Outsmarting Threat Actors
(OBJ 1.2)
Tactics, Techniques, and Procedures (TTPs)
- One of the most effective ways to learn from the different threat actors that are attacking your network is to set up and utilize deception and disruption technologies.
- Tactics, Techniques, and Procedures (TTPs)
- Specific methods and patterns of activities or behaviors associated with a particular threat actor or group of threat actors
- Describe how a given adversary operates; used by cybersecurity professionals to detect and mitigate attacks
Deceptive and Disruption Technologies
- Technologies designed to mislead, confuse, and divert attackers from critical assets while simultaneously detecting and neutralizing threats
- They work by creating a dynamic environment or presenting false information to the attacker
Honeypots
- Decoy system or network set up to attract potential hackers
- Used to mimic a real system with vulnerabilities
- Focuses on gathering information about the attackers, motives, or TTPs
- Honeypots can be used against insider threats to detect internal fraud, snooping, and malpractice
- Critical to helping cybersecurity researchers identify the new types of attacks, malware, and other threats being seen on the internet
- To install a honeypot in an enterprise network, place it within a screened subnet or isolated segment that is easily accessed by potential attackers
Honeynets
- Network of honeypots to create a more complex system that is designed to mimic an entire network of systems including:
- Servers
- Routers
- Switches
- Used by large organizations to study the behavior of threat actors
- A honeynet logs all activities, providing a wealth of data about both successful and unsuccessful attacks
- Honeypots and honeynets both carry the risk that an attacker uses them to learn how production systems are configured, making them a "double-edged sword"
Honeyfiles
- Decoy file placed within a system to lure in potential attackers
- It serves as a trap: it contains fake data plus hidden metadata or digital watermarks that identify the file and can be used to attempt to enumerate the attacker's own network
- When an attacker accesses the honeyfile, an alert is triggered that notifies the security team of the intrusion; some honeyfiles also have embedded code that begins enumerating the attacker's network once the file is opened on a computer connected to that network
- Can be created using any type of file
- Word-processing documents
- Spreadsheets
- Presentation files
- Images
- Database files
- Executables
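The watermark idea above (a honeyfile carrying hidden data that identifies it) as an added Python example that is not part of these notes: it plants a decoy file with a unique hidden token, records where the decoy was planted, and maps a copy recovered somewhere it should not be back to that record. The trailer-after-NUL-bytes watermark, the HFW- token format, and the bait content are assumptions made for the example.

```python
"""Honeyfile watermarking (added example, not from the original notes).

Each decoy document gets a unique hidden token before it is planted, and a
registry maps tokens back to where the decoy lived. When a copy turns up
where it should not (a paste site, an outbound mail, a seized host), the
token tells you which honeyfile was taken and therefore which share or
system the attacker reached.
"""
import re
import secrets
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Optional

# Assumed watermark format for this example: a fixed prefix plus 16 hex
# digits, so one regular expression can locate it in any file type.
WATERMARK_PREFIX = "HFW-"
WATERMARK_RE = re.compile(rb"HFW-[0-9a-f]{16}")

# Constructed bait content: looks like payroll data, every value is fake.
SAMPLE_BAIT = (
    b"employee_id,name,annual_salary\n"
    b"10021,Example Person,84000\n"
    b"10022,Another Example,91500\n"
)


@dataclass(frozen=True)
class HoneyfileRecord:
    token: str
    path: str       # where the decoy was planted
    location: str   # human label, e.g. "finance share" (a label only)


def new_token() -> str:
    """Unpredictable token: attackers must not be able to guess or forge it."""
    return WATERMARK_PREFIX + secrets.token_hex(8)


def watermark_bytes(bait: bytes, token: str) -> bytes:
    """Bait content followed by a hidden trailer carrying the token.

    The trailer sits after two NUL bytes so ordinary viewers do not show it;
    this is a deliberately simple stand-in for real document metadata.
    """
    return bait + b"\x00\x00" + token.encode("ascii") + b"\n"


def plant_honeyfile(path: Path, location: str,
                    registry: Dict[str, HoneyfileRecord],
                    bait: bytes = SAMPLE_BAIT) -> str:
    """Write the watermarked decoy to disk and record where it was planted."""
    token = new_token()
    path.write_bytes(watermark_bytes(bait, token))
    registry[token] = HoneyfileRecord(token=token, path=str(path), location=location)
    return token


def identify_leak(data: bytes,
                  registry: Dict[str, HoneyfileRecord]) -> Optional[HoneyfileRecord]:
    """Find the watermark in recovered bytes and map it to the planted decoy.

    Returns None both when no watermark is present and when the token is not
    in the registry, so a forged or foreign token cannot produce a false match.
    """
    match = WATERMARK_RE.search(data)
    if match is None:
        return None
    return registry.get(match.group(0).decode("ascii"))


if __name__ == "__main__":
    import tempfile
    registry: Dict[str, HoneyfileRecord] = {}
    with tempfile.TemporaryDirectory() as tmp:
        decoy = Path(tmp) / "payroll_2019.csv"
        plant_honeyfile(decoy, "finance share", registry)
        recovered = decoy.read_bytes()   # stands in for a copy found elsewhere
        print(identify_leak(recovered, registry))
```

In a real deployment the token would go into document metadata (an author field, a custom property) or an invisible element of the file rather than a raw trailer, and the registry would live in the SIEM; the lookup logic stays the same.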
Honeytokens
- Piece of data or a resource that has no legitimate value or use but is monitored for access or use
- Could be a fake user account, a bogus URL, or a dummy database record
- Honeytokens are useful for detecting insider threats
- If a honeytoken is accessed or used, this is a clear indication that a security breach is likely occurring.
- They have no legitimate use, so any interaction with them is suspicious
- Example:
- Creating a user account named Admin or Route
- If someone tries to log in with that account, you will know that they're attacking you (no legitimate user would ever use those credentials)
- Help with the identification of any data leak pathways and provide us with an early warning of a potential data breach
How to secure our enterprise networks
Some disruption technologies and strategies to help secure our enterprise networks
- Bogus DNS entries
- Fake Domain Name System entries introduced into your system's DNS server
- Administrators can mislead attackers into accessing non-existent domains or trap systems to waste the attacker's time and resources while simultaneously alerting the defenders about potential malicious activities.
- Creating decoy directories
- Fake folders and files placed within a system's storage
- When an unauthorized user attempts to access or modify these directories, the system can raise an alert, and the attacker is misled by false data into thinking they have successfully gained access to the organization's main resources
- Dynamic page generation
- Used in websites to present ever-changing content to web crawlers to confuse and slow down the threat actor
- Effective against automated scraping tools or bots trying to index or steal content from your organization's website
- Use of port triggering to hide services
- Port Triggering
- Security mechanism where specific services or ports on a network device remain closed until a specific outbound traffic pattern is detected
- Once a pattern is observed, the service or port is opened temporarily
- This method ensures that certain services remain invisible and inaccessible to potential attackers scanning for open ports but become available for legitimate users that need it
- Spoofing fake telemetry data
- When a system detects a network scan is being attempted by an attacker, it can be configured to respond by sending out fake telemetry or network data
- Data used to confuse an attacker
- It might report that you are running a Windows 11 OS rather than the macOS you are really running
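The honeytokens, bogus DNS entries and decoy directories described above all share one detection rule: they have no legitimate use, so any interaction with them is an alert. The following added Python example, which is not part of these notes, applies that rule across constructed sample lines from an SSH auth log, a file-access audit log and a BIND-style resolver query log, and then correlates actors that touch more than one kind of deception asset. The account names, decoy path, bogus domain name and the key=value audit-log format are assumptions made for the example.

```python
"""Deception-asset monitor (added example, not from the original notes).

Scans log lines from three sources for interactions with assets that have no
legitimate use: honeytoken accounts (auth log), decoy directories (file audit
log) and bogus DNS entries (resolver query log). Every hit is an alert; an
actor that touches more than one kind of asset is surfaced separately.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# All indicator values below are constructed for this example.
HONEYTOKEN_ACCOUNTS = {"svc_backup_admin", "dbadmin_old"}
DECOY_DIRECTORIES = ("/srv/share/Finance/Payroll_2019",)
BOGUS_DNS_NAMES = {"vault-backup.corp.example"}


@dataclass(frozen=True)
class Alert:
    kind: str        # honeytoken-login | decoy-dir-access | bogus-dns-query
    indicator: str   # the deception asset that was touched
    actor: str       # source IP or username taken from the log line
    line: str


# OpenSSH password-auth lines as written to a syslog auth log
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")
# Assumed key=value format for a file-access audit log
FILE_RE = re.compile(r"fileaudit user=(\S+) action=\S+ path=(\S+)")
# BIND-style resolver query log
DNS_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(\S+)#\d+ \([^)]*\): query: (\S+) IN")


def check_line(line: str) -> Optional[Alert]:
    """Return an Alert if the line touches a deception asset, else None."""
    m = AUTH_RE.search(line)
    if m:
        user, ip = m.groups()
        # both failed and successful attempts count: nobody should use it
        return Alert("honeytoken-login", user, ip, line) if user in HONEYTOKEN_ACCOUNTS else None
    m = FILE_RE.search(line)
    if m:
        user, path = m.groups()
        for decoy in DECOY_DIRECTORIES:
            # the directory itself or anything beneath it
            if path == decoy or path.startswith(decoy.rstrip("/") + "/"):
                return Alert("decoy-dir-access", decoy, user, line)
        return None
    m = DNS_RE.search(line)
    if m:
        ip, name = m.groups()
        name = name.rstrip(".").lower()      # normalise trailing dot and case
        if name in BOGUS_DNS_NAMES:
            return Alert("bogus-dns-query", name, ip, line)
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    return [a for a in (check_line(ln) for ln in lines) if a is not None]


def multi_asset_actors(alerts: Iterable[Alert]) -> Set[str]:
    """Actors seen against more than one kind of deception asset."""
    kinds: Dict[str, Set[str]] = {}
    for a in alerts:
        kinds.setdefault(a.actor, set()).add(a.kind)
    return {actor for actor, ks in kinds.items() if len(ks) > 1}


# Constructed sample log lines: one legitimate login, one honeytoken login,
# one decoy-directory open, one normal file open and one bogus-DNS query.
SAMPLE_LOG = [
    "Mar  4 10:12:01 bastion sshd[2211]: Accepted password for jsmith from 10.0.1.40 port 50122 ssh2",
    "Mar  4 10:12:09 bastion sshd[2214]: Failed password for invalid user svc_backup_admin from 10.0.5.23 port 51000 ssh2",
    "2024-03-04T10:13:44Z fileaudit user=jsmith action=open path=/srv/share/Finance/Payroll_2019/salaries.xlsx",
    "2024-03-04T10:13:50Z fileaudit user=jsmith action=open path=/srv/share/Finance/2024/budget.xlsx",
    "04-Mar-2024 10:14:02.117 client @0x7f3a 10.0.5.23#51234 (vault-backup.corp.example): query: vault-backup.corp.example IN A + (10.0.0.53)",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"[{a.kind}] {a.actor} -> {a.indicator}")
    print("actors hitting multiple assets:", multi_asset_actors(found))
```

The per-line checks are deliberately exact matches on names and paths rather than keyword searches, so the alert volume is driven entirely by how many deception assets you plant, not by how noisy the logs are.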