Businesses can guarantee detection of unwanted intruders by setting up a variety of active deception mechanisms across their networks, a new research report has advised in the wake of a live field test that pitted more than 50 white-hat hackers against a range of deception techniques.
Researchers at network-visibility firm TopSpin Security set up a capture-the-flag type exercise in which a defined data set was planted on a target network, which was then surrounded with a host of traps and deception mechanisms. The target network was configured with 29 users, 1491 documents, 5532 emails, 31 installed applications, three full browser profiles, two corporate Web applications, two databases, and a host of supporting infrastructure.
Participating hackers were charged with finding and extracting the data without being detected – and in the end, none were able to do so.
Decoys were found to be highly effective, with two-thirds of the hackers tricked into infiltrating parts of the network that had been configured with network monitors capable of spotting their activity. Others were picked up by deception mechanisms such as data traps and beacon traps, which trigger alarms after any attempts to access false data or applications that no legitimate user or application would ever need to access.
“Diversity was key to effective detection-by-deception,” the report’s authors noted. “Different attackers were drawn to different traps. Non-sophisticated network intel-gathering attempts were quickly and accurately detected by decoys.”
A range of decoys was used, including extra network devices, servers, and desktops that have no actual function within the enterprise. This included 11 decoy systems – including seven Windows 7 workstations, two Windows Servers, and one Ubuntu Linux server – and 95 decoy services.
TopSpin’s test environment also included a range of ‘mini-traps’ including files, documents, email messages with 1x1 tracking pixels, false login credentials, distinctive ‘poisoned data’, and system resources that create a trail of digital ‘bread crumbs’ to pique attackers’ interest.
A total of 61 files, 39 beacon traps, 27 emails, 26 credentials, 12 applications, 10 Internet of Things devices, and 2 network traps were installed and monitored for signs of tampering; like physical tripwires, access to these can then be tracked using beacons that trigger when that specific data is used.
“The more tailored traps and decoys were to the specific environment, they more effective they were,” the report’s authors noted. “By occupying the attacker as much as possible through interaction with the decoy, defenders can also delay the attacker from fulfilling the attack’s real purpose.”
The full report offers a range of tips for businesses keen to get more proactive about building their network-security defences – an approach that is becoming increasingly widely recommended as attackers get bolder and more effective in penetrating networks to exfiltrate data.
Such code has recently been found to be targeting Australian and global banks, with Odinaff malware spotted by Symantec researchers and predominantly targeting the financial sector. Some 34 percent of all Odinaff attacks targeted financial-services companies, with Australian organisations targeted in 19 percent of observed attacks.
These types of attacks reflect the type of infiltration that TopSpin’s deception tactics are designed to intercept. “These attacks require a large amount of hands on involvement,” Symantec researchers noted, “with methodical deployment of a range of lightweight back doors and purpose built tools onto computers of specific interest.”
“There appears to be a heavy investment in the coordination, development, deployment, and operation of these tools during the attacks,” they added amidst warnings that they had uncovered evidence of tools capable of “manipulating SWIFT customers’ transfer logs and wiping computers to hide traces of activity.”
“Custom malware tools, purpose built for stealthy communications (Backdoor.Batel), network discovery, credential stealing, and monitoring of employee activity are deployed. The attacks require a high degree of expertise to perform, but the outcome can be highly lucrative.”