Acalvio Logo

Today’s breaches are predominantly carried out in a series of sophisticated, multi-stage attacks. The stages involved in such an attack can best be described by a “Cyber Kill Chain”. This, as per MITRE ATT&CK Adversary Tactic Model [11] breaks down cyber intrusions into the steps shown in the following figure.

As discussed in the previous blogs and the white paper deception solution deploys breadcrumbs and lures at the endpoint. These breadcrumbs and lures can be :

  • Honey authentication values in the browsers such as adding honey authentication in “HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\IntelliForms\Storage2” for IE7, honey authentication values at “\Local\Google\Chrome\User Data\Default\Login Data” for Chrome etc..
  • Honey mapped drives
  • Honey entries in the ARP cache
  • Honey RDP links,
  • Honey entries in the keychain
  • Honey entries in the files such as password files under %APPDATA% folder.
  • Honey entries in the active directory
  • Honey connection from the Endpoint / Web Server to the services such as databases in the network,
  • Honey email addresses in the address book of Outlook,
  • Honey DNS server,
  • Honey authentication values in the processes such as lsass.

These end-point lures point to the honey services such as SMB, FTP, Databases in the subnet. Since the static breadcrumbs are interspersed with the real endpoint assets, there is always a possibility of legitimate assets getting used by a threat actor. This problem of legitimate assets getting used by the threat actor can be reduced by increasing the density of the breadcrumbs and lures at the endpoint.

If there are “m” legitimate services and “n” honey services then if  { [ m / (n + m) ] <= 0.001} it will ensure the probability of accessing legitimate services remains less than equal to 0.1 %.

In our previous blog, we analyzed six prevalent worms and malware. We discussed the precise breadcrumbs and lures that are required at the endpoint and honey services in the network and the conditions that will lead to their detection. In the following table 1.0, we have taken three breadcrumbs and listed the breaches that could have been diverted by using these breadcrumbs. The three breadcrumbs which we have considered are honey entries in the ARP cache, honey mapped drives and honey passwords in the browser and in the processes such as lsass. The reports of these breaches have been published publicly and are mentioned in the references.

From the above table we can draw the following inferences:

  • The deception platform gets triggered during the Credential Access, Discovery, Lateral Movement phases. Hence it complements other defenses which get triggered during the Initial Access, Execution, Persistence, Privilege Escalation, Defensive Evasion phases. These phases are as per the MITRE ATT&CK Matrix for the Enterprise.
  • In some of the breaches, for example, Orangeworm [1] reported on April 23rd, 2018,  targeting hospitals, a deception platform would have been able to divert the multi-stage attack at multiple places by having honey entries in the ARP cache and also by having honey drives.

These inferences make deception based architecture a recommended architecture to prevent modern-day breaches.


[1] New Orangeworm attack group targets the healthcare sector in the U.S. , Europ, and Asia
[2] APT 37 The overlooked North Korean Actor,
[3]  Bronze Butler Targets Japenese Enterproses
[4] A window into Russian Cyber Espionage Operations ?
[5]Cozy Duke,
[7]Operation Cleaver,
[8] Muddying The Water : Targeted Attacks in The Middle East
[9] Monsooon Campaign
[10] Leviathan
[11] Mitre ATT&CK Adversary Model,
[12] Stealth Falcon,