Post by Nick Palmer, Sales Engineer
Make no mistake: sophisticated attackers rarely behave the way you’d expect, whether they are sitting stealthily on compromised machines for weeks, months or even years, or performing reconnaissance and attacking benign targets with apparently inscrutable motives. At TrapX we have seen incredibly creative examples of the ways that black hats seek to monetise their trade. See ‘Zombie Zero’ for a case study into just this point.
However, one thing does offer a measure of predictability: the desire of sophisticated hackers to stay out of jail, and to maximise the material value of what they’ve managed to exploit. What this means is that the modern hack resembles a game of ‘Thief’ or ‘Assassin’s Creed’ more than the energetic and less subtle ‘Tower of Guns’-type campaign that might have predated ubiquitous IDS and IPS presences. Attackers, having secured a position on your network, will only move laterally once they have identified what they’re sure is an advantageous or potentially valuable target. Further to this, they are able to cover their tracks with extraordinary efficiency. I recall an article that suggested that Russian law so comprehensively punished cyber-attacks on Russian personnel or property that as soon as Russian attackers identified that they had breached such targets, they would completely uninstall themselves from the compromised machines as if they had never been there.
This raises an interesting challenge for security professionals seeking to catch attackers and understand their Tactics, Techniques and Procedures (TTPs). Once the attacker has delivered his payload to the target organisation, he is likely then to perform a complete back-out of the initially compromised system. If you were lucky, you’d be left with a compromised IP address and possibly a packet capture that may reveal some of the tools he used, but all of the really valuable data – Indicators of Compromise, ARP history, browser downloads, possibly unsigned processes – is removed. You’re none the wiser as to how the attacker got in, and the original attack vector could simply be re-purposed in a different location at a different time.
What is clearly required is a means of capturing all of the valuable forensic data from the compromised client machine before the attacker even has a chance to back out of the infected machine. Imagine a laterally moving attacker quietly mapping your network. He is unaware that you have deployed Deception in your environment, so he has identified an interesting network share on the machine he has managed to compromise. He has some cached browser credentials that he is considering exploring. He has some entries in the local hosts file that look promising. As soon as he touches any of these decoys, not only are you alerted, but additional components of the solution immediately begin to capture from the compromised machine exactly the sorts of Indicators of Compromise that are required for effective Incident Response. Even if the attacker realises that he’s breached a decoy and is likely to be discovered imminently, even if he DOES manage to back out and uninstall, it’s too late. The forensic information is captured, and you’re in a position to remediate and ensure that the vulnerability that was used is patched and unavailable for use a second time. At TrapX we call that Advanced Incident Response. Incident Response, accelerated and augmented.
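The trigger-then-capture logic described above, as an added illustration that is not TrapX code: a decoy inventory (a hosts-file name, a share path and a cached credential, all hypothetical), an event stream (constructed), and a triage routine that, on the first decoy touch from a host, immediately snapshots the volatile artefacts the post lists (ARP cache, running processes) before the attacker can back out. The default collectors shell out to `arp` and `ps` on the machine where this runs; any other collector can be injected.

```python
"""Decoy-touch detection with immediate forensic capture (illustrative, defender-side)."""
import subprocess
from dataclasses import dataclass, field

# Hypothetical decoy inventory. No legitimate user ever has reason to use these
# resources, so any touch is a high-confidence signal rather than a heuristic.
DECOYS = {
    "hosts_entry": "fileserver-backup.corp.example",  # planted in the local hosts file
    "share": r"\\fin-archive\payroll$",                # planted network share
    "cached_cred": "svc_backup@corp.example",          # planted browser credential
}

@dataclass
class Incident:
    source_host: str
    decoy_kind: str
    decoy_value: str
    artifacts: dict = field(default_factory=dict)

def default_collectors():
    """Volatile artefacts to grab from the touching host; failures are recorded, not raised."""
    cmds = {"arp_cache": ["arp", "-a"], "processes": ["ps", "-eo", "pid,user,comm"]}
    def run(cmd):
        try:
            return subprocess.run(cmd, capture_output=True, text=True, timeout=5).stdout
        except (OSError, subprocess.TimeoutExpired) as exc:
            return f"collection failed: {exc}"
    return {name: (lambda c=cmd: run(c)) for name, cmd in cmds.items()}

def match_decoy(event):
    """Return (kind, value) when the event's target names a decoy, else None."""
    for kind, value in DECOYS.items():
        if value.lower() in event["target"].lower():
            return kind, value
    return None

def triage(events, collectors=None):
    """Walk the event stream; capture artefacts on the FIRST decoy touch per host."""
    collectors = default_collectors() if collectors is None else collectors
    incidents = {}
    for ev in events:
        hit = match_decoy(ev)
        if hit is None or ev["host"] in incidents:   # already captured for this host
            continue
        inc = Incident(ev["host"], *hit)
        inc.artifacts = {name: fn() for name, fn in collectors.items()}
        inc.artifacts["captured_at"] = ev["ts"]
        incidents[ev["host"]] = inc
    return list(incidents.values())

# Constructed sample events: one benign share access, then two decoy touches.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00Z", "host": "ws-042", "target": r"\\fs01\public", "type": "smb"},
    {"ts": "2024-01-01T10:02:10Z", "host": "ws-042", "target": "fileserver-backup.corp.example", "type": "dns"},
    {"ts": "2024-01-01T10:02:30Z", "host": "ws-042", "target": r"\\fin-archive\payroll$", "type": "smb"},
]
```

Running `triage(SAMPLE_EVENTS)` yields one incident for ws-042, keyed to the hosts-file decoy, with the snapshot timestamped at the first touch rather than at whatever later point the attacker uninstalls.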