Lure. Deceive. Defeat. - microsoftrnd.co.il kit/bluehat il decks/omerzohar.pdf
Posted on 06-Jul-2018
1Proprietary and confidential
Lure. Deceive. Defeat.: Researching Deception for Accurate Post-Breach Detection
Omer Zohar, Head of Research, TopSpin Security
Agenda
Deception in Post Breach Scenario?!
Putting Deception to the test
How to Deceive
Research Results
Wrap up
Why are we talking about post breach detection?
Patchy perimeters + Chaotic internal networks = Fertile ground for attackers
Attackers have the advantage - Or do they?
The defender’s main advantage is the fundamental control of information
Which leads to the ability to apply Deception
Defining the research questions
Do attackers really take the bait?
What is the ideal deployment strategy?
Are decoys and traps effective in real-life scenarios?
Let the Games Begin
1. Build the Environment (diagram labels: Workstation VLAN, Server VLAN, Infected machine)
2. Add data
3. Deception overlay
4. Build the challenge
5. Bring’em on!
CTF – Stats & Scores
• Ran over a month
• Over 50 security professionals from all over the world
• 6-7 hours on average per player
• 34 Malware samples
• ~1.9M log lines collected
Decorations
• 1491 Documents
• 5532 Emails
• 29 Users
• 31 applications installed
• 3 Full Browser profiles (Chrome, IE, FF)
• 2 Corporate web applications
• 2 Databases
• 1 DC
• 1 DNS Server
• 1 Private cloud service
Hope I didn’t forget anything…
Exploiting the knowledge Gap
Chart: Average # of shell commands to solve CTF, by phase (Phase 1 to Phase 5); bar labels as extracted: 600, 370, 120, 132, 140.
The Knowledge Gap = The difference between attacker’s perception and reality
The knowledge gap quickly decreases over time (but it always exists!)
A knowledgeable attacker = A sophisticated attack
Widen the Gap -> Increase Probability of Detection
Traps
Credentials
• Passwords and Hash injections
• Windows Credential Manager
• Password Managers
Applications
• Session Apps (SSH, FTP, RDP clients…)
• Browsers (History, Passwords, Bookmarks)
• App Uninstall information
Network
• Network Table Caches Poisoning (ARP, DNS, Netbios)
• Mounted Devices (Network Printers, Cameras)
• (half) Open Connection to decoys
File Based
• IT/Corporate Documents (txt, doc, xls, pdf …)
• Canaries
• Emails (as file or inside PST)
• Logs
• Databases
• Recent files
• Hosts and LMHOSTS files
File Based traps
• Simplest trap, yet most versatile
• Understanding the organization is crucial
Examples (figure labels): a plaintext configuration file; a guide on how to use the corporate VPN
ARP Cache
• Static entries :-(
• SYN spoofing :-)
Attackers were 14% more likely to access a decoy if they viewed the ARP table.
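An added example, not part of the deck or TopSpin's tooling: a trap-hygiene check that parses Windows `arp -a` output (constructed sample below) and reports whether each decoy address shows up as a dynamic entry, which blends in, or as a static one, which gives the trap away. The decoy addresses and MAC values are assumptions.

```python
import re

# Constructed sample of Windows `arp -a` output on a workstation that carries two
# decoy entries: 172.20.40.6 was added with `arp -s` (static), 172.20.50.4 was
# learned from spoofed traffic (dynamic). Addresses and MACs are made up.
SAMPLE_ARP_OUTPUT = """
Interface: 172.20.40.10 --- 0xb
  Internet Address      Physical Address      Type
  172.20.40.1           00-50-56-c0-00-08     dynamic
  172.20.40.6           00-50-56-3a-1b-2c     static
  172.20.40.255         ff-ff-ff-ff-ff-ff     static
  172.20.50.4           00-50-56-9e-44-01     dynamic
"""

# Decoy addresses the deception layer is supposed to advertise on this host (assumed).
DECOY_IPS = {"172.20.40.6", "172.20.50.4"}

ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f-]{17})\s+(static|dynamic)\s*$", re.I
)


def parse_arp_table(text):
    """Return (ip, mac, type) tuples from `arp -a` style output; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries


def audit_decoy_entries(text, decoy_ips):
    """Classify each decoy IP as 'dynamic' (blends in), 'static' (gives the trap
    away) or 'missing' (the trap is not present on this host at all)."""
    table = {ip: kind for ip, _mac, kind in parse_arp_table(text)}
    return {ip: table.get(ip, "missing") for ip in decoy_ips}


if __name__ == "__main__":
    for ip, state in sorted(audit_decoy_entries(SAMPLE_ARP_OUTPUT, DECOY_IPS).items()):
        print(f"{ip}: {state}")
```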
Common Applications
• Any Application that contains credentials, locations or useful info
• Can be file or registry
• Installed or not…
• How to create?
Common Applications
• Leaked malware sources are your friends
• 200+ potential applications…
Credential Injections: DCEPT puts honeytoken credentials into memory by calling the CreateProcessWithLogonW Windows API to launch a suspended subprocess with the LOGON_NETCREDENTIALS_ONLY flag.
Guidelines for making a good trap
Non-intrusive, low attack surface, blends in
CTF – Stats & Scores
Deception numbers
• 177 Traps
• 11 Decoys
• 95 Decoy services
Only one clear winner emerged (and has the drone to prove it!)
Trap breakdown: 61 files, 12 applications, 10 IOT, 27 emails, 2 network, 26 credentials, 39 canaries
Who Took My Bait?
• Traps consumed 340 times
• Overall 62% of traps laid were consumed
Chart: Consumed Traps Count per trap type (App, Email, File, IOT, Credential, Canary, Network), showing Traps Touched count and % of Unique Traps Touched; percentage labels as extracted: 90%, 70%, 64%, 50%, 38%, 18%, 50%.
Chart: Consumed Traps Distribution (traps per attacker): Average: 3.09, Max: 21, Min: 1
Man VS Machine
• Malware and Human Attackers present different behavior patterns
• Each Human Attacker triggered ~10.5 traps
• No one trap type covers all attackers.
Chart: Percentage of attackers that consumed each trap type (App, Email, File, IOT, Credential, Canary, Network): % of Human Attackers vs % of Malware.
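An added example, not from the deck, that computes the kind of numbers shown on the last two slides from a constructed trap inventory and consumption log: consumed count and share of unique traps touched per trap type, distinct traps per attacker with average and maximum, and the share of human versus malware attackers that touched each type. Trap ids, attacker ids and events are constructed.

```python
from collections import Counter, defaultdict

# Constructed trap inventory: trap id -> trap type (categories as in the deck).
TRAPS = {
    "t01": "File", "t02": "File", "t03": "File", "t04": "File",
    "t05": "Credential", "t06": "Credential", "t07": "Credential",
    "t08": "Canary", "t09": "Canary",
    "t10": "Network", "t11": "Email", "t12": "App",
}

# Constructed consumption events: (attacker id, attacker kind, trap id).
# An attacker may consume the same trap twice; several attackers may hit one trap.
EVENTS = [
    ("h1", "human", "t01"), ("h1", "human", "t05"), ("h1", "human", "t08"), ("h1", "human", "t05"),
    ("h2", "human", "t02"), ("h2", "human", "t06"), ("h2", "human", "t10"),
    ("h3", "human", "t01"), ("h3", "human", "t11"),
    ("m1", "malware", "t05"), ("m1", "malware", "t06"),
    ("m2", "malware", "t07"),
]


def per_type_stats(traps, events):
    """Per trap type: how often it was consumed and what share of its traps were touched."""
    laid = Counter(traps.values())
    consumed = Counter(traps[t] for _, _, t in events)
    touched = defaultdict(set)
    for _, _, t in events:
        touched[traps[t]].add(t)
    return {kind: {"consumed": consumed[kind],
                   "unique_touched_pct": round(100 * len(touched[kind]) / laid[kind])}
            for kind in laid}


def per_attacker_stats(events):
    """Distinct traps consumed per attacker, plus the average and the maximum."""
    per = defaultdict(set)
    for attacker, _, t in events:
        per[attacker].add(t)
    counts = {a: len(s) for a, s in per.items()}
    return counts, sum(counts.values()) / len(counts), max(counts.values())


def coverage_by_kind(traps, events):
    """Share of human vs malware attackers that touched each trap type."""
    attackers = defaultdict(set)
    hits = defaultdict(lambda: defaultdict(set))
    for attacker, kind, t in events:
        attackers[kind].add(attacker)
        hits[kind][traps[t]].add(attacker)
    return {kind: {tt: round(100 * len(who) / len(attackers[kind])) for tt, who in hits[kind].items()}
            for kind in attackers}
```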
From Traps to Detection
The attackers’ knowledge gap widened with every trap taken
Attackers may not use traps the way we intend them to (but they still get caught!)
One Man’s Gap
Decoy IP      Service
172.20.40.4   RDP/3389
172.20.40.6   FTP/21
? 172.20.40.6   RDP/3389
? 172.20.40.6   SMB/445
? 172.20.40.6   HTTP/80
172.20.50.4   RDP/3389
? 172.20.50.4   SMB/445
172.20.50.4   HTTP/80
172.20.50.6   FTP/21
? 172.20.50.6   SMB/445
• Attacker “expands his horizons”
• Information gap gets wider as attacker gets tangled in the decoy
• Total time wasted > 4H
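An added example (not the deck's or TopSpin's code) of turning decoy telemetry like the table above into detection: over a constructed access log it flags a source that touches five or more distinct decoy services within a minute as a scanner, and reports per source how many services were touched and how long the decoys kept it busy. The log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed decoy-access log: timestamp,source,decoy_ip,service,level (low = connect only, high = session)
DECOY_LOG = """\
2018-05-03T10:00:01,172.20.40.10,172.20.40.4,RDP/3389,low
2018-05-03T10:00:02,172.20.40.10,172.20.40.6,FTP/21,low
2018-05-03T10:00:03,172.20.40.10,172.20.40.6,SMB/445,low
2018-05-03T10:00:03,172.20.40.10,172.20.40.6,HTTP/80,low
2018-05-03T10:00:04,172.20.40.10,172.20.50.4,RDP/3389,low
2018-05-03T10:45:10,172.20.40.10,172.20.40.6,SMB/445,high
2018-05-03T11:20:30,172.20.40.10,172.20.50.4,RDP/3389,high
2018-05-03T09:15:00,172.20.40.12,172.20.40.6,HTTP/80,low
2018-05-03T13:40:00,172.20.40.12,172.20.40.6,SMB/445,high
"""

SCAN_DISTINCT_SERVICES = 5           # this many distinct decoy services ...
SCAN_WINDOW = timedelta(seconds=60)  # ... inside this window counts as scanning (assumed thresholds)

def parse_log(text):
    """Time-ordered (timestamp, source, 'decoy_ip service', level) tuples."""
    rows = [line.split(",") for line in text.splitlines()]
    return sorted((datetime.fromisoformat(ts), src, f"{dst} {svc}", lvl)
                  for ts, src, dst, svc, lvl in rows)

def scanners(events):
    """Sources that hit >= SCAN_DISTINCT_SERVICES distinct decoy services within one SCAN_WINDOW."""
    by_src = defaultdict(list)
    for ts, src, target, _ in events:
        by_src[src].append((ts, target))
    flagged = set()
    for src, hits in by_src.items():      # sliding window over time-ordered hits
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > SCAN_WINDOW:
                start += 1
            if len({t for _, t in hits[start:end + 1]}) >= SCAN_DISTINCT_SERVICES:
                flagged.add(src)
                break
    return flagged

def engagement(events):
    """Per source: distinct decoy services touched, high-interaction events and
    seconds between first and last decoy contact (time the decoys tied up)."""
    report = {}
    for src in {e[1] for e in events}:
        mine = [e for e in events if e[1] == src]
        report[src] = {"services": len({e[2] for e in mine}),
                       "high_events": sum(e[3] == "high" for e in mine),
                       "tied_up_seconds": int((mine[-1][0] - mine[0][0]).total_seconds())}
    return report
```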
Decoy Access
• Contestants interacted with 9.7 different decoy services on average
Chart: Decoy Access By Popular Service group (logarithmic scale)
Decoy Access
• Less than 20% of attackers initiated most decoy events
• Scanning easily detected using decoys.
Chart: Decoy Access Histogram (x: Decoy Services Touched, y: % of All Attackers); peak label as extracted: 71.43%.
High Interaction Decoy Services
• 4 high-interactivity decoy accesses per attacker
• Attackers had a hard time differentiating between decoy and real machines.
Chart: Decoy Access - Only High Interactivity events (logarithmic scale)
High Interaction Decoy Services
• Most scanners continued to interact with decoys
• Service diversity is essential for efficient detection
• Overall, 66% of contestants were detected by decoys.
Chart: Decoy Access by Percentage of accessed attackers (y: % of All Attackers): All Decoy Events vs High Interactivity Events
Diagram: Multiple Detection engines. Decoys: 66%; Data Analysis and Beacons: 38% and 25% (labels as extracted); combined: 100% Detection.
Wrap up
Deception increases attacker knowledge gaps. The bigger the gap is, the easier it is to detect the attacker.
Diversity - Key to get coverage on all types of attacks
Traps and decoys tailored for the organization
End Goal is Detection – not deception! Relying on multiple detection mechanisms will increase detection effectiveness