Catching attackers in their tracks sounds harder than it actually is. Last week MSSP Dell Secureworks launched what it called the “open source honeytoken tripwire” DCEPT, aimed at preventing those attacks which do not use malware.
The concept of an attack not using malware, and instead using breached or stolen credentials does make sense. After all, major breaches have leaked millions of usernames and passwords and despite the advice to change details, it seems not all users do so. In conversation with Dell Secureworks, product management team lead Mark Wood told me that as many as 40% of attacks do not use malware anymore.
Instead, Wood said that a more effective way of catching attackers is to let them in and catch them in a trap: rather than brute-forcing their way in, they use employee credentials as a more efficient route.
“Once on that, they go after the domain architecture, scrape it and connect it up to their domain, and that is probably as bad as it gets as a potential event, so it is about how to detect that,” he said. “This is a honeytoken, which is different from a honeypot as it is a small part of it with a deception tactic.
“We figure out solutions to do this as there are no free tools to deploy a honeypot easily, so we built a tool for it.”
DCEPT is a proof-of-concept honeytoken-based Active Directory intrusion detection system (DCEPT stands for Domain Controller Enticing Password Tripwire) and provides insight into detecting when a domain privilege escalation is being attempted.
Joe Stewart, Director of Malware Research at Dell SecureWorks, was keen to stress that this is not a honeypot, “just a trap we set to try to get someone attacking into a network”. He said that a honeypot is a much more vertical system, while with the honeytoken you are catching one little asset with a tripwire.
He said that the honeytoken was about getting the attacker to reveal themselves when they try to use the tool to capture domain administrator credentials. “This is common by hackers as they try to get those credentials out of the memory,” he said.
“So we put in a set of fake credentials and have a system of listening to the network at the domain controller level and see where the fake credentials were used, and this can tell us which pathway is used and tell the user when attackers are using that.”
Joe admitted that this is a better way of capturing an attacker: giving out fake credentials on a network and seeing which computer they try to escalate to in order to gain domain administrator privilege is better than decrypting a password file.
I asked James Bettke, Research Advisor at Dell SecureWorks, where the fake credentials are stored: are they in the honeytoken? He said that they are carried in an agent, as it is a fake credential that is unique, unlike a honeypot. Does it give any access at all? Bettke said no, as using it will result in a failed login.
“It is just a file, it is cached inside the Windows login cache and in a proper place; it is not just a document that we hope you will find,” he said.
This technology has been made available as open source on GitHub. DCEPT consists of three parts: an agent that puts a honeytoken domain administrator password into memory on endpoints; a network service that generates unique honeytokens at the request of an agent; and a sniffer service that watches network traffic for signs that the honeytoken password is being sent in an authentication request.
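To make the three-part design concrete, here is a small added model of that workflow; it is illustration written for this article, not DCEPT's own code, and the account name, endpoint names and traffic records in it are constructed. A token service hands each endpoint a unique decoy password, and a stand-in for the sniffer matches observed authentication attempts against the issued tokens, so a hit identifies both the endpoint the attacker harvested the credential from and the machine it was replayed from.

```python
"""Toy model of a honeytoken tripwire: unique decoy passwords per endpoint,
and a detector that maps any reuse back to the endpoint it was planted on."""
import secrets
from dataclasses import dataclass

HONEY_USER = "admin_backup"  # constructed decoy domain-admin account name


@dataclass(frozen=True)
class Alert:
    planted_on: str   # endpoint whose agent received this token
    used_from: str    # source address of the authentication attempt
    username: str     # account name presented in the attempt


class HoneytokenService:
    """Issues one unique decoy password per endpoint and remembers who got which."""

    def __init__(self):
        self._issued = {}  # decoy password -> endpoint name

    def issue(self, endpoint):
        # A fresh random value per endpoint, so any later use pins down its origin.
        token = secrets.token_urlsafe(12)
        self._issued[token] = endpoint
        return token

    def lookup(self, password):
        return self._issued.get(password)


def detect(service, auth_requests):
    """Stand-in for the sniffer: flag every request carrying an issued honeytoken.
    Each request is a dict with 'src', 'user' and 'password' (constructed records)."""
    alerts = []
    for req in auth_requests:
        origin = service.lookup(req["password"])
        if origin is not None:
            alerts.append(Alert(origin, req["src"], req["user"]))
    return alerts


def demo():
    svc = HoneytokenService()
    tokens = {host: svc.issue(host) for host in ("WS-ACCT-07", "WS-HR-02")}
    # Constructed traffic: one legitimate login, then a replay of the WS-HR-02
    # decoy from a different machine, which is the behaviour the tripwire targets.
    traffic = [
        {"src": "10.0.5.23", "user": "jsmith", "password": "CorrectHorse9"},
        {"src": "10.0.7.41", "user": HONEY_USER, "password": tokens["WS-HR-02"]},
    ]
    return detect(svc, traffic)
```

Because the decoy never grants access, a real attempt fails at the domain controller anyway; the value is in the alert, which names the compromised endpoint before any privilege is gained.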
Wood said that even if an attacker using valid credentials is spotted and kicked out, you will see them repeatedly come back.
As an MSSP, the company does not have a pedigree for launching solutions, but it also added the advanced endpoint detection technology Red Cloak last week, which Wood told me is about getting better analysis of the use of credentials rather than relying solely on the presence of malware.
“This uses pre-existing power and it works in ways to trip up the attacker,” he said. “Once you trip something, you can go back and look at the exploit path and that is knowledge you can use in incident response.” He explained that if a tripwire is broken, Red Cloak can alert and aid the investigation before the attacker begins stealing data.