In-brief: In this opinion piece, Nitsan Saddan, the head of threat intelligence research at the firm Cymmetria, says that recent revelations about the methods used to hack the cyber arms dealer Hacking Team underscore the importance of deception as an element of cyber defense.
Last July was a very bad month for the controversial spyware vendor Hacking Team. The company, which sells network surveillance tools to governments, was breached and all of its secrets were exposed. The hacker behind the breach, who calls himself Phineas Fisher, last month told the world just how he managed to succeed, publishing a Pastebin note in which he details his tools, tactics, and procedures. In the process, s/he gave the security industry a rare glimpse into an attacker’s decision-making process.
The tools that he used are relatively common among skilled cybercriminals, and many of them use similar methods to steal data. Let’s set Phineas Fisher’s operations against multi-layered deception tactics – and see whether he (and attackers using similar tactics) could have been fooled. All the decoys described here can be manually instrumented, using either open source or proprietary solutions.
Derailing the Initial Approach
Phineas Fisher collected initial information about his target’s network using basic tools. He used Fierce, theHarvester, and recon-ng to find the company’s subdomains, which he validated using Whois.com. He then used Zmap, Masscan, WhatWeb, and blindElephant to perform Nmap scans, knowing that Hacking Team’s IDS wouldn’t be a problem, since web-facing sites are scanned all the time.
It’s important to note that the tools the hacker used are automatic, and can’t tell the difference between a real target and a fake one.
Deception Technique: The hacker is, at this point, just snooping for a way in; so the network defender could have presented him with a hackable website: a decoy, created to appear as an old version of the company’s website and located within the relevant IP range, redirecting legitimate visitors to the real site. Phineas Fisher’s tools would show him the decoy as a way in, and he would step into the trap. Stopping an attacker prior to network compromise is obviously the best of all outcomes, as it prevents disclosure of any non-public information.
Decoys during Network Intrusion
Phineas Fisher mentioned several entrance possibilities, including purchasing access to an existing compromised machine through crimeware markets, and spear phishing – most “advanced” adversaries’ favorite vector. In fact, Phineas chose a different way in: a zero-day vulnerability in an undisclosed embedded system (the router, VPN or spam filter). Once he had a beachhead, Phineas Fisher studied the target’s network using Nmap scans and Responder.py, a free tool for exploiting vulnerabilities in common network configurations.
Phineas kept his scans slow, to decrease the chance of detection. He found two MongoDB servers, which were used for tests in the company, and a server with VM backups – some of which were Exchange servers containing emails. Phineas simply stole the VM’s virtual hard drive, filled with company files.
Deception Technique: At this stage, the attacker exposed himself to several types of decoys, all of which could have detected him:
- File and DB servers: These could easily have attracted the attacker; he would have found them while looking for lateral movement options. Using these types of servers for lateral movement is in fact the attacker’s MO. If the decoy had been another MongoDB server with a similar designation, the attacker would have picked it up with his scan just as he picked up the real servers, reached it and been detected.
- Backup server: Attackers consider backup servers useful lead generators, and target them in order to find available data. A decoy representing an old backup server (with a name that implies a particular year or project, e.g. Project_vulcan2008-draft) would flush out the attacker; he’d try to see whether it holds relevant passwords, shared folders or data, and get caught.
- SharePoint server: As a company’s knowledge bank, this server must be available to many departments in the organization. The attacker, looking for sensitive data, may treat such a server as a lead generator. He would be tempted to take a peek, in order to find relevant projects and other company assets on which to focus his operation, and to decrease the chance of exposure from just wandering around the network.
Backup and Domain Admin as Lures
In the next phase, Phineas escalated his privileges: he used LSAdump to scan the backup server’s logs, and found a valid password connected to a BlackBerry service. After escalating his privileges on that machine, he was able to get more passwords – one of which was that of a domain admin.
While searching for sensitive company data, Phineas discovered the company’s Revision Control System (RCS); however, it was on a separate network he couldn’t access. In order to gain access, he tried elevating his privileges to a sysadmin level by looking for credentials belonging to a specific senior Hacking Team member. Phineas assumed that this user would have sysadmin privileges and access to the company’s most sensitive secrets.
Deception Technique: At this stage, Phineas isn’t really hiding. He doesn’t run scans, but simply uses his compromised account to move around the network as a legitimate user. This makes him particularly vulnerable to deception elements placed around the network. The same decoys I’ve mentioned could still be effective: in the previous stage, the attacker was exposed while hunting for credentials with which to look for data across the network. Now he has those credentials, and is even more likely to take the bait as he goes after his actual targets.
Also, since many advanced attackers’ MO involves locating and compromising a sysadmin’s machine or credentials, a smart defender can create a decoy sysadmin machine – with the relevant RDP and SSH decoy services. Such a machine can be connected to other decoys (if the deception platform supports it), in order to present the attacker with a continuous attack surface.
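The decoy inventory described in the last two stages (a look-alike MongoDB test server, an old backup server, a SharePoint server, and a sysadmin workstation exposing RDP and SSH) is only useful if someone is watching it. The script below is an added illustration, not Cymmetria’s product or anything from Phineas Fisher’s write-up: it keeps a constructed decoy inventory, parses constructed connection-log lines, ignores the monitoring host that is allowed to health-check the decoys, and raises an alert for every other source that touches a decoy. All hosts, ports and log lines are invented for the example.

```python
import re
from collections import namedtuple

# Constructed decoy inventory keyed by (decoy IP, port); hosts and addresses are hypothetical.
DECOYS = {
    ("10.0.2.40", 27017): ("mongo-test-03", "MongoDB decoy beside the real test servers"),
    ("10.0.2.41", 445): ("bk-Project_vulcan2008-draft", "old backup server decoy"),
    ("10.0.2.42", 443): ("sp-intranet-old", "SharePoint decoy"),
    ("10.0.3.10", 3389): ("sysadmin-ws-01", "sysadmin workstation decoy (RDP)"),
    ("10.0.3.10", 22): ("sysadmin-ws-01", "sysadmin workstation decoy (SSH)"),
    ("10.0.9.5", 5432): ("rcs-db-02", "database decoy next to the RCS network"),
}
# Only the deception platform's own monitoring host may legitimately touch a decoy (constructed).
ALLOWLIST = {"10.0.0.250"}

# Constructed log format: "<timestamp> conn src=<ip> dst=<ip> dport=<port>"
LINE = re.compile(r"^(?P<ts>\S+) conn src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")
Alert = namedtuple("Alert", "ts src decoy_name decoy_role")

def parse_line(line):
    """Return (ts, src, dst, dport) for a well-formed line, or None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dport"))

def detect(lines):
    """Alert on every non-allowlisted connection to a decoy; real servers never alert."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if src in ALLOWLIST:
            continue
        hit = DECOYS.get((dst, dport))
        if hit:
            alerts.append(Alert(ts, src, hit[0], hit[1]))
    return alerts

def suspicious_sources(alerts):
    """Group alerts by source host; a source touching several decoys is moving laterally."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, set()).add(a.decoy_name)
    return {src: sorted(names) for src, names in by_src.items()}

# Constructed sample log: one real MongoDB hit, one allowed health check, three decoy touches, one bad line.
SAMPLE_LOG = """2016-04-20T02:14:11Z conn src=10.0.2.77 dst=10.0.2.30 dport=27017
2016-04-20T02:14:12Z conn src=10.0.2.77 dst=10.0.2.40 dport=27017
2016-04-20T02:15:03Z conn src=10.0.0.250 dst=10.0.2.41 dport=445
2016-04-20T02:20:45Z conn src=10.0.2.77 dst=10.0.2.41 dport=445
2016-04-20T03:01:00Z conn src=10.0.2.77 dst=10.0.3.10 dport=3389
this line is not a connection record"""
```

Run against the sample, `detect` yields three alerts, all from 10.0.2.77, and `suspicious_sources` shows that single host walking from the MongoDB decoy to the backup decoy to the sysadmin workstation, which is exactly the path the article describes.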
The Crown Jewels
Eventually, Phineas logged into the senior member’s computer as a domain admin, and then ran a WMI process which enabled him to install a keylogger. Then, he got the needed passwords and elevated his credentials to sysadmin level. From there, the road to Hacking Team’s RCS and its source code was open.
At this stage, the attacker has all he needs to take whatever he wants without worrying about IDS or other security measures. Once the attacker entered the internal network on which the revision control system was located, he treated everything he saw there as a critical company asset. This was, after all, the most protected network element he encountered during his operation.
Deception Technique: At this late stage in the hack, deception is just about the only kind of security element that can still detect and intercept an attacker. A decoy emulating a database server inside that network – right next to the RCS – would have caused the attacker to tip his hand. While considerable damage has already occurred at this stage, the victim organization has at least been alerted to the breach and can begin to investigate, cut off access and do damage control.
We can see that a layered deception plan could have prevented the Hacking Team breach. It can also decrease the chance of successful data theft in other organizations. Even if the attackers used an existing compromised machine or a spear phishing vector, the right decoys could still tempt and expose them.