Traditional security isn’t always enough to keep attackers at bay. When it comes to sneaking into networks, detection will often only come after malicious traffic reaches systems such as next-generation firewalls and intrusion detection and prevention systems. Meanwhile, threat actors have free range. But if you can trick the attacker attempting to trick you, it’s a different story.
The first response after detection is often to remove the compromised systems and disable the breached user accounts. The idea is to cut down on further problems and limit any existing risk. Sadly, this approach leaves you with only the artifacts and logs that the attackers decided to leave behind.
Engaging with the attacker will allow you to get more insight into their goals, techniques, tactics and attack paths. You can then use this to strengthen your existing defenses and prevent this specific actor from using the same techniques again.
Intelligent Adversary Engagement
You can choose from multiple tools and frameworks when setting up a strategic adversary engagement. One of these is MITRE Engage, a framework created just to be used for discussing and planning responses to an attacker. That includes engagement, deception and denial. Let’s look at a few notable techniques used to engage with threat actors.
Honeypots mimic real systems with the goal to attract and detect malicious actors in your infrastructure. Think of them as the digital version of bait cars. Honeypots allow system admins and other cybersecurity personnel to detect techniques and tactics used to compromise systems.
Note the difference between high- and low-interaction honeypots. Low-interaction honeypots will help you detect malicious actors in your network. However, they won’t give much insight into their goals and tactics. High-interaction honeypots will allow you to learn more about the attack. This way, you’re simulating the real systems in a more in-depth manner.
A wide range of honeypots are freely available. Which one is right for your needs depends on your infrastructure and goals.
Honeytokens have similar goals as honeypots, but you can use them in different ways. Instead of simulating systems and services, they can be files, credentials, e-mail addresses and URLs that are used to attract the attention of attackers. They alert the security team when someone uses or opens them.
An example of a honeytoken would be a file called Employee_passwords.xlxs. You could place this on any system or file share. When the attacker opens the file, the honeytoken will alert the admin, indicating unwanted access or a data breach.
Honeytokens are easier to set up than honeypots because they don’t require extra infrastructure to run. The tradeoff is that the alerting signals are more limited in the information they provide about the attacker.
Attackers will often use malware to create a foothold into networks. They can deliver it via a wide range of channels. For example, an attacker could directly send malware by e-mail or deploy it directly after gaining access to the infrastructure.
The attacker’s purpose in deploying malware can vary. Usage can range from file encryption as part of an extortion campaign to data exfiltration of sensitive business information via covert channels. Once you’ve caught it, the good guys can execute the malware in a controlled setting to study its behavior. The analysis can help you understand the techniques and goals of the attacker.
Using MITRE Engage and Other Frameworks
Some people see adding an active defense strategy into your existing infrastructure as only suitable for the more security-mature businesses and agencies. This should not be the case anymore with the low integration threshold of today. There are a lot of open-source frameworks out there to help you set up and integrate tools to support this kind of work.
In addition, MITRE Engage will guide you through setting up an adversary engagement operation and help you to strategize, plan, execute and analyze the result.
Set up honeytokens by filling in a form at canarytokens.org and dropping the token on your company’s network share. Also, a huge list of open-source honeypots has been created on Github.
Most of these active defense tools tie directly into existing security information and event management solutions like QRadar from IBM or simpler messaging channels like e-mail. A lot of honeypots will support channels like Slack, Syslog and e-mail for alerting directly to your security operations center or personnel.
In short, planning an intelligent adversary engagement will help your business be more aware of attackers’ goals, techniques, tactics and attack paths. It will also allow you to strengthen the current security integration with data from real-world scenarios. Use MITRE Engage to plan engagements supported by open-source honeypots, honeytokens and malware analysis frameworks.
Threat Management Consultant
Stefan Grimminck is a Threat Management Consultant with IBM Security in the Netherlands. He is passionate about Active Defense, Cloud Security and SIEM devel...