Reverse Deception: Organized Cyber Threat Counter-Exploitation (120 page)

Has the threat
decided
to take the actions you thought he might take (careful not to mirror)?

Has the threat
acted
on those within the constraints you envisioned? Has he acted in such a way that will cause you to modify your action/reaction plan?

Vetting Deceptions

It has been one week since you set your plan in motion. You noticed a problem on your network, conducted an analysis to determine what you thought was your focus’s goal, and set up an environment in which your focus would be successful, or so he thought. You had a wide range of options, but chose to establish a honeypot, populating it with information you assessed the focus would find desirable. The honeypot you set up with a plethora of supposedly valuable documents has been successfully compromised by the attacker. Now it is necessary to see if your focus has taken the bait.

Monitoring the logs of your analysis system allows you to view exfiltration activity, providing you with immediate feedback of whether your deception operation is proceeding as planned. If you view the log and notice that your focus took only one of your “priceless” documents on one day, don’t despair. The focus may be the cautious type, determining if the document contained anything he thought was valuable and deciding if his newfound gold mine was legit. If the focus keeps coming back to grab more documents, then you can feel reasonably assured that your deception operation is proceeding as you desired. On the other hand, don’t be surprised if the focus grabs all of those documents in one fell swoop. This is not uncommon, as he may be worried that he will lose access before all the items could be obtained. If this happens, still keep watch to see if the focus returns, as this may be an indicator that he believes the environment and documents are real.

The information you placed on your honeypot is only one aspect of your deception operation though. It may be that the focus doesn’t desire your sensitive information (though given the nature of adversarial operations these days, that’s unlikely). You still have the opportunity to monitor the logs and learn how your focus operates. If the attacker stays focused on this honeypot, he may be convinced that this was his target. The longer he stays in the honeypot, the more you can learn, and the more time you will have to shore up the defenses on your real network based on your newfound knowledge of the attacker. If the threat is not seeking your sensitive information, and is simply looking to use your corporate resources for further nefarious activity, then you will have a better understanding of the threat and the knowledge that this is possibly an opportunistic threat. The biggest caveat about honeypots is that the focus may use them to move further through your network and into a partner’s network or other trusted networks that your enterprise is connected to.

If the documents were the threat’s target, how you vet the success of your deception now depends on the type of information you put in those documents. Unfortunately, this may take a little patience. If you placed information related to your company strategy or your latest product, you will need to keep an eye on your competitors. If you notice they have announced a new product or a change in their own strategy that loosely matches where your company was going, this may be an attribution indicator. A military organization may take a different approach. If the military unit placed false defense plans on the honeypot, it could watch and see if any friends or foes have taken measures to counteract the discovered plans. Once again, this can provide clues that the deception operation is working, while also helping determine the culpable party.

Vetting your deceptions may be a short-term proposition, may extend to be a long-term observation activity, or both. Whatever the case, when working your deception operation, be prepared to constantly evaluate your successes and failures.

Vetting Perceptual Consistency in a Deception

When building a deception, you need to ensure all facets of the deception are timely and in place in order to make sure your focus does not identify the deception and move away from it. Your goal is to have the focus of your deception welcome the information being fed to him in order for your operations to successfully continue.

Here is a quick list of things to think about when you are vetting the perceptual consistency of a deception against a focus:

Network layout
Does the deceptive component of your network look just like the operational/production components of your network?

Host configuration
Does the deception encompass the true host-based configuration of the rest of your enterprise (specifically if you have a corporate image or build)?

Host profiles
Does the user account naming convention match what an active threat would be used to seeing across your enterprise?

Host content
Does the host have the appropriate types of content on the system, such as the following:

        
Documents surrounding what employees may have on their systems (in practice, you can leverage documents from systems that have already been compromised or modified versions of originals)

        
Browser favorites consistent with interests of an employee of your organization

        
Browser history consistent with an individual of the organization