Today’s breaches are overwhelmingly carried out in a series of sophisticated, multi-stage attacks. The stages of such attacks can best be described by a “Cyber Kill Chain,” which as per MITRE ATT&CK Adversary Tactic Model [1] breaks down cyber intrusions into the steps shown in figure 1.0.
Figure 1.0 MITRE ATT&CK Adversary Tactic Model
In the table 1.0, I have discussed six critical multi-stage attacks. I have precisely listed the breadcrumbs and lures that are required at the endpoint and deceptions on the network to detect and divert these threats. The table further lists the conditions which when triggered will raise the alarm for breach and the stage where the threat will get discovered. This stage is as per the ATT&CK Matrix for Enterprise[1]. Based on the nature of the threat, once an alert for a breach is raised it can trigger appropriate automated responses. Examples of responses include: isolation of the infected endpoint, SOC Alert for remediation, etc.
The six threat families considered in this blog are::
- Ransomware[5]
- Crypto Miner[2]
- Breaches leveraging Web Servers for entry [4]
- Destructive malware (such as Shamoon[3] and Petya[6])
- Information stealers
- Password stealers
In our blogs listed in references, we have discussed the exploitation steps of these threats. These threats also have been covered extensively within the research community.
By using a distributed deception platform, two of these threat families (ransomware and password stealers) is detected in the execution phase. The other four are identified during the lateral movement phase when the attacker is attempting to spread to other machines.
Based on the analysis shown in the table following is the takeaway:
- Deception centric architecture detects the second or subsequent stage of payload, and hence the detection of distributed detection becomes independent of the vulnerability which is exploited at the first stage. The first stage can make use of 0-days, or it can make use of the known vulnerability or even socially engineer humans into giving them access via phishing or socially-engineered malware, a deception-centric architecture will raise an alert if the second or subsequent phase touches the deceptions.
- In many of the cases such as breaches involving web server, detection of information stealer, detection of crypto miners, detection of destructive malware presented in the table above, distributed deception architecture is capable of detecting threat actor or worm after it has breached an organization before the final intent is completed. The algorithm or the techniques leveraging deception which is used to identify the threat is generic, i.e., it is independent of the purpose of the worm or the threat actor.
The capability of detecting worm or an adversary independent of the first stage and detecting a breach in a generic manner independent of the final intent makes it a recommended architecture to prevent sophisticated breaches.
References
[1] ATT&CK Matrix for Enterprise, https://attack.mitre.org/wiki/Main_Page
[2] WannMine lateral Movement techniques,
/resources/blog/wannmine-lateral-movement-techniques/
[3] How to outfox Shamoon, put deception to work,
/resources/blog/how-to-outfox-shamoon-put-deception-to-work/
[4] Deception Centric Architecture to prevent breaches involving Web Server,
/resources/blog/deception-centric-architecture-to-prevent-breaches-involving-webserver/
[5] Deception centric defense against the Ransomware
. ./resources/blog/deception-centric-defense-against-ransomware/
Authors
