Reverse Deception: Organized Cyber Threat Counter-Exploitation (68 page)

Adobe PDF

Compressed ZIP files

Public key infrastructure (PKI) and other certificates

At this point, several new documents were generated by the CCI team that were newer than the information that had been on Mr. Smith’s system. The analysis team also sent this information from a known colleague of Mr. Smith to increase the perceptual consistency and authenticity of the transmitted materials. Some of the documents provided information on special research and development initiatives that were crucial new security technologies that would change the face of the organization’s security posture.

The team sat down and discussed the deception plan, They decided that in order to lure the cyber threat out into the open, they would need some juicy false intelligence to
focus
the threat on a specific
objective
within a
timely
manner. This would allow the CCI team to identify how motivated, skilled, and resourceful the active threat was. The CCI team leader spent a day interacting with other officials, and decided that a project that had been proposed six months earlier and was benched was a great fit, if certain modifications were made to the proposal materials within a 24-hour period. The next step was to
integrate
the plan into the rest of the organization by having a handful of other senior members begin a dialogue with Mr. Smith via e-mail about this new project and how important and critical the project was to the overall organization’s competitive advantage. Mr. Smith received and sent e-mail messages with a perceptually consistent theme, and the other executives replied with short but very strong messages, after taking seemingly enough time to review the content.

This content included a project proposal, financial information, logistical information, and even some information on a recently initiated demo of that new competitive advantage system. This was all performed within a 72-hour period, ensuring the focus had remote access to the local backdoor the threat currently held over this honeypot image of Mr. Smith’s system.

By monitoring the processes and functions of the honeypot, the CCI team was able to clean Mr. Smith’s real system, and everything that was on his system was analyzed. Fortunately, the enterprise security team had a full packet-capture system for their enterprise network. They were able to determine how much information may have been leaked from Mr. Smith’s production image. After identifying that only minimal information had been leaked, as the threat didn’t use any form of encryption on the first- or second-stage Trojan, it was easy to see what was left. Once the team had determined that not enough information had been leaked, they decided to continue with the deception operation against the elusive threat.

After the stage had been set with the content-staged information (falsified information to mislead the focus), and the organization manufactured dialogue regarding this new project and its importance, the Trojan on Honeypot 1 transmitted the findings to the remote server. The Trojan collected every piece of information that had been staged by the CCI team. The only step was to watch and wait for the focus to change the threat’s direction to that new project, which were in reality systems within a honeynet (Honeynet 2) using a customized third-generation honeynet suite. Unfortunately for the threat, the focus did change the team’s objectives, and entered the honeynet that was waiting for the threat. More information on currently available honeynet solutions will be covered in depth in
Chapter 8
.

Postmortem

The CCI team collected volumes of valuable intelligence on the threat over the course of a few weeks. Once there was enough intelligence collected on the tools, tactics, and objectives of the threat, the CCI team turned off all of the systems and moved on to the next set of intrusions. Mr. Smith had access to his cleaned system, and the intruders were attributed to an ongoing intrusion set against the organization that had been an ongoing threat for well over eight years (Chinese hackers). One of the threats had even inadvertently typed into the system shell a few sentences to a colleague, which were probably meant for another application or an instant messenger platform and their true identities (source of the threat, Chinese hackers) had been divulged inadvertently and things went back to how they were.

For the purpose of this tale, we cannot divulge specifics, but can convey the overall steps that were taken to lure the focus into taking action against the threat with a fully planned operational deception that lured a targeted threat into an area where it could be monitored, analyzed, and attributed (thanks to the unobservant Chinese hacker).

Conclusion

You have just read a handful of tall tales based on professional experiences of the authors. We needed to move things around a little, but the context is completely accurate, and the steps that were taken are also accurate.

There are many ways to implement an operational deception within your organization to counter an active threat. Most important to the operation is the coverage from your leadership and legal departments. However, there are things such as honeytokens (digital traps, accounts, or files that shouldn’t be touched, and when they are touched, the security team is notified) that can be used as trip wires (booby traps). Threats can also use radio frequency-based technologies to hop from one device to another (such as from portable electronics to a PC or printer) and propagate from there. These types of deceptions can be found only by investigating (having access to) the network traffic.

By using the control of your enterprise, you can do almost anything you must in order to get the intelligence you need to control the battlefield terrain (your network). Remember the principles of deception: determine the motivation and intent of the threat. Without performing some level of counterintelligence operations, you will not learn anything, and the onslaught will continue.

In the next chapter, you will learn about some of the tools, tactics, and methods used in some of these tall tales (and also some tall tales that were taken out by a three-letter agency as we were on the verge of going to jail for writing about them). But if you want more information, feel free to catch up with one of us at a conference.

CHAPTER

8

Tools and Tactics

T
here are numerous ways you can interact with an advanced or persistent threat. Most organizations will simply take the compromised machines offline and have them rebuilt for circulation back into the enterprise. This may suffice if you are dealing with an opportunistic criminal who has no direct interest in your enterprise’s data. However, this approach almost never works when you have a persistent threat that is willing to use advanced techniques to maintain a steadfast presence on your network for a specific motive or objective.

One of the most important things you need to remember is that you have physical control of your enterprise (in theory), while your attacker is likely far away without any direct physical access to your network. This is a serious advantage that most organizations overlook: you have the ability to choose where to battle or engage an adversary within the confines of your own enterprise. Some may not feel this is the best choice and we argue with that concept. In a perfect world threat would be external to your enterprise and we do not live in a perfect world. We know at this very moment your enterprise has at least one form of malicious code running through one of your systems or devices. The “not” knowing where a threat
is
within your network can be extremely damaging.