Originally published in Information Magazine on March 26, 2018.
Machine automation provides leverage to attackers to scale out attacks beyond human capacity. However, machine analysis has its limits on the types of data it can assess compared to human capabilities. Recently Fidelis Cybersecurity completed a capture the flag exercise with deception defenses involving over 50 white-hat hackers and a dozen automated malware types. This enabled Fidelis to analyze a human attacker’s behavior versus malware behavior, or how humans and malware would interact with the deception layer.
In this blog series, we first learned that early detection is critical while the knowledge gap is wide for attackers as they quickly become more effective and evasive the more they learn about a network environment. Next, we gained some critical insights on breadcrumb, trap, and decoy varieties that can help make deception defenses deterministic. We also learned that any deployed deception layers need automation to be kept current and dynamic to be as realistic as possible to lure and engage attackers and thus diverting them away from real assets, resources, and data.
Now we turn our focus on the differences between human attackers and automated malware attacks involving deception defense elements. The chart below shows the differences for traps and breadcrumbs touched by humans versus malware within the capture the flag exercise. The number below each trap type is their volume represented within the deployed deception layer.
The results clearly show that automated malware attacks prefer structured data (e.g. applications and web browsers), whereas, humans prefer unstructured data they can freely analyze (e.g. information within files and emails). For the most part, both human and malware attackers seek credentials and information to gain access within the network environment they target. This distinct pattern enables deception defenses to quickly determine the type of attack – human or malware.
With regards to passwords and credentials that were used as breadcrumbs, participants in the exercise discovered two passwords on average and then utilized each one 2.5 times on average. The maximum reuse of a single password was 11 times in 11 unique places.
Pro-Tip: If you use the same password for multiple systems, this analysis shows you should avoid this practice. Migrate to unique long pass phrases with less rotation and always consider multi-factor authentication when available.
In general, human attackers are attracted to files that may contain configuration instructions for an application with a username and password for a specific individual or a shared account. Another popular file example is technical documents such as those providing information on how to use a corporate VPN service. Personal files with confidential information, IT/Corporate files, logs, databases, and reviewing recent files for Windows or Office are popular with human attackers and make good breadcrumbs and traps. Poisoned data within files including fake, planted credentials provides a valuable lure to detect attackers as they reuse them.
On the other hand, malware due to its machine automation prefers structured data found in applications. Examples include session apps (SSH, FTP, RDP clients, etc.), web browsers (history, passwords, bookmarks), and uninstall information for applications. Almost every application saves some type of information useful to attackers and often in a structured data format. Learning about how malware analyzes applications is aided by the leaking of trojan programs on the internet. There are over 200 known applications repeatedly monitored by malware automation making reconnaissance a valuable activity.
Understanding the differences in how humans and malware approach attacks creates the opportunity to create an active, intelligent deception defense to lure, detect, and defend. To learn more about deception and the capture the flag exercise, read the entire in-depth white paper. The next blog in this series we will address the myths of deception defenses.