Written by: Joe Carson, Sr. Director, Professional Services at Attivo Networks, Inc.

From time to time, I am asked to help a customer validate the efficacy of their deception implementation. This can be part of a pilot deployment, or after full operationalization. In many cases, organizations have some in-house resources for penetration testing and possibly even red team expertise. These resources are often leveraged to test product controls or test systems against a direct attack.
Evaluating Deception vs. Traditional Controls
The challenge is adapting traditional security validation to operationalized deception. Evaluating deception is different from assessing an individual system’s security. For example, to test a firewall, I check network and application controls with the firewall in the path of communication. To test system security controls such as AV or EDR, I would look at bypassing local execution restrictions for a malicious payload or other local system behaviors that achieve system compromise.
Deception, on the other hand, when properly deployed, is pervasive throughout the information architecture. It involves network-level decoys, breadcrumbs, and lures on legitimate systems, Active Directory, and even Man-in-the-Middle (MITM) protection. Therefore, there is no single component that can be evaluated in isolation to determine the effectiveness of the whole. Authentic deception is indistinguishable from production, which makes it even more challenging for the evaluator: the entire assessment can be completed without the evaluator ever gaining insight into where they were misled.
Creating a Playbook Leveraging MITRE ATT&CK
This is one of the reasons we are often asked to assist with structuring a realistic evaluation of the deceptive deployment. To that end, Attivo has developed a playbook that our customers can leverage for conducting a test with internal or external resources. The playbook walks through a typical attack pattern where a compromised patient zero begins discovery and reconnaissance, moves laterally, attempts additional persistence, and exfiltrates data. In conducting these exercises, customers can be as comprehensive as needed to meet their assessment goals. Depending on the resources and tools available to the organization, the playbook can be tailored to the necessary level of complexity. With that said, significant value can be shown by simply leveraging a single simulated patient zero, without touching any additional production resources.
For this real-world example, we will help our anonymized organization, Robodyne International. Robodyne is doing a production pilot of the Attivo Networks ThreatDefend platform and has deployed it across several user network segments. They have not yet implemented any decoys in their datacenter, but, as part of the pilot, both workstation and server decoys of various operating systems have been deployed within the pilot scope. Additionally, Attivo’s Endpoint Deception Net (EDN) suite has been used across the production workstations that are in scope, with a rich mix of lures, visibility, and Active Directory security enabled.
Attivo Networks shared with Robodyne the assessment playbook, which is directly mapped to the MITRE ATT&CK framework. This allowed Attivo and Robodyne to jointly create an exercise that walked through an attack scenario that would meet their test criteria. The playbook points out specific tactics for each phase yet leaves the execution tools and specific techniques open for the organization to choose on their own. This way, they do not feel forced into a specific methodology that could skew the perception of the tests.
For the Robodyne exercise, the organization simulated a successful phishing attack and injected a reverse shell on a Windows workstation with C&C back to a Kali host. The goal of the exercise was to perform a realistic attack with lateral movement from patient zero and determine if and how their deception implementation could detect, alert on, and redirect the attack.
The Attivo Networks ThreatDefend platform performed as expected, with detailed telemetry gathered from the start. It was noted that the execution of the reverse shell was detected by EDN, although this was not part of the evaluation. We were simulating a condition where the attacker had gained their initial foothold via an unknown exploit that bypassed all local EDR detection and gave the attacker logged-on user privileges (non-local admin). We will focus on the activities beginning with discovery.
Detecting Discovery on Patient Zero
In a perfect world, we strive for detection as close to the source of initial compromise as possible. That is not always possible, which is why organizations deploy multiple tools for a layered approach. In this exercise, the attacker had already achieved access to the local resource. Detecting malicious discovery is challenging: the security architecture must differentiate legitimate user activity from nefarious intent. For domain-joined Windows workstations, this is doubly challenging, because any authenticated user can query Active Directory and perform full reconnaissance without restriction. Attivo’s EDN is uniquely suited to identifying these activities, as we will show.
One of the first operations the attacker performed was to enumerate Active Directory and query for various privileged accounts. Attivo’s EDN feature ADSecure intercepted the AD queries, and not only alerted on this activity but also injected deceptive responses to the queries. These events generated immediate alerting and were also supported by additional informational context on console activity occurring at the same time.
In addition to the local system discovery, the attacker performed local subnet reconnaissance. Since the deception architecture had workstation decoys projected, this local scanning was also detected. The decoys reported TCP half scans as well as probes on standard ports such as SMB, which the attacker used in a later stage.
The attacker chose several tactics for gathering credentials and passwords. For example, credentials were dumped from the browser password vault. As part of the breadcrumb campaign, deceptive credentials and deceptive internal web servers had been placed in the browser cache of patient zero. These were therefore part of the results returned to the attacker. In addition to extracting exposed credentials on the endpoint, the attacker then leveraged information provided by Active Directory for further credential exploitation. The attacker went after Service Principal Names (SPNs) on the domain controllers in preparation for a kerberoasting attack. This was not only detected but was thwarted by the Attivo platform. In the previous enumeration of Active Directory, deceptive domain controllers were returned by the query, hiding the real production servers. When the attacker attempted to gather the SPNs, the results came from the deceptive DCs. Even if the query had targeted the real production domain, deceptive SPNs could have been injected into the production domain, containing accounts and destinations that reference deceptive objects.
The last attempt to gather credentials was performed by passively sniffing SMB traffic through the Meterpreter session. Attivo’s active MITM detection provided a deceptive credential and password hash, which was captured by the attacker who then used it during a pass-the-hash attack.
Lateral Movement Detection
As subtlety was not a specific requirement for this exercise, numerous attacks were launched, with some of the tactics noisier than others. During network discovery, the attacker identified a Linux system with SSH available. An attempt was made to brute force this decoy system. Additionally, the attacker used several attack methods against the identified web servers, which were detected by Attivo’s CVE emulator.
As mentioned above, the attacker had successfully captured a user account and hash via SMB relay sniffing. The attacker then attached to the target SMB share leveraging the pass-the-hash technique. This SMB share was part of the deceptive campaign and contained directories and documents intended to appear authentic, yet did not expose any sensitive information. As mentioned, subtlety was not a core requirement. Therefore, the attacker also opened an RDP session to the same SMB server using the compromised deceptive account. Since the attacker had been lured into thinking they were accessing a legitimate file server, the authentication using a deceptive credential was successful.
Collection and Exfiltration
With access to the file server, the attacker collected and copied off the directory contents. The attacker also accessed the decoy Linux server and grabbed various files, including the shadow password file, for later manipulation.
In the interest of brevity, we have not included every technique used throughout the exercise. The purpose was to introduce the concept of evaluating a deception deployment by leveraging a framework such as MITRE ATT&CK. Organizations can script out a series of attacks that can test their deception implementation. In more advanced efforts, playbooks can be generated to simulate specific APTs for deception engagement. This example playbook was developed by choosing the techniques from the ATT&CK framework, mapping out the overall attack scenario, and then building the attacker’s actions and specific attacks from those techniques. Knowing which tactics/techniques are caught by a well-constructed deception strategy can help measure existing security control coverage and identify gaps.
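As an added example (not Attivo's code and not the Robodyne playbook itself), the Python below encodes the phases of the exercise described above as ATT&CK-mapped playbook steps and scores them against an alert feed, producing the per-tactic coverage and gap list the closing paragraph describes. The technique IDs, the deception-layer labels (adsecure, decoy, lure, mitm, edn) and the alert feed are my own constructed mapping, not results from the exercise.

```python
# Added example, not the vendor's code: score deception coverage of an
# ATT&CK-mapped playbook. Technique IDs and layer labels are assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    tactic: str     # ATT&CK tactic the step exercises
    technique: str  # ATT&CK technique ID (author's mapping of the narrative)
    action: str     # what the tester does; tooling is left to the team
    expect: str     # deception layer expected to fire (hypothetical label)


# Playbook steps mirror the narrative: discovery through exfiltration.
PLAYBOOK = (
    Step("Discovery", "T1087.002", "enumerate privileged AD accounts", "adsecure"),
    Step("Discovery", "T1046", "scan local subnet for SMB/SSH", "decoy"),
    Step("Credential Access", "T1555.003", "dump browser password vault", "lure"),
    Step("Credential Access", "T1558.003", "request SPNs for kerberoasting", "adsecure"),
    Step("Credential Access", "T1557.001", "sniff SMB for hashes", "mitm"),
    Step("Lateral Movement", "T1110", "brute force SSH on Linux host", "decoy"),
    Step("Lateral Movement", "T1550.002", "pass-the-hash to SMB share", "decoy"),
    Step("Lateral Movement", "T1021.001", "RDP with captured account", "decoy"),
    Step("Collection", "T1005", "copy share contents and /etc/shadow", "decoy"),
    Step("Exfiltration", "T1041", "send collected files over C2", "decoy"),
)

# Constructed alert feed of (deception layer, technique ID): sample data only,
# not the exercise's real telemetry. The last entry is an out-of-scope alert
# (reverse shell caught at execution) that matches no playbook step.
ALERTS = [
    ("adsecure", "T1087.002"), ("decoy", "T1046"), ("lure", "T1555.003"),
    ("adsecure", "T1558.003"), ("mitm", "T1557.001"), ("decoy", "T1110"),
    ("decoy", "T1550.002"), ("decoy", "T1021.001"), ("decoy", "T1005"),
    ("edn", "T1059"),
]


def score_coverage(playbook, alerts):
    """Return [hits, total] per tactic, the uncovered techniques, and the
    techniques caught only by a layer other than the one expected."""
    fired = defaultdict(set)  # technique ID -> layers that alerted on it
    for layer, technique in alerts:
        fired[technique].add(layer)
    by_tactic, gaps, unexpected = defaultdict(lambda: [0, 0]), [], []
    for step in playbook:
        by_tactic[step.tactic][1] += 1
        if step.technique in fired:
            by_tactic[step.tactic][0] += 1
            if step.expect not in fired[step.technique]:
                unexpected.append(step.technique)
        else:
            gaps.append(step.technique)
    return {"by_tactic": dict(by_tactic), "gaps": gaps, "unexpected": unexpected}


if __name__ == "__main__":
    print(score_coverage(PLAYBOOK, ALERTS))
```

With the constructed feed, every tactic is covered except Exfiltration, which shows up in the gap list as the step to add a lure or decoy for.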