The average ransomware loss hit $353,000 this year 📈

3 methods of cyber deception: Bait the attacker to turn the tables on ransomware

Featured Image for 3 methods of cyber deception: Bait the attacker to turn the tables on ransomware

At this stage of the game, ransomware probably doesn’t need too much of an introduction. Recent media saturation — Colonial Pipeline, Steamship Authority of Massachusetts, JBS, and the Washington DC Metropolitan Police Department — ensures the severity of ransomware attacks is not lost on anyone. Pundits have even wondered if cybersecurity insurance makes ransomware worse. But are we utterly powerless in the face of ransomware?

Infamous beginnings

As an incident responder, I entered the cybersecurity world in early-2016 when ransomware was just starting to gain celebrity status. My first ransomware case involved a brown paper bag with $300 cash, a crypto dealer on a street corner, and a one bitcoin transaction to an attacker. Thankfully, since then, purchasing cryptocurrency has become a lot more conventional. But unfortunately, so has ransomware. Over the years, I’ve witnessed the evolution of ransomware. The attack patterns have become stealthier, the severity higher, the ransoms more extravagant, and the attackers more sophisticated.

Ransomware is here to stay. It is remarkably profitable and offers an immediate monetization of cyber crime.

According to the U.S. Government’s Cybersecurity and Infrastructure Assurance Agency (CISA): “Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.”

What does this mean? Attackers have two objectives: encrypt your data so that they’re inaccessible to you for business operations, and threaten reputational harm by exposing your private and sensitive information to strong-arm you into paying a ransom.

Fighting back against a growing threat

Our industry is starting to see the beginnings of technical measures and tools that will deal with unauthorized file activity, such as ransomware encryption. Organizations across the board are getting better at implementing and maintaining robust backups if their data falls victim to encryption. But ransomware has evolved beyond just encryption. The technical measures for detecting and stopping data exfiltration from taking place are still incredibly limited.

In the early days of ransomware, our industry failed to take adversaries seriously, instead opting to paint them as amateurs with low technical capabilities. We created this devalued mental model of a ransomware hacker that’s shaped the stereotype of an opportunistic “n00b” who poses no serious threat. In my experience, this is no longer an accurate perception. Darkside, Conti, Ryuk, REvil are not amateurs. On the contrary, these are highly trained, professional, technologically savvy, well-funded groups that run sophisticated operations. And they’re excellent at maintaining stealth and flying under the radar.

Working in IR and having handled hundreds of ransomware cases, I’ve more often than not observed ransomware actors dance around security products, including Endpoint Detection and Response (EDR) solutions. That is because malicious actors are using tried and tested techniques that enable them to evade detection. Their attack patterns often include strategies such as slow-paced password spraying, which can easily dodge user and entity behavior analytics (UEBA) detections, and VPN access to gain entry to the environment.

Other common wins include Active Directory (AD) takeovers, Kerberos attacks, and group policy compromises, which we see being used constantly and unfailingly by ransomware actors to skirt around security products. So, by operating with the mindset that all your preventative measures will inevitably fail, what safety next exists to prevent an enterprise-wide catastrophe after an attacker gains a post-exploitation foothold into your environment?

Honey attracts more bees than vinegar

Or as I like to call it, baiting the attacker. The concept of cyber deception involves the implementation of multiple points of deception in the right places across the network to accurately and immediately detect when an intrusion has taken place. Through cyber deception you prevent the compromise of one system or account from evolving into an entire domain takedown.

This is the fundamental difference between a minor irritation and a million-dollar ransom, business interruption and blackout, significant reputational harm and lots and lots of explaining.

Once a malicious actor gains access to an endpoint, they will always attempt to pivot laterally to critical infrastructure and escalate their privileges for a complete network takedown. Using cyber deception, you can shut down their attack pathways post-exploitation and stop them in their tracks before such lateral movement is carried out successfully. And the best part is that these deception techniques are free and incredibly simple to implement.

1. Honey Account

When an attacker first obtains a foothold to a workstation, they will attempt to access a user account with higher permissions, such as an administrator account. To achieve this, attackers commonly use domain password spraying and Kerberoasting, a post-exploitation attack that extracts service account credential hashes from AD for offline cracking. Once the attacker has successfully compromised several user accounts, they will attempt to access an admin account. So, if we know they’re looking for administrator accounts, let’s give them one.

Start by setting up a few honey accounts in the AD. They can be named something obvious such as “admin,” “adm,” or “administrator.domain,” and have their passwords be set to 20 characters (or as long as possible). Next, log into the honey accounts as the login time needs to be updated to ensure that these appear valid. Afterwards, disable the logon hours for the account, which means you effectively have an administrator account that’s been disabled. All this should take around 10 minutes to set up, and then you wait.

As soon as someone tries to log into one of the accounts, an alert will be triggered, which will allow you to isolate the system and shut down the attack path immediately. The attacker does not have to actually log into the accounts for this deception technique to work; it is detectable as soon as they try to authenticate to the honey accounts.

2. Honey Docs

Taking further advantage of the typical attack trajectories executed by ransomware actors, it comes as no surprise that attackers will always look for documents within the network containing credential and password information. Welcome to honey docs — guaranteed to be more effective than any data loss prevention (DLP) software for detecting and stopping malicious intruders.

Honey docs can be as simple as a Microsoft Word or Google Docs file named “passwords.” The honey doc will be equipped with a detection token (honeytoken) designed to detect when it is clicked, shared, or interacted with in some way. The honey doc will trigger an alert as soon as someone attempts to open it, allowing you to shut down the attack right away.

Scatter these honey docs on local disks, file shares, cloud storage, websites, etc. — all areas where attackers like to snoop. You can even set up a network capture to sniff server message block (SMB) transmissions to grab attribution information such as IP address, system name, and password hash. Bonus! This technique carries a low false-positive rate as it leverages the fact that attackers will always pivot within a network. Setting up honey docs is entirely free and takes an hour at most. If you’re looking for a quick solution to get you started, Canarytoken is a free tool that makes generating honey docs a breeze.

3. Network Analysis

It takes time to pivot around an environment. Attackers are excellent at exercising patience, and they are diligent about learning the ins and outs of their target organizations, including management hierarchy. They perform network reconnaissance, scope out user behaviors, and figure out the best way in which they can inflict maximum damage. The period between the initial intrusion and when the attackers reveal themselves to the victim is called the dwell time, and the dwell time for ransomware attacks has not improved over the years. I’ve seen ransomware actors remain in the network for months and even up to a year in advance of the ransomware encryption event.

Second-stage payloads such as Cobalt Strike are now pedestrian in ransomware attack paths; they reside in memory, are fileless, and write very little to disk, making them incredibly stealthy and difficult to spot. Once an attacker establishes a malicious foothold to the target network, they will attempt to communicate with their command and control infrastructure to advance the attack. Furthermore, malicious actors commonly inject backdoors that can effortlessly bypass signature-based detection measures. These are the kinds of activities you want to detect and block before data exfiltration takes place. Should the attack successfully execute the initial beacon, such as during domain fronting or an activated SolarWinds hack, the single most robust detection technique in these scenarios is through analysis of the network traffic. There are many excellent open-source frameworks out there for network monitoring and traffic analysis. One such tool is Real Intelligence Threat Analytics, or RITA, by Active Countermeasures that has proven to be highly effective in identifying signals of beaconing activities in and out of your network, thereby reducing dwell time.

The final word

These are just three easy and free methods to bait back actors using their known behavioral patterns, hopefully stopping them in their tracks. We’re now at a point where the inclusion of cyber deception techniques in your network defense strategy is no longer a nice-to-have but an essential component of the core security structure.

As an industry, we need to quit treating cyber deception as the last element of consideration after patching, firewall, EDR, XDR, DLP, laser beams, and whatever else. Instead, we must bake cyber deception into our security conversations from the start, and this all begins with a shift in mindset.

If you're interested in learning more about Shelley Ma and her digital forensics and incident response journey, check out her Q&A. Download the 2021 Coalition Cybersecurity Guide for more cybersecurity best practices and tips to begin mitigating your organization's risk.