The Role of Deception in Stopping Attackers Mid-Breach
Written by: Carolyn Crandall, Chief Deception Officer and CMO
The morning it all went wrong, when you realize that someone has compromised your company…and it’s bad!
The morning starts off as a routine day for a security operations center lead. Except, as you’re looking over Active Directory, you notice accounts that weren’t there during the last audit. You dig into a specific account and realize that it has AD admin rights. After searching further, you see that there is no record of anyone requesting or creating it. You dig deeper, only to find that the account has access to all your critical network assets.
It’s that chilling moment when you first realize that attackers have compromised your organization. You now need to quickly figure out how bad the situation is and hope that your incident response plan is as good as you designed it to be.
The following is inspired by actual events, with elements added to protect the identity of the company.
You don’t know for how long, but you know that where there is one account, there are likely more. These attackers own your network. You don’t know who they are. You don’t know where they are. You don’t know what they want. You do know that any overt action you take to get rid of them, they can counter.
In a typical situation, there may be very little you can do, and you may have to wait until your incident response team can arrive to help. However, with this customer, since they had deception, they could do a great deal.
Most people think of deception technology as a helpful tool for early and accurate detection but haven’t considered the immense value that deception can deliver mid-compromise to avoid a full-scale breach. Note, however, that not all deception is created equal, and the ability to defend in this manner relies on the incident response functionality built into the Attivo Networks ThreatDefend Platform. Specifically, to be effective in a mid-compromise recovery scenario, the deception solution must extend across the network, endpoint, application, and data layers, and cover a wide variety of attack surfaces. Also, given the knowledge that the adversary now has, deception authenticity is critical in getting them to believe and engage with the traps and bait that will be used to eradicate them and prevent their return.
For example, credential deception planted at the endpoint is a good first step when deployed pre-compromise and can quickly detect credential theft and reuse. However, in this particular case, it will not suffice because the attackers have already compromised AD and have administrative rights to the domain. This is where decoy network deception comes into play.
New systems regularly come on and off the network. Adding decoys that appear the same as production assets is a useful next step in the investigation, particularly when you can create an entirely deceptive AD server as a trusted domain of the production AD. This new domain invites closer scrutiny by the attackers, and their activity against it reveals potentially unknown AD administrative accounts. Additionally, the new decoys can host applications, databases, and other services that the attackers may access, quickly exposing compromised systems. For example, a financial institution can deploy a deception SWIFT terminal as a “test” server. In this case, the decoy was a credit card “development” server with a web-page front end and a database back end holding fake account information, added to attract the attacker and gain additional threat intelligence.
Most solutions only offer detection, but once attackers have infiltrated your network, it’s extremely valuable to be able to gain intelligence on attacker TTPs and IOCs, and insight into their objectives, to strengthen overall defenses and prevent them from re-entering the network. The ThreatDefend platform automatically collects all of this information upon engagement, and DecoyDocs can be deployed for data loss tracking, empowering organizations to track stolen documents inside or outside the network. In this case, the Attivo deception solution provided rich threat, adversary, and counter-intelligence, which was used to streamline incident response and build a pre-emptive defense by strategically setting traps where the attackers were likely to move next.
Finally, once the attackers are safely contained in the deceptive environment (while they believe they are escalating their attack), you can begin to isolate them from the network through a variety of native, third-party integrations. You can then begin to eradicate them by using the TTPs and IOCs you’ve gathered to identify and remediate the infected systems and fraudulent accounts they have been using to access your network.
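One way to turn decoy engagements (the decoys described above) into the host and account indicators the eradication step works from, as an added example in Python that is not Attivo’s code and not part of the original post; the decoy addresses and the log lines are constructed:

```python
# Added example: triage decoy engagements from connection-log lines. A production
# host has no legitimate reason to talk to a decoy, so every source that does
# becomes a lead on a compromised system or account.
from typing import Dict, Set

# Constructed inventory of the decoys described above (hypothetical addresses).
DECOYS = {
    "10.0.5.20": "decoy AD server (trusted domain)",
    "10.0.5.21": "decoy credit-card 'development' web front-end",
    "10.0.5.22": "decoy credit-card 'development' database",
}

# Constructed sample log: "<timestamp> <src_ip> -> <dst_ip>:<port> <account>"
SAMPLE_LOG = """\
2024-03-02T02:11:04Z 10.0.1.15 -> 10.0.5.20:389 svc_backup
2024-03-02T02:11:09Z 10.0.1.15 -> 10.0.5.20:445 svc_backup
2024-03-02T02:13:40Z 10.0.1.15 -> 10.0.5.21:443 svc_backup
2024-03-02T02:14:02Z 10.0.2.8 -> 10.0.5.22:1433 ccdev_admin
2024-03-02T08:00:00Z 10.0.3.3 -> 10.0.1.1:443 alice
"""

def parse_line(line: str) -> dict:
    """Split one log line into its fields."""
    ts, src, _arrow, dst_port, account = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "account": account}

def triage(log_text: str, decoys: Dict[str, str] = DECOYS) -> dict:
    """Group decoy engagements by source host; traffic that never touches a decoy is ignored."""
    leads: dict = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["dst"] not in decoys:
            continue  # production-to-production traffic: no deception signal
        lead = leads.setdefault(ev["src"], {"first_seen": ev["ts"], "events": 0,
                                            "accounts": set(), "decoys": set()})
        lead["events"] += 1
        lead["accounts"].add(ev["account"])
        lead["decoys"].add(decoys[ev["dst"]])
    return leads

def indicators(leads: dict) -> Dict[str, Set[str]]:
    """Collapse leads into the host and account lists the eradication step works from."""
    hosts = set(leads)
    accounts = {a for lead in leads.values() for a in lead["accounts"]}
    return {"hosts": hosts, "accounts": accounts}
```

Because decoys carry no production traffic, every lead is high-confidence; the `first_seen` timestamp per source also gives the incident responder a starting point for the timeline.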
What this customer learned most from this incident was that even during a compromise, deception technology is a highly efficient and effective way to detect and remediate advanced threats early within the network. Deception is a powerful complement to traditional security tools that are simply not designed to detect threats already inside the network, delivering early and accurate visibility and effectively closing the detection gap. With deception technology, organizations can deploy deceptive assets to detect attackers early, remediate threats quickly, and finally get clear visibility of the network.
Eradicating this threat was an expensive and tedious process for this organization. One of the greatest lessons learned was the power of deception in incident response. At the time, this organization was just being introduced to deception; it is now a major fan of the technology and has increased its investment to cover a broader scope for detection and within its incident response playbook.