Traditional security isn’t always enough to keep attackers at bay. When it comes to sneaking into networks, detection often only comes after malicious traffic reaches systems such as next-generation firewalls and intrusion detection and prevention systems. Until then, threat actors have free rein. But if you can trick the attacker who is attempting to trick you, it’s a different story.

The first response after detection is often to remove the compromised systems and disable the breached user accounts. The idea is to cut down on further problems and limit any existing risk. Sadly, this approach leaves you with only the artifacts and logs that the attackers decided to leave behind.

Engaging with the attacker will allow you to get more insight into their goals, techniques, tactics and attack paths. You can then use this to strengthen your existing defenses and prevent this specific actor from using the same techniques again.

Intelligent Adversary Engagement

You can choose from multiple tools and frameworks when setting up a strategic adversary engagement. One of these is MITRE Engage, a framework created just to be used for discussing and planning responses to an attacker. That includes engagement, deception and denial. Let’s look at a few notable techniques used to engage with threat actors.

Honeypots

Honeypots mimic real systems with the goal of attracting and detecting malicious actors in your infrastructure. Think of them as the digital version of bait cars. Honeypots allow system admins and other cybersecurity personnel to detect the techniques and tactics used to compromise systems.

Note the difference between high- and low-interaction honeypots. Low-interaction honeypots will help you detect malicious actors in your network. However, they won’t give much insight into their goals and tactics. High-interaction honeypots will allow you to learn more about the attack, because they simulate the real systems in greater depth.

A wide range of honeypots are freely available. Which one is right for your needs depends on your infrastructure and goals.
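To make the low-interaction trade-off concrete, here is an added example (not code from the article or any of the honeypot projects it refers to): a minimal TCP honeypot that records who connected, to which port, and the first bytes they sent. The listen port, the fake banner and the probe labels are all assumptions; the point is that this is all a low-interaction honeypot yields, not what the attacker was after.

```python
"""Minimal low-interaction TCP honeypot (added example, not from the article).
It records who connected, to which port, and the first bytes sent; that is all
a low-interaction honeypot gives you, not what the attacker was after."""
import json
import socket
import time

LISTEN_PORT = 2222                          # constructed; use a port nothing real listens on
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1\r\n"  # a banner string only, no SSH implementation

def classify_probe(first_bytes: bytes) -> str:
    """Label the first bytes a client sent so the SOC can triage quickly."""
    if not first_bytes:
        return "connect-only"            # port scanner that never sends data
    if first_bytes.startswith(b"SSH-"):
        return "ssh-client-banner"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"OPTIONS"):
        return "http-request"
    return "unknown-bytes"

def make_event(peer: tuple, first_bytes: bytes) -> dict:
    """Build the record a honeypot would forward to syslog, e-mail or Slack."""
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src_ip": peer[0], "src_port": peer[1], "dst_port": LISTEN_PORT,
        "probe": classify_probe(first_bytes),
        "first_bytes": first_bytes[:64].hex(),  # hex keeps binary probes log-safe
    }

def serve() -> None:
    """Accept one connection at a time and print one JSON event per connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", LISTEN_PORT))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(3)           # never let a probe hold the socket open
                try:
                    conn.sendall(FAKE_BANNER)
                    data = conn.recv(1024)
                except OSError:              # timeout or reset: still a contact worth logging
                    data = b""
            print(json.dumps(make_event(peer, data)))

if __name__ == "__main__":
    serve()
```

Run it on a host where port 2222 is otherwise unused and forward the printed JSON lines to your collector; nothing here implements SSH, so a probe gets no further than the banner.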

Honeytokens

Honeytokens have goals similar to honeypots, but you can use them in different ways. Instead of simulating systems and services, they can be files, credentials, e-mail addresses and URLs that are used to attract the attention of attackers. They alert the security team when someone uses or opens them.

An example of a honeytoken would be a file called Employee_passwords.xlsx. You could place this on any system or file share. When the attacker opens the file, the honeytoken will alert the admin, indicating unwanted access or a data breach.

Honeytokens are easier to set up than honeypots because they don’t require extra infrastructure to run. The tradeoff is that the alerting signals are more limited in the information they provide about the attacker.
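The file-based honeytoken above only works if something watches for the decoy being touched. The following added example (not code from the article or from canarytokens.org) shows that detection logic run over constructed file-server audit events and rendered as syslog lines for a SIEM. The share paths, account names, event fields and the service-account list are all assumptions.

```python
"""Honeytoken file-access detector (added example, not from the article).
Assumes a file server forwarding one JSON event per file access with the
constructed fields time/host/user/src/path/action."""
import json

# Decoy files registered as honeytokens: path -> label (constructed).
HONEYTOKENS = {
    "/srv/shares/finance/Employee_passwords.xlsx": "finance-share-decoy",
    "/srv/shares/it/vpn_backup_creds.txt": "it-share-decoy",
}
# Accounts that sweep every file anyway (backup, AV); still alert, at lower severity.
SERVICE_ACCOUNTS = {"svc_backup"}

# Constructed sample events: one normal read, then two decoy touches.
SAMPLE_LOG = """\
{"time": "2024-03-01T09:12:01Z", "host": "fs01", "user": "jdoe", "src": "10.0.4.21", "path": "/srv/shares/finance/Q1_budget.xlsx", "action": "read"}
{"time": "2024-03-01T09:14:37Z", "host": "fs01", "user": "jdoe", "src": "10.0.4.21", "path": "/srv/shares/finance/Employee_passwords.xlsx", "action": "read"}
{"time": "2024-03-01T09:14:52Z", "host": "fs01", "user": "svc_backup", "src": "10.0.9.5", "path": "/srv/shares/it/vpn_backup_creds.txt", "action": "copy"}
"""

def detect(lines) -> list:
    """Return one alert per event that touches a registered honeytoken."""
    alerts = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue                     # malformed line: skip, don't crash the pipeline
        if not isinstance(ev, dict) or ev.get("path") not in HONEYTOKENS:
            continue                     # a real file: normal work must never alert
        alerts.append({
            "time": ev.get("time", "?"), "host": ev.get("host", "?"),
            "user": ev.get("user", "?"), "src": ev.get("src", "?"),
            "action": ev.get("action", "?"), "path": ev["path"],
            "token": HONEYTOKENS[ev["path"]],
            "severity": "medium" if ev.get("user") in SERVICE_ACCOUNTS else "high",
        })
    return alerts

def to_syslog(alert: dict) -> str:
    """Render an alert as an RFC 5424-style line (facility auth=4; alert=1, warning=4)."""
    sev = 1 if alert["severity"] == "high" else 4
    return (f"<{4 * 8 + sev}>1 {alert['time']} {alert['host']} honeytoken - - - "
            f"token={alert['token']} user={alert['user']} src={alert['src']} "
            f"action={alert['action']} path={alert['path']}")

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(to_syslog(alert))
```

Service accounts that legitimately sweep shares still produce an alert, only at warning level, because a stolen backup account reading the decoy is exactly the case you want to see.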

Controlled Malware

Attackers will often use malware to gain a foothold in networks. They can deliver it via a wide range of channels. For example, an attacker could send malware directly by e-mail or deploy it right after gaining access to the infrastructure.

The attacker’s purpose in deploying malware can vary. Usage can range from file encryption as part of an extortion campaign to exfiltration of sensitive business information via covert channels. Once you’ve captured a sample, your team can execute the malware in a controlled setting to study its behavior. The analysis can help you understand the techniques and goals of the attacker.

Using MITRE Engage and Other Frameworks

Some people see adding an active defense strategy to your existing infrastructure as only suitable for more security-mature businesses and agencies. With today’s low integration threshold, that should no longer be the case. There are a lot of open-source frameworks out there to help you set up and integrate tools to support this kind of work.

In addition, MITRE Engage will guide you through setting up an adversary engagement operation and help you to strategize, plan, execute and analyze the result.

Set up honeytokens by filling in a form at canarytokens.org and dropping the token on your company’s network share. Also, a huge list of open-source honeypots has been compiled on GitHub.

Most of these active defense tools tie directly into existing security information and event management solutions like QRadar from IBM or simpler messaging channels like e-mail. A lot of honeypots will support channels like Slack, Syslog and e-mail for alerting directly to your security operations center or personnel.

What’s Next?

In short, planning an intelligent adversary engagement will help your business be more aware of attackers’ goals, techniques, tactics and attack paths. It will also allow you to strengthen the current security integration with data from real-world scenarios. Use MITRE Engage to plan engagements supported by open-source honeypots, honeytokens and malware analysis frameworks.
