Going on the Offense to Seed the Hunt
Varying degrees of attacking back have been hotly debated for years. Everything from fear of retaliation to collateral damage. Proponents claim that what we as a security collective have been doing for years is simply not working. The truth is, breach after breach is reported despite the millions, if not billions, of dollars spent by organizations to secure their assets. I will not try to solve the debate here; however, as a threat hunter, there are certain areas of Offensive Countermeasures, or Active Defense, that can readily be used to track down an adversary—and hopefully before any real damage occurs.
Recently, an update to the long-standing Computer Fraud and Abuse Act (CFAA) (18 USC 1030) was proposed. This draft provides verbiage around “active cyber defense” which talks about the ability for “hacked” victims the ability to attribute and in some cases, stop the attack—and possibly from outside the affected organization. This is being categorized as “hacking back”, which could have ramifications not yet known. In October 2016, a project was conducted by the Center for Cyber & Homeland Security at the George Washington University. The project explored the private sector and use of Active Defense Against Cyber Threats. It is clear that this “grey area” requires some legal guidance, and fast. In the interim of this seemingly lengthy debate, there are areas of Active Defense that can be leveraged today, and within complete legal bounds.
One technique that is becoming new again is that of “deception.” It’s a new phrase, similar to threat hunting, in that it is revitalizing an older practice. In many cases, these deception technologies mimic honeypots and honeynets, where some are more sophisticated means to detect attacks against domain controllers. Gartner recently published the search statistics of their clients who have searched for deception technologies in their system. Since last year, the results are up 6%.
For me these results signal a coming change, which may help organizations get a better grasp on who their adversaries are and what they’re truly after. Like many things, there are varying degrees of deception techniques that can be employed.
Active Defense: A Cyber Continuum of Force
Similar to the Continuum of Force, Active Defense provides guidance on how and when varying degrees of cyber force should be applied. It can also provide an organization the means to apply some techniques and not others based on the tolerance for such behavior by the organization (and the organization’s legal team). In the book Offensive Countermeasures: The Art of Active Defense, the major areas of Active Defense can be broken up into three major categories:
- Annoyance: Techniques that help to frustrate the attacker in hopes they will pick an easier target (you don’t have to outrun the bear, just your friend). You will probably have no problem implementing these techniques today.
- Attribution: Tracking the source of the attacker to an applicable level. This could be country, organization, or even the individual. You would have minimal resistance leveraging these techniques. Google knows your location, why can’t you know the location of someone who is stealing your data?
- Attack: Means to fire back at the attacker. Possibly not engaging in hacking per se, but what if an attacker deliberately scanned your honeypot? Can you then scan them back? You would have a great deal of push-back at the organizational level implementing these techniques today.
Selecting the first two categories are low cost (in both time and money) for a threat hunter to help seed a hunt for more advanced adversaries.
Attribution for the Threat Hunt
One of my favorite areas to focus on as a threat hunter is the attribution category of Active Defense. I’ve often wrestled with the assertion that it doesn’t matter who is attacking you, it just matters that you’re being attacked. Carrying that mindset, IMHO, is doing you and your organization a dis-service. The main reason is because this mindset requires you to be prepared for any and everything. There is no priority and without a priority, alerts will be missed, vulnerabilities will go unpatched, and by the time it is realized, it could be too late to contain the behavior. I have adopted the mindset that knowing who is attacking you can help better understand their targets, motives, and implications to your organization if that adversary is to succeed.
Method One: Seeding with Honey Tokens
If in the course of prioritizing your hunts, you’ve realized that an insider threat or threat posed by an advanced adversary is high on the list, there’s a chance that they could be after confidential or classified material. If hunting is truly the proactive pursuit of abnormal activity that may point to a compromise, intrusion or data exfiltration, then I want to know as soon as possible if any of this behavior has taken place, or will take place. Enter honey tokens. A simple and relatively older concept, they serve as a means to help alert on unwanted behavior as it begins to take place within you network. For example, staging numerous documents that, when opened, produce a call-back to a web-bug-server. The results could be used to help indicate potential discovery and exfiltration. If the source IP address is one that is not from your organization, this could indicate that data exfiltration is occurring (or about to occur). As a hunting concept, the following workflow can serve to better illustrate how the use of a honey token can be leveraged to seed the hunt—especially when looking for insiders.
Another, and very low-cost solution, would be the implementation of Active Domain Active Defenses. What? Basically, one technique is to seed your Active Directory environment with Domain Admins whose logon hours are set to none. Any attempt to logon is a sure bet that something is not right, or in other terms: time to go hunting!
Although fiercely debated, the areas of annoyance and attribution from an Active Defense perspective can derive some great data for a hunt. Many older techniques are being upgraded, such as honeypots, and rebranded as deception technologies. Because each organization’s appetite for interacting with an adversary is different, the continuum of cyber force can be applied with Active Defense. Leveraging these techniques, IMHO, produce outstanding areas to begin focusing the hunt. Stay tuned for part two of this post where more specifics on how to setup some of these techniques and how to pivot from alerts to find potential insiders or advanced adversaries.
For further information:
- Watch Matthew’s Threat Hunting training session on analyzing suspicious network activities.
- View this webinar on threat hunting for misbehaving PowerShell activity.
- Check out his Q&A interview on threat hunting with active defense techniques.
- Read this post on examining network patterns hunting Powershells.