Skip to main content

‘Deceive the deceivers’: Defeating credential-based attacks with deception and concealment

(Image credit: Shutterstock / Golden Sikorka)

Deception is one of the most effective techniques in an attacker’s armory because it targets the weakest link in any IT security system: humans. Attackers who manage to trick one unfortunate employee into handing over a password can infiltrate even an organization with seemingly impenetrable defenses, allowing them to access the network and remain hidden. However, it’s not just the bad guys who can use deception and concealment techniques to their advantage. These capabilities are valuable tools for defenders, effective at stopping adversaries in their tracks.

For instance, organizations can combat credential-based attacks with clever, targeted deception. These attacks are a growing concern for CISOs and SOC staff in the remote-working era, with statistics released this year making for worrying reading. An estimated 15 billion usernames and passwords are now available to buy on the Dark Web, with more gathered from data breaches added on an almost daily basis. If your colleagues’ credentials are out there for sale - and there’s every chance they could be - your company’s security is at risk. Even if you’re feeling safe because your organization has not suffered a significant breach, you’re not out of the woods yet. Employee credentials could be available on the Dark Web, waiting for use in credential stuffing attacks where attackers use passwords obtained from a data breach on one service to log into another.

From defense to deception

The notion of tricking attackers is growing in popularity, particularly as organizations grapple with remote work challenges. Deception technology started to roll out as early as 2015, but it’s growing in use over the past year as companies and organizations have begun to realize its potential. Deception and concealment technologies allow security professionals to “deceive the deceivers” after a threat actor has gained access.

Once an attacker has penetrated a system, they will look for credentials and seek lateral movement opportunities.  This stage of the attack is when they are most vulnerable, and when defenders can leverage deception. Security staff could hide decoy credentials within endpoints or other tempting targets throughout the broader network to prepare for an attack. Once attackers access and use these credentials, defenders are alerted and can take appropriate steps.

Organizations can use this approach to defend against credential theft and reuse. Defenders can also seed false information within Active Directory controllers or their query results, misdirecting attackers from real objects instead of allowing them to escalate their privileges successfully. They could also seed locally stored deceptive user data to foil attacks that steal credentials from browsers or keychains. Another approach involves deploying network decoys, which trigger an alert when attackers perform network discovery activity, allowing defenders to take immediate defensive action.

Intelligent security

Threat intelligence can help organizations prepare for credential-based attacks by giving them insight into whether their logins are available to criminals on the Dark Web. Sadly, attackers have many other ways to steal passwords. For instance, they could compromise one of the many insecure endpoints that have opened up in the past year due to the rise of remote working before stealing and reusing credentials to gain access and move laterally. We’d all hope that staff working at home will protect their systems with the same rigor as their IT departments lockdown office-based devices. However, this best-case scenario is unlikely because there will likely always be human error that allows attackers to get in.

Working from home is a dream for many employees, but a nightmare for CISOs. Data published in the Verizon Data Breach Investigations Report revealed that attacks on web apps made up 43 percent of breaches in 2020, which is more than twice the last year. Of these attacks, 80 percent involved stolen or brute-forced credentials. “As workflows move to cloud services, it makes sense for attackers to follow,” Verizon wrote.

Defenders can use these insecure endpoints, which appear so tempting to attackers, against them. They can seed remote devices with packages of authentic-looking Active Directory (AD) and VPN credentials, designed to enable defenders to detect an attack. These deceptive credentials lure attackers into engaging with decoys and revealing themselves. They also allow defenders to misdirect an attack, giving organizations time to detect, analyze, and stop an attacker.

Know your enemy

To illustrate one of the key capabilities of deception and concealment technology, let’s imagine a hypothetical situation in which an adversary has broken into your network using a unique spear-phishing email that wasn’t picked up by prevention tools. The first thing this attacker is likely to do after gaining access is to search the system to find credentials to escalate their privileges. If defenders take the easy route and place deceptive Active Directory credentials within easy reach, the attacker will try to validate this information and trigger an alert. However, a better approach would be to have the credentials validate against a fake AD environment or alter the results of legitimate AD queries to return counterfeit data that point to the decoy environment while hiding real information. These advanced methods maintain the deception while generating early alerts and preserving the defenders’ abilities to collect adversary intelligence. They also lead the attackers directly to the hall of mirrors for engagement without tipping them off that they are in a decoy environment.

Whilst the adversary is lost in the hall of mirrors created with deception and concealment technology, the decoys record their activities. Analysts can then observe their behavior and gather vital intelligence, which they can use to enhance their organization’s entire security posture. By analyzing an adversary’s use of tools or exploits and the files or directories they access, defenders can collect and develop threat intelligence. They can then integrate this intelligence with existing defenses to allow for automated remediation through playbooks, orchestration, or other tools. Once in place, these automated responses address threats quickly, freeing up the incident responders’ time, increasing efficiencies, and reducing workloads while accelerating incident response. 

By watching how our hypothetical attacker works whilst ensnared in a deceptive framework, defenders can also gather intelligence about their systems, using their observations to highlight gaps in defenses and gain visibility to any unexpected attack paths. For, as the ancient Chinese philosopher Sun Tzu famously wrote: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

Carolyn Crandall, CMO and Chief Security Advocate, Attivo Networks (opens in new tab)

Carolyn is a technology executive with over 25 years of experience in building emerging technology markets in security, networking, and storage industries. Carolyn is recognized as a global thought leader on technology trends and for building strategies that connect technology with customers to solve difficult information technology challenges.