When we talk about deception, we usually talk about detecting and preventing an attacker from executing lateral movement and accessing organizational assets. This post discusses using deception to actively catch an attacker who’s already deeply and comfortably entrenched in the network, and is a primer to our soon-to-be-released whitepaper on the same subject.
What’s different about an entrenched attacker?
We begin by describing the main differences in behavior between attackers who are new to the organization’s network and attackers who are deeply entrenched and have remained undetected in the network for some time. The first difference that should be addressed is the attacker’s need to be active and move around in the network. From a deception perspective, one of the main things separating an attacker who’s positioned inside a network from a new attacker is that a new attacker will usually not have access to the company’s inner data, communications, and so on. Therefore, they must work with what they find and try to use any lead they come across as information for lateral movement. As defenders, this works quite well to our advantage, as at this point we can bait the attacker to use our breadcrumbs for lateral movement. In contrast, an entrenched attacker who has had time to thoroughly learn the environment, gain a foothold, and position themself well would need a good reason to take action.
The second difference we need to talk about is the attacker’s knowledge about the company and network. It wouldn’t be wise to say that a new attacker knows nothing—if they knew nothing, they wouldn’t have found a way in! With regard to the company, a new attacker has lots of data available online, plus whatever intel they manage to gather from within the network. In terms of knowledge about the network as a whole, they probably know much less. However, they do have knowledge about their current surroundings, as well as information about the network that’s available from outside (from Shodan or their own scans).
We also know that a new attacker is invested—they didn’t get all the way into the network for nothing! They are usually working actively within the network, getting in and out each day, trying to move laterally and escalate their privileges. An entrenched attacker, on the other hand, doesn’t need to do any of that; they’ve got at least a good grip on the network, if not full access to the production servers, and therefore don’t have to work as hard. They just sit back and watch as your valuable information is being exfiltrated into their hands.
The main differences between a new and an entrenched attacker can be summed up in this table:
What is a powerful grip?
Before we get into getting an attacker out of their hole, we need to understand the meaning of an attacker being entrenched, and what the capabilities of this attacker are. When we assume that the attacker is positioned well, it typically means they have the following:
- Domain Admin credentials, or equivalent
- Access to the company’s mail servers, allowing them to read and/or spoof emails
- Knowledge of key personnel in the company
- Access to the company’s key systems
Making an entrenched attacker act
OK, so now that we know who we’re dealing with, let’s talk about why anyone would reveal themself when they have this much control over the network. Basically, when an attacker has a strong grip on a network, they will not rush to act. Usually, they get the information they need by using an automated (to some extent) system that doesn’t require too much effort on their part.
Typically, when an attacker does act, it is due to the following reasons:
- They’re looking for a new source of information
- They’re looking for a backup source for the info they’ve already got
- They’re reacting to changes within the network. Those changes can be:
  - Data changes – a source of information they’re currently collecting is moving to a new location
  - Security changes – another security utility is added to the network, and they need to make sure it doesn’t affect them
  - Routine maintenance – credentials they’re using are being replaced
  - Personnel changes – people get fired and hired all the time, and attackers care about it, especially if the new fire/hire is a key person in the company
- They believe they are under investigation, and try to protect themself
Want to read more? Stay tuned for our whitepaper on the subject, which will go into detail on the above topics and dive further into how to use cyber deception to make an entrenched attacker act.
Shay Ingber, Cyber Security Engineer
Shay is a Cyber Security Engineer at Cymmetria, where he works on both research and development as part of the R&D team. Previously, Shay served as a non-commissioned officer in a cyber unit within Unit 8200 (Israel Defense Forces).