{"id":2617,"date":"2018-05-17T11:09:35","date_gmt":"2018-05-17T18:09:35","guid":{"rendered":"https:\/\/www.acalvio.com\/?p=2617"},"modified":"2018-05-17T11:09:35","modified_gmt":"2018-05-17T18:09:35","slug":"detection-of-breach-campaigns-by-using-distributed-deception","status":"publish","type":"post","link":"https:\/\/acalvio.p2staging.us\/index.php\/2018\/05\/17\/detection-of-breach-campaigns-by-using-distributed-deception\/","title":{"rendered":"Detection of Breach Campaigns by using Distributed Deception"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Today&#8217;s breaches are predominantly carried out as a series of sophisticated, multi-stage attacks. The stages involved in such an attack are best described by a &#8220;Cyber Kill Chain&#8221;. The MITRE ATT&amp;CK Adversary Tactic Model [11] breaks cyber intrusions down into the steps shown in the following figure.<\/span><br \/>\n<img loading=\"lazy\" class=\"wp-image-2618 aligncenter\" src=\"https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/image1-1024x235-1024x235-1.png\" alt=\"\" width=\"592\" height=\"136\" \/><br \/>\n<span style=\"font-weight: 400;\">As discussed in the <\/span><a href=\"https:\/\/www.acalvio.com\/dont-be-a-sitting-duck-make-your-breadcrumbs-lures-dynamic\/\"><span style=\"font-weight: 400;\">previous blogs<\/span><\/a><span style=\"font-weight: 400;\"> and the <\/span><a href=\"https:\/\/www.acalvio.com\/wp-content\/uploads\/2018\/05\/Spreading-Techniques-and-Deception-based-Detection-Acalvio-Technical-White-Paper.pdf\"><span style=\"font-weight: 400;\">white paper<\/span><\/a><span style=\"font-weight: 400;\">, the deception solution deploys breadcrumbs and lures at the endpoint. 
These breadcrumbs and lures can be:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Honey authentication values in browsers, such as honey credentials stored in &#8220;HKEY_CURRENT_USER\\Software\\Microsoft\\InternetExplorer\\IntelliForms\\Storage2&#8221; for IE7 or in &#8220;\\Local\\Google\\Chrome\\User Data\\Default\\Login Data&#8221; for Chrome<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Honey mapped drives<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Honey entries in the ARP cache<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Honey RDP links<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Honey entries in the keychain<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Honey entries in files, such as password files under the %APPDATA% folder<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Honey entries in Active Directory<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Honey connections from the endpoint or web server to services such as databases in the network<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Honey email addresses in the Outlook address book<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Honey DNS server<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Honey authentication values in processes such as lsass<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">These endpoint lures point to honey services such as SMB, FTP and databases in the subnet. 
Since the static breadcrumbs are interspersed with the real endpoint assets, there is always a possibility of legitimate assets being used by a threat actor instead of the decoys. This risk can be reduced by increasing the density of the breadcrumbs and lures at the endpoint.<\/span><br \/>\n<i><span style=\"font-weight: 400;\">If there are &#8220;m&#8221; legitimate services and &#8220;n&#8221; honey services, then keeping m \/ (n + m) &lt;= 0.001 ensures that the probability of accessing a legitimate service remains less than or equal to 0.1 %. <\/span><\/i><br \/>\n<span style=\"font-weight: 400;\">In our<\/span><a href=\"https:\/\/www.acalvio.com\/detection-of-prevalent-threats-by-distributed-deception\/\"><span style=\"font-weight: 400;\"> previous<\/span><\/a><span style=\"font-weight: 400;\"> blog, we analyzed six prevalent worms and malware. We discussed the precise breadcrumbs and lures required at the endpoint, the honey services required in the network, and the conditions that lead to their detection. In the following Table 1.0, we have taken three breadcrumbs and listed the breaches that could have been diverted by using them. The three breadcrumbs we have considered are honey entries in the ARP cache, honey mapped drives, and honey passwords in the browser and in processes such as lsass. 
The reports of these breaches have been published publicly and are listed in the references.<\/span><br \/>\n<img loading=\"lazy\" class=\"wp-image-2619 aligncenter\" src=\"https:\/\/acalvio.p2staging.us\/wp-content\/uploads\/2018\/06\/Screen-Shot-2018-05-17-at-11.03.17-AM-1024x868-1.png\" alt=\"\" width=\"568\" height=\"481\" \/><br \/>\n<span style=\"font-weight: 400;\">From the above table we can draw the following inferences:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The deception platform gets triggered during the Credential Access, Discovery and Lateral Movement phases. Hence it complements other defenses, which get triggered during the Initial Access, Execution, Persistence, Privilege Escalation and Defense Evasion phases. These phases are as per the MITRE ATT&amp;CK Matrix for Enterprise.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">In some of the breaches, for example Orangeworm [1], reported on April 23rd, 2018 and targeting hospitals, a deception platform would have been able to divert the multi-stage attack at multiple points by having honey entries in the ARP cache and also by having honey drives.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">These inferences make a deception-based architecture a recommended architecture for preventing modern-day breaches.<\/span><br \/>\n<b>References:<\/b><br \/>\n<span style=\"font-weight: 400;\">[1] New Orangeworm attack group targets the healthcare sector in the U.S. 
, Europe, and Asia, <\/span><a href=\"https:\/\/www.symantec.com\/blogs\/threat-intelligence\/orangeworm-targets-healthcare-us-europe-asia\"><span style=\"font-weight: 400;\">https:\/\/www.symantec.com\/blogs\/threat-intelligence\/orangeworm-targets-healthcare-us-europe-asia<br \/>\n<\/span><\/a><span style=\"font-weight: 400;\">[2] APT37: The Overlooked North Korean Actor, <\/span><a href=\"https:\/\/www2.fireeye.com\/rs\/848-DID-242\/images\/rpt_APT37.pdf\"><span style=\"font-weight: 400;\">https:\/\/www2.fireeye.com\/rs\/848-DID-242\/images\/rpt_APT37.pdf<br \/>\n<\/span><\/a><span style=\"font-weight: 400;\">[3] Bronze Butler Targets Japanese Enterprises, <\/span><a href=\"https:\/\/www.secureworks.com\/research\/bronze-butler-targets-japanese-businesses\"><span style=\"font-weight: 400;\">https:\/\/www.secureworks.com\/research\/bronze-butler-targets-japanese-businesses<br \/>\n<\/span><\/a><span style=\"font-weight: 400;\">[4] A Window into Russian Cyber Espionage Operations?, 
<\/span><a href=\"https:\/\/www2.fireeye.com\/rs\/fireye\/images\/rpt-apt28.pdf\"><span style=\"font-weight: 400;\">https:\/\/www2.fireeye.com\/rs\/fireye\/images\/rpt-apt28.pdf<br \/>\n<\/span><\/a><span style=\"font-weight: 400;\">[5] CozyDuke, <\/span><span style=\"font-weight: 400;\">https:\/\/www.f-secure.com\/documents\/996508\/1030745\/CozyDuke<br \/>\n<\/span><span style=\"font-weight: 400;\">[7] Operation Cleaver, <\/span><a href=\"https:\/\/www.cylance.com\/content\/dam\/cylance\/pdfs\/reports\/Cylance_Operation_Cleaver_Report.pdf\"><span style=\"font-weight: 400;\">https:\/\/www.cylance.com\/content\/dam\/cylance\/pdfs\/reports\/Cylance_Operation_Cleaver_Report.pdf<br \/>\n<\/span><\/a><span style=\"font-weight: 400;\">[8] Muddying the Water: Targeted Attacks in the Middle East<br \/>\n<\/span><a href=\"https:\/\/researchcenter.paloaltonetworks.com\/2017\/11\/unit42-muddying-the-water-targeted-attacks-in-the-middle-east\/\"><span style=\"font-weight: 400;\">https:\/\/researchcenter.paloaltonetworks.com\/2017\/11\/unit42-muddying-the-water-targeted-attacks-in-the-middle-east\/<br \/>\n<\/span><\/a><span style=\"font-weight: 400;\">[9] Monsoon Campaign, <\/span><a href=\"https:\/\/github.com\/Cyb3rWard0g\/ThreatHunter-Playbook\/blob\/master\/adversary_attribution\/MONSOON.md\"><span style=\"font-weight: 400;\">https:\/\/github.com\/Cyb3rWard0g\/ThreatHunter-Playbook\/blob\/master\/adversary_attribution\/MONSOON.md<br \/>\n<\/span><\/a><span style=\"font-weight: 400;\">[10] Leviathan<br \/>\n<\/span><a href=\"https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets\"><span style=\"font-weight: 400;\">https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets<br \/>\n<\/span><\/a><span style=\"font-weight: 400;\">[11] MITRE ATT&amp;CK Adversary Model, <\/span><a href=\"https:\/\/attack.mitre.org\/wiki\/Main_Page\"><span 
style=\"font-weight: 400;\">https:\/\/attack.mitre.org\/wiki\/Main_Page<br \/>\n<\/span><\/a><span style=\"font-weight: 400;\">[12] Stealth Falcon, <\/span><a href=\"https:\/\/citizenlab.ca\/2016\/05\/stealth-falcon\/\"><span style=\"font-weight: 400;\">https:\/\/citizenlab.ca\/2016\/05\/stealth-falcon\/<br \/>\n<\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today&#8217;s breaches are predominantly carried out as a series of sophisticated, multi-stage attacks. The stages involved in such an attack are best described by a &#8220;Cyber Kill Chain&#8221;. The MITRE ATT&amp;CK Adversary Tactic Model [11] breaks cyber intrusions down into the steps shown in the following figure. As discussed in the previous [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":4526,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/2617"}],"collection":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/comments?post=2617"}],"version-history":[{"count":0,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/2617\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media\/4526"}],"wp:attachment":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media?parent=2617"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/categories?post=2617"},{"taxonomy":"post_tag","embeddable":tr
ue,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/tags?post=2617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}