Products
- Products
  
  Platform
  ShadowPlex Advanced Threat Defense
  Deception for early detection of cyber threats with precision and speed
  
  ShadowPlex Identity Protection
  Visibility, management and protection of identity stores and attack paths
  Acalvio Active Defense Platform
  Comprehensive and Award-winning Distributed Deception Platform
  
  What is Active Defense?
  Active defense detects and diverts attacks.
  
  Why do I need Acalvio Active Defense?
  Active Defense deceives and disrupts attackers.
Solutions
- Technology Solutions
  
  Industry Solutions
  Early Threat Detection
  Detect cyber threats early in the attack lifecycle to prevent adversary breakout
  
  Identity Threat Detection & Response
  Detect identity threats with precision and protect the identity architecture
  
  OT Security
  Protect OT environments from cyber threats with an easy-to-deploy and non-intrusive solution
  
  Red Teaming
  Strengthen defenses to detect red team activities
  
  Threat Hunting
  Active threat hunting to confirm latent threats and gain visibility to attacker TTPs
  
  Ransomware
  AI-driven deception to protect against known and zero-day ransomware variants
  
  Honeytokens for CrowdStrike
  Enterprise-scale honeytokens to protect against current and evolving identity threats
  
  Active Directory Protection
  Visibility to AD attack surface and detection of AD attacks
  
  Zero Trust
  Advance Zero Trust maturity through improved cyber visibility
  
  Insider Threats
  Unmask hidden dangers. Cyber deception for high-fidelity insider threat detection
  Public Sector
  Targeted solution for protecting Federal agencies in conformation with NIST and CISA recommendations
  
  Financial Services
  Transform Financial Cybersecurity with Innovative Cyber Deception and Active Defense
  
  Healthcare
  Active defense solutions thwart healthcare attacks before they can inflict real damage.
Resources
Partners
Company

Detection of Breach Campaigns by using Distributed Deception

by Team Acalvio | May 17, 2018

Today’s breaches are predominantly carried out in a series of sophisticated, multi-stage attacks. The stages involved in such an attack can best be described by a “Cyber Kill Chain”. This, as per MITRE ATT&CK Adversary Tactic Model [11] breaks down cyber intrusions into the steps shown in the following figure.

As discussed in the previous blogs and the white paper deception solution deploys breadcrumbs and lures at the endpoint. These breadcrumbs and lures can be :

Honey authentication values in the browsers such as adding honey authentication in “HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\IntelliForms\Storage2” for IE7, honey authentication values at “\Local\Google\Chrome\User Data\Default\Login Data” for Chrome etc..
Honey mapped drives
Honey entries in the ARP cache
Honey RDP links,
Honey entries in the keychain
Honey entries in the files such as password files under %APPDATA% folder.
Honey entries in the active directory
Honey connection from the Endpoint / Web Server to the services such as databases in the network,
Honey email addresses in the address book of Outlook,
Honey DNS server,
Honey authentication values in the processes such as lsass.

These end-point lures point to the honey services such as SMB, FTP, Databases in the subnet. Since the static breadcrumbs are interspersed with the real endpoint assets, there is always a possibility of legitimate assets getting used by a threat actor. This problem of legitimate assets getting used by the threat actor can be reduced by increasing the density of the breadcrumbs and lures at the endpoint.

If there are “m” legitimate services and “n” honey services then if { [ m / (n + m) ] <= 0.001} it will ensure the probability of accessing legitimate services remains less than equal to 0.1 %.

In our previous blog, we analyzed six prevalent worms and malware. We discussed the precise breadcrumbs and lures that are required at the endpoint and honey services in the network and the conditions that will lead to their detection. In the following table 1.0, we have taken three breadcrumbs and listed the breaches that could have been diverted by using these breadcrumbs. The three breadcrumbs which we have considered are honey entries in the ARP cache, honey mapped drives and honey passwords in the browser and in the processes such as lsass. The reports of these breaches have been published publicly and are mentioned in the references.

From the above table we can draw the following inferences:

The deception platform gets triggered during the Credential Access, Discovery, Lateral Movement phases. Hence it complements other defenses which get triggered during the Initial Access, Execution, Persistence, Privilege Escalation, Defensive Evasion phases. These phases are as per the MITRE ATT&CK Matrix for the Enterprise.
In some of the breaches, for example, Orangeworm [1] reported on April 23rd, 2018, targeting hospitals, a deception platform would have been able to divert the multi-stage attack at multiple places by having honey entries in the ARP cache and also by having honey drives.

These inferences make deception based architecture a recommended architecture to prevent modern-day breaches.

References:

[1] New Orangeworm attack group targets the healthcare sector in the U.S. , Europ, and Asia https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia
[2] APT 37 The overlooked North Korean Actor, https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf
[3] Bronze Butler Targets Japenese Enterproses https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
[4] A window into Russian Cyber Espionage Operations ? https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf
[5]Cozy Duke, https://www.f-secure.com/documents/996508/1030745/CozyDuke
[7]Operation Cleaver, https://www.cylance.com/content/dam/cylance/pdfs/reports/Cylance_Operation_Cleaver_Report.pdf
[8] Muddying The Water : Targeted Attacks in The Middle East
https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/
[9] Monsooon Campaign https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/adversary_attribution/MONSOON.md
[10] Leviathan
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
[11] Mitre ATT&CK Adversary Model, https://attack.mitre.org/wiki/Main_Page
[12] Stealth Falcon, https://citizenlab.ca/2016/05/stealth-falcon/