Doron held executive and management roles in cyber security and software development for over 25 years. He now serves as the CTO for Deception at Fidelis Cybersecurity. Doron founded TopSpin Security...
Intelligent deception technology exploits an attacker's need to discover as much as they can about where they are in the organization's network immediately after compromise. That discovery is a process, not a single event.
We have covered Active Directory and credential breadcrumbs, and file and data breadcrumbs, and how they play important roles in intelligent deception. Now we look at network and application breadcrumbs and how they can be vital threat intelligence sources and important elements in your intelligent deception program.
Decoys are designed to create network noise in a number of ways to lure attackers. A decoy communicates with assets in the organization, talks to the DNS server, and publishes itself using the same protocols that real assets use to announce their existence to the environment. This behavior is an effective lure for attackers looking to conduct man-in-the-middle (MITM) attacks: it adds entries to the ARP (address resolution protocol) cache of real hosts and shows open connections to the decoys. Attackers who inspect the ARP cache for interesting IP and MAC addresses spot the decoy entries and either pursue that false trail or interfere with the protocols that lured them in an attempt at MITM interception. Either way, the interaction with the decoy triggers automated, validated alerts to the security team.
Application breadcrumbs should ideally be broad and varied. Session application breadcrumbs drop tempting SSH, FTP and RDP credentials for would-be attackers. Web browser breadcrumbs create a trail that leads to decoys through browsing history, cookies, stored passwords and bookmarks. The deceptive illusion comes alive when attackers see the data they expect to find.
Deception solutions are a very good source of threat intelligence and a good way to detect infected assets inside the organization. Because they interact with attackers, unlike perimeter or endpoint solutions that attempt to block them, they can monitor attacker activity and track the patterns of their advance.
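The alerting side of the two passages above (decoy interaction as a validated alert, and decoys as a threat intelligence source) can be demonstrated with a small example. This is added illustration code, not Fidelis or TopSpin code; the decoy inventory, the flow-log format and the sample log lines are all constructed, and the severity rule (more than one decoy touched, or a port the decoy never advertised) is an assumption about what separates an attacker following a planted breadcrumb from one scanning the segment.

```python
import re
from collections import defaultdict

# Constructed decoy inventory (hypothetical addresses): decoy IP -> name and advertised ports.
DECOYS = {
    "10.0.5.21": {"name": "fileshare-decoy", "ports": {22, 445}},
    "10.0.5.22": {"name": "intranet-web-decoy", "ports": {80, 443}},
}

# Constructed flow-log format: "<ts> <src_ip> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$")

def parse_flow(line):
    """Parse one constructed flow-log line; None when it does not match."""
    m = LINE_RE.match(line.strip())
    return None if not m else {**m.groupdict(), "port": int(m.group("port"))}

def decoy_alerts(lines):
    """One alert per source host that touched any decoy.
    Real assets have no reason to contact a decoy, so a single flow is already a
    validated alert; severity is 'high' when the source touches more than one decoy
    or probes an unadvertised port, which looks like a scan rather than a followed breadcrumb.
    """
    touched = defaultdict(set)   # src -> decoy IPs contacted
    off_port = defaultdict(int)  # src -> probes of ports the decoy never advertised
    for line in lines:
        ev = parse_flow(line)
        if ev is None or ev["dst"] not in DECOYS:
            continue             # malformed lines and traffic between real assets are ignored
        touched[ev["src"]].add(ev["dst"])
        if ev["port"] not in DECOYS[ev["dst"]]["ports"]:
            off_port[ev["src"]] += 1
    alerts = []
    for src in sorted(touched):
        sev = "high" if len(touched[src]) > 1 or off_port[src] else "medium"
        alerts.append({"src": src, "severity": sev, "unadvertised_port_probes": off_port[src],
                       "decoys": sorted(DECOYS[ip]["name"] for ip in touched[src])})
    return alerts

# Constructed sample log: 10.0.3.14 follows a planted SSH breadcrumb once;
# 10.0.3.77 sweeps both decoys, including an RDP port the file decoy does not offer.
SAMPLE_LOG = [
    "2024-01-01T09:00:01Z 10.0.3.14 -> 10.0.5.21:22 tcp",
    "2024-01-01T09:00:05Z 10.0.3.14 -> 10.0.9.8:443 tcp",
    "2024-01-01T09:01:10Z 10.0.3.77 -> 10.0.5.21:3389 tcp",
    "2024-01-01T09:01:11Z 10.0.3.77 -> 10.0.5.22:80 tcp",
    "malformed line that does not parse",
]
```

Running `decoy_alerts(SAMPLE_LOG)` yields a medium alert for 10.0.3.14 and a high alert for 10.0.3.77; the source addresses and probed ports in those alerts are the kind of internal threat intelligence the last paragraph refers to.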