slide 42

One Man’s Gap

  Decoy IP      Service
  172.20.40.4   RDP/3389
  172.20.40.6   FTP/21
? 172.20.40.6   RDP/3389
? 172.20.40.6   SMB/445
? 172.20.40.6   HTTP/80
  172.20.50.4   RDP/3389
? 172.20.50.4   SMB/445
  172.20.50.4   HTTP/80
  172.20.50.6   FTP/21
? 172.20.50.6   SMB/445

• Attacker “expands his horizons”

• Information gap gets wider as the attacker gets tangled in the decoy

• Total time wasted > 4H

Slide 43

Decoy Access

• Contestants interacted with 9.7 different decoy services on average

(Chart: Decoy Access by popular service group, logarithmic scale 1 to 100000)

Slide 44

Decoy Access

• Less than 20% of attackers initiated most decoy events

• Scanning easily detected using decoys.

(Chart: Decoy Access Histogram, % of all attackers against number of decoy services touched, 0 to 80; data label 71.43%)
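An added example (not from the deck or from TopSpin's product) of the detection side of slides 39 to 44: connection records are matched against the decoy inventory from the "One Man's Gap" table, and a source that touches many distinct decoy services within seconds is ranked as a scanner, while repeated hits on one decoy over time mark an engaged attacker. The record format, the log lines and the thresholds are constructed assumptions.

```powershell
# Added example (not from the deck): match connection records against a decoy inventory.
# Decoy inventory taken from the "One Man's Gap" slide (IP:port of each decoy service).
$DecoyInventory = @(
    '172.20.40.4:3389', '172.20.40.6:21',  '172.20.40.6:3389', '172.20.40.6:445', '172.20.40.6:80',
    '172.20.50.4:3389', '172.20.50.4:445', '172.20.50.4:80',   '172.20.50.6:21',  '172.20.50.6:445'
)
# Constructed flow records in an assumed "<time> <src> <dst> <dport>" export format.
$Flows = @'
2018-07-06T10:00:01 172.20.30.15 172.20.40.4 3389
2018-07-06T10:00:01 172.20.30.15 172.20.40.6 21
2018-07-06T10:00:02 172.20.30.15 172.20.40.6 445
2018-07-06T10:00:02 172.20.30.15 172.20.50.4 445
2018-07-06T10:00:03 172.20.30.15 172.20.50.6 21
2018-07-06T10:00:03 172.20.30.15 172.20.50.4 80
2018-07-06T11:12:40 172.20.30.22 172.20.40.6 445
2018-07-06T11:40:05 172.20.30.22 172.20.40.6 445
2018-07-06T12:03:11 172.20.30.22 172.20.40.6 445
2018-07-06T12:05:00 172.20.30.31 10.0.0.5 443
'@ -split "`n"

function Get-DecoyTouches {
    # Emit one object per record whose destination is a decoy service; everything else is ignored.
    param([string[]]$Records, [string[]]$Decoys)
    foreach ($line in $Records) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4) { continue }
        $svc = '{0}:{1}' -f $f[2], $f[3]
        if ($Decoys -contains $svc) {
            [pscustomobject]@{ Time = [datetime]$f[0]; Source = $f[1]; Service = $svc }
        }
    }
}

function Get-DecoyVerdicts {
    # Every decoy touch is an alert (decoys have no production users); the verdict only ranks it.
    # Many distinct decoy services inside a short window looks like a scanner; repeated hits on
    # the same decoy spread over time looks like an attacker engaged with it.
    param([string[]]$Records, [string[]]$Decoys, [int]$ScanServices = 5, [int]$ScanWindowSec = 60)
    Get-DecoyTouches $Records $Decoys | Group-Object Source | ForEach-Object {
        $hits    = @($_.Group | Sort-Object Time)
        $unique  = @($hits.Service | Select-Object -Unique).Count
        $span    = ($hits[-1].Time - $hits[0].Time).TotalSeconds
        $verdict = if ($unique -ge $ScanServices -and $span -le $ScanWindowSec) { 'scanner' }
                   elseif ($hits.Count -gt 1) { 'engaged' } else { 'single-touch' }
        [pscustomobject]@{ Source = $_.Name; Hits = $hits.Count; DecoyServices = $unique; Verdict = $verdict }
    }
}

Get-DecoyVerdicts -Records $Flows -Decoys $DecoyInventory | Format-Table -AutoSize
```

On the constructed records 172.20.30.15 (six decoy services in two seconds) is ranked scanner, 172.20.30.22 (three hits on one SMB decoy over an hour) is ranked engaged, and 172.20.30.31 never appears because it only reached a non-decoy address.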

Slide 45

High Interaction Decoy Services

• 4 high-interactivity decoy accesses per attacker

• Attackers had a hard time differentiating between decoy and real machines.

(Chart: Decoy Access, only high-interactivity events, logarithmic scale 1 to 10000)

Slide 46

High Interaction Decoy Services

• Most scanners continued to interact with decoys

• Service Diversity is essential for efficient detection

• Overall, 66% of contestants were detected by decoys.

(Chart: Decoy Access by percentage of accessed attackers, series All Decoy Events and High Interactivity Events; y-axis % of all attackers, 0% to 50%)

Slide 47

(Graphic: Decoys, Data Analysis and Beacons feeding Multiple Detection engines; percentage labels 38%, 66%, 25% and 100% Detection)

Slide 48

Just a small tidbit…

Slide 49

Wrap up

Deception increases attacker knowledge gaps. The bigger it is, the easier it is to detect.

Diversity - Key to get coverage on all types of attacks

Traps and decoys tailored for the organization

End Goal is Detection – not deception! Relying on multiple detection mechanisms will increase detection effectiveness.

Slide 50

Newman got it half right

Slide 51

Find me: [email protected]

Get the full report at: www.topspinsec.com/resources

Thank You!