Posted by Moshe Ben Simon, Co-Founder, VP Services and TrapX Labs
Today I’d like to share an introduction to our newest project, the TrapX Global Deception Grid (GDG). The GDG is a global network of servers deployed within the Internet. The GDG now spans over 35 countries where we have one or more servers within a data center or in the cloud. Each of these servers includes multiple instances of our DeceptionGrid™ product. The DeceptionGrid platform deploys and surrounds real IT resources with imitation IT devices (traps). Further, our DeceptionTokens™ sensor capabilities layer the GDG with an array of “lures” placed within our existing IT endpoints and servers. This combined and powerful array of traps and lures reduces time to breach detection and authoritatively identifies attackers.
To make it more challenging for attackers, each emulated server is populated with a shifting, growing and changing set of data designed to entice an attacker that penetrates that network. Some of the server IP addresses also change on a randomized basis. Further, our DeceptionTokens are similarly updated and “shape-shifted.” The combination of these technologies and techniques ensures that attackers are unable to identify these systems as decoys, allowing us to easily identify an attack and record valuable information about each and every attack.
These are human attackers – the people behind the term advanced persistent threat (APT). They are well funded, motivated, and highly sophisticated. Funded by organized crime, or worse yet, nation states, they have the best training, funding, and sophistication in the cyberwar environment. We’re toe-to-toe with them and we’re shape-shifting in real-time to deceive them, understand how they work, and ultimately make sure we have the tools that allow our customers to defeat them.
The goal is to identify attackers that have already penetrated our network and servers. We’re validating the integrity of our deceptions, as we do at our customer sites. Most important, we are building a deep understanding of human attackers and how they work. We’re watching their activity carefully. We’re able to track and understand their behavior and build models for how they move through the enterprise.
The GDG allows us to profile attacker behavior. We are watching their activities carefully, assembling profiles, tracking IP addresses and noting the behavior of groups and individual players. Every human attacker has a methodology and ultimately a signature. We are constantly finding them without their knowledge. Sometimes we are able to associate seemingly innocent IP addresses from multiple sources together to show that these are related to the same attacker. This is all “zero-day” information. Most of the time the IP addresses we find are not associated with any known malware or attackers.
In order to support this project, the team at TrapX Labs used our tools and automation to assemble substantial quantities of fake or “spin” data both for the DeceptionTokens and for the emulated traps. This included CRM and financial data, a wide variety of assorted files, customer records, and financial systems. We also provided servers that were set up as SCADA (Industrial Control Systems) servers. Our automated recording of all network traffic from all sensors into a massive database allows us to correlate this information using advanced analytics and big data to better understand attacker patterns. The traps were set – we sat back and waited.
The response was pretty instantaneous. This is amazing when you consider that these are sophisticated human attackers. These cyber attackers are regularly exploring servers around the globe and hail from almost every location that we know. We’re able to identify and track them and build profiles on their activity. They have not discovered our deception and continue to move, unsuspecting, deeper into our traps.
Let’s look at the anatomy of one particular attacker we discovered. This attacker initially set off an alert and was subsequently tracked inside one of our emulated financial servers. The attacker’s IP was 46.19.141.xxx. We had a large quantity of files within the server, which included a variety of fake password/user files and databases. Each server/application was identified by IP address so that you could log into the server to access the data and applications. We investigated this attacker at IP 46.19.141.xxx and found that this initial attacker was coming from a network associated with a hosting company in Zurich, Switzerland. Someone inside that network was using their information assets to attack our GDG resources. More importantly, this IP address was not in any current threat intelligence database.
Now the deception was firmly in place. Within one of our text file tables, we directed the attackers to servers that were also GDG components. One particular text file included a table of usernames, passwords, and servers. Anyone who used that username and password must have obtained them from the GDG server that was originally attacked.
Then the most interesting things happened. Fascinating really.
We found our second financial server under attack using the password information that could only be obtained from the first server. Gotcha! We were reasonably certain that this was the first attacker now coming back using a different IP address to reap additional spoils and to steal data or divert funds. Clever, but not quite clever enough!
This attacker now came from a different IP address, 5.254.65.xx, which we were able to determine was associated with a virtual private network called Zenmate(r). Our team was able to determine that this IP belonged to Zenmate by analyzing the SSL certificate behind the IP. Zenmate provides a virtual private network, which the attacker then used to encrypt his activity and obfuscate his physical location.
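The two-server credential trail above is, in effect, a honeytoken correlation rule: a credential that only existed in trap 1’s lure file turning up as a login on trap 2 ties the second source address to the first. The following is an added sketch of my own (not DeceptionGrid code) of how such a rule links source addresses; the trap names, the lure credential and the IP addresses are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    trap: str              # trap host that recorded the activity
    src_ip: str            # source address (constructed sample values below)
    kind: str              # "read" of the lure file, or "login" attempt
    username: str = ""
    password: str = ""


@dataclass
class Correlator:
    tokens: dict = field(default_factory=dict)    # (user, pass) -> planting trap
    readers: dict = field(default_factory=lambda: defaultdict(set))  # trap -> IPs that read its lure
    clusters: list = field(default_factory=list)  # disjoint IP sets, one per suspected attacker

    def plant(self, trap, username, password):
        self.tokens[(username, password)] = trap

    def observe(self, ev):
        if ev.kind == "read":
            self.readers[ev.trap].add(ev.src_ip)
            return None
        origin = self.tokens.get((ev.username, ev.password))
        if origin is None:
            return None          # not one of our lures; nothing to correlate
        # The credential could only have come from the origin trap's lure file,
        # so the login source is linked to every address that read that file.
        linked = {ev.src_ip} | self.readers[origin]
        self._merge(linked)
        return {"target": ev.trap, "leaked_from": origin,
                "src_ip": ev.src_ip, "linked_ips": sorted(linked)}

    def _merge(self, ips):
        # Fold every existing cluster that shares an address into one set.
        merged = set(ips)
        for c in self.clusters:
            if c & ips:
                merged |= c
        self.clusters = [c for c in self.clusters if not (c & ips)] + [merged]


def demo():
    c = Correlator()
    c.plant("fin-trap-1", "backup", "Winter2014!")   # lure credential on trap 1
    events = [   # constructed sample events, not real log data
        Event("fin-trap-1", "192.0.2.10", "read"),
        Event("fin-trap-2", "198.51.100.7", "login", "backup", "Winter2014!"),
    ]
    alerts = [a for a in map(c.observe, events) if a]
    return alerts, c.clusters
```

Because clusters are merged on any shared address, a third login with the same lure credential from yet another VPN exit joins the same attacker set rather than opening a new one.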
So what did we learn?
- Deception technology continues to provide the highest fidelity security data from attackers in real time, allowing users to identify an attack immediately, while recording their activity through a set of “decoy” infrastructure. We continue to validate our architecture and approach.
- We’re able to continually fool very sophisticated attackers, and to observe and correlate their behavior over time. Automated technology enables us to build profiles on these attackers and to document activity on attackers that exist in the other databases. We’re building a web around the attackers.
- We correlated two different IP addresses against this one attacker. Yes, it will take more activity to thoroughly identify this attacker, but we have a starting point that, without our GDG, would otherwise not have been identified. As we continue to observe additional behavior, we will be able to triangulate their position more accurately. We have as much time as they do, perhaps more.
- We’ve also discovered through behavioral analysis, for example, the types of files they seek to compromise. Most of the time they download everything, but what do they really look at carefully? Right now Microsoft(r) Excel files seem to be leading the pack, along with text files and Microsoft Word documents. Other documents such as Microsoft PowerPoint or Adobe(r) PDF seem to be less of a priority for them.
- This particular set of attackers doesn’t seem to be looking for password information in such files. However, they may be looking for intellectual property so these may be attractive for other reasons.
All in all, this has been both validation of our technology approach, and overall fascinating!
We will have more to share on the Global Deception Grid, and many more global statistics to publish over time as our network continues to gain momentum. As we always say, attackers beware, DeceptionGrid is out there. We’re working for our customers, standing tall with the security operation center team, to fight cyber attackers, detect them rapidly, and then to help you defeat them.