Setec Astronomy, Cocktail Parties, and Busting Honeypots.
By Joseph R. Salazar
In 1992, Robert Redford starred with Dan Aykroyd, Sidney Poitier, David Strathairn, and River Phoenix in a little-known but well-received movie called Sneakers. In the movie, Redford plays Martin Bishop, who heads a team of security experts who hire themselves out to companies that want to test their security systems. When Bishop is blackmailed by Government agents into stealing a top secret black box, the team uses their considerable skills to recover it, only to find out that it can decrypt all encrypted systems around the world, making it extremely valuable. To complicate matters, they find out that the agents who ordered them to get the box weren’t really part of the Government, but instead were involved with someone from Bishop’s somewhat shady past.
Deception plays a prominent role in the movie, and those who have seen it know that Setec Astronomy is an anagram for “Too Many Secrets”, a gaggle of geese can sound like a cocktail party, Government agents aren’t necessarily on the “right” side, and seeing the team break into places in creative ways was great fun.
What makes the movie relevant to this blog is that it was probably one of the first portrayals of what has become known as third party Penetration Testing. Bishop’s team conducted activities that are very familiar to pentesters and Red Teams: close-action activities that involve physical penetration tests, remote network compromises, intelligence gathering, very creative problem solving, and even social engineering (“My voice is my passport.”). Nowadays, there are many more attack vectors that penetration testers and real attackers can leverage to break into a network.
As market adoption is demonstrating, Deception is an effective way to even the playing field and get early detection of a threat that has made it past perimeter defensive solutions. Attackers and Penetration Testers/Red Teams are also becoming familiar with deception deployments and are utilizing ways to identify deception in the network and on endpoints to avoid them. One such method is an open-source tool called HoneyBuster.
The HoneyBuster project is an open-source tool designed to allow Pentesters and Red Teams with “minimal knowledge” to detect or avoid network or endpoint elements that might seem suspicious and/or fake. It looks for deception through:
- Kerberoasting Service Accounts – identifies fake user accounts
- Fake Memory Credentials – identifies memory-resident fake credentials
- Fake Computer Accounts – identifies network honeypots
- Fake Credential Manager breadcrumbs – identifies fake stored credentials
- Fake Domain Admin accounts – identifies fake Active Directory domain administrative accounts
- Fake Mapped Drives – identifies fake network drives
- DNS Records Manipulation – identifies fake DNS-registered endpoints
How did the ThreatDefend platform fare against this? We are pleased to say, exceptionally well. What we found was that it did not detect the ThreatDefend network decoys and endpoint lures and in some instances, it erroneously reported real items as fake or suspicious. It came as no surprise to us that the ThreatDefend platform could avoid detection because it was designed to be both attractive and authentic.
The ThreatDefend platform has been repeatedly recognized for being the most authentic deception solution based on its use of full operating systems and its ability to be fully customized, even to the point of using production golden images that make the decoys look identical to production assets. To add to that authenticity, the ThreatDefend Platform integrates deeply with Active Directory, from adding a fully deceptive AD environment as a trusted domain to injecting deceptive objects into the production Active Directory. Such deep integration makes the deception indistinguishable, even to tools such as HoneyBuster.
Nowhere is this more evident than in our performance against Pentesters and Red Teams in real engagements. In the most recent example, we assisted a healthcare organization in deploying a BOTsink and ThreatStrike as part of their preparation for a Red Team test. When the Red Team first engaged, they found our Windows XP and Windows 2008 Active Directory decoys and engaged with them, thinking they were production systems. Needless to say, the fact that the Blue Team caught the Red Team on the first day was validation that our ThreatDefend platform worked as advertised. Below are some of the screenshots of that engagement. The reconnaissance and engagement activity are immediately detected.
The ThreatDefend Platform continually demonstrates that it can pass close scrutiny from experienced Red Teams and Pentesters, even those as skilled as Bishop’s team in Sneakers. With Attivo, organizations can have the confidence that they are getting the best detection capabilities available and that the solution is designed to anticipate the attacker, whether it be the human attacker themselves or the automated tools they may choose to try.
For more information on testing your security controls, see our blog Measuring the Effectiveness of Security Controls.